A lot of folks ask me how I work from home. My answer is simple: I don’t. I have a home office, but I do the bulk of my work from a variety of coffee shops in my local area. So I give a few minutes’ thought at night to where I want to work the following day. Sometimes I have a craving for a Willy’s Burrito Bowl, which means I drive 20 minutes to one of their coffee shops in Sandy Springs. Other times I just have to have the salad bar’s chocolate mousse at Jason’s Deli, which means there are three different places that I could work that day. Lunch drives office location. For me, anyway.

Sometimes I don’t have the foggiest idea what I want to eat for lunch, so I get into the car and drive. Sooner or later I end up where I’m supposed to be and then I get to work. Assuming I can get a seat in the coffee shop, that is. Evidently I’m not the only guy who works like a nomad. Sometimes it’s a packed house and I need to move on to Plan B. There is always another coffee shop to carpet bag.

I try not to go to the same coffee shops on the same days or to have any kind of predictable pattern. I usually shrug that off with the excuse that my randomized office location strategy is for operational security. You know, when they come to get me I want to make them work for it. But really it’s because I don’t want to overstay my welcome. I pay $2.50 a day for office space and all the coffee I can drink, because the places I hang out provide free refills. By showing up at a place no more than once a week, I can rationalize that I’m not taking advantage of their hospitality. And yes, analysts have the most highly-functioning rationalization engines of all known species.

I also like to see other people. Notice I said see – not talk to. Big difference. I guess I have a little “I am Legend” fear of being the only person left on Earth, so seeing other folks in the coffee shop allays that fear. Sometimes I see someone I know, and they miss the social cues of me having my earbuds in and not making eye contact. I engage in a short chat because I’m not a total douche. Not always, anyway. As long as it’s not a long chat it’s okay, because I have to get back to my Twitter timeline and whatever drivel I need to write that day.

The other reality of my office space is that I’m far more productive when I’m out of the house. And evidently I’m not alone. It seems that the ambient noise of a coffee shop can boost productivity, unlike the silence of sitting in my home office. There is even a new web site that can provide a soundtrack that sounds like a coffee shop to stir your creativity.

Maybe that works for some night owls, who like to work on the graveyard shift when coffee shops are closed. For me, I’ll head out and find a real coffee shop. With real people for me not to talk to. Speaking of which, must be time for that refill…


Photo credits: Busy Coffeeshop originally uploaded by Kevin Harbor

Upcoming Cloud Security Training

Interested in Cloud Security? Are you in EMEA (or have a ton of frequent flyer miles)? Mike will be teaching the CCSK Training class in Reading UK April 8-10. Sign up now.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Understanding Identity Management for Cloud Services

