
Incite 6/27/2012: Empty Nest

By Mike Rothman

Be quiet. Be vewy vewy quiet. Now listen. What do you hear? Listen very closely. Do you hear anything? No? That’s exactly the point. The Boss and I woke up yesterday morning to the sound of nothing. No grumbling about having to get ready for school. No kvetching about ill-fitting bathing suits, and no asking for this play date or that activity. No crappy Disney Tween shows blaring from the TV. No nothing. The house is quiet.

It smells like happiness. On Sunday we put the kids on the bus for sleepaway camp. Barbarians that we are, we ship the kids off to Pennsylvania every summer. The girls go for 6 weeks. The Boy is going for 4 weeks, as it’s his first summer away. So for the first time since XX1 was born, we will have the house to ourselves for longer than a day.

Will we miss the kids? Of course. We huddle around the laptop every night and look for pictures posted on the camp website. We dutifully write them letters every day. Well actually, we type the letters into a website, which then prints a copy for delivery to them. We’ll trudge off to the mailbox every day, hoping we got a letter.

But we will also enjoy the time they are away. We’re going to see Earth, Wind and Fire tonight – and we don’t have to worry about arranging for a baby sitter. We may take a long weekend at a nearby resort. Or we might not. We can sleep late. We can work late. We can go to the pool at 2pm if we feel like it. We can BBQ on Wednesday, and I could party on Friday night, knowing that I don’t have to wake up early to take a kid to a game or activity.

Best of all, I can spend quality time with the Boss without the constant crushing pressure of being the involved parents of active kids. We don’t have to worry about who’s making lunches, or picking up from the dance studio, or folding the laundry. Two adults don’t really generate that much laundry. These quiet times also prepare us for the inevitable, when the kids leave the nest. Lots of parents forget to have their own relationship because they are too busy managing the kids. Not us – from here on, our nest will be empty every summer.

We are painfully aware that the kids are with us for a short time, and then they will live their own lives. And 6 weeks every summer is a big chunk of their summer vacation. Like everything, it’s a trade-off. Ultimately the decision is easy for us. They learn independence and how to function as part of a group, without their parents telling them what to do. We take very seriously our responsibility to prepare our kids to prosper in the wide world, and I don’t think there is a better place to apply the skills we teach them than at summer camp.

It’s also great for the kids. On the first day we have seen the boy at the pool, at the lake doing paddle boats, at the firing range, playing basketball, and watching some kind of show put on by the counselors. That was one day. So as barbaric as it may seem to send our kids away for that long, there is no other place they’d rather be every summer.

And that’s a win/win in my book.

–Mike

Photo credits: Empty Nest originally uploaded by Kristine Paulus


Heavy Research

We’re back at work on a variety of blog series, so here is a list of the research currently under way. Remember you can get our Heavy Feed via RSS, with all our content in its unabridged glory. And you can get all our research papers too.

Understanding and Selecting Data Masking

Pragmatic Key Management

Evolving Endpoint Malware Detection


Incite 4 U

  1. Blue Horseshoe loves threat intelligence: For a long time, the reactive approach to doing security worked well enough. But the past few years, not so much. So large organizations, with significant security infrastructure, have started to try to learn a bit about attackers before they attack. Wait, what? You mean an intel type function, which requires investment? Yup. So not only are we seeing a re-emergence of vulnerability trackers like iDefense, but also some new business models based on using intelligence to deceive attackers (as described in Dark Reading), or buying up zero-days to share with the good guys (Aaron Portnoy’s new shop, Exodus Intelligence). We love content, and cannot be happier that we’re finally seeing security content valued on its own merits – not just as part of a widget. – MR

  2. The future of software: We see continuing evidence in support of the assertion made by Red Monk’s founder Stephen O’Grady: Large software firms will be making money with software rather than from software. And I totally agree with that statement! While the main thrust of the post is to argue that Microsoft’s share price has suffered from poor choices in direction and lack of innovation, the really interesting aspects highlight the competitive forces within the software industry. In part it’s the transition from desktop, to web app, to mobile app, but it’s also about growing adoption of Software as a Service (SaaS) and what I consider the real long-term direction for back office applications: Platform as a Service (PaaS). Many of his observations are solid, but the dim picture he paints for Microsoft and other software vendors fails to account for their mobile and PaaS efforts, or the pricing pressures these larger software vendors will inflict on the rest of the market when they start offering the entire back office stack – including hardware and service – for a single price. Apple’s – and to a lesser extent Google’s – more consumer-oriented cloud service models differ from the visions offered by Microsoft, Oracle, and IBM. No, Oracle’s is not the most comprehensive cloud on planet Earth, but calling it “cloud in a box” is equally unfair. Apple has a fantastic product line, but that does not mean they are going to displace Microsoft SharePoint, Office, Exchange, SQL Server, or any other thoroughly entrenched back office tools – more likely iDevices will host presentation and management apps linked to those back-office applications via cloud services – brought to you by the same companies you have been doing business with for years. Same as it ever was, but fundamentally different. – AL

