After a mostly miserable winter, at least in terms of the weather, spring is here. And some days it feels like summer. This past weekend was awesome. A little hot, but nice. Sun shining. Watching the kids play LAX. Dinner/drinks to celebrate two of my best friends completing a trail marathon. Yes, they ran 26.2 miles through the woods. I didn’t say my friends were overly bright, did I?

What I didn’t wear was sunscreen. So when you check out the Firestarter we recorded Monday, you will see I spent some time in the sun. I guess I shouldn’t be surprised – I do this every year. I just forget. It doesn’t feel that hot. The sun isn’t that strong. Until I’m getting ready for bed and I look like a tomato. Evidently the sun is that strong. And it was that hot. So the farmer sunburn is in full effect.

When I think of sunscreen I always think of an awesome column by Mary Schmich, which was wrongly attributed to Kurt Vonnegut for years. It’s not quite Steve Jobs’ commencement speech, but it’s pretty good. Because it reminds us of the important stuff, like wearing sunscreen.

She also reminds us to not worry. Worrying is not important, and it doesn’t help you do anything anyway. If it’s out of your control then what can you do? If it is within your control, then fix it. We also shouldn’t waste time on jealousy or competing with folks. It’s not a race. Not with anyone else anyway. It is about consistent improvement, and being the best you that you can be. At least that’s the way I try to live.

But the title of that speech is “Advice, like youth, probably just wasted on the young”. Which is exactly right. I couldn’t understand the logic of wearing sunscreen when I was 22. Just like I couldn’t understand why I shouldn’t worry about what I have or haven’t accomplished. Nor could I understand the importance of living right now – not tomorrow, and certainly not reliving yesterday.

I couldn’t understand that stuff, and if you’re 22, you probably have no idea what I’m talking about. But at some point you will, and the folks in my age bracket probably understand. I wouldn’t go back in time because I didn’t know anything. And it turns out I am actually in better physical shape, and can afford better beer now than 25 years ago. I finally understand what’s important and can appreciate how every setback taught me something I use almost every day. Cool, huh?

By the way, that doesn’t mean I will wear sunscreen next spring either. But at least I’ll have the perspective to laugh at the fact that I do the same stuff every year, as I reach for the aloe.


Photo credit: “Use plenty of sunscreen” originally uploaded by Alex Liivet

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

2014 RSA Conference Guide

In case any of you missed it, we published our fifth RSA Conference Guide. Yes, we do mention the conference a bit, but it’s really our ideas about how security will shake out in 2014. You can get the full guide with all the memes you can eat.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Understanding Role-based Access Control

