It is interesting to see the concept of mindfulness enter the vernacular. For folks who have read the Incite for a while, I haven’t been shy about my meditation practice. And next week I will present on Neuro-Hacking with Jen Minella at her company’s annual conference. I never really shied away from this discussion, but I didn’t go out of my way to discuss it either.


If someone I was meeting with seemed receptive to talking about it, I would. If they weren’t, I wouldn’t. It doesn’t really matter to me either way. Turns out I found myself engaging in interesting conversations in unexpected places once I became open to talking about my experiences.

It turns out mindfulness is becoming mass market fodder. In our Neuro-Hacking talk we reference Search Inside Yourself, which describes Google’s internal program, which is broadening into a mindfulness curriculum and a variety of other resources to kickstart a practice. These materials are hitting the market faster and faster now. When I was browsing through a brick and mortar bookstore last weekend with the Boy (they still exist!), I saw two new titles in the HOT section on these topics. From folks you wouldn’t expect.

10% Happier is from Dan Harris, a weekend anchor for ABC News. He describes his experiences embracing mindfulness and meditation. I am about 75% done with his book, and it is good to see how a skeptic overcame his pre-conceived notions to gain the aforementioned 10% benefit in his life. I also noticed Arianna Huffington wrote a book called Thrive, which seems to cover a lot of the same topics – getting out of our own way to find success, by drawing “on our intuition and inner wisdom, our sense of wonder, and our capacity for compassion and giving.”

At this point I start worrying that mindfulness will just be the latest in a series of fads to capture the public’s imagination, briefly. ‘Worry’ is probably the wrong word – it’s more that I have a feeling of having seen this movie before and knowing it ends up like the Thighmaster. Like a lot of fads, many folks will try it and give up. Or learn they don’t like it. Or realize it doesn’t provide a quick fix in their life, and then go back to their $300/hr shrinks, diet pills, and other short-term fixes.

And you know what? That’s okay. The nice part about really buying into mindfulness and non-judgement is that I know it’s not for everyone. How can it be? With billions of people on earth, there are bound to be many paths and solutions for people to find comfort, engagement, and maybe even happiness. And just as many paths for people to remain dissatisfied, judgmental, and striving for things they don’t have.

I guess the best thing about having some perspective is that I can appreciate that nothing I’m doing is really new. Luminaries and new-age gurus like Eckhart Tolle and Deepak Chopra have put a new coat of paint on a 2,500-year-old practice. They use fancy words for a decidedly unfancy practice. That doesn’t make it new. It just makes it shiny, and perhaps accessible to a new generation of folks. And there’s nothing wrong with that.


Photo credit: “Wet Paint II” originally uploaded by James Offer

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and... hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

2014 RSA Conference Guide

In case any of you missed it, we published our fifth RSA Conference Guide. Yes, we do mention the conference a bit, but it’s really our ideas about how security will shake out in 2014. You can get the full guide with all the memes you can eat.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Understanding Role-based Access Control

NoSQL Security 2.0

Defending Against Network Distributed Denial of Service Attacks

Advanced Endpoint and Server Protection

Newly Published Papers

Incite 4 U

  1. Questions driving the search for answers: Whatever you are doing, stop! And read Kelly White’s 3-part series on Questioning Security (Part 1, Part 2, and Part 3). Kelly’s main contention is that the answers we need to do security better are there, but only if we ask the right questions. Huh. Then he provides a model for gathering that data, contextualizing it, using some big data technologies to analyze it, and even works through an example or two. This echoes something we have been talking about for a long time. There is no lack of data. There is a lack of information to solve security problems. Of course a lot of this stuff is easily said but much harder to do. And even harder to do consistently. But it helps to have a model which provides a roadmap. Without some examples to make the model tangible you won’t even know where to start. So thank Kelly for a piece of that. Now go read the posts. – MR
  2. Bounties on open source security flaws: The Veracode blog’s latest post is thought-provoking, asking whether it is time to Crowdfund Open Source Software. The post hits the key points on both sides of the open source vs. proprietary software debate, discussed for almost a decade without resolution so far. While I consider the statement “Heartbleed vulnerability puts the lie to the idea of the ‘thousands of eyes’ notion” total BS – software will always have flaws which are not readily apparent – it is good they threw in that point, balanced against Andy Ellis’s “Our lesson of the last few days is that proprietary products are not stronger…” This is the core issue! Enterprise IT never fully trusted open source code, and it would be a lie to say otherwise. But that is more an emotional response than based on fact – they say they don’t trust it but (often unwittingly) use lots of it. Look at it this way: how many major web sites, many of which include substantial proprietary code, rely on OpenSSL? And OpenSSL was in use for years, with this bug undetected. So I throw in a hearty ‘Yes!’. We definitely need to crowdfund open source software security for critical components. This software can benefit from additional scrutiny, the same way we have proven proprietary code does. – AL
  3. Botnet innovation latte: Our pals at Malcovery identified an interesting phishing message targeting Starbucks customers/aficionados (I wouldn’t know any of those). Targeting a large consumer brand with a phishing attack isn’t interesting. But the phishing site’s ability to deliver “the GameOver Zeus variant adding the victim’s machine to a large peer-to-peer botnet and deploy rootkiting tools from the Necurs rootkit to hamper detection and removal of this trojan–all without downloading additional files or contacting a static command and control.” [emphasis mine] That’s interesting. No additional files, and no need to contact a C&C network, because it’s a peer-to-peer botnet. So much for that cool callback detection widget you just deployed, eh? Actually it’s just another opportunity for defenders to take another step to keep pace with attackers. And the beat goes on… – MR
  4. The shape of things to go: Have you noticed all the new security positions listed on job boards? Retail is just now seeing The Rise of the CSO, and this article captures the mindset of those grappling with security for the first time: “We should not be having any breaches …”. Yeah, right. Finance and regulated industries have placed C-level executives in IT security and compliance for the better part of the last decade, and understand that breaches will happen, necessitating a balancing act between prevention and detection/response. Retail? On the technology adoption curve, the retail data security vertical is decidedly in the ‘laggard’ category. It is ironic that an industry at the forefront of customer analytics, driven by sensitive data and monetized via just-in-time sales programs, is at the tail end of data security. But clearly the Target breach prompted a collective “Oh crap, am I vulnerable too?!” gasp. While other firms are evolving to distribute security responsibility across different business centers, retail is trying to buy a clue through CSO/CISO hires. – AL
  5. Security lemonade: Not that I’m a fan of Schneier, but every so often he finds a metaphor that makes sense for security folks. He recently wrote on his blog that Security is a Market for Lemons, pointing out that, like the used car market, the best offerings price themselves out of the market because typical buyers don’t know the difference between options and so opt for the average or even below-average (priced) solution. It is hard to tell real security from snake oil, so we need someone to vouch for a product to help unsuspecting consumers know the difference. Kind of like Consumer Reports. The problem, as Schneier points out, is that there is no real market for this. Product testing labs tend to focus on the stuff they can measure, and as nicely demonstrated by the NSS/FireEye dust-up, they can all too easily get swamped in a messy he-said/she-said deal. And the media can no longer pay for real product testing like in the old days. So what to do? Rely on your friends, of course. They tend to be the most reliable source of information. – MR