You want it and you want it now. So do I. Whatever it is. We live in an age of instant gratification. You don’t need to wait for the mailman to deliver letters – you get them via email. If you can’t wait the 2 days for Amazon Prime shipping, you order it online and pick it up at one of the few remaining brick and mortar stores. Record stores? Ha! Book stores? Double ha!! We live in the download age. You want it, you buy it (or not), and you download it. You have it within seconds.

But what happens when you don’t get what you want or (egads!) when you have to wait? You are disappointed. We all are. We get locked into that thing. It’s the only outcome we can see. Maybe it’s a thing, maybe it’s an activity. Maybe it’s a reaction from someone, or more money, or a promotion. It could be anything, but you want it and you get pissy when you don’t get it – now!

The problem comes down to attachment. Disappointment happens when you don’t get the desired outcome in the timeframe you want. Disappointment leads to unhappiness, which leads to sickness, and so it goes. I have made a concerted effort to stop attaching myself to specific outcomes. Sure, there are goals I have and things I want to achieve. But I no longer give myself a hard time when I don’t attain them. I don’t consider myself a failure when things don’t go exactly as I plan. At least I try not to…

But I was struggling to find an analogy to rely on for this philosophy, until earlier this week. I was in a discussion in a private Facebook group, and I figured out the concept in a way I can easily remember and rely on when my mind starts running amok.

I think many of us fall into the trap of seeing a desirable outcome and getting attached to that. I know I do. I’m trying to flow like water. Water doesn’t care where it ends up. It goes along the path that provides the least resistance at any given time. Not that we don’t need resistance from time to time to grow; rather, we need to be flexible enough to adapt to the reality of the moment.

Be like water. Water takes the shape of whatever vessel it’s in. Water flows. Water has no predetermined goal and can change form as needed. As the waves crash they show the awesome power of harnessed water. The analogy also works for me because I like being by the water, and the sound of water calms me. But I am not the only one who likes the water. Bruce Lee figured this out way before me and talked about it in this classic interview.

Maybe the concept works for you, and maybe it doesn’t. It’s fine either way for me – I’m not attached to a particular outcome…


Photo credit: “The soothing sound of flowing water” originally uploaded by Ib Aarmo

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and watch it. Your emails, alerts and Twitter timeline will be there when you get back.

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Monitoring the Hybrid Cloud: Evolving to the CloudSOC

Building an Enterprise Application Security Program

Security and Privacy on the Encrypted Network

Secure Agile Development

Newly Published Papers

Incite 4 U

  1. Shiny attack maps for everyone: I hand it to Bob Rudis and Alex Pinto for lampooning vendors’ attack maps. They have issued an open source attack map called IPew, which allows you to build your own shiny map to impress your friends and family. As they describe it, ‘IPew is an open source “live attack map” simulation built with D3 (Datamaps) that puts global cyberwar just a URL or git clone away for anyone wanting to display these good-for-only-eye-candy maps on your site.’ Humor aside, visualization is a key skill, and playing around with their tool may provide ideas for how you can present data in a more compelling way within your own shop. So it’s not all fun and games, but if you do need some time to decompress, set IPew to show the Internet having a bad day… War Games FTW. – MR
  2. Not for what you think: Occasionally we need to call BS on a post, and Antone Gonsalves on Fraudster Protection for Websites qualifies. His claim is that IBM’s patented new technology can detect fraud by monitoring a user’s interaction with their browser, examining the duration between clicks and how they scroll. The concept is that you understand what a user does normally, so anything different is fraud. What could go wrong? The fundamental problem is that hackers don’t use browsers – at least nothing like an average user’s browser. This press release was obviously created by a guy who thinks all hackers wear ski masks to work. The use cases for this type of technology are marketeers wanting to watch customers use their web sites (to figure out and optimize click streams), and law enforcement looking for a better determination of who is behind the keyboard. It is a type of malware. For security it is surprisingly bad because of false positives – in the same way financial trading models completely fail under any unusual circumstances, which is why this approach failed in 2004 when it first made the rounds. – AL
  3. Outsourcing responsibility: Raj Samani and Brian Honan’s post about the (In)Security of Cloud Computing on the Wired Blog is thought provoking. They conflate all the varieties of cloud computing, despite several key nuances, but it is true that ultimately the responsibility for data protection resides with you – not a cloud provider. Whether it is malware targeting a SaaS provider, or a social engineering attack trying to gain a foothold in your cloud environment, a cloud provider will do whatever they do, and you will still be responsible. We have said for years that you can outsource almost anything – except accountability. So ask questions, do your diligence, and get comfortable with the fact that you will have less visibility (at least initially) and control over the cloud infrastructure. But not forever – as the cloud matures we are betting that cloud security will leapfrog what is possible when securing traditional infrastructure. But that is a discussion for another day. – MR
  4. Quietly important: Microsoft’s latest additions to the Azure cloud are very important – not because of IOT Streaming Analytics, but because they provide all of the infrastructure needed to produce a security event analysis and analytics platform within the cloud. Stream analytics provides a way to insert real-time security analytics and anti-fraud services into the cloud technology stack; the data factory aggregates data to pipe into SIEM, log management, and data warehouses. Microsoft is positioning their data factory and event hubs to be the ultimate repository, but customers are likely to demand the opposite, choosing Hadoop or whatever platform best serves their analytics requirements – exactly what NoSQL excels at. But this core infrastructure is critical for enterprises looking to move to the cloud. – AL
  5. Get your pen test on: We have been vociferous supporters of penetration testing for a long time. Obviously folks who know what they are doing cost money. And you should be testing on an ongoing basis anyway. Maybe you bought a tool (or fired up Metasploit), but you may not know where to start. Fortunately for you Stephen Haywood has decided he is less of a promoter and more of a tester, and open sourced his Beginner’s Guide to Pentesting. I checked out the Table of Contents (and plan to read it over the holidays) and it is a good overview of the things you will need to pen test your own stuff, including intelligence gathering and reconnaissance, wireless testing, web app testing, and phishing. You will still need to work to actually figure out how it works, but Stephen’s book provides a basis to guide your experimentation, so send some beer to thank him for the effort. You can send that beer to our main Securosis address and we’ll make sure he gets it… LOL. – MR