I’m not sure why I ever think I’ll get anything done in June. I do try. I convince myself this year will be different. I look at the calendar and figure I’ll be able to squeeze in some writing. I’m always optimistic that I will be able to crank through it because there is stuff to get done. And then at the end of June I just shrug and say to myself, “Yup, another June gone and not much got done.”
That’s not really true. I did a lot of travel. I took some great vacations with the family. I had great meetings with clients. But from a deliverables standpoint, not much got done at all. I shouldn’t be hard on myself because I have been at home a grand total of 30 hours for the entire month thus far. Seriously, 30 hours.
Yes, I understand these are first world problems. I mentioned that the girls dance at Disney, then it was off to the west coast for a client meeting. Then I flew across the pond for a couple days in London for the Eskenzi PR CISO forum. For the first time (shocking!), I got to tour around London and it was great. What a cool city! Duh. As I mentioned in Solo Exploration I’ve made a point to explore cities I visit when possible, and equipped with my trusty mini-backpack I set out to see London.
And I did. I saw shows. I checked out the sites with the rest of the tourists. I took selfies (since evidently that’s what all the kids do today). I met up with some friends of friends (non-work related) and former colleagues who I don’t get to see enough. It was great. But right when I got home, it was a frantic couple hours of packing to get ready for the annual beach trip with my in-laws. Yup, told you this was a first world problem.
I did work a bit at the beach, but that was mostly to make sure I didn’t drown when I resurfaced today. I also had some calls to do since I wasn’t able to do them earlier in the month, and given that I commit to family time by noon, there wasn’t a lot of time to write. There never is in June. Then last Sunday we dropped the kids off for their 6+ weeks of camp and I spent another couple days meeting friends and clients in DC around a certain other analyst firm’s annual security conference.
So by the time we packed up the van and headed back to ATL yesterday, I have basically been gone the entire month. Now I have a few days in ATL to dig out and then it’s another quick trip next week. Yes, this is the life I chose. Yes, I really enjoy the work.
And yes, I’m in a daze and it won’t slow down until the middle of July. Then I’ll get to bang through the backlog and start work on summer projects. I could make myself crazy about what’s not getting done, or I can take a step back and remember things are great. I choose the latter, so I’ll get done what I can and smile about it. I will be sure to be a bit more realistic about what will get done next June. Until I’m not.
Photo credit: “Daze” originally uploaded by Clifford Horn
The fine folks at the RSA Conference posted the talk Jennifer Minella and I gave on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts, and Twitter timeline will be there when you get back.
Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.
- June 17 – Apple and Privacy
- May 19 – Wanted Posters and SleepyCon
- May 12 – Another 3 for 5: McAfee/OSVDB, XP Not Dead, CEO head rolling
- May 5 – There Is No SecDevOps
- April 28 – The Verizon DBIR
- April 14 – Three for Five
- March 24 – The End of Full Disclosure
- March 19 – An Irish Wake
- March 11 – RSA Postmortem
- Feb 21 – Happy Hour – RSA 2014
We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.
Trends in Data Centric Security
Open Source Development and Application Security Analysis
Understanding Role-based Access Control
NoSQL Security 2.0
Newly Published Papers
- Advanced Endpoint and Server Protection
- Defending Against Network-based DDoS Attacks
- Reducing Attack Surface with Application Control
- Leveraging Threat Intelligence in Security Monitoring
- The Future of Security
- Security Management 2.5: Replacing Your SIEM Yet?
- Defending Data on iOS 7
- Eliminating Surprises with Security Assurance and Testing
Incite 4 U
- Problem fixed. Now clean up your mess. Yes, some 300k sites have yet to patch the OpenSSL ‘Heartbleed’ vulnerability, but a more troubling issue is that residual leaked data will cause ongoing problems, as Robert Hansen illustrated in The Ghost of Information Disclosure Past. Many vulnerable sites had credentials scraped, and while they asked their users to reset their passwords, they did not force resets. Attackers now have accumulated credentials which can provide fun and mayhem for anyone with 5 Bitcoins. The Heartbleed cleanup is messy, and in cases where (potentially) all user passwords could be compromised, it is best to “nuke from orbit” and require resets for all registered users. No one said it was easy, right? – AL
- You too can be a security person: There is no doubting the skills shortage in security. We routinely talk to folks who have open positions for 6-12 months and they are significantly compromising on the skills & capabilities of candidates. The answer is to both grow your own (invest in internal programs) and work within broader programs to get kids interested in security. So kudos to Symantec, which announced a partnership with the Clinton Global Initiative and a bunch of other partners to train folks in security. Of course we all know the best security folks have a broad background in technology, but beggars can’t be choosers. To be clear, you’ll be training these folks yourself, even with their certs and couple months of work experience. But one step above entry level is still a step above entry level. – MR
- A bigger speed bump: My friend Antony Ma posted some research on how to Design a hack proof password storage aimed at developers who want to create better password hashes. His advice is pretty solid, and for anyone interested in security I recommend experimenting with passwords and hashing as a way to start learning about developing secure software. Even better, trying cracking your own system and see what weaknesses you find. Yes, hack yourself! But don’t even think about putting any crypto (or even security) code into production without professional validation. Even seasoned cryptographers make mistakes, and you generally code for the weaknesses you expect. Combine that with the fact that you are just good enough to keep someone at your skill level from breaking your own system. If you’re serious hire an unbiased third party to analyze what you did. And don’t take the finding personally – it’s a learning experience. – AL
- Myrcurial’s nanosecond revenge: One of the coolest things about being a part of Securosis is the sheer intellectual horsepower of our contributors. It’s hard to overstate how valuable they are for keeping us honest and making us think about the longer term, given it’s what they live every day in their day jobs. So a Bloomberg story about how organized crime infiltrated a hedge fund’s systems and impacted their ability to trade just made me smile. Our own Jamie Arlen was right, three years ahead of everyone else. That link is to the abstract of his 2011 BlackHat talk about protecting High-Frequency Trading networks. To be clear, your run-of-the-mill pimply teen isn’t going to pop a hedge fund and game their systems. But organized crime factions which understand financial markets – and more importantly can trade ahead of impacted systems and launder their earnings – are doing this stuff today. And I’m sure some of you can only snicker that the crooks traders on Wall Street are now being bested at their own game. – MR
- PaaS the remote: Oracle needs to have a cloud strategy before they can declare war on cloud markets. Usually when Oracle “declares war” they take on all comers with some huge TPC benchmark from their uber-server. Of course they win, but bigger servers and more on-prem infrastructure is missing the entire point of where the market is going: to the cloud. A software delivery cloud is not really SaaS at all, and DBaaS is not interesting to customers who need the full stack of products and services to get their applications into production. I have said many times that if Oracle ever really gets their act together, they will be huge in the PaaS market. Providing existing Oracle customers a lower cost, on-demand, less-involved cloud implementation of what they have today – and migration support to get there – would give them a big winner. But they have been too busy smacking ‘cloud’ labels on their big iron to go after a genuine cloud strategy. Customers are getting bored and starting to look elsewhere. – AL