Incite 7/10/2013: Selfies

By Mike Rothman

Before she left for camp XX1 asked me to download her iPhone photos to our computer, so she could free up some space. Evidently 16gb isn’t enough for these kids today. What would Ken Olson say about that? (Dog yummy for those catching the reference.) I happened to notice that a large portion of her pictures were these so-called selfies. Not in a creeper, micro-managing Dad way, but in a curious, so that’s what the kids are up to today way. A selfie is where you take a picture of yourself (and your friends) with your camera phone. Some were good, some were bad. But what struck me was the quantity. No wonder she needed to free up space – she had all these selfies on her phone.

Felinis selficus...Then I checked XX2 and the Boy’s iTouch devices, and sure enough they had a bunch of selfies as well. I get it, kind of. I have been known to take a selfie or two, usually at a Falcons game to capture a quick memory. Or when the Boss and I were at a resort last weekend and we wanted to capture the beauty of the scene. My Twitter avatar remains a self-defense selfie, and has been for years. I haven’t felt the need to take a new selfie to replace it.

Then I made a critical mistake. I searched Flickr for selfies. A few are interesting, and a lot are horrifying. I get that some folks want to take pictures of themselves, but do you need to share them with the world? Come on, man (or woman)! There are some things we don’t need to see. Naked selfies (however psuedo-artistic) are just wrong.

But that’s more a statement about how social media has permeated our environment. Everyone loves to take pictures, and many people like to share them, so they do. On the 5th anniversary of the iTunes App Store, it seems like the path to success for an app is to do photos or videos. It worked for Instagram and Snapchat, so who knows… Maybe we should turn the Nexus into a security photo sharing app. Pivoting FTW.

As for me, I don’t share much of anything. I do a current status every so often, especially when I’m somewhere cool. But for the most part I figure you don’t care where I am, what my new haircut looks like (pretty much the same) or whether the zit on my forehead is pulsating or not (it is). I guess I am still a Luddite.


Photo credit: “Kitsune #selfie” originally uploaded by Kim Tairi

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Continuous Security Monitoring

Database Denial of Service

API Gateways

Security Analytics with Big Data

Newly Published Papers

Incite 4 U

  1. If it’s code it can be broken: A fascinating interview in InfoWorld with a guy who is a US government funded attacker. You get a feel for how he got there (he like to hack things) and that they don’t view what they do as over the line – it’s a necessary function given that everyone else is doing it to us. He maintains they have tens of thousands of 0-day attacks for pretty much every type of software. Nice, eh? But the most useful part of the interview for me was: “I wish we spent as much time defensively as we do offensively. We have these thousands and thousands of people in coordinate teams trying to exploit stuff. But we don’t have any large teams that I know of for defending ourselves. In the real world, armies spend as much time defending as they do preparing for attacks. We are pretty one-sided in the battle right now.” Yeah, man! The offensive stuff is definitely sexy, but at some point we will need to focus on defense. – MR

  2. Open to the public: A perennial area of concern with database security is user permission management, as Pete Finnigan discussed in a recent examination of default users in Oracle 12cR1. Default user accounts are a security problem because pretty much everything comes with default access credentials. That usually means a default password, or the system may require the first person to access the account to set a password. But regardless it is helpful to know the 36 issues you need to immediately address after installing Oracle. Pete also notes the dramatic increase in use of the PUBLIC permissions, a common enabler of 0-day database exploits. More stuff to add to your security checklist, and if you rely upon third party assessment solutions it’s time to ask your provider for updated policies. By the way, this isn’t just an issue with Oracle, or databases for that matter. Every computing system has these issues. – AL

  3. Want to see the future of networking? Follow the carriers… I started my career as a developer but I pretty quickly migrated down to the network. It was a truism back then (yes, 20+ years ago – yikes) that the carriers were the first to play around and deploy new technologies, and evidently that is still true today. Even ostriches have heard of software-defined networking at this point. The long-term impact on network security is still not clear, but clearly carriers will be leading the way with SDN deployment. given their need for flexibility and agility. So those of you in the enterprise should be paying attention, because as inspection and policy enforcement (the basis of security) happens in software, it will have a substantial impact on how network security happens. – MR

  4. No firewall for you: Getting rid of firewalls? Yep. That’s the basic message from the US Defense Information Systems Agency. They are moving from a network-centric segmentation model, where layers of network defense are defined by data classification standards, to a data-centric model. In a nutshell, information centric security is based on encryption, backed by identity and authorization management systems. It makes sense to move to a logical data security model that works regardless or network (public, private, cloud) or device, but the more interesting aspect is the huge mental shift for this organization to accept and embrace sensitive data moving in and through suspect environments. Which means it will likely never happen. – AL

  5. Squeezing every ounce of productivity…: An interesting article about the wave of meditation spreading around Silicon Valley. It has nothing to do with becoming more balanced, more mindful, or a better human. It is all about increasing productivity. Chasing every nickel knows no boundaries. These folks figure if they can get their employees more focused they can squeeze some more productivity out of them. Maybe they are right. I have been meditating for a number of years (yes, it helps). I can only hope these folks, after getting exposed to the practice by a corporate overlord looking for a productivity boost, learn that the increase in job effectiveness is really a minor benefit in the grand scheme of things. – MR

No Related Posts

I’m very interested in Adrian’s item under “No firewall for you” as I have heard a number of organizations discussing this.  I really want to hear some post-facto analysis from companies who go this route, to find out what differences (positive and negative) they experience.

Along those lines, I have been in conversation with a couple of companies who want to get rid of antivirus because they feel it isn’t adding value (at least in the data center).  Unfortunately, they both have to answer to PCI which explicitly requires AV so that is a bit of a problem.

In general, I think the more we can streamline the number of countermeasures and controls we have to manage, the better.  But it is definitely a “look before you leap” problem.

BTW - I’m with you on the selfies - definitely fascinating.  My daughter told me about “duck face” selfies, which are apparently a sub-class of the normal selfie.  You can find a lot of them on Flickr, too: face selfie

By Dwayne Melancon on

@Dwayne - that specific example is to get Rid of network complexities around tiered networks based upon level of secrecy. I’ve seen companies use this model through doc sharing apps and some DRM implementations but they are not common. Not sure who will talk but ill check.

As far as getting rid of AV given PCI ironically means more network segmentation.


By Adrian Lane on

@dwayne, amazingly enough I have an opinion on this as well. Sounds like a rehashed version of the old Jericho line of thinking. They called for the end of firewalls as well, and we all know how well that was received in the market.

Fact is, the port/protocol firewall isn’t very helpful to deal with advanced attacks. Thus the movement towards application awareness and a consolidation of functions on the perimeter. I’ve yet to talk to anyone that has really embraced this model, so I don’t really have an opinion on the true impact. Not yet anyway.

Regarding the AV discussion, remember there are cheap and borderline free alternatives for AV in the market. I know of a few organizations that have gone with these low end offerings to check the compliance box, but use more advanced techniques in the data center and on critical/at-risk devices.

The data center is a bit of a different animal and it’s likely easier to get a compensating control exemption from an assessor if you’ve locked down your servers with something like application white listing. Much harder on the endpoints because of the issues of breaking the security model with grace periods and the like…


By Mike Rothman on

If you like to leave comments, and aren’t a spammer, register for the site and email us at and we’ll turn off moderation for your account.