Queue up the Alice Cooper and get ready. Last Friday was the last day of school for the kids. That means school’s out for summer, and it’s time to get ready for the heat in all its glory. Rich and Adrian live in the desert (literally), so I’m not going to complain about temperatures in the 90s, but thankfully there is no lack of air conditioning and pools to dissipate this global warming thing.

[Photo caption: Living life, one cherry at a time...]

There are plenty of things about summer I enjoy, but probably best of all is being able to let my kids be kids. During the school year there is always a homework assignment to finish, skills to drill, and activities to get to. We are always in a rush to get somewhere to do something. But over the summer they can just enjoy the time without the pressure of deadlines. They spend days at camp, then head to the pool, and finish up with a cook-out and/or sleep-over. Wash, rinse, repeat. It’s not a bad gig, especially when you factor in the various trips we take over the summer. Not a bad gig at all.

But enough about them – one of my favorite aspects of summer is the fruit. I know that sounds strange, but there is nothing like a fresh, cheap melon to nosh on. Or my favorite dessert, cherries. Most of the year, the cherries are crap. Not only are they expensive (they need to fly them in from Chile or somewhere like that) – they just don’t taste great. Over the 3-4 months of summer, I can get cherries cheap and tasty. There is nothing like sinking my teeth into a bowl of cherries at the end of a long, sweaty day. Nom.

It’s been said that life is like a bowl of cherries. I’ve certainly found that to be the case, and not because some days are the pits. It’s also that some folks always chase the easy path. You know, getting pre-pitted cherries. Or buying one of those pitting devices to remove the pits. In my opinion that basically defeats the purpose. Over the summer I enjoy moving a little more slowly (though not too slowly, Rich, settle down). And that means I like to enjoy my dessert. It’s not like grabbing a handful of M&Ms and inhaling them as quickly as possible to get to the next thing. It’s about taking my time, without anywhere specific to go. Really just taking a step back and enjoying my cherries.

Hmmm. If I think a little broader, that’s a pretty good metaphor for everything. We spend most of our lives snacking on M&Ms. Yes, they are sweet and tasty, but ultimately unsatisfying. Unless you are very disciplined, you eat a whole bag quickly with nothing to show for it. Except a few more pounds on your ass. But I’d rather my life be more like a bowl of cherries. I have to work a little harder to get it done and I’ve learned to enjoy each pit for making me slow down. Although in the summer, my dessert takes a bit longer, in the end I can savor each moment. Not a bad gig at all.

There is some food for thought.

