Sitting at my feet is the brand spanking new Kindle I ordered for XX1. It arrived before the snow and ice storm hits the ATL, so we got pretty lucky. She’s a voracious reader and it has become inefficient (and an ecological crime) to continue buying her paper books. She has probably read the Harry Potter series 5 or 6 times, and is constantly giving me new lists of books to buy. She has books everywhere. She reads on the bus. She gets in trouble because sometimes she reads in class. It’s pretty entertaining that the Boss and I need to try to discipline her, when her biggest transgression is reading in class. I kind of want to tell the teacher that if they didn’t suck at keeping the kid’s attention, it wouldn’t be a problem. But I don’t.

I have used the Kindle app on my iOS devices for a couple years. I liked it but my older iPads are kind of heavy, so it wasn’t a very comfortable experience to prop on my chest and read. I also had an issue checking email and the Tweeter late at night. So I bought a Kindle to just read. And I do. Since I got it my reading has increased significantly. Which I think is a good thing.

So I figured it was time to get XX1 a Kindle too. The Boss was a bit resistant, mostly because she likes the tactile feeling of reading a book and figured XX1 should too. Once we got past that resistance, I loaded up the first Divergent book onto my Kindle and let her take it for a test drive. I showed her two features, first the ability to select a word and see it in the dictionary. That’s pretty awesome – how many kids do you know who take the time to write down words they don’t know and look them up later? I also showed her how to highlight a passage. She was sold.

A day and half later, she was ready for book 2 in the Divergent series. Suffice it to say, I loaded up book 3 as well, preemptively. Of all the vices my kids have, reading is probably okay. Before I go to bed tonight I will set up her new device and load up a bunch of books I have which I think she’ll like. We will be snowed in for at least a day, so they will give her something to do. The over/under in Vegas is that she reads two books over the next couple days. I’m taking the over.

What’s really cool is that in a few years, she will hardly remember carrying a book around. That will seem so 2005. Just like it seems like a lifetime ago that I loaded up 40-45 CDs to go on a road trip in college (or cases of cassette tapes when I was in high school). Now I carry enough music on my phone to drive for about 3 weeks, and never hear the same song twice.

It’s the future, and it’s pretty cool.

–Mike

Photo credit: “Stack of Books” originally uploaded by Indi Samarajiva

Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and, well, hang out. We talk a bit about security as well. We try to keep these less than 15 minutes, and usually fail.

• Feb 10 – Mass Media Abuse
• Feb 03 – Inevitable Doom
• Jan 27 – Government Influence
• Jan 20 – Target and Antivirus
• Jan 13 – Crisis Communications

2014 RSA Conference Guide

We’re at it again. For the fifth year wea re putting together a comprehensive guide to what you need to know if you will be in San Francisco for the RSA Conference at the end of February. We will also be recording a special Firestarter video next week, because you obviously cannot get enough of our mugs.

Key Themes

• Key Theme: Retailer Breaches
• Key Theme: Big Data Security
• Key Theme: APT0

And don’t forget to register for the Disaster Recovery Breakfast Thursday, 8-11 at Jillian’s.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

The Future of Information Security

• Implications for Cloud Providers
• Implications for Security Vendors
• What it means
• Six Trends Changing the Face of Security
• A Disruptive Collision
• Introduction

Leveraging Threat Intelligence in Security Monitoring

• Quick Wins with TISM
• The Threat Intelligence + Security Monitoring Process
• Revisiting Security Monitoring
• Benefiting from the Misfortune of Others

Advanced Endpoint and Server Protection

• Assessment
• Introduction

Newly Published Papers

• Defending Data on iOS 7
• Eliminating Surprises with Security Assurance and Testing
• What CISOs Need to Know about Cloud Computing
• Defending Against Application Denial of Service
• Security Awareness Training Evolution
• Firewall Management Essentials
• Continuous Security Monitoring

