There are things you just can’t explain. No amount of dogma, perceived slights, or anything can excuse a senseless act of violence on unsuspecting, innocent people. Yes, I’m talking about the Boston Marathon attack, but it applies extends to any act of terrorism. I believe in karma, and the perpetrators will get their just rewards. Maybe out of the view of the public eye, but they will.

Though I’m not really a fan, Schneier has it right in his post, “Keep Calm and Carry On”. We cannot live in fear. That’s what the terrorists want. We can’t legitimize their cause and we can’t impinge on our personal freedoms. Because then they win. Truth be told, we in the US are spoiled. There are many parts of the world where a bombing like yesterday wouldn’t even make the news. Where terror is an everyday occurrence. I feel very fortunate that isn’t my life and it’s not the life of my kids. We won the birthplace lottery and we must not forget that.

But we do have to deliver some kind of message to the younger generation. Try to explain the unexplainable. In today’s iPhone (and iPod touch) driven society, the kids are tuned in whether we like it or not. XX1’s Instagram blew up with pictures and prayers, and she started asking questions right when she got home from school. XX2 and the Boy learned of it soon after because news travels like wildfire in my house. All we could do is explain that some people are misguided souls and they harm each other for no apparent reason.

We are security folks. We understand how this works. That you can be aware of what’s around you and not put yourself unnecessarily at risk, but you cannot eliminate this kind of attack. Schneier mentions (correctly) your extreme unlikelihood of being personally impacted by this kind of attack. That’s little consolation to my friend who was at the finish line yesterday, who still has a ringing in his ears and concussive effects from the explosion. And it’s clearly no consolation to the families the people hurt in the attack, picking up the pieces of their lives today.

But ultimately the balance is tipped heavily towards the good. Just think of the emergency responders running into the blast area. The folks carrying the wounded out of harm’s way. People opening their homes to displaced strangers. Good people doing good deeds when called upon. The best viewpoint I saw yesterday came from comedian Patton Oswalt on Facebook. He makes exactly the right point at exactly the right time:

But the vast majority stands against that darkness and, like white blood cells attacking a virus, they dilute and weaken and eventually wash away the evil doers and, more importantly, the damage they wreak. This is beyond religion or creed or nation. We would not be here if humanity were inherently evil. We’d have eaten ourselves alive long ago.

So when you spot violence, or bigotry, or intolerance or fear or just garden-variety misogyny, hatred or ignorance, just look it in the eye and think, “The good outnumber you, and we always will.”

Well said, Mr. Oswalt. Well said.


Photo credits: good and evil originally uploaded by Scotto Bear

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

The CISO’s Guide to Advanced Attackers

Understanding Identity Management for Cloud Services

Newly Published Papers

Incite 4 U

  1. Can we sacrifice PCI yet? Dave Elfering makes a number of good points in Worshipping at the Alter of Best Practices. It is basically stuff you know, but we see folks fall into the same trap over and over again. Not you but other folks, of course. Looking for the prescriptive guidance rather than doing the work. “Unfortunately we in security and IT often succumb to the microwave dinner approach to solving business issues.” Should we call this the Hungry Man approach to security? But Dave is exactly right – mandates start in the right place, but ultimately “often cross over into zealotry complete with dueling and echelons of priestly orders.” How many of you will be at the Temple of Bob Russo on Sunday? Yeah, that’s a scary thought… – MR
  2. Cloud FUD-tastic: Things must be getting ugly in the competitive battle between cloud vendors if Verizon is pulling out the FUD card by claiming that you’re ‘endangering’ your business by selecting Amazon as a cloud service provider. Many data centers did get flooded by hurricane Sandy, so Verizon’s dodging of that bullet makes them look smart by comparison, but that is a long way from claiming Amazon AWS endangers your business. Any cloud provider basing their competitive claims on 100% uptime is likely to be embarrassed in the future – it is unreasonable to expect a cloud service to be 100% reliable. And if Amazon AWS is having more security issues that competitors, I am willing to bet tha it’s because they have a lot more customers, with a far larger number who don’t take security seriously. If other cloud infrastructure providers want to cast stones, look at issues of lock-in and why more customers don’t have failover contingencies to multiple regions. Those are more compelling concerns. – AL
  3. Awareness and security training – not mutually exclusive: This is wading into the discussion a couple weeks late, but two of the biggest windbags in security, Bob Schneier and Ira Winkler, got into it over security training. Stephen Cobb provided a good summary and better perspective on the issues. Suffice it to say we need more and better of both security awareness initiatives (targeting all employees) and security training (targeting IT and application developers). Folks are right to question the effectiveness of these efforts, but correlation isn’t causation. Many smart folks are building much better training materials, and the impact will be felt over the next few years. But in today’s ADD generation looking for quick answers, addressing the root cause (teaching folks not to hurt themselves with computers) isn’t very exciting. And it doesn’t generate the page views of a shiny new widget. – MR
  4. Unprovable security: It’s not surprising that the FAA called BS on Hugo Teso’s ‘PlaneSploit’ app, which he claims can take over some computers on some commercial jets. Even if it’s true they would deny it until they had a response, as public admission would undermine faith in the airline industry. But the fact is that we are not going to know until someone tests it on a real commercial airliner. That’s a criminal offense if caught (as in, rooming with a dude named Bubba for a couple years), but I suspect there are plenty of hackers out there who will give it a try. Since Sophos is asking “What do you think?” I’ll offer an answer: I’d set up a bug bounty program, as Google has amply demonstrated works, to see if there are issues that really need to be addressed. Do it under NDA and pay handsomely for bugs. But the reality is that no government agency will yield their loving embrace of security through obscurity, nor the old favorite, “we certified our adherence to best practices” shield of deniability. – AL
  5. DDoS: the gift that keeps on giving: I love the pomp and circumstance around market sizing. And by ‘love’, you know I mean can’t stand the ridiculous farce. So when I see the projections of the huge market for DDoS prevention, I figure it’s clearly bigger than a breadbox. Is it $870 million in 2017 or $945 million? I have no idea, and neither do the folks who wrote that report. But does it matter? The market is bigger than a breadbox. Silly boy, that’s not how the game is played. DoS companies looking to raise money at huge valuations need their analyst market size reports to make the VCs smile and write big checks. I’m sure those same VCs will be ecstatic when DDoS scrubbing services are a core offering of every carrier and DDoS mitigations are built into every perimeter device. But of course that won’t happen for years. The existing vendors and carriers are slow. Blah blah blah. See, the funny thing is that the numbers folks usually don’t break down how the market share will be distributed in 5 years. Though I’m not sure why not – it’s not like they ever need to account for their prognostications. Okay, off the soapbox now. – MR