As I mentioned, I’m running a half marathon for Team in Training to defeat blood cancers. I’ve raised a bunch of money and still appreciate any donations you can make. I’m very grateful to have made it through my training in one piece (mostly), and ready to go. The race is this coming Saturday and the final two weeks of training are referred to as the taper, when you recover from months of training and get ready to race.

This will be my third half, so by this time in the process I’m pretty familiar with how I feel, which is largely impatient. Starting about a month out, I don’t want to run any more because my body starts to break down a bit after about 250+ miles of training. I’m ready to rest when the taper starts – I need to heal and make sure I’m ready to run the real deal. I want to get the race over with and then move on with my life. Training can be a bit consuming and I look forward to sleeping in on a Sunday morning, as opposed to a 10-12 mile training run. It’s not like I’m going to stop running, but I want to be a bit more balanced. I’m going to start cycling (my holiday gift to myself will be a bike) and get back to my 3x weekly yoga practice to switch things up a bit.

The taper is actually a pretty good metaphor for navigating life transitions. Transitions are happening all the time. Sometimes it’s a new job, starting a new hobby, learning something new, relocating, or anything really that shakes up the status quo. Some people have very disruptive transitions, which not only shake their foundations but also unsettle everything around them. To live you need to figure out how to move through these transitions – we are all constantly changing and evolving, and every decade or so you emerge a different person whether you like it or not. Even if you don’t want to change, the world around you is changing, and forces you to adapt. But if you can be aware enough to sense a transition happening, you can taper and make things more graceful – for everyone.

So what does that even mean? When you are ready for a change, you likely want to get on with it. But another approach is to slow down, rest a bit, take a pause, and prepare everyone around you for what’s next. I’ve mentioned the concept of slowing down to speed up before, and that’s what I’m talking about. When running a race, you need to slow down in the two weeks prior to make sure you have the energy to do your best on race day. In life, you need to slow down before a key transition and make sure you and those impacted are sufficiently prepared.

That requires patience and that’s a challenge for me and most of the people I know. You don’t want to wait for everyone around you to be ready. You want to get on with it and move forward, whatever that means to you. Depending on the nature of the transition, your taper could be a few weeks or it could be a lot longer. Just remember that unless you are a total hermit, transitions reverberate with those around you. It can be a scary time for everyone else because they are not in control of your transitions, but are along for the ride. So try to taper as you get ready to move forward. I try to keep in mind that it’s not a race, even when it’s a race.

Photo credit: “graff la rochelle mur aytre 7” originally uploaded by thierry llansades

Thanks to everyone who contributed to my Team in Training run to battle blood cancers. We’ve raised almost $6,000 so far, which is incredible. I am overwhelmed with gratitude. You can read my story in a recent Incite, and then hopefully contribute (tax-deductible) whatever you can afford. Thank you.

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back.

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Building Security into DevOps

Building a Threat Intelligence Program

Network Security Gateway Evolution

Recently Published Papers

Incite 4 U

  1. Getting started in InfoSec: Great post/resource here from Lesley Carhart about how to get started in information security. Right up at the top the key point comes across loud and clear: you need to understand how things work to hack them (or defend them). YES! That’s why a degree in security is useful, but the reality is that students coming out of these programs aren’t ready because they don’t know how everything works. That takes a few years in the coal mines, so you need to grow folks to meet demand, but it’s a multi-year investment. You can’t just send them to a SANS class and figure they’ll be ready to take on sophisticated adversaries. The other point right up front is on passion about security. It’s not a 40-hour-a-week job (not even in France), and it’s thankless. So if you don’t really like it, it’s a slog to do security for years. If you have folks who are interested in getting into our little area of the world, have them read this post. – MR
  2. Infinite primes, wasted: Remember back in high school, when your teachers said “Math is important!” You muttered under your breath, “When am I ever going to use this stuff? Combinatorials? Prime numbers? Never again!” Well guess what? Your math teacher was right. J. Alex Halderman and Nadia Heninger, in How is NSA breaking so much crypto?, offer a plain English explanation of how nation-state hackers are likely able to eavesdrop on HTTPS sessions. They go on to discuss the economics, and the incentives for governments to invest in crypto hacking hardware to keep pace with networks and technology. Because of a common implementation failure in the use of prime numbers – using the same ones every time – the NSA and other nation-states can leverage a few hundred million in custom hardware to crack the majority of secured sessions – and what’s a few hundred million between friends (or enemies). The brute force cracking is not rocket science, nor is the discovery of the simple mistake in usage of prime numbers, but combined they allow determined parties to eat ‘secure’ sessions for lunch. – AL
  3. Mobile + Pr0n = Pwn: I highlighted this link in last week’s Friday Summary, but it’s worth a broader discussion: porn sites are the top mobile infection vector. Mostly because it’s about pr0n. HA! But that brings up a good point about the path of least resistance. Attackers find ways to figure out the easiest way to achieve their mission, and folks who use tablets and phones to consume adult content are pretty low-hanging. No pun intended, but the key points here are that malvertising is a key attack vector now and some sites are going to be more careful about it, and that porn sites probably aren’t among the best of them. So what to do? Abstinence? Just say no? As Nancy Reagan turns over in her grave, the answer is to make sure you are following the same practices you follow on your PC devices. Don’t click on stupid links, and make sure your device is patched and up to date. – MR
  4. Fast pass to replacement: In the last two weeks Mastercard has launched the MasterPass Mobile App with full tokenization of credit cards (i.e., PAN) through the MasterPass Digital Enablement Service – a fancy name for their tokenization gateway. This is important as they are directly linking issuing banks to mobile apps like Android Pay, Apple Pay, and Samsung Pay. In The EMV Migration and the Changing Payment space we explained that EMV cards are almost trivial in the bigger picture. The transition to mobile is where the real security benefits will be derived. And this is where we will see full end-to-end tokenization and merchants no longer getting access to card numbers. The road will continue to be bumpy for a while, as card-not-present fraud forces banks to reissue cards (and reissue them again), and consumers are forced to sit on their phones (if you’re like me) explaining to their bank that they are putting another new credit card number into Apple Pay, and asking why the $@#! the bank can’t automate this process! The answer in both cases is fraud, which will continue to escalate until this migration to more secure (i.e., mobile) platforms, which can help combat both card cloning and card-not-present fraud. – AL
  5. Patience is hard: Most of the folks in your organization aren’t security people. Sure you can bust out the platitudes like “security is everyone’s job” and other such puffery, but the reality is these folks have demanding jobs, and security isn’t in their job descriptions. So how long does it take them to become aware? Sometime between forever and forever? The news isn’t that bad, but it will take time and repetition, with some gamification and possibly some public shaming, for everyone to get the picture. And there will always be those ‘special’ folks who won’t ever get it, but you have to tolerate them (and clean up their messes) because they are too important. Maybe show them the article linked above about mobile and porn – I’m sure that has never been an attack vector for these folks. – MR
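Item 2 above boils the Halderman/Heninger argument down to two defender-relevant facts: a Diffie-Hellman modulus that is too small can be precomputed against once and reused forever, and the same modulus being shared by huge numbers of servers is exactly what makes that one-time investment pay off. The script below is an added illustration, not Securosis code or anything from the linked write-up. It audits a set of observed (host, p, g) Diffie-Hellman parameters for modulus size, safe-prime structure, and cross-host reuse. All host names and parameters are constructed toy values (tiny primes so the arithmetic is visible); a real audit would feed it moduli pulled from TLS or SSH handshakes and use a cryptographic library's primality test.

```python
"""Audit Diffie-Hellman group parameters for undersized moduli and for the
same modulus being reused across many hosts.  Added example; hosts and
parameters are constructed, not taken from any real deployment."""
from collections import defaultdict

MIN_BITS = 2048  # commonly recommended floor for finite-field DH moduli

# Bases making Miller-Rabin deterministic for n < 3.3e24 (more than enough
# for the toy moduli below; use a crypto library for real-size primes).
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Deterministic Miller-Rabin for the size range this example uses."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n == b:
            return True
        if n % b == 0:
            return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # no witness of primality for base a: composite
    return True


def is_safe_prime(p: int) -> bool:
    """p = 2q + 1 with q prime, so the group has a large prime-order subgroup."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def audit_dh_groups(observations):
    """observations: iterable of (host, p, g) as seen in a key exchange.
    Returns {host: [finding, ...]}; an empty list means nothing flagged."""
    by_modulus = defaultdict(set)
    for host, p, _g in observations:
        by_modulus[p].add(host)

    findings = {}
    for host, p, g in observations:
        issues = []
        bits = p.bit_length()
        if bits < MIN_BITS:
            issues.append(f"modulus only {bits} bits (< {MIN_BITS})")
        if not is_safe_prime(p):
            issues.append("modulus is not a safe prime")
        if not 1 < g < p - 1:
            issues.append("generator out of range")
        others = sorted(by_modulus[p] - {host})
        if others:
            # Reuse is what makes one expensive precomputation pay off
            issues.append(f"modulus shared with {', '.join(others)}")
        findings[host] = issues
    return findings


# Constructed sample: two hosts share the safe prime 47; a third uses 13,
# which is prime but not a safe prime.  Hypothetical host names.
SAMPLE_OBSERVATIONS = [
    ("vpn-a.example", 47, 2),
    ("vpn-b.example", 47, 2),
    ("web-c.example", 13, 2),
]

if __name__ == "__main__":
    for host, issues in audit_dh_groups(SAMPLE_OBSERVATIONS).items():
        print(host, "->", "; ".join(issues) or "ok")
```

The reuse check is the one that matters most operationally: a single flagged host with a 1024-bit modulus is a local problem, but the same modulus appearing across an entire fleet (or across unrelated organizations, because it shipped as a library default) is what turns the precomputation the article describes from theoretical into economical.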