Incite 4 U

1. Hot or Not: We spend a ton of time working with security startups (and lately cloud startups looking for security help). So we will be the first to admit we don’t know all of them, and it can sometimes be hard to evaluate broad market perception – our instincts and research are good but we don’t do quantitative market surveys. Justin Somaini just published his personal survey results on security startups and issues and it’s pretty interesting. (Full disclosure: Justin is Chief Trust Officer at Box, who is licensing a paper of ours). Justin got 500 responses from people rating the perceived value of every security startup he could find, and also teased out a bit on perceived top security issues. I’m sure there is survey bias, but if you want a sense of which startups have the best recognition this is a great start, and Justin published all the results in the open, just the way we like it. (Note to Mike: I call dibs on the new prospect list.). – RM
2. Attacks are not evenly distributed: You have to love Rob Graham. Words matter to Rob. And when he see words misused he usually pens a very detailed diatribe on the Errata blog. This time he takes Glenn Greenwald and NBC News to task for incorrectly calling an attack DDoS. Rob’s point is that nation-states would not likely launch a DDoS attack because it involves lots of compromised devices taking down networks. Nation-states aren’t likely to use compromised devices when they have more efficient means of knocking things down. The whole rant comes back to Rob’s general expectation that professional reporters should get it right, rather than simply parroting hacktivists without even trying to understand what they are repeating. The hacktivists get a pass because they “are largely unskilled teenagers with a very narrow range of expression.” Kind of sounds like a lot of adults I know as well… But that’s just me. – MR
3. Facing the unfamiliar: When I was a programmer there was always a ‘dread’ project: a task I dreaded facing because it was new, tough, and would require significant effort to solve. I would drag my feet, worry about the project, and keep pushing it to the bottom of the stack. More often than not, once I jumped in, not only did the task turn out easier than I thought, but the process of learning made the whole effort exciting and fun! “How do you face a programming task you’ve never done before?” brought this to mind, and I can say without reservation, “Jump in and try it.” If you fail, that’s actually okay – we call that “rapid prototyping” now, and it’s part of the learning process. But I’m betting that more often than not new tasks are not as hard as you think, and more rewarding that you imagine! – AL
4. Snap, Clinkle, Popped: Peter Hesse makes a good case for why even startups need to worry about security with a story of a stealth-mode payment startup called Clinkle getting pwned recently. Was the breach a death blow? Probably not, but it doesn’t look good for a company trying to get established in the payment space. It highlights a key reality of today’s world: you need to think about security early. Like Day 2, right after you open your bank account and make your first Staples run. You can use the cloud for a bunch of stuff, but ultimately you need a security strategy both for your product (whatever it is) and your company. – MR
5. Let’s talk about trust: I will be publishing my “Security’s Future” paper next week, and one of the key things I call out is the need for cloud providers to establish trust. We have two great examples of trust failures this week, with both Snapchat (again) and Instagram suffering security malfunctions. With a difference: Snapchat is struggling to manage their security responses, while Instagram (owned by Facebook, BTW) fixed things quickly and paid the discoverer a bug bounty. This is the new normal, folks, and cloud providers need to not only bake in security as best they can, but learn to respond like Facebook/Instagram too – nail issues early and work well with researchers. – RM
6. Proof of concept companies: Normally we provide a detailed writeup when technology vendors in key coverage areas (e.g., WAF, DAM and cloud) go on acquisition sprees like Imperva did last week when they acquired Incapsula and Skyfence in one fell swoop. But these acquisitions are so closely aligned with Imperva’s vision that there was not much to report: both offer SaaS-based security gateways, monitoring and blocking suspicious behavior – albeit for slightly different use cases. In both cases the firms were funded by Imperva’s founder Shlomo Kramer, and Incapsula licensed Imperva’s technology in exchange for an equity stake. It was as if these two firms were externally incubated by Imperva – an astute move in case things did not work out, in which case they wouldn’t have impacted Imperva’s reputation, and the financial cost would have been minimal. But the concepts worked, so once the models were proven they were rolled up into the Imperva stable without much fuss or the typical worries about technology or cultural integration. In the interest of full disclosure, we have been using Incapsula for a number of years here, after Cloudflare failed to offer some of the security features and performance we wanted, and we have been happy with it. Incapsula isn’t the last word in filtering, but it filters out most cruft. – AL