The Boss and I don’t get out to see movies too often. At least for the last 12 years or so. It was hard to justify paying a babysitter for two extra hours so we could go see a movie. Quick dinner? Sure. Party with friends, absolutely. But a movie, not so much. We’d wait until Grandma came to visit, and then we’d do things like see movies and have date nights. But I’m happy to say that’s changing.

You see, XX1 is now 12, which means she can babysit for the twins. We sent her to a day-long class on babysitting, where she learned some dispute resolution skills, some minor first aid, and the importance of calling an adult quickly if something goes south. We let her go on her maiden voyage New Year’s Eve. We went to a party about 10 minutes from the house. Worst case we could get home quickly. But no worries – everything went well. Our next outing was a quick dinner with some friends very close to the house. Again, no incidents at all. We were ready to make the next jump. That’s right, time for movie night!

We have the typical discussions with XX1 about her job responsibilities. She is constantly negotiating for more pay (wonder where she got that?), but she is unbelievably responsible. We set a time when we want the twins in bed, and she sends us a text when they are in bed. The twins respect her authority when she’s in the babysitting mode, and she takes it seriously. It’s pretty impressive.

Best of all, the twins get excited when XX1 is babysitting. Maybe it’s because they can watch bad TV all night. Or bang away on their iTouches. But more likely it’s because they feel safe and can hang out and have a good time with their siblings. For those of you (like me), who grew up in a constant state of battle with your siblings, it’s kind of novel. We usually have to set up an Aerobed over the weekend, so all three kids can pile into the same room for a sleepover. They enjoy spending time together. Go figure.

Sure it’s great to be able to go out and not worry about having to pay a babysitter some ungodly amount, which compounds the ungodly amount you need to pay to enjoy Hollywood’s finest nowadays. But it’s even better to know that our kids will only grow closer through the rest of their lives. As my brother says, “You can pick your friends, but you can’t pick your family!” I’m just glad my kids seem to be okay with the family they have.


Photo credits: Bad babysitter originally uploaded by PungoM

Heavy Research

We’re back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Network-based Threat Intelligence

