My friend Shimmy must have taken his nostalgia pills over the long weekend – on Monday he tweeted:

Doesn’t it suck getting older I didn’t realize how truly carefree life was All is good here thinking about some new stuff

Besides the fact that it’s Twitter-english (half sentences/thoughts to fit into 140 characters, punctuation not required), I disagree with that sentiment. I don’t think it sucks getting older. Aging is awesome. I’m not sure I would recognize my 24-year-old self if I ran into him on the street. If I take a rare moment to reflect, almost every aspect of my life is better now. My main gripe is that my body is 20 years older, so my knees ache from time to time and it takes me a bit longer to kick a hangover. But on the list of potential issues, those are pretty minor.

There is nothing saying that a carefree life is a better life. Or maybe I just never had a carefree life. When I was younger I was always striving. I had a timetable for success and wanted to hit my dates. A few years ago I dropped the timetable. I could do that because I changed my view of success, which is still evolving as I learn more about myself and what I’m really about.

To be fair, there are Saturdays I would like to stay in bed until 2pm like I did 20 years ago. And there was something liberating about fitting pretty much all my possessions into a duffle bag or two. I had nothing to lose. But I don’t buy into the notion that having responsibilities (family, kids, expenses) is worse. In fact all I could think about when I had no responsibilities was my timetable to gain them. I searched for a partner and found the Boss. I worked hard at a number of jobs and then stumbled into research. Same old story. Lots of folks think the grass was greener in the past. Or will be greener in the future. They would rather be anywhere else but here. Any other time but now.

Which is a shame. All we have is right now. The past is gone. The future hasn’t happened yet. What I want to do is enjoy the time I have, as long as it lasts. To age gracefully like a good single malt (and I don’t even like scotch). To leverage my experience and help people improve. To connect those I value to resources or knowledge I can access. Just thinking about it gets me fired up about the road ahead.

But I shouldn’t beat Shimmy up too badly – he got it right in the last part of his tweet. All is good here. It sure is, brother. I wouldn’t trade my experiences, which have been a critical part of the journey. As I said in Live Right Now: “You could choose to live in the past. We need to be respectful of history, and learn the lessons of those that came before us.” I also said, “Think to the future not in fear and worry, but in hope and grace.” I’m choosing to live right now because I am finally old enough to appreciate the challenges of the alternatives.

As Steve Jobs would say, this approach allows you to “Stay Hungry. Stay Foolish.” Which seems pretty carefree to me…


Photo credit: “The Maltman Bowmore 21 Years” originally uploaded by Sven Cipido

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

What CISOs Need to Know about Cloud Computing

Defending Against Application Denial of Service

Newly Published Papers

Incite 4 U

  1. Staying focused on the prize: Our pal Wendy posted another terrific rant before the holiday. This time on user feedback in applications. In What’s my name? No, really, what is it?, she talks about how pen testers always gave her a hard time about the feedback given by the login process. With that information, the attacker could infer valid user IDs, etc. Wendy points out that this is by design – if users cannot remember their user names they call the help desk. When they call the help desk it costs money or takes folks away from more important tasks. So yes, you need to balance the obscurity required to make it harder on attackers against the downside of making it harder for legitimate users. Which do you choose? Thought so. She closes with: “If your system can’t withstand attacks by someone who knows a valid username or email address, then you have MUCH bigger problems to solve.” Wendy drops the mic and goes home. – MR
  2. Super-unrelated: The PCI DSS 3.0 requirement that firms map the flow of payment card data is really nothing new – identifying what systems contain cardholder data has been part of every DSS specification since the beginning. Mapping the data flow and showing which users and applications have access to that data simply provides a clearer picture of how that data is used so you understand how best to safeguard it. For threat modeling this type of diagram is a must! The key is that it makes the assessor’s job easier to have a map of the systems in scope and subject to review. That does not address the flaw Troy Leach identifies: unknown and unsecured cardholder storage locations as the cause of breaches. Those breaches result from poor understanding of what data IT systems actually collect, bad discovery tools, and/or unwillingness to discover weak spots because that would increase the merchant’s exposure to audit and liability (and perhaps costs to fix the problems). The map simply helps define the merchant’s Cardholder Data Environment. – AL
  3. Data center immortality: It has been a slow news week in security, so let me dig into the archives and link to a NetworkWorld story on How to build the immortal data center. The article summarizes a Gartner Symposium pitch on data center evolution, arguing that existing data centers can be retrofitted to last another dozen years, if not more. Innovations such as hot and cold aisles, advanced cooling, and far more efficient new 1U servers running at 90% workloads can add huge capacity within existing footprints. Did you know you can save big bucks by running your data center at 78F instead of 72F? Me neither, and that’s because I’m a security guy. So what? Data center evolution eventually comes home to roost when you need to protect things. Virtualized servers, workloads that move around, hybrid cloud architectures, and lots of other things don’t get you off the hook for protecting the organization’s critical information. Not that these trends are good or bad, but ignoring the trends underlying the significant infrastructure disruption we see coming ensures you won’t be ready when it hits. And that will be sooner rather than later. – MR
  4. You do it: Lots of enterprises say they cannot adopt cloud computing because they cannot meet their compliance obligations given the opacity of the cloud provider’s service. But it dawned on me that things like WFT Cloud are a huge advancement, as these service providers have the expertise already in house. While the list of services WFT Cloud provides seems paltry, given the complexity of SAP they actually do a lot. SAP is a critical application for lots of very large enterprises, but it’s also a miserable beast to manage, forcing many firms to rely on third parties for the bulk of the heavy management lifting. User provisioning, security and compliance are a nightmare. Most auditors settle for whatever reports they can get because what they really want is often infeasible. Rather than paying consultants to do the bulk of the work, outsourcing the infrastructure masks the complexity of the enterprise application while still serving its core functions, which makes financial, operational and security sense. – AL
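The login feedback trade-off from item 1, as an added example that is not part of the original post or of Wendy’s article: a toy login service with a `verbose` switch for the helpful, username-specific messages, beside the uniform-message variant, with a per-account lockout in both modes so that a known valid username is not enough to keep guessing. Account names, passwords and the `MAX_FAILURES` threshold are constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2; the store never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_DUMMY_SALT = os.urandom(16)  # equalises work for unknown usernames


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0


class LoginService:
    """Login check with selectable feedback style and per-account lockout.

    verbose=True gives the user-specific messages the post describes (the
    forgetful user learns the username itself is wrong, sparing a help desk
    call) but confirms which usernames exist; verbose=False answers every
    failure identically. Either way MAX_FAILURES wrong passwords lock the
    account, so a known valid username is not enough to keep guessing.
    """
    MAX_FAILURES = 5          # constructed threshold for the example
    UNIFORM = "invalid credentials"

    def __init__(self, verbose: bool) -> None:
        self.verbose = verbose
        self.accounts: dict[str, Account] = {}

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, _hash(password, salt))

    def login(self, username: str, password: str) -> str:
        acct = self.accounts.get(username)
        if acct is None:
            _hash(password, _DUMMY_SALT)  # same cost as a real check
            return "unknown username" if self.verbose else self.UNIFORM
        if acct.failures >= self.MAX_FAILURES:
            # A distinct "locked" reply would itself confirm the username,
            # so the uniform mode hides lockout behind the same message.
            return "account locked" if self.verbose else self.UNIFORM
        if hmac.compare_digest(acct.pw_hash, _hash(password, acct.salt)):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        return "incorrect password" if self.verbose else self.UNIFORM
```

A hard lockout after a fixed number of failures is itself a lever for locking legitimate users out of known accounts, so real deployments usually pair the counter with a time window or progressive delay rather than a permanent lock.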