The point of sending the kids to sleepaway camp is that they experience things they normally wouldn’t. They expand their worldviews, meet new people, and do things they might not normally do when under the watchful (and at times draconian) eyes of their parents. As long as it’s legal and appropriate I’m cool.

We got a letter from XX1 yesterday. The Boss and I really treasure the letters we get because it gives us some comfort to know that they are 1) still alive, and 2) having fun. All the kids go to Hershey Park at the end of their first month at camp. So I asked in one of my daily messages, what rides did she go on?

The letter told me she went on the SooperDooperLooper and also the Great Bear. Two pretty intense roller coasters. Wait, what? When we went to Six Flags over Georgia a few years ago, I spent the entire day coercing her to go on a very tame wooden coaster. I had to bribe her with all sorts of things to get her on the least threatening ride at Universal last year. I just figured she’d be one of those kids who aren’t be comfortable on thrill rides.

I was wrong. Evidently she loved the rides, and is now excited to go on everything. She overcame her fears and got it done, without any bribes from me. Which is awesome. And I missed it. I was with XX2 when she rode her first big coaster. But I missed when XX1 inevitably had second thoughts on line, the negotiations to keep her in the line, the anticipation of the climb, the screaming, and then the sense of satisfaction when the ride ends. I was kind of bummed.

But then I remembered it’s not my job to be there for absolutely everything. My kids will live their own lives and do things in their own time. And sometimes I won’t be there when that time comes. As long as they get the experiences and can share them with me later, that needs to be enough. So it is.

That doesn’t mean I won’t become a Guilt Ninja when she gets home. But I’ll let her off the hook, at a cost. We will need to make a blood oath to ride all the coasters when we go to Orlando next summer. Me, my girls, and a bunch of roller coasters. I don’t think it gets much better than that…


Photo credit: “Great Bear 2” originally uploaded by Steve White

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

The Endpoint Security Buyer’s Guide

Continuous Security Monitoring

Database Denial of Service

API Gateways

Security Analytics with Big Data

Newly Published Papers

Incite 4 U

  1. Sideshow Bob: One of the advances big data clusters offer SIEM is the capability to collect more data – particularly as vendors begin to capture all network traffic rather than a small (highly filtered) subset. As Mike likes to say, that’s how you react faster and better. But stored data is of little use unless we do something with it – such as extract actionable intel from the data. This is why I stress that you need to stop thinking about “big data” as a lot of data – big data offers a fully customizable technology platform that can help you derive information from data you collect. Don’t be awed by the size – it’s what you do with it that counts. There’s a joke in there somewhere… A big data platform can also handle much larger data, but that’s a sideshow to the main event. – AL
  2. Pick a number, any number: I have long argued that we lack the fundamental structural frameworks to even consider measuring economic losses due to cybercrime. We can barely measure losses associated with physical theft – never mind IT. For example, how do you define downtime or response time, so you can measure is cost? I’ll bet your definition doesn’t match the person who sat next to you at your last conference, and neither of you really measures it consistently over the course of a year to produce valid statistics. This is why I slam all the Ponemon loss surveys – no matter how well the survey is built, there aren’t enough people in the world actually tracking these things to provide meaningful data. So it comes as no surprise that a report released by McAfee and the Center for Strategic and International Studies pegs cybercrime losses at somewhere between $300B and $1T. I give them props for honesty – they cite the problems I mentioned and more. But not even governments can make decision based on ranges like that. Maybe we should just say “bigger than a breadbox” and be done with it. – RM
  3. Make that a triple mocha grande exfiltration: One of our favorite Canadians (tied with Mr. Molson), Dave Lewis is now writing a blog for CSO Online, and doing a great job. Not that I’m surprised – Dave is not just an epic beard with security kung fu. The dude can write and come up with cool analogies, such as how data exfiltration is like a coffee ring on the table. Huh? Dave points out that like that inexplicable coffee ring, sometimes data is just lost. Then he goes through the fundamentals of incident response and data protection. Even telling a story or two from his days in the trenches. If I didn’t know better I would say he has been hanging out with windbag analysts a bit too much. – MR
  4. Spectacular, and not in a good way: Don’t run with scissors. Look both ways before crossing the street. Don’t put your fingers in electrical sockets. These are very basic things our parents taught us to keep us safe. At least yours should have taught you. Computer security is the same: Don’t use IE6, don’t use the same password for all websites, and don’t use open WiFi hotspots without connecting through a VPN. And if you are a developer you are told to avoid DES encryption! This has been true since the mid-90s! Even pinpad manufacturers retrofitted products in the late 90s, some with temporary triple DES workarounds, when basic DES was deprecated to the dustbin of unsafe technologies. So what the heck is going on with developers who deploy DES encryption in modern mobile devices? The SMS attack is well crafted, but SIM developers (carriers) are shooting themselves in the foot in a spectacular fashion – and we are getting caught up in their idiocy. – AL
  5. Bouncing back: Bad stuff happens to everyone. Sometimes it is as a result of your actions or inactions, and sometimes it is out of your control. Then you need to bounce back. There is an interesting HBR article about how Surprises are the New Normal; Resilience is the New Skill. Resilience is not actually a new skill, but let’s not nitpick. The author’s main point is to highlight the importance of learning from your mistakes and acknowledging your own role in defeat. Fail happens. How you deal with it, and how quickly you get off your can and move forward, is a key determinant of success. – MR
  6. Online Prisoners’ Dilemma: I think it is important to pay for what I use. I tip too much, pay real money for my ebooks, and buy all the Disney Blu-Rays for my kids. I generally try to be a good online and offline citizen. But sometimes companies make short-term decisions that hurt themselves in the long term. Take online advertising. I would like to support companies that provide free services I use, even if it means seeing some ads. But when the ads become too intrusive or track me without permission I start blocking. Which means I am always blocking because they are always intrusive. As Wired writes, anyone hoping for a modicum of privacy has to essentially use the same privacy techniques as online leeches and even actual bad guys. Technically some of these tools violate the Computer Fraud and Abuse Act. The law may be absurd, but so are the extremes many companies – including security companies – go to in order to track users and get marketing impressions. It is just one of the many ways your marketing and web teams may be creating security headaches for everyone. – RM