I’m pretty lucky – my most recent memories of a long commute were back in 1988, when I worked in NYC during my engineering co-op in college. It was miserable. Car to bus to train, and then walk a couple blocks through midtown to the office. It made me old when I was young. I only did it for 6 months, and I can’t imagine the toll it takes on folks who do it every day for decades.

Today you can be kind of productive while commuting, which is different than in the late 80s. There are podcasts and books on tape, and if you take aboveground public transportation, you can get network connectivity and bang through your email and social media updates before you even get to the office. But it still takes a toll. Time is not your own. You are at the mercy of traffic or mass transit system efficiency.

I was recently traveling to see some clients (and doing some end-of-year strategy sessions), and the first day it took me over 90 minutes to go 35 miles. For some reason I actually left enough time to get there and didn’t screw up my day by being late for my first meeting. Getting back to my hotel for a dinner meeting took another hour. I was productive, making calls and the like. And amazingly enough, I didn’t get pissy about the traffic or the idiocy I saw on the roads. I had nowhere else to be, so it was fine.

The next day was more of the same. I was able to leave after the worst of rush hour, but it still took me 65 minutes to go 40 miles. A lot of that was stop and go. I started playing my mental games, pretending the highway was a football field and looking for openings to squeeze through. Then I revisited my plans for world domination. Then I went back in time to remember some of my favorite football games. Then I got around to preparing for the meeting a bit. So again, I didn’t waste the time, but I don’t commute very often at all.

So when I was on my way to the airport Monday morning again, and it took me 65 minutes to get there, I was running out of things to think about. 3 long commutes in less than a week took its toll. How many times can you take over the world? How many meetings can you mentally prepare for, knowing whatever I decide to do will be gone from my frontal cortex before I board the plane? Then I revisited my unwritten spy thriller novel. The plot still needs work, especially because I forgot all the great ideas I had during the commute. Ephemeral thoughts for the win.

So when my father in law expressed a desire to stop commuting into Washington DC and move to an office closer to his home we were very supportive. Not just because he really shouldn’t be driving anywhere (he is 80 años, after all), but also he seems to have finally realized that he could have been talking to clients during the 60-90 minutes he spent in the car each way every day for the past 35 years. I’m decent at math, but I’m not going to do that calculation and I’m certainly not going to put a dollar figure on an opportunity cost comparable to the GDP of a small Central American nation.

Which means the next time my biggest morning decision is which coffee shop to set up at for the day, I will be grateful that I have the flexibility to spend my time working. Not commuting.


Photo credit: “Traffic in Brisbane” originally uploaded by Simon Forsyth

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

What CISOs Need to Know about Cloud Computing

Defending Against Application Denial of Service

Newly Published Papers

Incite 4 U

  1. It comes down to trust: In the world of encryption we try to use advanced math to prove or disprove the effectiveness of ciphers, entropy collection, and the generation of pseudo-random numbers. But in some cases you simply cannot know the unknown, so it comes down to trust, which is why I think the developers of FreeBSD removing “RDRAND” and “Padlock” pseudo-random number generation (PRNG) facilities – provided by Intel and VIA respectively – is a good idea. There is concern that these routines might not free of NSA adaptation. Even better, they chose Yarrow as a replacement – a PRNG which John Kelsey and Bruce Schneier designed specifically because they neither trusted other PRNGs nor could find one that provided good randomness. Yarrow, like Blowfish, is an effective and trustworthy choice. Bravo! – AL
  2. Doing the web app two-step: I’m a big fan of 2FA (two factor authentication), especially for key web apps where I store stuff I’d rather not see on WikiLeaks. Like anything I have access to would be interesting to the conspiracy crowd, but let me dream, would ya? So I was pretty early to use Google’s 2FA for Apps, and at this point I have it set up on Twitter, Facebook, and Evernote. Why not? It’s easy, it works, and it makes it quite a bit harder for someone who isn’t me to access my accounts. But there is a use case that can lock you out of apps. It’s the disconnected, again. To be clear, back in the early days of encrypted email, you needed to perform unnatural key management acts to support disconnected users. And there used to be disconnected users, like in developing nations or in the air. These folks could not get connected, and you had to provide for that. But with the ubiquity of wireless services that’s less of an issue. At this point you get pretty decent connectivity at 35,000 feet. Unless you don’t. I made the mistake of shutting down Evernote before boarding, and the WiFi was out. And I needed information I had stored there to bang out some research. It was awesome. So let’s just say I know to make sure the information I need is accessible before they close the airplane door. Fool me once… – MR
  3. Uh, wait, what? Apparently the DoD is contracting with GammaTech to build tools to reverse engineer software and firmware. This is a great idea – if you run an application or device that is reliant on a stack of code, it’s good to know what is really going on in that code. Learning about backdoors, defects and malware lurking in the software you use can help protect yourself in case your vendor failed to. What is ironic is the legal murkiness of doing this kind of analysis – in light of how fiercely companies protect their IP with end-user license agreements, patents, and trade secrets. And they have been known to sue their partners and customers to avoid this sort of analysis. “Fair use” will always be a legal grey area, which makes it difficult for security vendors to scan other applications without asking for a fight. But it’s one thing to sue ‘Timmy’ for reverse engineering a copy of Halo because he wants the game to work differently, and quite another to prosecute the DoD for looking at all your IP in their systems. It will be interesting to see whether this has any effect on end user license agreements and fair use in general, or whether the US government (and other large enterprises) will simply mandate audit rights as part of doing business. – AL
  4. Hi ho, Jericho! SC Mag offers an interesting perspective on how Google accepted that they would be a target (Aurora convinced them), so they fundamentally rethought both the devices they allow on their network (no more Windows) and their network security defenses (no more perimeter). They keep track of all their devices and authenticate/authorize devices to access stuff as needed. Regardless of location or network connectivity. But here’s the thing: Is there really no perimeter? Or do they just build many perimeters, around each of the distinct ‘services” they offer? This seems more of a hyper-segmented model providing isolation by service, as opposed to the traditional “get in and you’re in” external perimeter model. But hey, saying Zero Trust and no perimeter is much sexier than acknowledging that you have thousands of perimeters, right? – MR