Do you ever stumble upon a show from the old days, perhaps on Boomerang or TVLand, where the doting wife meets the hubby as he comes home from work? It’s just like my deal. I come home from that tough day writing at Starbucks and the Boss is waiting with my smoking jacket, pipe, and slippers, and the trusty glass of brandy to take the edge off a tough day. And then I wake up.

What about those scenes where the entire family sits down to dinner and discusses current events? We don’t either. When I come home has more to do with which kid needs to be shuttled to which activity. The Boss has to ride herd on play dates, homework, and all those other balls she keeps in the air every day. We have sit down dinners a few times a month, usually when we go out to dinner as a family. But most of the time we don’t have time to breathe until the kids are in bed, numbing the pain with some inane show on TV.

For years we had a great couch we bought from Crate and Barrel. It wasn’t cheap, but it lasted for 10 years. Maybe more. It held up well, but it wasn’t new and we didn’t worry about eating on it. So we’d park on the couch, eat our dinner, talk, and wind down from the day. I know she wanted a new couch, but the old one was fine, so I was pretty resistant to dropping a bunch of coin for something I didn’t think we really needed.

But then my overly generous in-laws decided they can’t take it with them, so they gave us a new couch. It was a floor model, and we got a great deal on it. I’m not one to be ungrateful so I said thank you and moved on. Of course, the Boss was very happy, so it was all good. Until I got home. At that point I was suddenly transported back into the 50s, when we had a virtual sheet of plastic wrap on the couch. Not literally a cover like your grandparents had on their couches, but it might as well have been.

I mean, we couldn’t get close to the couch. I was kind of scared to sit on it unless I had just jumped out of the shower. The kids had to change their clothes if they were outside and wanted to sit down. Eating on the new couch? No chance. So we set up some other chairs in front of the couch, so we could still eat in the family room, but the priority was protecting the sanctity of our virginal couch. But we still had to deal with the elephant in the (family) room. That was our annual Super Bowl party. We host about 100 folks on my favorite day of the year. They eat pizza and wings and buffalo chicken dip and all sorts of other things that don’t look very good when spilled on your couch. It was quite a problem, and the Boss even threatened to cancel the party.

But as my stepfather says, if it’s a problem that can be solved with money it’s not really a problem. So we went over to the store and bought about 8 huge cushy throw blankets and wrapped the couch from top to bottom. OK, it’s not plastic wrap, but it worked. No spills on the couch. The Giants won, and a good time was had by all, especially me. But Lord knows I wasn’t drinking my Guinness on the new couch. I was willing to take the chance of someone spilling something, so long as it wasn’t me.

Photo credits: “frakkin’ plastic!” originally uploaded by wotthe7734

Heavy Research

After a bit of a hiatus from blogging we are back at it. The Heavy Research feed is hopping, and here are a couple of links to our latest stuff. So check them out and (as always) let us know what you think via comments.

You can get our Heavy Feed via RSS, where you can access all our content in its unabridged glory.

Incite 4 U

  1. Yamatough lost the negotiating handbook… I won’t say the T word but the rules are the same. Did Symantec really think it would end well when they tried to buy back the source code to Norton and pcAnywhere? They really didn’t think the emails would end up on Pastebin? That email thread is actually quite entertaining – the funniest part is Symantec’s condition that yamatough lie about the hack of the source code. And then SYMC wants to put them on a payment plan. Totally ridiculous. I get they wanted to protect customers – code for minimizing a PR fiasco. But they should have come clean immediately, fixed whatever the issue was, and moved on. I don’t think these folks follow the Negotiating 101 handbook. – MR
  2. Security Bowl: Last Sunday’s Super Bowl was a heck of a good game. I’m just sad I had to turn the TV off after the first quarter, record it on the TiVo, and then watch it later mostly in fast forward mode thanks to both kids melting down. Many years ago I had the chance to go work physical security for the game (I was a local supervisor for the company that handles it), but I had to turn it down because it would have meant missing the beginning of the school semester. Needless to say, back then security sure wasn’t as high tech as it is today. But I have gotten to work on response teams at a couple of National Security Special Events, and the biggest change I have noticed is the increased use of the Incident Command System and improved intelligence and communications. During my last event we had a website with text feeds from all the agencies involved. In the past we had to listen to radio scanners to get an idea of what others were up to. Pretty cool. – RM
  3. The Path to Insecurity: Good post by Arun Thampi on how he discovered the Path iPhone app siphoned off his entire address book without permission and uploaded all his contacts to their servers. What they are doing with the data is unknown, but this shows clearly how easy it is to capture and move data from an app to the cloud. Just about any data on a mobile device is potentially available to the app developers – your privacy is in their hands. The iOS security model is really good, but that doesn’t mean it’s perfect, or that developers won’t abuse their users’ devices. The problem with most apps is validating the vendor’s security claims. Without the source code it’s difficult for security professionals to determine exactly what a mobile app is doing. If you are really interested you need to monitor network communications and use a development license to monitor apps, while also reverse engineering functions. The average user has no idea what’s going on inside their phone, or the impact of downloading that must-have app. An even bigger issue is collusion between two (or more) mobile apps as a way to bypass certain user and platform security controls. What can you do about it? Not much. If your app developer decides to pwn you, they will. What was it that McNealy said about privacy? – AL
  4. You can’t outsource thinking: With all the outsourcing happening in security we need constant reminders that someone on the payroll of the enterprise must be accountable for data protection and security. You can’t outsource accountability, and as Gunnar points out in this great piece, you still need to think. Even with the best metrics program you can never have 100% of the answer to anything. You get paid the big bucks for using your experience and judgement to figure out what the best choice is to achieve your mission. No vendor has a silver bullet to sell you. There is no security pixie dust. There are just educated guesses and damage control. If you want to do security as a career you had better become familiar with both disciplines. – MR
  5. Are you (risk) literate?: I will admit that I never took a college class on statistics. I made it through calculus and calc-based physics but math was never my strong suit. I did complete most of a degree in molecular biology on top of my full history degree, but that’s still only really basic math. But unlike a lot of people I fully recognize the importance of math and the role it can play in decision-making – both overt and otherwise. So I highly recommend you try the 3-minute Risk Literacy test (apologies for forgetting who tweeted it). It took me less than 3 minutes and I think it does a good job of quickly assessing your ability to evaluate probabilities. Our entire profession is about risk, so we all need at least a basic understanding of the math behind it. And hey, I kind of liked seeing the sentence, “Technically, relative to the general population, you are among the most statistically literate in the world.” I’d frame it and hang it in my office, but my risk literacy tells me that would assure an ass-beating and a pwning from someone. – RM
  6. Rewriting the rules of segmentation (in the cloud): Let’s play the cloud fortune cookie game. Whatever you say, finish it with in the cloud. It’s pretty funny, right? So Mort calls bunk on the term DMZ as we move to the public cloud. Can’t disagree with that, but the point here is actually bigger. What we used to think about as secure network architecture kind of goes away in a cloud context. If there is no DMZ, how do you enforce segmentation on stuff like PCI data? Security groups? Will your PCI assessor sign off on that? We need to rethink network architecture in the cloud, especially as we need to support hybrid environments for the foreseeable future. I’m not saying I have an answer today, and if you paid attention to some of the chatter about Nicira over the last few days there are lots of folks looking to define how cloud networking will work – including the virtualization infrastructure folks. Interesting times, and network security folks need to start paying attention. – MR
  7. Defensive Security: Configuration management is difficult. Patch management is painful. Reviewing logs is tedious, and reviewing user permission mappings across an entire organization will make you want to burn your eyes out with a flaming stick. And this is what many have come to think of when they hear about “Defensive Security”. But Brad Arkin of Adobe is proposing a Defensive Approach In Security Research to raise the cost to an attacker of writing an exploit – or at least working exploits. ASLR – basically randomizing memory addresses – is one example. Or communications protocols designed so the client side of the connection is computationally expensive, in order to thwart DDoS attacks. This is a very interesting field of study with lots of practical solutions to security problems. The most successful deflection techniques are not specific to any one type of attack – instead they are the ones that come bundled in development tools. That’s right – the ones that are easy to use and readily available. As with most secure development efforts, developers either don’t think about deflection techniques during design, or don’t have time to implement them, due to other priorities. ASLR is very effective and widely available for many operating systems, but usage is still pretty low, which is a shame. This is a field of security science where the big platform developers like Adobe, Apple, and Microsoft can give back to the community and make security for everyone better. – AL
  8. The real objective behind magic charts: Wendy talks a bit here about magic charts, from brand-name analyst groups, but using the pithy term Analyst Geometries. One of her points is that there is very little precision behind where companies end up on the chart, and Lord knows vendors get very bent out of shape about every millimeter between them and their competition. I have been in meetings with CEOs who literally got out a ruler to measure where the dots were. What they forgot about is the two camps of users, and how they leverage these magic charts. The first bucket is the smart ones. They know what they want to buy and when the chart validates that decision they use it. When it doesn’t they do a phone inquiry with the analyst and get him or her to back their decision in their particular context. The other camp is the fat, dumb and/or lazy. They use the chart to do their work because it’s easier than thinking. They shortlist all the vendors in the upper right, pick one based on how many ballgames they can finagle from the MDF funds, and blame the reseller when the project goes south. So it doesn’t matter where in the upper right you are – just that you are there. – MR
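Item 7 above mentions protocols designed so the client side of a connection is computationally expensive, as a way to blunt DDoS. The following is an added illustration of that idea, not code from this post or from Adobe’s research: a client-puzzle exchange in which the server issues a cheap, HMAC-bound challenge and the client must find a counter whose SHA-256 digest starts with a given number of zero bits. The secret, difficulty, and expiry window are constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Client puzzle (constructed example): the server spends one HMAC and one
# SHA-256 per client; the client spends roughly 2**bits SHA-256 calls.
SERVER_SECRET = os.urandom(32)   # server-only key; lets it verify without storing state
MAX_AGE_SECONDS = 30             # challenges older than this are rejected

def _mac(secret, nonce, client_id, issued, bits):
    msg = nonce + client_id.encode() + issued.to_bytes(8, "big") + bytes([bits])
    return hmac.new(secret, msg, hashlib.sha256).digest()

def make_challenge(client_id, bits, secret=SERVER_SECRET, now=None):
    """Server side: issue a challenge bound to the client and to the issue time."""
    issued = int(time.time()) if now is None else now
    nonce = os.urandom(16)
    return {"nonce": nonce, "client_id": client_id, "issued": issued, "bits": bits,
            "mac": _mac(secret, nonce, client_id, issued, bits)}

def _has_leading_zero_bits(digest, bits):
    return int.from_bytes(digest, "big") >> (len(digest) * 8 - bits) == 0

def _work(ch, counter):
    # The MAC is hashed in too, so a solution only counts for this exact challenge.
    data = ch["nonce"] + ch["client_id"].encode() + ch["mac"] + counter.to_bytes(8, "big")
    return hashlib.sha256(data).digest()

def solve_puzzle(ch, limit=1 << 24):
    """Client side: the expensive part, brute-forcing a counter."""
    for counter in range(limit):
        if _has_leading_zero_bits(_work(ch, counter), ch["bits"]):
            return counter
    raise RuntimeError("no solution found within limit")

def verify_solution(ch, counter, secret=SERVER_SECRET, now=None):
    """Server side: constant cost regardless of difficulty; rejects forged or stale challenges."""
    expected = _mac(secret, ch["nonce"], ch["client_id"], ch["issued"], ch["bits"])
    if not hmac.compare_digest(expected, ch["mac"]):
        return False                 # challenge was altered or never issued by this server
    current = int(time.time()) if now is None else now
    if current - ch["issued"] > MAX_AGE_SECONDS:
        return False                 # stale; a seen-set is still needed to stop replay inside the window
    return _has_leading_zero_bits(_work(ch, counter), ch["bits"])
```

Raising `bits` by one doubles the client’s expected work while the server’s cost stays flat, which is the asymmetry the passage describes.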