I recently took the Boy to see “42,” which I highly recommend for everyone. It’s truly a great (though presumably dramatized) story about Jackie Robinson and Branch Rickey as they tore down the color line in major league baseball. My stepfather knew Jackie Robinson pretty well and always says great things about him. It seems the movie downplayed the abuse he took, alone, as he worked to overcome stereotypes, bigotry, and intolerance to move toward the ideal of the US founding fathers that “all men are created equal”. But importantly the movie successfully conveyed the significance of his actions and the courage of the main players.

As unlikely as it seemed in 1945 that we would have a black man playing in the major leagues, it must have felt similarly unlikely that we would have an openly gay man playing in the NBA (or any major league sport). Except that it’s not. Jason Collins emerged from his self-imposed dungeon after 12 years in the NBA and became the first NBA player to acknowledge that he’s gay. It turns out men of all creeds, colors, nationalities, and sexual orientations play professional sports. Who knew?

This was a watershed moment in the drive toward equal rights. NFL writer Mike Freeman tweeted that it was a great day in his life: “(I) get to see a true civil rights moment unfold instead of reading about it in a book.” Those interested in equality are ecstatic. Those wanting to maintain the status quo, not so much.

I tend to not discuss my personal views on politics, religion, or any other hot topic publicly. The reality is that I believe what I believe, and you believe what you believe. We can have a good, civil discussion about those views, but I’m unlikely to change my mind and you are unlikely to change yours. Most such discussions are a complete waste of time. I accept your right to believe what you want and I hope you accept mine.

Unfortunately the world isn’t like that. There was a tremendous amount of support for Jason Collins from basketball players, other athletes, and even the president of the US. There was also a lot of bigotry, ignorance, and hatred spewed in his direction. But when he stepped out of the closet he knew that would be the case. He was ready. And he is laying the groundwork for other gay athletes to emerge from their darkness. As Jackie Robinson blazed the trail for athletes like Roy Campanella, Larry Doby, and Satchel Paige to play in the majors, Jason Collins will be the first of many professional athletes to embrace who they are and stop hiding.

I think it’s great. Hats off to Jason Collins and all of the other courageous gay athletes that will become known in the months and years to come. Although you may disagree, which is cool. You are entitled to your own opinions. But to be clear, you can’t stop it. This genie is out of the bottle, and it’s not going back in.


Photo credits: Sports Illustrated cover – May 6, 2013

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Defending Cloud Data/IaaS Encryption

Security Analytics with Big Data

The CISO’s Guide to Advanced Attackers

Newly Published Papers

Incite 4 U

  1. The worst press release of the year: It kills me to do this, but this week I need to slam an “article” on Dark Reading that claims users don’t care about security. This is clearly a press release posted as if it were a news article, which deliberately confuses readers. As an occasional writer for DR (and huge supporter of the team there), it hurts to see such drivel intermingled with good content. Unfortunately many online publications now post press releases as articles in the ongoing battle to collect page views, which is a horrific practice that should be destroyed. Back to the press release, which has more hyperbole than the Encyclopedia of Hyperbole. It claims that users don’t care about security since they reuse passwords and don’t track the latest threats. That’s stupid. They reuse passwords because the alternatives don’t work for most average users. They don’t track threats or obsess about security because it isn’t their job. At least most FUD press releases make minor nods to reality – this one doesn’t even pretend. It reeks of desperation. Pathetic. – RM
  2. Stepping into the AV time machine: I know this OPSWAT post, Varied Antivirus Engine Detection of Two Malware Outbreaks is dated April 13, 2013 but it feels like 2003. It talks about the need to use multiple detection engines because anti-virus vendors add signatures for new attacks at different times. Wait. What? Evidently no one told these guys that blacklists are dead. But this seems to be a recurring theme – I recently got into it with another MSS, who told me how great it is that they can scan traffic with two different AV engines to catch advanced malware. I tried to delicately tell him that they wouldn’t catch much advanced malware with 15 AV engines, but they can certainly crush their throughput. I guess I shouldn’t be surprised – AV remains the primary control to fight attacks, even though it’s not good enough. Sigh. – MR
  3. Always the last to know: Wendy Nather had exactly the same thought I did on the latest Verizon Data Breach Report, and hit the nail on the head with her Dark Reading post on why organizations aren’t detecting their own breaches. 69% of breaches are discovered by third parties. Were they not monitoring at all, or just not monitoring well? With all the SIEM, DSP, DLP, NGFW, and web & email filtering out there – and these tools are often in place – why are so few organizations the first to know when they get hacked? Does this tell us that the products are not effective? What do these third parties know or do differently? I, too, would love to see (or write) an analysis of the differences between the 69% who fail to discover, and the companies who detect their own breaches. A great idea for a research project. – AL
  4. You don’t need no stinking privacy: In the name of protecting against cyber threats (whatever they are), ISPs can have immunity from wiretapping laws. Awesome! I am no Captain Privacy type but there is no way to actually distinguish traffic related to cyber-attacks from all our traffic. I haven’t read the act or a copy of the letters but I would be shocked if it was specific about which kinds of data can legally be handed over by ISPs, how long the government will keep it, or what they can or will do with it. Either way we need to assume that anything we send over the Internet can (and likely will) be read by someone other than the intended recipient. Act accordingly. – MR
  5. Same as yesterday: Anyone who thought the APT1 team in China would back down because of some bad press doesn’t understand the game, or China. According to researchers at Cyber Squared, APT1 is back at work using the same techniques. And why not? Geopolitics are slowly applying pressure on China to change their policies but haven’t reached the threshold where they will actually change anything. I suspect it will take another year or so before they push their activities deeper underground. It wouldn’t surprise me to see APT1 team members using better operational security than a year ago, but if attacks work they are still advanced enough. Attackers only change methods when the existing ones don’t work, and governments only change policies when the costs (to them) exceed the benefits. Easy math on this one. – RM
  6. Busted: I have gotten a new credit card every 9 months for years – fraudulent charges on my bill or known compromised numbers make this a frequent occurrence. When I get a notification letter I usually get mad, wishing the merchants and card brands would aggressively go after the perpetrators. But I know from conversations with people at the different card brands that their legal teams have decided it’s not cost effective to investigate issues unless the dollar amount is extraordinary. So they don’t. The theft of credit card numbers is usually the least interesting aspect of credit card fraud – the interesting part is how those cards are used to commit fraud. In a case worthy of Brian Krebs’ blog, an Internet merchant for stereo gear did what many of us long to do: they set up a sting to bust several people who had cheated them of thousands of dollars. The fraudsters were switching merchandise delivery points and using ‘mules’ to pick it up. Part of the reason I am covering this story is I was unaware that “The Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C).” Nice to see some of these people caught and prosecuted. If you can’t do the time, don’t do the crime. – AL