There is no easy way to say this. I violated a vow I made years ago. It wasn’t a spur of the moment thing. I have been considering how to do it, without feeling too badly, for a few weeks. The facts are the facts. No use trying to obscure my transgression. I cheated. If I’m being honest, after it happened I didn’t feel bad. Not for long anyway.


This past weekend, I ate both steak and bacon. After deciding to stop eating meat and chicken almost 6 years ago. Of course there is a story behind it. Basically I was in NYC celebrating a close friend’s 45th birthday and we were going to Peter Luger’s famous steakhouse. Fish isn’t really an option, and the birthday boy hadn’t eaten any red meat for over 20 years. Another guy in the party has never eaten bacon. Never! So we made a pact. We would all eat the steak and bacon. And we would enjoy it.

It was a one night stand. I knew it would be – it meant nothing to me. I have to say the steak was good. The bacon was too. But it wasn’t that good. I enjoyed it, but I realized I don’t miss it. It didn’t fulfill me in any way. And if I couldn’t get excited about a Peter Luger steak, there isn’t much chance of me going back to my carnivorous ways.

Even better, my stomach was okay. I was nervously awaiting the explosive alimentary fallout that goes along with eating something like a steak after 6 years. The familiar indigestion during the night did come back, which was kind of annoying – that has been largely absent for the past 6 years – but I felt good. I didn’t cramp, nor did I have to make hourly trips to the loo. Yes, that’s too much information, but I guess my iron stomach hasn’t lost it.

To be candid, the meat was the least of my problems over the weekend. It was the Vitamin G and the Saturday afternoon visit to McSorley’s Old Ale House that did the damage. My liver ran a marathon over the weekend. One of our group estimated we might each have put down 2 gallons of beer on Saturday. That may be an exaggeration, but it may not be. I have no way to tell.

And that’s the way it should be on Boys’ Weekend. Now I get to start counting days not eating meat again. I’m up to 5 days and I think I’ll be faithful for a while…


Photo credit: “NoHo Arts District 052309” originally uploaded by vmiramontes

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

2014 RSA Conference Guide

In case any of you missed it, we published our fifth RSA Conference Guide. Yes, we do mention the conference a bit, but it’s really our ideas about how security will shake out in 2014. You can get the full guide with all the memes you can eat.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Defending Against Network Distributed Denial of Service Attacks

Advanced Endpoint and Server Protection

Newly Published Papers

Incite 4 U

  1. Palo Alto Does Endpoints: It was only a matter of time. After the big FireEye/Mandiant deal and Bit9/Carbon Black, Palo Alto Networks needed to respond. So they bought a small Israeli start-up named Cyvera for $200 million! And I thought valuations were only nutty in the consumer Internet market. Not so much. Although no company can really have a comprehensive advanced malware story without technology on the network and endpoints. So PANW made the move, and now they need to figure out how to sell endpoint agents, which are a little bit different than boxes in the perimeter… – MR
  2. Payment Tokenization Evolution: EMVCo – the Visa, Mastercard, and Europay ‘standards’ organization – has released the technical architecture for a proposed Payment Tokenisation Specification, which will alter payment security around the globe over the coming years. The framework is flexible enough to both enable Near Field Communication (NFC, aka mobile payments) and help combat Card Not Present fraud – the two publicly cited reasons for the card brands to create a tokenization standard in parallel with promotion of EMV-style “smart cards” in the US. The huge jump in recent transactional fraud rates demands some response, and this looks like a good step forward. The specification does not supersede use of credit card numbers (PAN) for payment yet, but would enable merchants to support either PAN or tokens for payment. And this would be done either through NFC – replacing a credit card with a mobile device – or via wallet software (either a mobile or desktop application). For those of you interested in the more technical side of the solution, download the paper and look at the token format! They basically create a unique digital certificate for each transaction, which embeds merchant and payment network data, and wrap it with a signature. And somewhere in the back office the payment gateways/acquirer (merchant bank) or a third-party service will manage a token vault. More to come – this warrants detailed posts. – AL
  3. Vultures are going to vulture: I’m not surprised that Trustwave is being sued as part of the Target breach. Class-action vultures (lawyers) see a company with money, so they sue. It’s the American way. Of course, the assessment contract removes much of the liability in what the customer actually does, but it’s an excuse to try for shakedown money. It would be really disappointing to see anyone settle in this kind of nonsensical case – setting an absolutely horrible precedent regarding liability for auditors/assessors. If there was truly malfeasance, that might be exposed during discovery, and that would be good to know. But pinning the Target breach on a PCI assessor would be ridiculous. – MR
  4. Password Hashing Competition: Most people know hashing as a means of validating someone’s password without actually storing the original value. To a developer, hashing algorithms are a handy way to ‘fingerprint’ an object, allowing quick verification of whether an object is still in its original state or has been tampered with. But hash algorithms, as noted by Thomas Ptacek, are often employed incorrectly. Still, they remain a core cryptographic tool in the security toolbox. As we get better at breaking stuff, and computational power continues to double every couple of years, it is good that a new password hashing competition is under way, with submissions due at the end of the month. If you think you have the math and coding chops, get your submission in! This is community innovation that both makes and breaks security, so give it a try, and maybe they’ll name a standard after you. – AL
  5. The Power of Change: Wendy kills it on her personal blog with her Power of Change post. Her point is that security is all about detecting and controlling change. Of course that is easier said than done, especially with the disruption we are seeing all over the security stack. But she is right on the money. If it is too hard to detect and manage change, you won’t. Until you need to, or perhaps your successor. She closes by pointing out that you don’t need to spend a lot of money to get a handle on change. It is about “knowing what your systems, applications and users are supposed to do,” and then looking for cases when they are doing otherwise. That is also a good metaphor for life, but that’s another story for another day. – MR
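To make the tokenization architecture in item 2 concrete, here is a small added example (not code from the original post and not the EMVCo token format, which you should read in the spec itself). It assumes a hypothetical token service with a back-office vault mapping opaque tokens to the real PAN, a per-transaction token that embeds merchant and payment network data, and an HMAC-SHA256 tag standing in for the certificate-and-signature wrapping the item describes. The point it shows is the Card Not Present angle: a token captured at one merchant is useless at another, because the signature binds merchant and transaction.

```python
"""Toy payment tokenization: vault + signed per-transaction token.

Simplifications (assumptions, not the EMVCo design): the vault is a dict, the
signature is HMAC-SHA256 under a single token-service key, and the token is a
random hex surrogate rather than a format-preserving one.
"""
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Hypothetical signing key held by the token service provider in the back office.
TSP_KEY = b"demo-token-service-key-do-not-reuse"


class TokenVault:
    """Back-office vault: the only place the real PAN lives."""

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        # Opaque surrogate; nothing about the PAN is derivable from it.
        token = secrets.token_hex(8)
        self._vault[token] = pan
        return token

    def detokenize(self, token: str) -> Optional[str]:
        return self._vault.get(token)


def _sign(payload: dict) -> str:
    # Canonical JSON so the same fields always produce the same bytes.
    msg = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(TSP_KEY, msg, hashlib.sha256).hexdigest()


def issue_transaction_token(token: str, merchant_id: str, network: str, tx_id: str) -> dict:
    """Bind a vault token to one merchant, one network and one transaction, then sign it.

    This is the stand-in for the per-transaction 'certificate' the item describes.
    """
    payload = {"token": token, "merchant": merchant_id, "network": network, "tx": tx_id}
    return {"payload": payload, "sig": _sign(payload)}


def verify_and_resolve(vault: TokenVault, tx_token: dict,
                       presenting_merchant: str, expected_tx: str) -> Optional[str]:
    """Acquirer-side check: valid signature, right merchant, right transaction, then detokenize."""
    payload = tx_token.get("payload", {})
    sig = tx_token.get("sig", "")
    if not hmac.compare_digest(_sign(payload), sig):
        return None  # tampered or forged
    if payload.get("merchant") != presenting_merchant or payload.get("tx") != expected_tx:
        return None  # replayed at another merchant, or for another transaction
    return vault.detokenize(payload["token"])


if __name__ == "__main__":
    # Constructed sample data: a test PAN, two merchants, one transaction.
    vault = TokenVault()
    tok = vault.tokenize("4111111111111111")
    tx = issue_transaction_token(tok, "merchant-A", "VISA", "tx-0001")
    print("merchant-A resolves:", verify_and_resolve(vault, tx, "merchant-A", "tx-0001"))
    print("merchant-B replay:", verify_and_resolve(vault, tx, "merchant-B", "tx-0001"))
```

Run it and the first line prints the PAN (the acquirer can settle), while the replay at merchant-B prints None. The same check also rejects a token whose payload has been edited to name a different merchant, because the HMAC no longer matches.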
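Item 4 says hash algorithms are often employed incorrectly for passwords. The added example below (mine, not from the original post or the competition) shows the usual mistake beside the standard-library alternative: an unsalted single SHA-256 lets one precomputed table crack every user at once, while a salted, iterated PBKDF2-HMAC-SHA256 makes each guess cost real work and each user a separate job. The iteration count is an assumed starting value; it is the knob you turn up as hardware gets faster, which is exactly the pressure the competition is responding to.

```python
"""Naive versus salted-and-iterated password hashing, standard library only."""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

ITERATIONS = 200_000  # assumed work factor; tune to your hardware and raise over time
ALGO = "pbkdf2_sha256"


def naive_hash(password: str) -> str:
    """The wrong way: fast, unsalted, identical passwords give identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_with_table(stored_hashes: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Precomputed-table attack on naive hashes: build the table once, match all users."""
    table = {naive_hash(w): w for w in wordlist}
    return {h: table[h] for h in stored_hashes if h in table}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash in a self-describing 'algo$iters$salt$dk' string."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt defeats shared tables
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed sample data: two users, one common wordlist.
    users = {"alice": "letmein", "bob": "password123"}
    wordlist = ["123456", "letmein", "password123", "qwerty"]
    naive_store = {u: naive_hash(p) for u, p in users.items()}
    print("naive cracked:", crack_with_table(naive_store.values(), wordlist))
    safe_store = {u: hash_password(p) for u, p in users.items()}
    print("bob verifies:", verify_password("password123", safe_store["bob"]))
    print("wrong password:", verify_password("password124", safe_store["bob"]))
```

The self-describing storage format matters for the same reason the competition does: when a stronger function or a higher work factor arrives, you can verify old records with their recorded parameters and re-hash on the next successful login, instead of forcing a reset for everyone.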