Early December is a big deal in our house. It’s Nutcracker time, with both girls working all fall to get ready for their dance company’s annual production of the Xmas classic. They do 5 performances over a weekend, and neither girl wants it to end. We have to manage the letdown once that weekend is over. It has been really awesome to see all of the dancers grow up, via the Nutcracker. They start as little munchies playing party boys and girls in the first scene, and those who stick with it become Dew Drop or possibly even the Sugarplum Fairy.

The big part for XX1’s group this year was Party Clara. It’s on Pointe and it’s a big and featured role in Act 1. She has been dreaming about this part for the past 4 years, and when we heard she got it for one of the performances this year, we knew it was going to be a special Nutcracker. She also got a featured Rag Doll part for another performance and was on stage 4-5 times during the show.

XX2 wasn’t left out, and she got a number of featured parts as well. I used to dread that weekend but the girls didn’t really do much, so I could get away with going to one performance and being done with it. Now I attend 3 out of the 5 performances, and would go to all 5 if the girls had sufficient parts. I’m pretty sure the Boy wouldn’t be happy going to 5 performances, but he’ll get over it. I even skipped a home Falcons game to see the Sunday afternoon performance (I did!).

One of the things I am working on is to pause during the big stuff and just enjoy it. You could call it smelling the flowers or something like that. For me it’s about savoring the moment. To see XX1 with a grin ear to ear performing as Party Clara was overwhelming for me. She was so poised, so in command, so happy. It was incredible. During those 3-4 minutes the world fell away. There was only my girl on stage. That’s it.

Some folks watch their kids perform through a camera viewfinder. Or a cellphone screen while taking video. Not me. I want to experience it directly through my own eyes. To immerse myself in the show. I want to imprint it in my memory. Yes, we’ll buy the DVD of the performance, but that’s for the folks who weren’t there. I don’t need it. I was fully in that moment, and I can go back any time I want. And I do.


Photo credit: “P1-VS-P2” originally uploaded by MoreInterpretations

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. It’s on YouTube. Take an hour and watch it. Your emails, alerts and Twitter timeline will be there when you get back.

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Security Best Practices for Amazon Web Services

Network Security Gateway Evolution

Monitoring the Hybrid Cloud: Evolving to the CloudSOC

Security and Privacy on the Encrypted Network

Newly Published Papers

Incite 4 U

  1. Security deadly sin: offensive envy: I dug up Richard Bejtlich’s awesome post from right before New Year, where he dismantles a list from Microsoft’s John Lambert and calls him out for minimizing the potential of defensive security. It is true that hacking stuff is sexy, and the chicks & dudes dig it. But still, the fact that many defenders work off checklists doesn’t mean all do. Because the defenders seem to come up on the losing end of some breach every day doesn’t mean their efforts are pointless. It means it’s a hard job, pure and simple. And glorifying the adversary only provides a defeatist attitude before you even start playing. Which I guess is the adversary’s plan… – MR
  2. No hands: I just love it when someone comes up with an entire class of security vulnerability – and if it might affect an Apple product, guess what’s in the headlines? Like the general GSM wireless issue that was hyped as “iPhones Vulnerable” (every GSM phone was vulnerable). That hype sometimes does the issue a disservice, as highlighted in this piece at the Huffington Post on Jan Krissler recreating thumbprints from normal photographs at the Chaos Computer Club. It’s a fascinating and brilliant idea as we progress towards ubiquitous high-definition cameras throughout the world. Not merely for hacking phones, but for all the CSI-spinoff episodes it will inspire. Practically speaking, today I think the barriers to successfully executing this attack are high enough to keep this from becoming a major issue now, and anyone in a sensitive position should never rely on biometrics alone, but in another 10 years or so? Oh, and don’t forget to read the bit at the end about researchers pulling passcodes from over 100 feet away using high-definition video of screen reflections in someone’s eye. – RM
  3. Leadership: I think I was too young to understand what the term ‘leadership’ meant when I was promoted to CTO for the first time. Blindly stepping into a role I knew nothing about, I was blessed with a CEO who did not mince words: “If I catch you coding again, you’re fired!” That forced me to focus on the CTO job, which was leading the development team – communicating vision and providing direction on how we were going to deliver product. Over at Security Uncorked JJ wrote a thought-provoking piece on the mental challenges of changing – or even expanding – one’s role in Infosec. Releasing your grip on the hands-on work that got you where you are today is not easy. It’s not just learning leadership and management skills, but also giving up many things you enjoy in your current job. No college offers a “Security Leadership and Management 101” course, and as a new profession we don’t have that many resources to draw on. Bravo to JJ for sharing the angst of this transition. – AL
  4. In the real world, it depends… Wendy kills it again, pointing out that compliance is a pretty low bar, highly dependent on the competence of the assessor and with “the(ir) ability to measure objectively, not just answer questions.” A control can be implemented in such a way that it fails to protect anything. And the process may be in place, but if no one uses it, who cares? This isn’t really about maligning compliance (again), but the fact that prescriptive lists in mandates must be considered the lowest of low bars; once they are taken care of you can start really thinking about how to protect your stuff. So is compliance even helpful? Well, it depends… – MR
  5. Unintended consequences: If I were to redirect cellular tower traffic or interfere with cell transmissions, I would be prosecuted and go to jail for a very long time. If it’s illegal for me, shouldn’t law enforcement need a warrant to do it? The FBI says ‘No’: search warrants are not needed to use ‘stingrays’ in public places to perform mass surveillance of voice and data traffic on everyone in the area. Our government is spurring an interest in security I never thought would make the mainstream. Accusations like monitoring a CBS journalist – true or not – are so creepy that they will keep this story in the limelight for a while. Even at the giant Consumer Electronics Show in Vegas this week, vendors are competitively positioning consumer products with security features, and the keynote touched on the Sony hack. We are moving into a culture of digital security. Whodathunk that a few years ago? – AL
  6. Airway. Breathing. Cyberattack. As a geek and paramedic I became involved fairly early in healthcare IT. I still remember almost being fired for hacking into our manager’s computer because he accidentally locked us out of an important application that was only on his PC but required for our job, and he wouldn’t answer his landline or pager (yeah, I’m dating myself). Nothing fancy – I just found his password for the app in a plain text file via legit access we already had. Anyhow… Pre-Gartner I helped design an EMR app (and implement it in a clinic) for replacing dictation. I also have some more recent experience due to family connections in the industry. So it was no surprise to read Jack Daniel’s story of witnessing multiple hospital IT failures while visiting friends. Forget about security – this is an industry with massive structural issues in IT management. The situation is so much worse than you think, and despite all the security headlines fundamental reliability will consume healthcare dollars for a long time. Hop over to any healthcare forum (especially the physician ones) to see how bad things are, and be glad your providers would all prefer to go back to paper charting and orders in the first place. – RM
  7. The other EMET: I’m a football head, so when I hear the name “Emmitt” I always think of those times Emmitt Smith ran into the end zone to finish off the Giants as I was growing up. But I’m not talking about that Emmitt. I’m referring to EMET, Microsoft’s Enhanced Mitigation Experience Toolkit, which should be implemented on all your Windows devices. And it’s good that TrustedSec’s Dave Kennedy found some time (when he wasn’t hugging it out with the entire industry) to document how to install EMET. Is EMET perfect? Of course not. But it definitely makes it much harder to compromise Windows devices, so you should have it in your anti-malware toolkit. Yes, there are other cool technologies emerging to help on endpoints, but EMET is free, so why not use it? – MR
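Since the item above only points at Dave Kennedy’s install guide, here is what configuring EMET actually looks like once it is installed. This is an added example, not code from the Securosis post or from TrustedSec’s guide; it drives EMET 5.x from an elevated PowerShell prompt using the EMET_Conf.exe command-line tool that ships with the product. The install directory, the protection profile path, and the target application (Adobe Reader) are assumptions; adjust them to your environment.

```powershell
# Added example: configure and verify EMET 5.x with EMET_Conf.exe (run elevated).
# Paths below are assumptions for illustration, not values from the original post.

$EmetDir  = "C:\Program Files (x86)\EMET 5.5"                     # assumed install directory
$EmetConf = Join-Path $EmetDir "EMET_Conf.exe"
$Profile  = Join-Path $EmetDir "Deployment\Protection Profiles\Recommended Software.xml"
$App      = "C:\Program Files (x86)\Adobe\Reader\AcroRd32.exe"    # assumed target application

if (-not (Test-Path $EmetConf)) {
    throw "EMET_Conf.exe not found at $EmetConf; install EMET first or fix the path."
}

# 1. System-wide mitigations. ASLR=ApplicationOptIn is the conservative choice;
#    forcing mandatory ASLR on everything is what breaks older drivers and software.
& $EmetConf --system DEP=AlwaysOn SEHOP=AlwaysOn ASLR=ApplicationOptIn Pinning=Enabled

# 2. Apply Microsoft's shipped "Recommended Software" profile, which carries
#    per-application rules for browsers, Office, PDF readers, Java and media players.
& $EmetConf --import "$Profile"

# 3. Protect one more application. With no mitigation list, --set enables every
#    mitigation; a leading '-' turns one off. Re-adding the app with EAF disabled
#    is the usual first step when a program crashes under EMET.
& $EmetConf --set "$App"
& $EmetConf --set "$App" -EAF

# 4. Verify before rolling out. --list_system shows the system-wide settings and
#    --list prints every protected executable with its mitigation flags.
& $EmetConf --list_system
$listed = & $EmetConf --list
if (-not ($listed -match [regex]::Escape("AcroRd32.exe"))) {
    Write-Warning "Target application is not present in the EMET configuration."
}
```

Test a configuration like this on a pilot group before pushing it everywhere: EMET’s per-application hooks are exactly the kind of thing that turns a working line-of-business app into a crash loop, and the fix is almost always removing one mitigation (EAF and Caller are the usual suspects) rather than abandoning the tool. For fleet deployment, `EMET_Conf --export` writes the working configuration to XML, and the Group Policy templates in the EMET Deployment folder let you push the same settings through GPO. One caveat for anyone reading this later: Microsoft ended support for EMET in July 2018, and its mitigations live on as Exploit Protection in Windows 10, managed with the Get-ProcessMitigation and Set-ProcessMitigation cmdlets.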