I didn’t want to become that Dad. The one who says, “Turn that crap down.” Or “What is this music?” Or “Get off my lawn!” I didn’t want that to be me. I wanted to be the cool Dad, who would listen to the new music with my kids and appreciate it. Maybe even like it. For a while, I was able to do that.

Let’s backtrack a bit. I control the iTunes account in the house. That allows me to centralize apps for all the kids and their devices, and more importantly make sure we keep spending within reason. Even better, it gives me the ability to give the kids a hard time about buying an app or song. They love being scrutinized over a $1.99 app. Don’t tell them I spend more than that on coffee every day. To be clear, it’s not worth my time to even think for a minute about an app, but I still get enjoyment out of making them present a case for why they need the latest version of Clash of Clans or Subway Surfer.

That also means that when XX1 wants to buy new music, she has to come through me. So about 3 or 4 times a year I get a list of 40-50 songs she wants to buy. She has her own money, so it’s not a money thing. But I won’t give her access to the account (since that would end very badly), so I have to buy the songs myself. Which means I have to listen to some of them.

For quite a while, I was fine with that. I like some of the stuff XX1 listens to – statistically about half the pop music she listens to is tolerable with a decent groove and melody. But over the weekend I hit my limit. I was checking her song list before camp, and 90% of the music was just awful. And at that moment, I became that guy. The guy who just doesn’t understand the noise kids are listening to today.

Of course I couldn’t let it go. I had to ask, “What the hell is this stuff?” She just shrugged. It’s her money, so I couldn’t tell her not to waste it on crap music. And I think I saw her chuckle the “you just don’t understand, old dude” chuckle. You know that chuckle because it’s how you reacted when your folks wondered about Elvis or the Beatles or Pink Floyd or Springsteen when you were growing up.

I guess I am that old dude. And I just don’t understand. Though that doesn’t make it any easier to explain to my friends why I have Bieber songs in my iTunes library. Those songs are for XX1, really! That’s my story and I’m sticking to it.


Photo credit: “Noise” originally uploaded by richardoyork

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and... hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

2014 RSA Conference Guide

In case any of you missed it, we published our fifth RSA Conference Guide back in February. Yes, we do mention the conference a bit, but it’s really our ideas about how security will shake out in 2014. You can get the full guide with all the memes you can eat.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Understanding Role-based Access Control

NoSQL Security 2.0

Newly Published Papers

Incite 4 U

  1. At least there is consistency: Love those survey-based media campaigns, where a company sponsors a survey to determine that a certain industry is vulnerable. Just like every other industry. It’s awesome. So I enjoyed the FUD-tastic writeup of a survey paid for by ThreatTrack, which showed (through a whopping 200-person survey) that energy companies are vulnerable to attack. 61% said the biggest threat comes from email. Shocker. Web is next at 25% and mobile at 3%. Yup, that sounds about right. Even better, 40% thought they’d be targeted by advanced attacks. The other 60% have an appointment on Thursday to see their therapist to deal with the self-esteem issues. – MR
  2. That’s WEAK: eBay users are noticing for the first time – post breach of password hashes – that eBay does not allow long passwords. eBay sent email instructing users to reset passwords this week, one week after we heard about the data loss. But those are pesky details, right? Those who took it seriously enough to create strong passphrases to resist brute-force password cracking noticed their long passwords were not allowed. Worse, passwords longer than 20 characters were labelled ‘weak’. Not cool, but remember that eBay – like many firms – only uses passwords as one hurdle; they rely on fraud analytics and monitoring on the back end. The problem is the way their policy is communicated – it seems like they don’t care about their users’ security, but in reality they focus more on protecting the system from fraud. Gunnar and I complain a lot about the lack of industry interest in readily available stronger authentication (OAuth, SAML, etc.) capabilities, but the majority of firms filled the security gap not with a new identity infrastructure that might make users’ lives more complicated, but instead by bolting analysis techniques and risk-based auth onto the transaction flow, hopefully invisibly to customers. I would prefer stronger passwords but eBay knows what they are doing with security, and has chosen an effective overall approach, despite what this breach suggests. – AL
  3. What’s the icon for Pwn my iPhone? Weak passwords are a killer. Now it seems attackers are using iCloud’s Find My iPhone capability to lock and ransom user devices. The article speculates that attackers “gained access to a database with user names and passwords used for several services, including iCloud.” Uh, what? Then they find an actual victim who mentioned they used the same password for eBay and iCloud. Right. Occam’s Razor FTW again. So let’s review. Use strong, unique passwords. It’s easy with a password manager. And very likely most of you do this. But as long as lots of folks don’t, we will see the same nonsense. – MR
  4. Compensating control: I am surprised by the political call to protect consumers from Internet Advertiser networks and their streaming malware, as it means the problem is big enough for political attention. ‘Cyber’ is front page news! Online advertising networks are designed to selectively funnel ads to you, based upon the intelligence they gather from your browser and browsing behavior. A common developer refrain is “One person’s bug is another’s feature,” which is pertinent to ad networks who leverage every browser flaw to better deliver targeted advertisements, making them highly susceptible to malware and various cross-site scripting attacks coming down the pipe. But while you are under a microscope, they do not use this same degree of scrutiny on partners; as long as the check is good the ads flow, even if you’re serving up malvertising. The outcry will help, but will not result in better privacy or security – instead ad networks will combat the problem with customer vetting, and likely employ a Dun & Bradstreet style third-party service. – AL
  5. Dude, where’s my hack? We have a major skills gap in security. As if it wasn’t hard enough getting folks to do security in the public sector, now the FBI makes it even harder by not hiring anyone who has smoked pot in the past 3 years. So let me get this straight. Security practitioners can make a bunch more money in the private sector, and they get to smoke pot too! I’m shocked they are having problems getting top candidates interested. Security is a stressful job. I’m sure there are doctors in Colorado and Washington who would write hackers legitimate scripts to deal with the stress with a little weed. I guess we’ll have to wait a little while before we can send out those invites to the hookah party at the Director’s house, eh? And before I’m done, let’s give a big hand to Graham Cluley, who figured out how to get Snoop Dogg and the Hack is Whack campaign into a blog post. That’s an even bigger win. – MR
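The password-policy problem in item 2 (a site capping passwords at 20 characters and labelling anything longer ‘weak’) is easy to show in code. The example below is added here and is not eBay’s or Securosis’ code: the legacy rule models the behaviour the item describes, and the corrected rule, its length bounds and its entropy thresholds are this example’s own assumptions about a reasonable alternative.

```python
"""Password policy check: a length-capped legacy rule beside a corrected one.

Constructed illustration, not eBay's code. The legacy rule models the policy
described in the text (over 20 characters => 'weak'); the corrected rule and
its thresholds are assumptions made for this example.
"""
import math
import string

LEGACY_MAX_LEN = 20       # cap described in the text
CORRECTED_MIN_LEN = 12    # assumed minimum for the corrected policy
CORRECTED_MAX_LEN = 128   # assumed generous cap so passphrases are allowed


def estimate_bits(pw: str) -> float:
    """Rough strength estimate: log2(alphabet size) per character, where the
    alphabet is the union of the character classes actually present."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation + " ", 33),
    ]
    space = sum(size for chars, size in classes if any(c in chars for c in pw))
    return len(pw) * math.log2(space) if space else 0.0


def legacy_policy(pw: str) -> str:
    """Models the policy the text complains about: long input is 'weak'
    regardless of content, so a good passphrase is penalised for its length."""
    if len(pw) > LEGACY_MAX_LEN:
        return "weak"
    return "strong" if len(pw) >= 8 else "weak"


def corrected_policy(pw: str) -> str:
    """Rates by estimated bits instead of a short cap: a long passphrase
    scores well, and a short complex-looking password does not get a pass."""
    if len(pw) < CORRECTED_MIN_LEN or len(pw) > CORRECTED_MAX_LEN:
        return "weak"
    bits = estimate_bits(pw)
    if bits >= 70:
        return "strong"
    if bits >= 50:
        return "ok"
    return "weak"
```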