
Incite 6/6/2012: Universally Awesome

By Mike Rothman

With all the vacation I have planned this summer, finding time for work may be a challenge. We had 4 days at home after the Barcelona trip and then headed down to Orlando where the girls’ dance troupe did a performance at Downtown Disney. Yup, a 7-hour drive, a pair of 3-day Park Hopper tickets (which we didn’t use), costumes, hotel, and meals, so we could see the girls dance for less than 30 minutes – melting in 90+ degree weather.

Photo caption: This doesn't look so bad (until you're on it)...

And it was worth every penny. They love to perform and we love to watch them. The owner of their dance studio always does a nice job with the choreography and getting all the age groups involved. Thankfully for my wallet’s sake, the Disney trip only happens every two years, so I get a 24-month respite from Orlando in June.

But it wasn’t all dance all the time. On Monday we did the Universal theme parks, where the highlight was the Harry Potter attraction in Islands of Adventure. XX1 is a huge Potter fan and she has been looking forward to touring Hogsmeade since the park opened – right after the last time she performed in Orlando. Touring Hogwarts was great and checking out the shops provided a few hours of fun as well. Even better, we survived the trip without buying wands, though we did bring home some of the famous Bertie Bott’s Every-Flavour Beans. Amazingly enough, I wasn’t keen on trying the rotten egg flavor. Go figure.

I also got my bi-annual dose of roller coasters. And then some. We went to the park with a group of folks on the dance trip, and a few were fans of the coasters. So I had some running buddies. Normally the Boss allows me to peel away from herding the kids to jump on one coaster. But with a lot of help around and with some of the kids old enough to ride the coasters themselves, I had a lot more flexibility to ride away.

I did the Hulk Coaster twice. There is nothing like the feel of being shot out of a cannon. I rode the Dragon Challenge as well, where your feet dangle to provide a different feel. But the highlight of the day was the Rockit with XX2, who was on her first real roller coaster. She wasn’t tall enough to ride the other rides and just made the requirement on this one. The kind folks at Universal gave us a VIP pass (because she was so excited when she passed the height requirement), so we scooted to the front of the line and jumped into the front row.

It isn’t just an ordinary roller coaster. You ascend 167 feet vertically (literally), and then the fun begins. XX2 is a real daredevil – she not only wasn’t scared, but she lifted her hands as we descended through the first drop. By the way, I was holding on for dear life. She was so excited, I’m just glad I was able to share that experience with her. We also dragged the other kids (kicking and screaming) on a less intense ride, and they seemed to enjoy it.

I explained to my kids that for me, roller coasters represent the fear that can paralyze many folks in every aspect of their lives. Too many folks don’t try things or take risks or live their life to the fullest because they are scared. The only way to overcome that fear is to face it and realize it all works out. I have come to enjoy the anticipation of the experience, the adrenaline surge as you climb the hill, the trust needed to let go and just enjoy, and finally the feeling of accomplishment as the ride comes to a grinding halt at the end.

Not to be too melodramatic, but roller coasters kind of reset my worldview when I was a kid. My Dad forced me to go on the Comet at Hershey Park when I was about 10 or 11. I didn’t want to go. I was scared. And every time I strap into a roller coaster I remember that day. I remember overcoming self-imposed limitations of what I can do and what was safe. XX2 needs no convincing to do anything. She came out of the womb fearless. The other two need a bit more coaxing, and I can only hope that 30 years from now they thank me for forcing them out of their comfort zones.

–Mike

Photo credits: “Life is a roller coaster…. you have your ups and downs unless you fall off” ~ Happy FRISKY Friday ~ originally uploaded by turtlemom4bacon


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently under way. Remember you can get our Heavy Feed via RSS, where you can see all our content in its unabridged glory. And you can get all our research papers too.

Understanding and Selecting Data Masking

Pragmatic Key Management

Evolving Endpoint Malware Detection

Understanding and Selecting a Database Security Platform


Incite 4 U

  1. The weakness of account recovery: We got another stark reminder that it’s not if, but when you get popped, this week. CloudFlare’s CEO lost control of his email when attackers reset his password. But Prince says passwords are at least 20 characters, random, and not used on other services. So how did they get his account? Leave it to Krebs to figure out what really happened. The attackers gamed the account recovery process at Google (where he had both personal and corporate email) by tricking AT&T into forwarding his voicemail to a different account. It’s a pretty complicated hack, but if you use Gmail (or Google apps) for email, their 2-step verification is a must. Just remember that, depending on your phone, taking advantage of their SMS backup system might be as simple as triggering a password reset SMS while you’re in the can, with your phone in your jacket/purse. – MR