– Mike

Photo credits: “Cherry Abduction” originally uploaded by The Rocketeer

Incite 4 U

  1. Thinking about what “cyberwar” really means: Professor Gene Spafford wrote a pretty compelling and intriguing thought piece over the weekend about cyber war, whatever that means. One of his main points is that our definition is very fuzzy, and we are looking at it from the rear view mirror rather than through the windshield. Many folks joke about the security industry “solving yesterday’s problems tomorrow,” but Gene makes a pretty compelling point that these issues can impact the global standing of the US within a generation. One of Gene’s answers is to start sharing data about every intrusion right now, and I know that would make lots of us data monkeys very happy. There is a lot in this piece to chew on. I suggest you belly up to the table and start chewing. We all have a lot to think about. – MR
  2. Battle for the cloud: So you’ve heard of OpenStack, right? That amazing open source cloud alternative that’s going to kick VMware’s ass and finally bring us some portability and interoperability? Well I’ve spent a few weeks working with it, and have to say it’s a loooonnnnng way from being enterprise ready (long in Internet years, which might be a couple weeks for all I know). It’s rough around the edges, relies too much on VLANs for my taste, and the documentation is crap. On the other hand… it’s insanely cool once you get it working, and the base architecture looks solid. And heck, Citrix is going to use it for their cloud offering, and has already contributed code to support VMware’s hypervisor. Kyle Hilgendorf has a good post over on his Gartner blog about the battle for enterprise cloud dominance. Like Kyle, I’m “optimistically skeptical”, but I do think Citrix has way too much at stake to not offer a viable and compatible alternative to VMware. – RM
  3. Payment pirates: A popular refrain from CEOs I have worked for was that they did not want to spend money on training because employees would just leave and take the new knowledge with them. They know they don’t own what’s in their employees’ brains, so they view educational investment as risky. Gunnar Peterson pointed out last week that it could be worse – you could not train employees, and have them stay! There is no loyalty between businesses and their employees. Companies replace employees as if they were changing a car’s oil filter, paying for new skill sets because they prefer to or because they can’t retain good people. Employees are always looking for a better opportunity, taking their skills to another firm when they feel they can do better. That’s the modern reality. Last time I checked, the average tech job tenure was 21 months. The news that PayPal Sues Google Over Mobile-Payment Secrets for hiring a guy named Osama Bedier falls exactly into this category. It sucks that your employees left for another company – and took their knowledge with them – but that’s every company’s incentive to treat their people well. Unless the guy walked out with source code in his pocket, this is nothing more than competitive saber-rattling over what’s becoming a hotly contested payment market. To be clear, I don’t have any sympathy for Google, which is four years late to the payment party because of their moronic hiring practices. Now they must buy their way in through talent acquisition. You can bet they did not ask Osama about Bloodthirsty Pirates. – AL
  4. Dog stole your Blackberry, eh?: Mobile security and the lack of accountability seem to be popping up in the news at an increasing rate. Of course we’re used to seeing the likes of malware on Android phones and similar, but the part that irks me to no end is the refrain “someone stole my Blackberry”. Um, yeah. That happens, I’ll stipulate. The part of it that I have difficulty with is the pictures of (alleged) political junk. This week we saw the case of US Rep. Anthony Weiner, who had a lewd picture sent from his Blackberry to a pretty coed which was apparently the work of… gasp… a hacker. Next up, north of the border we find Ontario Progressive Conservative candidate George Lepp’s Blackberry sending out a picture, to Twitter no less, of what could potentially be his junk. This after allegedly being the victim of a pickpocket. Does no one take the time to put a password on their mobile device? Have we learned nothing from the years of IT infrastructure build-outs? Do we REALLY have to go back to the beginning and start to learn how to walk? At least the voters are not deluded by these types of stories. These tales of mobile device woe amount to the modern day equivalent of “the dog ate my homework”. – DL (that’s Dave Lewis)
  5. On curmudgeons: Far be it from me to pass up getting involved in a scrum. And this one is near and dear to my heart – it’s about curmudgeons. Bill Brenner kicked the hornet’s nest by calling out some grumpy folks (mostly RAGE kids, BTW), drawing a rather lengthy and reasoned response from Jericho at attrition.org. Shrdlu weighs in as well. Given that I have underwear older than some of these so-called ‘curmudgeons’, I think this is much ado about nothing. Maybe that’s my maturity talking (in Shrdlu’s words), or the fact that I call people out when they do stupid things (as Jericho may do from time to time as well). The real issue is Bill thinking that Twitter represents the real world in any way, shape, or form. Security people need to blow off steam and many do that on Twitter. Big deal. Some folks do have legitimate problems, but that’s their issue – not mine. I unfollow, which is easy enough. The issue is folks who take their job performance into the gutter to satisfy a need to rage. That’s our industry’s version of emo, and if you have enough people, you will always find some who want to play the emo game. If they think RAGE will change anything, all we can do is feel bad for them. – MR
  6. Cybersecurity goes political: This weekend I did a short interview with the AP that landed me a choice quote in an article on the Lockheed breach. Not that I have inside knowledge, but that we shouldn’t be surprised when countries treat each other as they always have, since the dawn of time. What is interesting to me is that the breach became public. Sure, some of it might have been a leak, but I think despite the increasing pace of breaches, the politics might be skewing more towards certain disclosures. Mike hit on Spafford’s call for similar action above. You can’t get Congress to free up funds without the right publicity. And you can’t hammer your Favored Nation about their bad behavior without riling up the folks back home. So I think breaches are definitely up, but we also need to read past the headlines and think about why these incidents are coming to light. – RM
  7. A forensics view of APT: I’m a big fan of the Chief Monkey’s blog. When he writes (which isn’t as often as we’d all like), it’s usually about a real issue he’s dealt with or a case study about a relevant attack and the proper response. In this two-part series (part 1, part 2) he takes on the APT – or really a motivated persistent attacker. Notice the techniques weren’t that advanced. They don’t have to be. Most targeted executives will fall for pretty simple stuff. Here is the killer: “Attacker[s] have found that by attacking a victim from multiple fronts, with a variety of tools, and by being patient, the payoffs are astounding.” The reality is that we have always had enough clues to detect this attack way before it was discovered, but it wasn’t caught. React Faster and Better, folks. React Faster and Better. – MR
  8. It’s the use case that matters: Someone needs to inform GlobalSign that Access Control, combined with Encryption, does not constitute Digital Rights Management (DRM). It’s debatable whether the BIOWRAP product helps with compliance, but clearly this product is access control – not DRM. There are many granular access control technologies available, just as there are plenty of great encryption libraries out there to manage certificates. The value of DRM systems is their ability to protect information across multiple systems. The entire concept behind DRM is that data and the rules governing its use are tied together and inseparable (by users of the data). Placing a protective wrapper around data is easy. It’s especially easy when the data does not move off the file system, but that’s the issue with health-related data: you have many audiences in many locations with different applications and storage media. Making sure controls and access rights are maintained inside and outside your network is a very difficult problem, especially when there are different rules for each location governing user rights and applications’ use of information. You can embed DRM controls at the transport layer – as with Data Loss Prevention technologies – or you can embed them within the application layer. Either way you need to control use, not just storage. – AL