  3. Love it or leave it: If there’s one thing that bothers me about the security profession it’s opportunists. People who jump in, want to call themselves security professionals, but don’t want to actually do the work. You know, the people who are more interested in policies than technology. Even if your role ends up in policy – without a firm grounding in technology and a fundamental curiosity and love for what you do, I don’t see how you can succeed except by accident. That’s why I love Thomas Ptacek’s interview with Krebs. It really captures where security is headed in the next few years, the skills needed, and a little of what can make the security profession so damn interesting. – RM

  4. Malware cat and mouse: As I have done more and more research into malware analysis this year, I can’t help but be intrigued by the cat and mouse game that happens every day. In the Friday Summary I highlighted a cool post detailing how a malware writer chatted with a researcher through a chat client built into his malware (along with camera control and a keylogger). I guess the malware writers follow the Boy Scout credo, to be prepared for anything. This NetworkWorld article looks at another evolution, detailing how malware is getting smarter by detecting when it is run in a VM. Researchers and sandboxes use VMs to test malware safely, but if the malware doesn’t execute because it detects that it’s in a VM, the researcher might let the malware pass. Of course, that intentionally reduces the malware’s chances to run – giving up on infecting virtual environments – but obviously the tradeoff makes sense for them. We will see a lot more of these cat and mouse games. – MR

  5. The hamster’s dead, but the wheel is spinning: My favorite part of following a new regulation is measuring the time elapsed before it shows up in vendor product briefings. Usually with the vendor hinting (none too subtly) that this new law means everyone should buy product X or they’ll go to jail. And don’t forget the orange jumpsuit guy who always makes his way into briefing decks. For instance, take the federal breach disclosure law, a version of which has been kicking around since I worked at Gartner. Not only is there a new one, but it looks like rather than strengthening existing consumer protections, this one is really intended to weaken existing state laws. Long live the Federation! This is a nifty political trick lobbyists love to play. I admit a nice consistent federal law would be nifty, but I can’t see anything with strong protections making it through our worthless legislative branch anytime soon. Not that you won’t see it on slide 3 of the next 20 PowerPoint briefings, right next to Mr. Orange Jumpsuit. – RM

  6. I got a bad reputation: The Code’n’web blog has a post on how Symantec’s AV product blocked a TexturePacker update for having a bad reputation. While I feel for the author, WS.Reputation.1 is doing the right thing: Default deny. The AV product has no idea what TexturePacker is, so it blocks it. That’s what you do with unknown and possibly malicious software. Small software vendors have to take that extra step and include comments that instruct users to manually adjust AV settings in their installation instructions, or to turn it off during installation. Yeah, that’s a pretty bad idea, but you see it all the time. This is also an issue with other security products, as many IDS, NAC, and anti-virus products flag other security products as evil. We feel for smaller vendors, but the malware guys have figured out how to deal with this. They actually test their products with market-leading security controls engaged to see what breaks. Imagine that, actually trying to Q/A a product before shipping it to customers… – AL

  7. Must have been the fire retardant suit: A hat tip to our friends at LiquidMatrix for lampooning Bit9’s attempt to convince prospects that they were the only vendors to stop the Flame malware. Admittedly, configured tightly, something like application whitelisting could potentially, under the right circumstances, have blocked malware like Flame. Basically if you block Windows Update you are in business. Because nobody needs Windows Update, right? But if you do, and it’s trusted by the whitelisting product, then guess what? Yeah, pwnage. But why let the truth get in the way of marketing puffery? The nerve I got! Actually wanting vendors to tell the truth about what their products do… – MR

Comments

> without a firm grounding in technology and a fundamental curiosity and love for what you do, I don’t see how you can succeed except by accident.

In the very important but highly specialised world Thomas Ptacek described, this is correct, but not so in the field as a whole.  In fact, I think that technical skills often are an inhibitor. 

I see security as two sides of a coin: supply and demand. 

Supply is all about the provision of IT services such as firewall administration and application pen testing. Here, technical skills matter a lot. But supply people can’t be successful on their own. They need demand people.

Demand people work with the business types and understand the problems which can be solved by supply.  They convince the buyers of these products and services that the gain is worth the investment.  Without demand people to build the case for application security, all you have is excess supply and excess supply is always cheap to consume. 

Technical skills become a problem when dealing in the demand world because technical people live in details and absolutely love to share everything they know.  They bore the buyers and confuse them with irrelevant details.  They focus on process instead of results.  They are *kooky*.  They are often a solution in search of a problem. 

Unless we have more security leaders with sound experience in the business they support and with the credibility that comes with that experience, we’ll continue down the path we’re on and I don’t see that ending well. 

By ds