  2. Automated on-boarding: Rohit Sethi offers a really nice approach to addressing security in a recent post on Managing Security Requirements in Agile Projects. I have always stressed the importance of on-boarding security, and getting security into user stories is really important for making sure developers know their responsibilities. What I like about Rohit’s process is the filtering and prioritization. He suggests a bit more of a formulaic approach, with a repeatable process for including security – a/k/a Non-Functional Requirements (NFRs) – in the generation of requirements and stories. I normally expect the constraints to come from threat modeling and secure coding standards, but this is a bit different. Sure, validation comes from unit and regression tests (a burden on developers and QA), and as Rohit recommends, additional validation through manual and static review. But Rohit implies that you can auto-generate and embed requirements and checklists right into the stories as part of the project management process. You’re adding requirements, and more importantly filtering out unnecessary requirements, right from the management tools. That’s a pretty slick way to efficiently include NFRs, which makes it much easier on less technical project managers who don’t usually know what’s appropriate to include. – AL

  3. I wonder what this cost them? I guess sometimes I take it personally when folks call industry analysts paid shills. I know how we do business, but unfortunately there are folks who have no problem publishing puff pieces defending their clients. And for better or worse, we all get grouped together as street walkers. Evidently Zeus Kerravala has hung out his own shingle after years at Yankee Group, and it seems F5 paid for the entire house. OK. Maybe that’s not entirely fair, but to do a point/counterpoint in response to a vendor white paper? Really? I know you do things to get a new business off the ground, but this post should have come with a pair of fishnet stockings and a get out of jail free card. – MR

  4. When sucking does not matter: What are the attributes of a NoSQL database? Distributed fault tolerant architecture, scalability, data partitioning, performance over (eventual) consistency, and simple key-value lookups tend to comprise the list. Working from those basic principles, Andreas Jung delivers a major smack-down to MongoDB, basically saying it’s non-competitive – if not an outright failure – in several of these key areas. He makes good points on locking, single index support, and MapReduce – they do feel beta-ish in usability. Then again, so do about a hundred of MongoDB’s competitor NoSQL databases. The entire segment is composed of adolescent software (pimples and all)! What’s amazing to me is how many NoSQL databases are running huge production applications today – especially considering that a decade ago most enterprises refused to use open source software because of the lack of support, product immaturity, and fear of code tampering. There seem to be no such impediments to open source adoption nowadays. We hear complaints about quality and platform immaturity – but make no mistake, the only reason we hear the complaints is because developers care. Developers, and the companies they work for, already rely on NoSQL platforms as critical infrastructure. – AL

  5. It depends on your definition of effective: Apparently the folks at Consumer Reports deem free anti-virus effective. [Subscription required or check out NetworkWorld’s summary] That is “as long as you surf safely – that is, you never download software from unfamiliar sites or click on e-mail links to access bank or other personal accounts…” Really, that’s what they say. Uh, so basically free works for nobody. I believe that free AV is as crappy as the paid version, but this seems to gloss over the complexity of the attacks and oversimplify things. But then I hear Jack Nicholson ringing in my ears: “You can’t handle the truth!” Right, carry on. I’ll just try to be thankful to have an ongoing market for what I do, and not to rail against these ridiculous mass-market security tests. – MR

  6. Vendor tip: If there is APT in your PPT, you’re doing it wrong. I know we write for users, but sometimes I just have to do a quick piece to help vendors stop acting like idiots. Time and time again I see the buzzword du jour, APT, in a vendor’s briefing deck. Check out this scathing post from Kyle Maxwell and get your laughs for the day. Really, if you are trying to sell a security product to security people, trying to convince them it will stop the APT will make for a short meeting and a fatal blow to your credibility. Unless your pitch is that you can’t stop the APT, but your product can help find it (maybe), and figure out what it did (maybe). So please push back when your CEO demands an APT slide. Or pull the slide out before you give the pitch to anyone. Leave it in for the CEO, and let them twist in the wind. And then start working on your resume. – MR

Comments

Fun Incite this past week!

RE: NoSQL in the enterprise in production: There’s not much to stop developers wanting to play with the cool neat new things like NoSQL/MongoDB stuff. All the successful, high-profile peeps bend rules like that, so can they! Ship first, secure later on if anyone finds issues… For me, this is the time of year when my developers have free time, and I’m scrambling trying to keep up with their research projects sending our data to various “cloud” ops and access all over the place with shared/personal accounts and so on.

RE CloudFlare: It’s interesting that it also comes down to social engineering and people mistakes. How often does security come down to customer service staff, staff that is often high burnout, high turnover, low payscale? And yet we all demand easier stuff, processes, etc. Thanks for that link, tho, as I had passed over it thinking it was Brian’s original article mentioning this. For a not-highly-technical hack, it sure is involved.

We also decry password security like it’s a fad that shouldn’t go away. Yet now we get to whack our users’ knuckles about being smarter how all these things are tied together as well? Yikes. Or how to pick better password recovery options? What a fun game! :)

By LonerVamp


Your next Recovery Breakfast needs to include a roller coaster. I love roller coasters!

By Dwayne Melancon

