This week I will take a page from Adrian’s Friday Summary approach, and just offer a stream of consciousness about the recent trip the family and I took to DisneyWorld. We went down there to watch the girls dance in Downtown Disney. Their dance company does this every other year, which means we are down in Orlando doing the Disney thing every two years. Trying to be more present and aware in my daily life was interesting in a place like Disney. So let me start with a few observations.

First of all, it’s expensive to hang out with the Mouse. We get a great deal on tickets to the parks and it still costs a metric crap ton of coin to be there for a couple days. Then you throw in food, bottled water, and the bargain $8 ponchos (which are a bargain during the 20 minute daily downpours) – and it’s not a cheap vacation.

Next you have people of all shapes, sizes, nationalities, languages, cultures, etc. If you think America in general is a great melting pot, spend a little time at Disney. You see young and old. Extended families. Those from the US and those not. Newlyweds. Bachelorette parties and all sorts of other groups. Most of these families have group t-shirts on. I just don’t get that. Do you think they wear that T-shirt any other time? Okay, don’t answer that. Actually the best shirts we saw all week were on a family that said, “We don’t believe in family trip t-shirts.” On all 20 of them. Hilarious.

The diversity you see is really cool. The downside for me is varying levels of hygiene. I have a pretty sensitive nose and it can get a little steamy in June in Orlando. So standing on line for 40 minutes to ride Peter Pan (I’m still peeved at XX1 about that) next to a group that don’t get deodorant is unpleasant to say the least.

You can also see the impact of mobile technology. We let XX1 roam around EPCOT with her dance friends one of the days. We always knew how to get in touch with her. The expectation was that she would check in every hour or so. And worst case we could always use Find My Friends to see where she was. I noticed loads of people with heads down on mobile devices as they walked the park. They were missing the experience, but that’s the culture today. Same goes for folks who watch rides or their kids dancing through the viewfinder of a camera. That doesn’t work for me but it’s common. One dude got it right and had a GoPro camera affixed to his kid’s stroller. I guess to record the reactions to seeing Mickey and the like. That was pretty cool – like a second set of eyes. I didn’t see anyone with Google Glasses on, so there’s that.

Last summer I rued missing XX1’s first experience riding a big roller coaster. I did make amends by doing the Rock and Roller Coaster with both the girls and then the Tower of Terror. The girls couldn’t be more different. XX1 was cursing up a storm on both rides (though she did ask before spewing profanity – manners first). I wonder where she got that from? The Daredevil (XX2) was laughing throughout both rides.

And best of all, I was right next to the Boy as we rode the Everest coaster in Animal Kingdom. He was scared, like I was the first time I rode a coaster. Which was a little curious given he has no issue doing a 5-story drop at the water park. He cried a little as we boarded the car, much to the chagrin of the family behind us – who thought I was a monster forcing my son onto the ride. I was in his ear the whole time assuring him it was going to be great. As we made the first climb, he ducked a little to not see much of anything. Then we were off, and as he squeezed my hand through the backwards drop and as we pulled a G or 2 through the curves and drops. You know what? He survived. And he loved it! I loved being there right next to him as he experienced it. That’s what being a Dad is all about.

The reason we went to Orlando also worked out marvelously. Despite raining pretty much all day, the sun came out and shined during their performance. And the girls shined as well. I have mentioned there are few things more gratifying than seeing your kids excel at something they are passionate about. So as long as they want to dance in Disney, I’ll be down there every two years, contributing to the Mouse economy and riding roller coasters with all my kids. And loving every minute of it.


