I’m not sure why I do it, but every year I fill out brackets for the annual NCAA Men’s College basketball tournament. Over all the years I have been doing brackets, I won once. And it wasn’t a huge pool. It was a small pool in my office, when I used to work in an office, so the winnings probably didn’t even amount to a decent dinner at Fuddrucker’s. I won’t add up all my spending or compare against my winning, because I don’t need a PhD in Math to determine that I am way below the waterline.

Like anyone who always questions everything, I should be asking myself why I continue to play. I’m not going to win – I don’t even follow NCAA basketball. I’d have better luck throwing darts at the wall. So clearly it’s not a money-making endeavor.

I guess I could ask the same question about why I sit in front of a Wheel of Fortune slot machine in a casino. Or why I buy PowerBall tickets when the pot goes above $200MM. I understand statistics – I know I’m not going to win slots (over time) or the lottery (ever).

They call the NCAA tournament March Madness – perhaps because most people get mad when their brackets blow up on the second day of the tournament when the team they picked to win it all loses to a 15 seed. Or does that just happen to me? But I wasn’t mad. I laughed because 25% of all brackets had Michigan State winning the tournament. And they were all as busted as mine.

These are rhetorical questions. I play a few NCAA tournament brackets every year because it’s fun. I get to talk smack to college buddies about their idiotic picks. I play the slots because my heart races when I spin the wheel and see if I got 35 points or 1,000. I play the lottery because it gives me a chance to dream. What would I do with $200MM?

I’d do the same thing I’m doing now. I’d write. I’d sit in Starbucks, drink coffee, and people-watch, while pretending to write. I’d speak in front of crowds. I’d explore and travel with my loved ones. I’d still play the brackets, because any excuse to talk smack to my buddies is worth the minimal donation. And I’d still play the lottery. And no, I’m not certifiable. I just know from statistics that I wouldn’t have any less chance to win again just because I won before. Score 1 for Math.


Photo credit: “Now, that is a bracket!” from frankieleon

We’ve published this year’s Securosis Guide to the RSA Conference. It’s our take on the key themes of this year’s conference (which is really a proxy for the industry), as well as deep dives on cloud security, threat protection, and data security. And there is a ton of meme goodness… Check out the blog post or download the guide directly (PDF).

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back.

Securosis Firestarter

Have you checked out our video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Shadow Devices

Building a Vendor IT Risk Management Program

Securing Hadoop

SIEM Kung Fu

Building a Threat Intelligence Program

Recently Published Papers

Incite 4 U

  1. Enough already: Encryption is a safeguard for data. It helps ensure data is used the way its owner intends. We work with a lot of firms – helping them protect data from rogue employees, hackers, malicious government entities, and whoever else may want to misuse their data. We try to avoid touching political topics on this blog, but the current attempt by US Government agencies to paint encryption as a terrorist tool is beyond absurd. They are effectively saying security is a danger, and that has really struck a nerve in the security community. Forget for a minute that the NSA already has all the data that moves on and off your cellphone, and that law enforcement already has the means to access the contents of iPhones without Apple’s assistance. And avoid wallowing in counter-examples where encryption aided freedom, or illustrations of misuse of power to inspire fear in the opposite direction. These arguments devolve into pig-wrestling – only the pig enjoys that sort of thing. As Rich explained in Do We Have a Right To Security?, this is a simple question of whether anyone (companies or individuals) can have security. Currently the US government (at least the executive branch) says ‘No!’ – as does the UK government. – AL
  2. The US blinks… Following up Adrian’s rant above, the US government decided after all that they may not need Apple to open the San Bernadino iPhone after all. Evidently a third party would be happy to sell the US government either an exploit or another means to get access to the locked phone. Duh. Like we didn’t already know that was possible. As many of us argued, this case was much more about establishing a precedent for the FBI than about accessing that specific phone. Now that it looks like an uphill climb to win that motion, it’s time to save face and do what they should have done in the first place. Pay someone to break the phone, if they think it’s that important. We have huge respect for law enforcement and what they do, but we could do with less grandstanding and backdoors. Backdoors are stupid. – MR
  3. Hindsight is 20/20: In the Beretta files goes the case of a Ryan Collins, who was behind the attacks on celebrity iPhones. This is the attacker who stole the pictures. It’s not clear how much he made by selling them, but it was probably not worth the felony violation he will plead to or the associated jail time. They are still looking for the person who actually posted the pictures. But that guy is even dumber – he didn’t make any money, apparently because content wants to be free. All I have to say is: idiots. – MR
  4. Getting chippy: Better than 75% of stores I go into still have tape over their EMV chipped card slots on payment terminals. While it seems merchants are tardy in getting their work done, it’s not always that they are dragging their feet – it may also be the card networks. It appears some merchants who are actively processing EMV cards are getting charged for fraud and chargeback fees because they have yet to complete a certification audit by the card networks. To reverse these charges that supermarket chain filed suit, and is pushing for quick certification. The suit may halt the “liability shift” entirely, which has gotten the card brands’ attention. This entire game of “Pass The Liability” will continue to entertain us until we stop passing credit card numbers around. – AL
  5. Security faith healers: Adam Shostack posted an interesting piece at Dark Reading about how the concepts in The Gluten Lie apply to security. In a nutshell, the health industry has vilified gluten, and besides the people who have legitimate celiac disease, the data doesn’t seem to support the general position that gluten is bad. Adam makes the analogy that telling people to be secure isn’t going to help. Nor is telling them not to do things (like surf pr0n). And folks should drop the fear-based marketing. Yeah, right. A lot of technology marketing is selling snake oil, and it’s as bad in security as anywhere else. But as long as a tactic works (including vilifying gluten to sell more gluten-free stuff) free market economics say that that tactic will continue to be used. Go figure. – MR