It has been a while since I’ve mentioned my gang of kids. XX1, XX2 and the Boy are alive and well, despite the best efforts of their Dad. All of them started new schools this year, with XX1 starting high school (holy crap!) and the twins starting middle school. So there has been a lot of adjustment. They are growing up and it’s great to see. It’s also fun because I can start to pollute them with the stuff that I find entertaining.

Like classic comedies. I’ve always been a big fan of Monty Python, but that wasn’t really something I could show an 8-year-old. Not without getting a visit from Social Services. I knew they were ready when I pulled up a YouTube of the classic Mr. Creosote sketch from The Meaning of Life, and they were howling. Even better was when we went to the FroYo (which evidently is the abbreviation for frozen yogurt) place and they reminded me it was only a wafer-thin mint.


I decided to press my luck, so one Saturday night we watched Monty Python and the Holy Grail. They liked it, especially the skit with the Black Knight (It’s merely a flesh wound!). And the ending really threw them for a loop. Which made me laugh. A lot. Inspired by that, I bought the Mel Brooks box set, and the kids and I watched History of the World, Part 1, and laughed. A lot. Starting with the gorilla scene, we were howling through the entire movie. Now at random times I’ll be told that “it’s good to be the king!” – and it is.

My other parenting win was when XX1 had to do a project at school to come up with a family shield. She was surprised that the Rothman clan didn’t already have one. I guess I missed that project in high school. She decided that our family animal would be the Honey Badger. Mostly because the honey badger doesn’t give a _s**t_. Yes, I do love that girl. Even better, she sent me a Dubsmash, which is evidently a thing, of her talking over the famous Honey Badger clip on YouTube. I was cracking up.

I have been doing that a lot lately. Laughing, that is. And it’s great. Sometimes I get a little too intense (yes, really!) and it’s nice to have some foils in the house now, who can help me see the humor in things. Even better, they understand my sarcasm and routinely give it right back to me. So I am training the next generation to function in the world, by not taking themselves so seriously, and that may be the biggest win of all.


Photo credit: “Horse Laugh” originally uploaded by Bill Gracey

Thanks to everyone who contributed to my Team in Training run to battle blood cancers. We’ve raised almost $6,000 so far, which is incredible. I am overwhelmed with gratitude. You can read my story in a recent Incite, and then hopefully contribute (tax-deductible) whatever you can afford. Thank you.

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back.

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Building Security into DevOps

Building a Threat Intelligence Program

Network Security Gateway Evolution

Recently Published Papers

Incite 4 U

  1. The cloud poster child: As discussed in this week’s FireStarter, the cloud is happening faster than we expected. And that means security folks need to think about things differently. As if you needed more confirmation, check out this VentureBeat profile of Netflix and their movement towards shutting down their data centers to go all Amazon Web Services. The author of the article calls this the future of enterprise tech and we agree. Does that mean existing compute, networking, and storage vendors go away? Not overnight, but in 10-15 years infrastructure will look radically different. Radically. But in the meantime, things are happening fast, and folks like Netflix are leading the way. – MR
  2. Future – in the past tense: TechCrunch recently posted The Future of Coding Is Here, outlining how the arrival of APIs (Application Programming Interfaces) has ushered in a new era of application development. The fact is that RESTful APIs have pretty much been the lingua franca of software development since 2013, with thousands of APIs available for common services. By the end of 2013 every major API gateway vendor had been acquired by a big IT company. That was because APIs are an enabling technology, speeding integration and deployment, and making it easy to leverage everything from mobile to the Internet of Things. And don’t even bother trying to use cloud services without leveraging vendor APIs. But the OWASP Top Ten will not change any time soon, as traditional web-facing apps and browsers still provide too many attractive targets for attackers to forsake them. – AL
  3. Cheaters gonna cheat: Crowdstrike published some interesting research recently, discussing how they detected the Chinese hacking US commercial entities, even after the landmark September 25 agreement not to. Now, of course, there could have been a lag between when the agreement was signed and when new marching orders made it to the front lines. Especially when you send the message by Pony Express. Turns out there are things like email, phones, and maybe even these newfangled things called “web sites” to make sure everyone knows about changes in policy. But did you really expect a political agreement to change anything? Me neither. So just like cheaters are gonna cheat, nations states are gonna hack. – MR
  4. Stealing from spies: Hackers have figured out how to uncloak advertising links embedded in iFrames by exploiting the relationship between two frames. For those of us who think iFrames are an attack vector themselves, it’s no surprise that this dodgy means of tracking users and supporting ad networks was cracked by bad (worse?) guys. The good news is that it does not expose any additional user information, but it does allow attackers to manipulate ad clicks. Most tricks, hacks, and sneaky methods of scraping data or force user browsers to take action were pioneered by some marketing firm to game the system. The problem is that dodgy habits are endemic to how many very large companies make money, so we get hacked solutions to compensate for the hacks these firms leverage to satisfy their own profit motive. Until the economics change, hackers will have plenty of ‘features’ from ad, social, and analytics networks to exploit and profit. – AL
  5. A cyberinsurance buffet: Warren Buffett has done pretty well by sticking to things he can understand. OK, maybe that’s the understatement of the millennium. His Specialty Insurance business getting into underwriting cyber policies seems to run counter to that philosophy. He wouldn’t even invest in tech companies, but now he’s willing to value something that you pretty much can’t value (cyber-exposure). Of course it’s not Warren himself writing the policies. But all the same, and maybe it’s just me, but it is not clear how to write these policies – even the best defenses can be breached at any time by sophisticated attackers. I’m happy to hear explanations, because I still don’t get this. – MR