Photo credit: “Mickey Mouse Magician” originally uploaded by Alain

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Understanding Role-based Access Control

NoSQL Security 2.0

Newly Published Papers

Incite 4 U

  1. Half Life: As always, Wendy put up a post that makes you think. She plays off some of Jon Ramsey’s perspectives (from Dell Secureworks), which include “the more widely [a security control is] used, the more attention it will be given by attackers.” Not novel. But the adjunct theory that “the pervasiveness of a control is driven by its requirement for compliance” makes this interesting. So all the things compliance mandates become pervasive, which then means attackers figure out how to evade them. The answer then pretty much has to be security by obscurity, no? That’s a short-term fix but not a long-term solution. The answer over time will be to reinvent security, which also requires us to rethink infrastructure. The good news is that it’s happening and it’s called cloud computing. But that’s a story for another day, and as Wendy says, “If you want to talk this over, you can find me in the bar.” Right next to me. – MR
  2. Winds of Change: Branden Williams discusses EMV as an E-Commerce Fraud Driver, but quickly makes the point that even if EMV (i.e., “smart cards”) becomes a reality in the US, it cannot solve ‘card-not-present’ security issues. I believe EMV will become irrelevant before it’s adopted. In the US you may be paying with your smart phone before you ever put a smart card in your wallet. Branden’s story about bypassing the line at the local restaurant – ordering and paying via his mobile phone – serves as a reminder that customer convenience is a bigger driver for adoption, and ask Mike about his Starbucks app, which may get more use than his iOS Mail app. Card-not-present (CNP) transactions are growing fast, and they are not protected by EMV but most merchants already protect themselves with reasonably effective tools like 2FA, geolocation, device fingerprinting, IP reputation and fraud analytics to name just some of the methods. Well, most do. I think whether the US will ever get EMV is an open question – payment apps that fully emulate EMV with good-enough security may arrive first. The latter essentially solve both problems with a better user experience. – AL
  3. Secure as it needs to be: You know the old adage that the Internet is as secure as it needs to be. So clearly there is a danger to the advertising networks because all of a sudden the US Senate is these folks calling out and recommending the US FTC lock them down, and miraculously they have gotten religion about controlling the malware running through ad networks. We are starting to hear about start-up companies targeting this opportunity, and we will see a bunch of changes within ad networks to scrutinize ads (and the links they connect to) before ads go live. Not unlike the App Store model, where Apple actually does some testing of apps before they are released, ad networks will need to test their links. Yet, the ad networks face a tougher dilemma because attackers can keep a destination link clean until they don’t. So we may be getting to a situation where links needs to be checked every time. But the alternative is to have either the government lock it down or consumers stop clicking things. Okay, the former is more likely than the latter. Which also means that it will be years before anything really happens. – MR
  4. 2FA 4U2: Brian Donahue’s post, What is Two-Factor Authentication? Where Should You Use It? is a good and timely read. We already know that firms fail to secure password hashes, even when they try. We already know most password systems in use today use the wrong (i.e., weak) hashing algorithms. And we know users, for the most part, use weak passwords. Two-Factor Authentication (2FA for short) is considered a “security speed bump” by most security professionals, as it only slows down determined attackers. To which I say “So What?” – most attackers are not well funded NSA types, but profiteers using compromised and guessed passwords. More and more firms are offering 2FA, and I have started using it just about everywhere I can. You should too, especially if it’s an admin account, or one that has your credit card. Check your settings pages as it may be buried there; it typically costs the provider money so the feature is not always advertised. An automatic SMS to your phone or get a one-time password via a soft token app, enter that value on the web site, and you’re done. – AL
  5. Moscow Rules: Gunnar has a great summary up of a keynote talk he did for an Identify Summit. He talks about some rules we need to think about as we move towards cloud and mobility enabled existence. They come directly from spy tradecraft. Gunnar points out that the rules under which spies operated behind enemy lines are a good metaphor for how we should treat mobile devices. Things like having standards, assuming devices are compromised, anticipating things going wrong, and making sure any data on devices can be quickly discarded or destroyed. He has more pithy terminology so you should go read his post. But he’s exactly right – we cannot assume these devices aren’t hostile or compromised, and that means we need to ensure we do everything we can to protect ourselves from them. – MR