Understanding Identity Management for Cloud Services

Newly Published Papers

Incite 4 U

  1. We are all next: I may have been a little harsh in my post on the Bit9 hack: Karma is a Bit9h, but the key point is that all security vendors need to consider themselves high value targets. I wouldn’t be surprised if lot more get compromised and (attempt to) cover it up. There isn’t any schadenfreude here – I derive no pleasure from someone being hacked, no matter how snarky I seem sometimes. I also assume that it is only a matter of time until I get hacked, so I try to avoid discussing these issues from a false position of superiority. Wendy Nather provides an excellent reminder that defense is damn hard, with too many variables for anyone to completely control. In her words: “So if you’re one of the ones scolding a breach victim, you’re just displaying your own ignorance of the reality of security in front of those who know better. Think about that for a while, before you’re tempted to pile on.” Amen to that. – RM
  2. Swing and a miss: Managing database accounts to deny attackers easy access is a hassle – as pointed out by Paul Roberts in his post on Building and Maintaining Database Access Control Permissions. But the ‘headaches’ are not just due to default packages and allowing public access – these issues are actually fairly easy to detect and fix before putting a database server into production. More serious are user permissions within enterprise applications which have thousands of users assigned multiple roles. In these cases finding an over-subscribed user is like finding the proverbial “needle in a haystack”. The use of generic “service accounts” shared by multiple users – make it much harder to detect misuse, and if spotted to figure out who the real perpetrator is. Perhaps the most difficult problem is segregation of database administrative duties, where common tasks should be split up, at the expense of making administrators’ jobs far more complex – annoying and time-consuming. Admins are the ones who set these roles up, and they don’t want make their daily work harder. Validating good security requires someone with access and knowhow. Database operations are more difficult that database setup, which is why monitoring and periodic assessments are necessary to ensure security. – AL
  3. First things first: Wim Remes wrote an interesting post about getting value from a SIEM investment, Your network may not be what is SIEMs. Wim’s point is that you can get value from the SIEM, even if it’s horribly delayed and over budget (as so many are), but without a few key things in place initially, you would just be wasting your time. You need to know what’s important in your environment and the activity and traffic dynamics of those devices (baselining of a kind). Amen to that. I’d push Wim’s points a bit further – it’s not the security practitioner’s role to figure out what’s important. He/she needs to get out and learn from business leaders what is important, and then design the control set accordingly. We are big fans of monitoring – more data is better than less data. But without basic processes in place to analyze the data, and more importantly to address the problems you find, any monitoring investment is a waste. Wim is right on the money there. – MR
  4. Statistics never lie: There’s nothing like an infosec story that really lays the numbers on thick. This week’s offender is the many reports on Chinese malware infection rates. It’s not so much that I’m super skeptical whenever a product company comes out with numbers that support their point of view. No, seriously, I’m completely ok with self-serving blood-on-the-wall reports. Seriously! It’s much more that finding the story buried in the noise of useless statistics is difficult. We’ve been told over and over about how China is hacking our everything – perhaps it’s much more simply that China is where you go if you want to lay your grubby little paws on a modest botnet from which to launch all of your attacks. Isn’t the real story here that we’ve created an incredibly complex machine and we’re past the point of meaningfully understanding it and being able to properly attribute an attack? Nah, I suppose not. Silly me. – JA
  5. No surprises: Robert Lemos says Software Vulnerabilities Rise Again After 5-Year Decline. What he means is that discovered software vulnerabilities are on the rise for the first time in 5 years. These vulnerabilities have been sitting in the code for years, with some weaknesses having been theorized over the last decade, so it’s not like these flaws were just checked into the source. The issue is that attackers have changed from targeting all things Microsoft to shiny ‘new’ applications like Java and Flash, and are digging up a veritable greenfield of unfixed (and previously unreported) problems. If we fix or get rid of these platforms, next year it will be… whatever comes next. The point is that the pile of insecure code is already there – it has always been there. So how does this distinction help you? You may want to do some preventative maintenance with static analysis and some better input validation testing – especially if it’s your code you are worried about. Otherwise carry on as you were, and do your best to act surprised when the next burst of vulnerabilities shows up. – AL
  6. Selling out: We are in a very odd global situation right now. This is one of the first cases in the history of warfare where governments are incented to leave their populace at risk in order to maintain offensive capabilities. Not merely at risk from foreign governments, but from common criminals. Governments need software bugs to build their cyberweapons, and patching these bugs degrades cyberweapons and goveronments’ capabilities. The problem is that, unlike chemical weapons and guns, there is nothing to say a bug won’t be used by someone else. And paying a lot for these bugs on a open market, as so well documented by NPR, decreases the odds of independently discovered bugs being publicly reported, and increases their chances of ending up in the hands of more serious “bad guys”. I highly expect to see regulation here within the next 2-3 years. – RM
  7. Kill the head (and two grow back): On the week of Gregg Williams’ (of the famous “kill the head” locker room speech) reinstatement into the NFL, the idea of taking down botnets is notably similar. You need to kill the head, as Microsoft and Symantec partnered to do with the Bamital botnet. Hard to believe, but the bot masters were clearing north of $1MM per month by redirecting unsuspecting devices to their search pages. But the issue is that it took them almost 2 years to track down the servers really running the botnet, and killing Bamital just created a vacuum for another botnet to fill. Like one of those weird monster movies, where you cut off one of the Hydra’s heads, and two more grow back. Fortunately that doesn’t mean Microsoft and Symantec’s significant investment and work to partner with law enforcement isn’t worthwhile. It is but these are only temporary setbacks for the attackers, who have a resilient system that many F1000 enterprises could learn from. – MR