Wasn’t it just yesterday that we put XX1 on the bus for her first day of kindergarten? I guess if yesterday was August of 2006, that would be correct. Man, six years have gone by fast! On Friday she moves up to Middle School. As we watched the annual Field Day festivities with all the kids dressed up in their countries’ garb yesterday, the kindergartners seemed so small. And they are. Six years doesn’t seem so long, but against the growth of such a child it’s a lifetime.

I have to say I’m proud of my oldest girl. She did very well in elementary school, and is ready to tackle 7 different teachers and a full boat of advanced classes next year. Of course there will be stumbles and challenges and other learning experiences. As my army buddies say, “she has an opportunity to excel.” Despite our desire to make time slow down, it’s not going to happen. She’s ready for the next set of experiences and to continue on her path. Whether we like it or not. Whether we are ready or not.

We have heard story after story about how difficult middle school is, especially for girls. Between raging hormones, mean girls, and a much heavier course load, it requires a lot of adjustment. For all of us. It seems XX1 will have to learn organizational skills and focus a lot earlier than I had to. I kind of coasted until I got to college, and then took a direct shot upside the head from the clue bat, when I learned what it took to thrive in a much more competitive environment. She needs to learn that achievement is directly correlated to work and decide how hard she wants to work. She will have to learn to deal with difficult people as well. Too bad it’s not only in middle school that she’ll come across idiots. We all have to learn these lessons at some point.

But that’s tomorrow’s problem. I don’t want to think about that stuff right now. Of course life marches on. That’s the way it’s supposed to be. As she goes through the ceremony on Friday I will be one proud father. I hope she’s as proud of herself as we are of her. I will celebrate the passing of one milestone without thinking about the next. I appreciate the person she has become, with a healthy respect for where we’ve been. From first holding her right after her birth, to putting her on that kindergarten bus, to packing her off for sleepaway camp, to now watching her leave elementary school, and everything in between. Steve Miller was right, Time keeps on slippin’ into the future… Every single day.


Photo credits: “Me on graduation day” originally uploaded by judyboo

Heavy Research

We’re back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Understanding and Selecting Data Masking

