Incite 7/17/2013: 80 años
By Mike Rothman
If you want a feel for how long 80 years is, here are a few facts. In 1933, the President was Herbert Hoover until March, when FDR became President. The Great Depression was well underway in the US and spreading around the world. Hitler first rose to power in Germany. And Prohibition was repealed in the US. I’ll certainly drink to that.
Some famous folks were born in 1933 as well. Luminaries such as Joan Collins, Larry King, and Yoko Ono. Have you seen Larry or Yoko lately? Yeah, 80 seems pretty old. Unless it’s not. My father-in-law turned 80 this year. In fact his birthday was yesterday and he looks a hell of a lot better than most 80-year-olds. He made a joke at his birthday party over the weekend that 80 is the new 60. For him it probably is.
He has been both lucky and very healthy. We all think his longevity can be attributed to his outlook on life. He has what we jokingly call _the Happy Gene_. In the 20 years I have been with the Boss I have seen him mad twice. Twice. It’s actually kind of annoying – I probably got mad twice already today. But the man is unflappable. He’s a stockbroker, and has been for 35 years, after 20 years in retail. Stocks go up, he’s cool. Stocks go down, he’s cool. Clients yell at him, he’s cool. He just doesn’t get bent out of shape about anything.
He does get fired up about politics, especially when I intentionally bait him, because we see things from opposite sides. He gets excited about baseball and has been known to scream at the TV during Redskins games. But after the game is done or the discussion is over, he’s done. He doesn’t hold onto anger or perceived slights or much of anything. He just smiles and moves on.
It is actually something I aspire to. The Boss said a few words at his party and summed it up perfectly. She had this entire speech mapped out, but when I heard her first sentence I told her to stop. It’s very hard to sum up a lifestyle and philosophy in a sentence, but she did it. And anything else would have obscured the beauty of her observation.
Worry less, enjoy life more.
That’s it. That’s exactly what he does, and it has worked great for 80 years. It seems so simple yet it’s so hard to do. So. Hard. To. Do. But for those, like my father-in-law, who can master worrying less… a wonderful life awaits. Even when it’s not so wonderful. Happy Birthday, Sandy. I can only hope to celebrate many more.
Photo credit: “Dad’s 80th Birthday Surprise” originally uploaded by Ron and Sandy with Kids
We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.
The Endpoint Security Buyer’s Guide
Continuous Security Monitoring
Database Denial of Service
Security Analytics with Big Data
Newly Published Papers
- Quick Wins with Website Protection Services
- Email-based Threat Intelligence: To Catch a Phish
- Network-based Threat Intelligence: Searching for the Smoking Gun
- Understanding and Selecting a Key Management Solution
- Building an Early Warning System
Incite 4 U
Social responsibility: Before I get too far I need to acknowledge that this is definitely a bit of he said/she said. Now that has been put out there, what we know is that Microsoft released a patch for a bug discovered and released on the full disclosure list by security researcher Tavis Ormandy (who works for Google, but I think that’s incidental here). Microsoft stated last week that the bug is being actively used in targeted attacks after it was disclosed. Tavis was clear that he didn’t notify Microsoft before posting the details publicly. Here’s what I think: we all have a social responsibility. While MS may have treated Tavis poorly in the past – justified or not – his actions put the rest of us at risk. It’s about users, not Microsoft or the researcher. If Tavis knew the bug was being used in the wild, I support full disclosure. If the vendor doesn’t respond or tries to cover it up and users are at risk, disclose publicly and quickly. But at least give them a chance, which requires thinking about the impact on everyone else first. To be balanced, vendors have a responsibility to respond in a timely fashion, even if it isn’t convenient. But to release a bug with no evidence that anyone else is using it? That doesn’t seem responsible. – RM
Identity theft fullz up: Interesting research hit this week from Dell SecureWorks, per a Dark Reading article, about seeing complete packets of stolen information (fullz), including healthcare information, appearing in marketplaces for $1,200 or so. With a full kit an attacker would have everything they need for identity theft, including counterfeit documents such as driver’s licenses and health insurance cards. Also interesting was that credit cards with CVV can be had for $1-2 each, although a prestige card (such as AmEx Black) can cost hundreds. This is Mr. Market at work. Prices for commodities go down but valuable information still demands a premium. It appears online game accounts are a fraud growth market because turning virtual items into real money can be easier due to less stringent fraud detection. – MR