Newly Published Papers

Incite 4 U

  1. Follow the money to DDoS mitigation: Marcus Carey brings up a couple good questions regarding the screwed-up process to defend against volume-based DDoS. You basically contract with a service provider to take the massive traffic hit. But he correctly observes that’s somewhat stupid, because everyone else upstream needs to accept and transmit the bogus traffic aimed at you. Wouldn’t it be smarter for the closest service provider (the first mile) to block clear DDoS attacks? It would be. But it won’t happen, mostly because there is no way to compensate the first-mile provider for blocking the attack. It would also require advanced signaling to identify attack nodes and tell the upstream provider to block the traffic. To be clear, some consumer ISPs do block devices streaming traffic, but that’s because it’s screwing up their network. Not because they care about the target. As always, follow the money to see whether something will happen or not. In this case, the answer is ‘not’. – MR
  2. Smash ‘em up old school: Our FNG (Gal Shpantzer) and I were talking about the recent malware attacks in South Korea the other day. Unlike most attacks we see these days, these didn’t target data (at least, on the surface), but instead left a trail of destruction. If you think about it, most of our security defenses over the past 10 years were oriented toward preventing data breaches. Before that it was all about stopping massive proliferation of malware and worms. So we have covered destructive attacks and then targeted attacks, but not necessarily both. I don’t expect this to be a big trend – the financial and political economics, meaning the risk of mutually assured destruction, self-limit the number of possible targeted destruction attacks, but I expect to hear more about this in the next couple years. It is a very tough problem, and Gal and I are brewing some research to talk about it. It will be a tasty brew. – RM
  3. Pardon(ing) the audit: Walt Conway always offers constructive insight, and his post on PCI DSS: The Next Generation goes one step further to delve into one of the murkier areas of PCI compliance: EMV. That’s “Europay, MasterCard, and Visa” to the newly initiated, but the acronym also implies a smart chip standard for inclusion into payment cards. The effort has taken hold in most parts of the world to help thwart fraud via counterfeit cards, but it has never taken hold here in the US. Walt accurately notes that EMV helps with authentication but not confidentiality of payment card data. There is the rub – PCI assessors are put into a bad position by the PCI Council, as the PCI Technology Innovation Program eliminates the merchants’ need to validate PCI compliance if 75% or more of their transactions are processed via EMV terminals. Assessors are the ones sitting in front of customers, they and bear the burden of explaining stuff that does not make sense to an already annoyed IT staff. Good times! – AL
  4. APT is marketing: I couldn’t have said it better myself, but the 451 folks did a great job pointing out that APT is a marketing term. And like pretty much all marketing terms it is manipulated, repurposed, and bent to serve vendors’ needs. I personally use the term “Advanced Attacker”, but it’s not really any more concrete. But I prefer to focus on the adversary rather than the attack. Ultimately, like PCI back in the day, APT is driving a wave of security investment as the FUD of being attacked by the Chinese army continues to fund all sorts of technology. And that’s not necessarily a bad thing – as long as the stuff you’re buying helps implement a broader security strategy. Don’t buy a magic box to detect zero-day advanced persistent malware attacks. You have a better chance of clicking to land in Kansas. – MR
  5. Cloudy with a chance of HSM: As I was finishing up my submissions for this week’s Incite, Mr. Mortman dropped the news in our chat room that Amazon is offering HSM as a service in two regions (for now). Under the covers these are SafeNet Hardware Security Modules, accessible directly in your Virtual Private Cloud. Coincidentally, I am scheduled to start a paper on IaaS encryption and key management today, because a few months ago you fine readers voted for that as my next research paper. Amazon’s announcement means you don’t need to buy your own hardware, but you can use your own HSMs or key management tools with your VPC if you prefer. The key thing (get it?) that you will see in the finished blog series (and paper) is that you really want to separate key management from your instances. It is nice to see new options appear. – RM
  6. Cyberdouchery in the (digital) shadows: Digital Shadows CEO Alastair Paterson thinks that ‘cybercriminals’ as ‘casing’ big companies for ‘user names or passwords’, or intelligence on technology that they run which has been leaked to social media, so they can construct an attack. The answer? Big data, of course! Digital Shadows can, through big data analysis, identify “very interesting” buckets of data that may contain sensitive information, which would be useful to attackers. Just ask them. On that note, here is a little news alert of my own: ‘cybercriminals’ already leverage big data to do this: It’s called Google. And that ‘interesting’ data leakage is often sponsored by the corporations these people work for. Corporations tend to get confused and push their employees to engage on Twitter, Facebook, LinkedIn, and other media as free marketing. But this puts personal and corporate personas into a blender set to ‘frappe’. If you want to know if you’re leaking data leverage big data like a champ – Google yourself like the rest of us. – AL
    1. UnfocusedX: The vultures are being a bit more public as they circle Cisco’s security business. This borderline hit piece in NetworkWorld asks all sorts of pointed questions about how dedicated Cisco is to the security business, using a bunch of Gartner research as air cover. And the Cisco folks continue to spin about how important security is and how their SecureX architecture is still where they are going. Uh, okay. I guess I have learned through many many years in this business that talk is cheap. And Cisco talks a lot about how committed they are to security. The last quote by Cisco’s Vice President of Security is the money shot, “Frampton does acknowledge that Cisco could be doing a better job in one area: uniting the security products it has acquired over the years so that they have a more unified policy and management platform. An integrated system, says Frampton, “will happen over the next several years.” And in several years we’ll all be dead. – MR