Vulnerability Management Evolution

Understanding and Selecting DSP

Incite 4 U

  1. Don’t fear the Boobs: About 15+ years ago I was working as a paramedic in New Jersey and volunteered with the local fire department. This was a temporary sojourn back east because I was making $6.25 an hour as a paramedic in Colorado, but could pull down $16 an hour in Jersey. Something about “hazard pay”. Anyway, this particular department had a culture that was both racist and sexist. They refused to authorize ‘females’ to full firefighter status due to concerns that a 120-pound women who ran marathons couldn’t haul their 300-pound asses out of a fire. (I figured it wouldn’t be a problem after enough of the fat melted off.) I won’t lie – I have engaged in locker room talk on more than one occasion, and I recognize that men and women really are different, but I simply don’t understand sexism in the workplace. Jack Daniels wrote a great rant (as usual) on the recent reemergence of sexism and its expression at conferences. There’s no place for this in IT, certainly no place for it in security, and I think it’s largely a lot of dudes with very little self-confidence who are afraid of women. Get over it, lose the ‘bro’ culture, and dump the booth babes. All it reflects is weakness. – RM
  2. Firewall dead? Meh. Every couple months somebody proclaims some established control dead. This week’s transgressor is Roger Grimes, who tells us why you don’t need a firewall. Come on, man! Evidently the only attack firewalls can block is buffer overflows, so they are destined for the trash bin. Give me a break. And most traffic comes through port 80 or 443 – but evidently this NGFW thing, with its application awareness, is news to Roger. He points out that firewalls are hard to manage, which is true. And that developers and other folks always push to open up this port or that, basically obviating the security model. That’s not wrong either. But we have been through this before. As Corman says, we never retire controls. Nor should we, as Wendy points out rather effectively. Jody Brazil of Firemon piles on with more reasons it’s a bad idea to kill your firewall. I suspect Grimes gets paid per page view, so maybe he’ll be able to buy a few extra beers this week. But that doesn’t make him right. – MR
  3. Tokens <> Tokenization: MasterCard announced their PayPass Wallet Services for mobile devices, an “App designed to complete with PayPal and Google” wallets, or at least that is how the press is describing it. I think this is a pure marketing move to make sure app developers don’t forget MasterCard has a horse in this race. Technically, MasterCard is not offering a wallet app at all – instead they are providing a PayPass Wallet Java API for other applications to use MasterCard’s payment network. And they do not support Near Field Communications with any of the mobile platform providers, a critical feature for anyone who wants to offer card-less mobile payment. Whether MasterCard actually will (only?) support third-party developers remains to be seen. Another media mischaracterization is the portrayal of this as beneficial to merchants, with StorefrontBacktalk reporting PayPass will offer tokenization to reduce PCI scope for e-commerce. But I am certain this is false – first because MasterCard does not offer tokenization, and second because if you look at the API you see that it’s using OAUTH identity tokens, not credit card tokenization or even Format Preserving Encryption. Pesky details. What’s important to remember is that with digital wallets you can bypass traditional payment infrastructure, meaning it’s possible to disintermediate Visa and MasterCard, if a big enough competitor chose to. And given resistance to EMV ‘smartcards’ in the US, “an app for that” is the likely payment medium of the future, which further threatens the established players. – AL
  4. Open source and security: Don’t you hate those guys who actually use logic and data to win arguments? Yeah, me too. But I learned a while back that arguing with folks who command a lot of data and history is a fool’s errand. Which is why I know better than to wade into the Thunderdome with Rob Graham. He makes a point here (based on the cgi-php vulnerability) that the concept that open source is more secure than commercial software has failed. Not in concept, but in practice. Just because there are more folks to look at the code for security errors that doesn’t mean they do. I don’t buy into security by obscurity either, but in reality commercial software vendors have a significant disincentive now to screw up security. And with enterprising models like Google paying security bug bounties there are creative ways to address the issue. So now we need some kind of open source response, or not. After all, it’s a hobby for most of the contributors. – MR
  5. #byronisfree: I have always been a staunch supporter of law enforcement. I’ve spent far too long working side by side with police to believe their power brings inherent corruption. But cops are people, and police departments aren’t exempt from the Peter Principle – but the consequences can be much greater than in the corporate world. Byron Sonne, a member of our hacker community, decided to poke and prod the establishment in Canada at the G20 summit a few years ago. He was arrested on trumped up charges and then the police and prosecutors doubled down. He spent years in jail, lost his wife, and suffered terrible career consequences. All for exposing security theater without actually breaking any laws. On Tuesday Byron was cleared of all charges. Unfortunately, when you challenge establishments (of any stripe) they rarely respond with thanks and introspection, but instead generally lash out in self defense. Especially when security is involved. – RM
  6. Do not-that: When you have a historically buggy and insecure product, your response to requested security patches should not be “buy more of our stuff”. But that’s what Adobe did when they told customers they would need to buy software upgrades to get patches for 8 security related vulnerabilities. Shockingly, Adobe reversed their position this week – saying they would port patches to older versions of Photoshop, Flash Professional, and Illustrator; and provide the fixes free of charge. Every company has to draw the line on what’s unsupported, and how far back they go to support older products. But CS5 is a current product, with CS6 just released. Sure, we have seen many companies struggle with when they should cut support for older products, and companies push new products out faster than customers want them because that keeps the upgrade machine humming and driving revenue. But most companies support at least one revision back. If you are in software development and wondering how many back releases you should support, doing the opposite of Adobe would be a good start. – AL
  7. Scam-o-rama: This isn’t security related but it’s important. It’s tough out there for a lot of folks. I get that and it makes me appreciate how fortunate I am to be able to do what I love and make a good living. As security folks, we also know tough times bring out the scammers. A sad tale of boiler rooms and innocent folks getting ripped off (h/t to Krebs) is detailed on the Verge, and it’s heart wrenching. For those cynical about almost everything, you know if it sounds too good to be true, it is. Other folks want to believe, and they will get taken to the cleaners. I have been looking for a shortcut to wealth for a long time, and will admit to buying one or two of the books discussed in the article. I have gotten calls from these boiler rooms, but they were short conversations – I have been wading through hyperbole and lies from shysters since I got into the working world. But not many have my crap detector. The shortcut is that there is no shortcut. Do the work. And then do more work. So every time you have a yen to start a web site and get rich, refer back to Godin’s ideas on making money online. He’s exactly right. – MR