Easier than making coffee: Gunnar Peterson’s keynote at CIS2013 was full of valuable witticisms (the entire presentation is on his blog) – but made a particularly profound point regarding code security: it needs to be so easy that a seventeen-year-old can do it time and time again without fail. Gunnar drew a parallel between Five Guys’ recipe for burger success against behemoth competitors: any product must pass this simple litmus test of simplicity and repeatability. They don’t offer coffee because the owner’s own sons couldn’t do it well enough – so they don’t sell it. It’s great that we talk about building security in – it’s the right thing to do. But we have an unfortunate tendency to assume that developers will become security experts – they won’t. Security must be packaged so it’s easy to use – preferably as part of the development environment – hiding the underlying complexities from the folks who need to use it. And that is why API gateways are so important. – AL
Irresponsible advice on firewalls: Sometimes I hate the SEO and link baiting titles that drive tech media. When I saw the title on this SearchSecurity post: No firewall? How disabling the firewall can improve network security, I figured it was Jericho 2.0. I was wrong – it’s worse. Joel Snyder maps out such a set of uncommon use cases it’s hard to believe. His first tip: use router ACLs. Really? Time machine, much? We moved away from router ACLs because unless you only connect to 5 networks managing the ACLs becomes unbearable. Then he suggests that using built-in host firewalls may suffice. In IaaS, for instance, you don’t have an option. But there are now tools to manage cloud-hosted firewall policies, because thinking iptables is a sustainable option for more than 10 hosts is silly. Finally he talks about data protection. Clearly folks need to protect data – but not to the exclusion of network protection. And he actually missed the biggest reason to look at doing simple firewall stuff in the cloud (or within a service provider’s network): DDoS. Network firewalls melt under volume attacks, but I still wouldn’t turn the firewall off. I’d just supplement it with a cloud-based service for DDoS mitigation. – MR
Gaining steam: Microsoft, in an effort to address user concerns over NSA access to email and Skype calls, in a recent blog post may have done the opposite. Most of the statements are qualified (e.g., “We do not provide any government with _direct_ access”) (emphasis mine), or misdirection (e.g., “These changes were not made to facilitate greater government access”), and the post provides neither an affirmation nor denial that access is available to the NSA without a warrant. Instead they describe “direct and unfettered access to our customer’s data” – but the real question remains: is the NSA embedded in their networks and services? Indirect access with SSL keys is still access. There are good ways to respond to breaches and data privacy issues, and this isn’t any of them. Posts and non-clarifications like this just fuel the Snowden scandal. – AL
Minimum effective dose: We spend a ton of security money on things that don’t work. Defense in Depth has morphed into CYA in Depth, as we layer technology over technology, often without any proof that any of the layers reduce risk. Sure, it looks good on paper, but you know how that goes. It isn’t that the technologies are total failures, but we don’t implement them in optimal ways – often for very good reasons. So we focus on more and more layers instead of cutting out the bits that don’t work and focusing on core security controls which give us a fighting chance. Over at InfoWeek Roger Grimes suggests whitelisting is really the only alternative to ineffective layers for stopping malware. I agree whitelisting works up to a point – especially for servers – but it is still tough to implement on desktops, depending on how much freedom users demand. There are many new approaches to the malware problem which are worth looking at – including virtualization-based technologies, hardened operating systems, and so on – but most of these involve hardware and software upgrades and so require more time for mass market adoption. But if you want one quick fix that blocks malware (if you can live with the user experience), whitelisting can work. – RM
Don’t look behind the curtain if you don’t want to know what’s there: It is curious that folks continue to get into an uproar about the fact that companies exist to provide offensive technologies, mostly to governments. A few weeks back Wired did an expose on the NSA, and this article excerpts some of the stuff directly related to Endgame Systems. It seems Endgame is developing exploits for mobile devices. Them and lots of other folks, by the way. Of course, this is the kind of marketing no company really needs, but this has been going on for years. Everyone was in an uproar when their email spool indicated HBGary was pitching offensive technologies to government customers. Today it’s these guys and tomorrow it will be someone else. But Mr. Market still tells us that if someone is willing to pay for something, an enterprising company or individual will meet that need. Clearly many folks are willing to pay for a good offense. Not just NFL teams. – MR