NoSQL Security 2.0

Advanced Endpoint and Server Protection

Newly Published Papers

Incite 4 U

  1. Revisiting monoculture: Dan Geer is at it again. One of our preeminent security thinkers is back on the monoculture theme, revisiting his position that any single component used by a majority of technology users represents undue risk. Back in 2003 Dan talked about the risks of Windows dominance. He was right and still is. Now he has applied the monoculture concept to OpenSSL, which was the component that enabled Heartbleed. The reality is, these base components are everywhere. You probably remember that SQL*Slammer leveraged the Jet database. You didn’t buy the Jet DB? Of course you did! It was just built into stuff you wanted. Same deal with OpenSSL, and about a zillion other components that are built in everywhere. Is there a way to contain this kind of risk? Or at least understand it? Um, ask Josh Corman. – MR
  2. Sometimes good enough is… Does anyone outside the SIM card alliance really think that Host Card Emulation – mobile app software that mimics a secure element function – is not a threat to their hardware strategy? For that matter, does anyone really believe that HCE is not secure enough for EMV payments? While mobile carriers and device manufacturers fumble about putting different secure elements with capabilities on a subset of devices and call that a standard, firms like Apple and Square will simply deliver a seamless, consistent, user-friendly payment experience for most mobile devices. Sure, SIM cards are more secure, but when we are talking about basically one credit card per mobile device, HCE solutions do not need to provide infallible security to be sufficient. Add in tokenization to remove payment data from merchants – which is where we keep seeing mass losses of credit card data – and the level of security is more than acceptable. HCE and mobile payment apps are the likely way the market is headed, and why rumors of Square’s sale are heating up. – AL
  3. Trust us, we’re from the government: The White House released guidance on how they will handle zero day vulnerabilities. It is very well-reasoned, but I think they are full of… brown stuff that tends to clog up your profanity filters. Look, governments need to maintain some offensive capabilities, but history is showing that they cannot resist hoovering up whatever they can get, and they rarely notify vendors of what they find. At least that’s what my research and defense contacts tell me. Basically, if they want it, they get to keep it. The post merely lists some questions they ask themselves, like “How badly do we need the intelligence we think we can get from exploiting the vulnerability?” How about something more proscriptive? Like a requirement to actively hunt for evidence of use of any vulnerability being withheld? A requirement that anything structural or massive, like Heartbleed or the DNS vulnerability, must be treated differently? Or, you know, a restriction against introducing vulnerabilities into products? I know, I know, that’s what I get for watching West Wing instead of House of Cards. – RM
  4. Who gets to behead Weev? I’m a big Game of Thrones fan, but not big enough to subscribe to HBO. So I am only through Season 3, but I digress. When I saw Corey Nachreiner’s post Six infosec tips I learned from Game of Thrones I got all fired up to think about beheading some of those folks who, well, deserve it. But Corey actually relates things to security and talks about the fallacy of building and hiding behind a huge wall. He also mentions the need to pay attention to alerts, especially from trusted sources. You never know when you’ll be the Target (pun intended). He even relates some of the great GoT characters to master social engineers. Nice. Kind of makes me want to start pulling down Season 4 via Torrent, but Rich gets pissed at behavior like that. So I’ll wait. Maybe. – MR
  5. Doom and gloom: Normally I try to ignore the hand-waving sky-is-falling garbage, but this time it kinda-sorta is a real problem. It seems the government is warning the healthcare industry to watch out for attacks, while clinical healthcare systems are ridiculously vulnerable. As in “could kill someone” vulnerable. Literal movie plot stuff, like over-radiating patients in scanners (which has already happened due to software bugs), delivering heart shocks through implanted defibrillators (wirelessly, natch), and mucking up implantable insulin pumps (or regular drug pumps). As someone who is technically still a healthcare provider, it is probably worse than you think. Clinical systems are a mess across the board, non-clinical records systems are insanely complex with little attention paid to security, and IT security is typically unfunded to the point of… don’t get me started. What is the real risk? Only time will tell in this case. Targeting an individual is still hard, and there isn’t much of a profit motive for killing people in general. So it is somewhat self-limiting but I am sure we will see headline cases to feed the cable news networks. – RM
  6. As bad as you want to be: Network security company Bkav accused Amazon AWS of providing them an unpatched operating system, which was later infected with malware. Think about this for a second – when you spin up servers in AWS you select the image to launch. Amazon provides a list which does not come pre-infected with malware. Or you can download images directly – for Ubuntu, for example – from the official distributor. Or you can upload your own prepackaged (fully patched and configured) AMI. Then, as part of your startup scripts, you can instruct the system to patch the OS again before you launch it! It is a core feature of AWS. You choose. Or not. Your instances running in AWS are as secure or insecure as you want them to be – that is a key point of IaaS. Selecting an ancient OS, not patching it, exposing it to the world, and then blaming Amazon is like driving your 1955 Cadillac into a tree after brake failure, and then blaming the Department of Transportation. – AL
  7. Facebook’s DoS magnification: Sometimes you wonder how hackers even think to try stuff. Like how Chaman Thapa figured out that Facebook would crawl a site multiple times for an image posted on the Facebook notes environment to create a denial of service attack, with only a little automated script to change some parameters on an image file. Yes, a cache attack leveraging Facebook. Awesome. He generated 900mbps of traffic by targeting a 13mb file on a small site. That is some leverage. And Facebook figures this is okay and won’t fix it. Which nicely underscores the point that pretty much any tool can be used to launch a DoS attack, and most of them will. So if you don’t have a plan to mitigate these kinds of attacks, just build some downtime into your business model. – MR