This time of year neighborhoods are overrun with “Graduation 2013” signs. The banners hang at the entrance of every subdivision congratulating this year’s high school graduates. It’s a major milestone and they should celebrate. Three kids on our street are graduating, and two are the youngest in their families. So we will have a few empty nests on our street.

You know what that means, right? At some point those folks will start looking to downsize. Who needs a big house for the summer break and holidays when the kids come home? Who needs the upkeep and yard work and cost? And the emptiness and silence for 10 months each year, when the kids aren’t there? They all got dogs presumably to fill the void – maybe that will work out. But probably not. Sooner rather than later they will get something smaller. And that means new neighbors.

In fact it is already happening. The house next door has been on the market for quite a while. Yes, they are empty nesters, and they bought at the top of the market. So the bank is involved and selling has been a painstaking process. Not that I’d know – I don’t really socialize with neighbors. I never have. I sometimes hear about folks hanging in the garage, drinking brews or playing cards with buddies from the street. I played cards a couple of times in a local game across the street. It wasn’t for me.

Why? I could blame my general anti-social nature, but that’s not it. I don’t have enough time to spend with people I like (yes, they do exist). So I don’t spend time with folks just because they live on my street. The Boy can’t get in his car to go see buddies who don’t live in the neighborhood. So he plays with the kids on the street and the adjoining streets. There are a handful of boys and they are pretty good kids, so it works out well. And he doesn’t have an option.

But I can get in my car to see my friends, and I do. Every couple weeks I meet up with a couple guys at the local Taco Mac and add to my beer list. They recently sent me a really nice polo shirt for reaching the 225 beer milestone in the Brewniversity. At an average of $5 per beer that shirt only cost $1,125. I told you it was a nice shirt.

I hang with those guys because I choose to – not because we liked the same neighborhood. We talk sports. We talk families. We talk work, but only a little. They are my buds. As my brother says, “You can pick your friends, but you can’t pick your family.” Which is true, but I’m not going there…


Photo credit: “friend” originally uploaded by papadont

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Quick Wins with Website Protection Services

Network-based Malware Detection 2.0

Security Analytics with Big Data

Newly Published Papers

Incite 4 U

  1. Amazon to take over US government: Well, not really, but nobody should be surprised that Amazon is the first major cloud provider to achieve FedRAMP certification. Does this mean the NSA is about to store all the wiretaps of every US citizen in S3? Nope, but it means AWS meets some baseline level of security and can hold sensitive (but not classified) government information. Keep in mind that big clients could already have Amazon essentially host a private cloud for them on dedicated hardware, so this doesn’t necessarily mean the Bureau of Land Management will run their apps on the same server streaming you the new Arrested Development, nor will you get the same levels of assurance. But it is a positive sign that the core infrastructure is reasonably secure, and public cloud providers can meet higher security requirements when they need to. – RM
  2. Arguing against the profit motive… is pointless, as Dennis Fisher points out while trying to put a few nails in the exploit sales discussion. He does a great job revisiting the slippery slope of vulnerability disclosure, but stifles discussion on exploit sales with a clear assessment of the situation. “Debating the morality or legality of selling exploits at this point is useless. This is a lucrative business for the sellers, who range from individual researchers to brokers to private companies.” You cannot get in the way of Mr. Market – not for long, anyway. Folks like Moxie can choose not to do projects that may involve unsavory outcomes. But there will always be someone else ready, willing, and able to do the job – whether you like it or not. – MR
  3. Static Analysis Group Hug: WASC announced publication of a set of criteria to help consumers evaluate static analysis tools, including a view of their evaluation criteria. With more and more companies looking to address software security issues in-house we see modest growth in the code security market. But static analysis vendors are just as likely to find themselves up against dynamic application scanning vendors as static analysis competitors. The first thing that struck me about this effort is that, not only did the contributors represent just about every vendor in the space, it’s a “who’s who” list for code security. Those people really know their stuff and I am very happy that a capable group like this has put a stake in the ground. That said, I am disappointed that the evaluation criteria are freaking bland. They read more like a minimum feature set each product should have rather than a set of criteria to differentiate between products or solve customer problems. All the vendors meet the minimum criteria, so the list is politically correct, but it cannot help customers choose a product. That analysis can only come from internal requirements and understanding how your organization wants to use static analysis, and applying that knowledge to the vendor list. – AL
  4. A malware silver bullet – wouldn’t that be nice: I get that it’s exciting and compelling to dream of a day when our devices are safe from the diabolical clutches of malware. When built-in security protects ourselves from ourselves. And if you read Jason Perlow’s post on Bromium, A virtualization technology to kill all malware forever, you might think that happy day is right around the corner. Let’s just say I’m not as excited. Not that I don’t think Bromium is cool, and potentially very disruptive to the ways we protect devices. But I am not ready to start shoveling dirt on malware yet. Not until the Segway revolutionizes urban transportation, anyway. Although a full read of the article makes clear that Jason is asking a question, not making a prediction. It seems his editors forgot a question mark at the end of the title. I guess I have just seen the cat and mouse game in security too many times to think Tom will finally get Jerry next time. Although we security folks could certainly use some Lone Ranger and Tonto silver bullet action. – MR
  5. This Old Bill: Do we still care about state breach disclosure laws? California is amending CA-1798 to include email and online account data as part of your personal information. That means when your account data is stolen from an online service provider – as in the Sony breach – you will be notified. California should be commended for pioneering breach disclosure laws that help expose companies with abysmal security policies, and which negatively impact their customers. That said, I am uncertain what problem this amendment solves or how consumers benefit. Consumer awareness is generally a good thing so maybe that is enough, and informed users will force changes to bad behavior. Okay – probably not. It is even more unfortunate that the bill leaves disclosure optional if the data is encrypted. The encryption loophole has motivated some companies to encrypt data, but I say ‘unfortunate’ because it does not say companies must take “reasonable care” with encryption (or some other such arbitrary legislative language meaning “encryption that actually works”). We have seen companies cling to DES-based encryption and confuse hashing with encryption – either of which is about as effective as a ROT13 cipher. But transparency is good, so maybe this will be a very small step in the right direction. – AL
  6. Loose lips leave an electronic trail: I recall being fascinated when Petraeus got caught with his proverbial pants down, because it showed law enforcement has many ways to track down informants and suspects. Everything electronic leaves a trail, and this kind of thing makes it hard to truly leak information anonymously. This piece at Wired describes what you would need to do using burn phones and temporary email addresses, but it is clearly hard. You would really need to want to leak something badly, to go through all those hoops to remain anonymous. And it turns out the safest way may be snail mail. But you’ve seen CSI, right? They’ll track it back to you anyway. – MR