It was a crummy winter. Cold. Snowy. Whiplash temperature swings. Over the past few weeks, when ATL finally seemed to warm up for spring (and I was actually in town), I rejoiced. One of the advantages of living a bit south is the temperate weather from mid-February to late November.

But there is a downside. The springtime blooming of the flowers and trees is beautiful, and brings the onslaught of pollen. For a couple weeks in the spring, everything is literally green. It makes no difference what color your car is – if it’s outside for a few minutes it’s green. Things you leave outside (like your deck furniture and grill), green. Toys and balls the kids forget to put back in the garage when they are done. Yup, those are green too. And not a nice green, but a fluorescent type green that reminds you breathing will be a challenge for a few weeks.


Every so often we get some rain to wash the pollen away. And the streams and puddles run green. It’s pretty nasty.

Thankfully I don’t have bad allergies, but for those few weeks even I get some sniffles and itchy eyes. But XX2 has allergies, bad. It’s hard for her to function during the pollen season. Her eyes are puffy (and last year swelled almost shut). She can’t really breathe. She’s hemorrhaging mucus; we can’t seem to send her to school with enough Sudafed, eye drops, and tissues to make it even barely comfortable.

It’s brutal for her. But she’s a trooper. And for the most part she doesn’t play outside (no recess, phys ed, and limited sports activities) until the pollen is mostly gone. Unless she does. Last night, when we were celebrating Passover with a bunch of friends, we lost track of XX2. With 20+ kids at Seder that was easy enough to do. When it was time to leave we found her outside, and she had been playing for close to an hour. Yeah, it rained yesterday and gave her a temporary respite from the pollen. But that lulled her into a false sense of security.

So when she started complaining about her eyes itching a bit and wanted some Benadryl to get to sleep, we didn’t want to hear about it. Yes, it’s hard seeing your child uncomfortable. It’s also brutal to have her wake you up in the middle of the night if she can’t breathe and can’t get back to sleep. But we make it clear to all the kids that they have the leeway to make choices for themselves. With that responsibility, they need to live with the consequences of their choices. Even when those consequences are difficult for all of us.

But this will pass soon enough. The pollen will be gone and XX2 will be back outside playing every day. Which means she’ll need to learn the same lesson during next year’s pollen onslaught. Wash, rinse, repeat. It’s just another day in the parenting life.


Photo credit: “I Heart Pollen!” originally uploaded by Brooke Novak

See Mike Speak

Mike will be moderating a webcast this coming Thursday at 2pm ET, discussing how to Combat the Next Generation of Advanced Malware with folks from Critical Assets and WatchGuard. Register here:

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and... hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

2014 RSA Conference Guide

In case any of you missed it, we published our fifth RSA Conference Guide. Yes, we do mention the conference a bit, but it’s really our ideas about how security will shake out in 2014. You can get the full guide with all the memes you can eat.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Understanding Role-based Access Control

NoSQL Security 2.0

Defending Against Network Distributed Denial of Service Attacks

Advanced Endpoint and Server Protection

Newly Published Papers

Incite 4 U

  1. Traitors are the new whistleblowers: A good thought-provoking post by Justine Aitel on how security needs to change and evolve, given some of the architectural and social disruptions impacting technology. She makes a bunch of points about how the cloud and the “compete now/share first/think later” mentality impacts risk. It comes back to some tried and true tactics folks have been talking about for years (yes, Pragmatic CSO reference). Things like communications and getting senior folks on board with the risks they are taking – and ignorance is no excuse. She also makes good points about new roles as these changes take root, and that’s where the traitors and whistleblowers in the title come from. Overall her conclusion, “This game is no longer just for us nerds,” rings true. But that’s not new. Security has been the purview of business folks for years. It’s just that now the stakes are higher. – MR
  2. A glimpse of DBSec’s future: From a database design perspective, the way Facebook is customizing databases to meet their performance needs is a fascinating look at what’s possible with modular, open source NoSQL platforms. Facebook’s goals are performance related, but these approaches can also be leveraged for security. For example, you can implement tokenization or encryption where FB leveraged compression. And the same way Facebook swapped Corona for Hadoop’s job manager, you could implement identity controls prior to resource grants from the cluster manager. You can install what you want – most anything is possible here! Security can be woven into the platform, without being beholden to platform vendors to design and develop the security model. Granted, most customers want someone else to provide off-the-shelf security solutions, but their modular approach to Hadoop nicely illustrates what is possible. – AL
  3. ‘Marketing’ attacks: The Kalzumeus blog has a really interesting point about how the stickiness of any attack tends to be based on how it is merchandised. Remember Melissa? Or the I Love You virus? Or SQL Slammer? Of course you do – these high-profile attacks got a ton of press coverage and had catchy names. The Heartbleed name and logo were genius. Yes, it is a big issue and worthy of note and remembrance. But will we really remember Kaminsky’s DNS discovery years from now? I probably will because I am a security historian of sorts, but you might not – it doesn’t have a cool name. As an industry we pooh-pooh marketing, but it is integral to many things. But only if you want them to be memorable and drive action. – MR
  4. Helpful ignorance: The question “Why should passwords be encrypted if they’re stored in a secure database?” makes security professionals go into uncontrollable spasms, but it is a good question! For those new to security, the implicit assumptions underscore areas they don’t understand, and which pieces they need to be educated on. There is no single answer to this question, but “Secured from what?” is a good starting point. Is it secured from malicious DBAs? SQL injection? Direct file examination? The point here is to open a dialog to educate DBAs – and application developers, for that matter – to other types of threats not directly addressed by passwords, user roles, and encrypted backup tapes. – AL
  5. You can’t fight city hall: Actually you can, but it probably won’t work out very well. Case in point: Barrett Brown of alleged Anon and Stratfor hack fame. He recently agreed to a sealed plea bargain for being an accessory after the fact on posting the credit card numbers (and other stuff). What he pled to wasn’t even part of the original indictment, and he has already done 2 years in custody. With today’s forensicators and their ability to parse digital trails, it is really hard to get away with hacking. At least over a sustained period of time, and at some point the authorities (or Krebs – whoever gets there first) will find you with a smoking digital gun. So what to do? I know it sounds novel, but try to do the right thing – don’t steal folks’ stuff or be a schmuck. – MR
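To make item 4’s “Secured from what?” concrete, here is an added example (not from the Securosis post or any product it mentions) that assumes a hypothetical in-memory SQLite user table with constructed accounts: the database’s access controls are the “secure database,” and a salted PBKDF2 hash is what still protects the password once a malicious DBA, a SQL injection, or a copied data file gets past them. The iteration count is an assumed work factor, not a value from the post.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumed PBKDF2-HMAC-SHA256 work factor; tune to your hardware budget.
ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex' for storage.

    A fresh random salt per user means two users with the same password
    get different stored values, so a dumped table cannot be attacked in bulk.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iterations; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def build_store(users):
    """Create the hypothetical users table; only salted hashes are written."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(n, hash_password(p)) for n, p in users.items()])
    return conn


def dump_table(conn):
    """What a malicious DBA, SQLi, or raw-file read sees: no plaintext."""
    return conn.execute("SELECT name, pw_hash FROM users").fetchall()


def login(conn, name, password):
    """Normal application path: look up the row and verify the candidate."""
    row = conn.execute("SELECT pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    return row is not None and verify_password(password, row[0])


if __name__ == "__main__":
    db = build_store({"alice": "correct horse", "bob": "hunter2"})  # constructed
    for name, stored in dump_table(db):
        print(name, stored[:40] + "...")        # the dump leaks no passwords
    print(login(db, "alice", "correct horse"))  # True
    print(login(db, "alice", "hunter2"))        # False
```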