When you have resources you are supposed to give back. That’s what they teach you as a kid, right? There are folks less fortunate than you, so you help them out. I learned those lessons. I dutifully gave to a variety of charities through the years. But I was never passionate about any cause. Not enough to get involved beyond writing a check.

I would see friends of mine passionate about whatever cause they were pushing. I figured if they were passionate about it I should give, so I did. Seemed pretty simple to me, but I always had a hard time asking friends and associates to donate to something I wasn’t passionate about. It seemed disingenuous to me. So I didn’t.

I guess I’ve always been looking for a cause. But you can’t really look. The cause has to find you. It needs to be something that tugs at the fabric of who you are. It has to be something that elicits an emotional response, which you need to be an effective fundraiser and advocate. It turns out I’ve had my cause for over 10 years – I just didn’t know it until recently.

Cancer runs in my family. Mostly on my mother’s side or so I thought. Almost 15 years ago Dad was diagnosed with Stage 0 colon cancer. They were able to handle it with a (relatively) minor surgery because they caught it so early. That was a wake-up call, but soon I got caught up with life, and never got around to getting involved with cancer causes. A few years later Dad was diagnosed with Chronic Lymphocytic Leukemia (CLL). For treatment he’s shied away from western medicine, and gone down his own path of mostly holistic techniques. The leukemia has just been part of our lives ever since, and we accommodate. With a compromised immune system he can’t fly. So we go to him. For big events in the South, he drives down. And I was not exempt myself, having had a close call back in 2007. Thankfully due to family history I had a colonoscopy before I was 40 and the doctor found (and removed) a pre-cancerous polyp that would not have ended well for me if I hadn’t had the test.

Yet I still didn’t make the connection. All these clues, and I was still spreading my charity among a number of different causes, none of which I really cared about. Then earlier this year another close friend was diagnosed with lymphoma. They caught it early and the prognosis is good. With all the work I’ve done over the past few years on being aware and mindful in my life, I finally got it. I found my cause – blood cancers. I’ll raise money and focus my efforts on finding a cure.

It turns out the Leukemia and Lymphoma Society has a great program called Team in Training to raise money for blood cancer research by supporting athletes in endurance races. I’ve been running for about 18 months now and already have two half marathons under my belt. This is perfect. Running and raising money! I signed up to run the Savannah Half Marathon in November as part of the TNT team. I started my training plan this week, so now is as good a time as any to gear up my fundraising efforts. I am shooting to run under 2:20, which would be a personal record.


Given that this is my cause, I have no issue asking you to help out. It doesn’t matter how much you contribute, but if you’ve been fortunate (as I have) please give a little bit to help make sure this important research can be funded and this terrible disease can be eradicated in our lifetime. Dad follows the research very closely as you can imagine, and he’s convinced they are on the cusp of a major breakthrough.

Here is the link to help me raise money to defeat blood cancers: Mike Rothman’s TNT Fund Raising Page.

I keep talking about my cause, but this isn’t about me. This is about all the people suffering from cancer and specifically blood cancers. I’m raising money for all the people who lost loved ones or had to put their lives on hold as people they care about fight. Again, if you can spare a few bucks, please click the link above and contribute.


The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Building a Threat Intelligence Program

EMV and the Changing Payment Space

Network Security Gateway Evolution

Recently Published Papers

Incite 4 U

  1. Zombie software: Every few years a bit of software pops up that advocates claim will identify users through analysis of typing patterns. Inevitably these things die because nobody wants or uses them. That old technology looking for a problem problem. Over the years it has been positioned as a way to keep administrative terminals safe, or for use by banks to ensure only legitimate customers access their accounts. And so here we go again, for the 8th time in my memory, a keyboard-based user profiler, only now it’s positioned as a way to detect users behind a Tor session. What we are looking at is a bit of code installed on a computer which maps the timing intervals between characters and words a user types. I first got my hands on a production version of this type of software in 2004, and lo and behold it could tell me from my co-workers with 90% certainty. Until I had a beer, and then it failed. Or when I was in a particularly foul mood and my emphatic slamming of keys changed my typing pattern. Or until I allowed another user on the machine and screwed up its behavioral pattern matching because it was retraining the baseline. There are lots of people in the world with a strong desire to know who is behind a keyboard – law enforcement and marketers, to name a few – so there will always be a desire for this tech to work. And it does, under ideal conditions, but blows up in the real world. – AL
  2. Endpoint protection is hard. Duh! With all the advanced attacks and adversaries out there, it’s hard to protect endpoints. And in other news, grass is green, the sky is blue, and vendors love FUD. This wrapup in Network World is really just a laundry list of all the activity happening to protect endpoints. We have big vendors and start-ups and a bunch of companies in between, who look at a $5B market where success is not expected and figure it’s ripe for disruption. Which is true, but who cares? Inertia is strong on the endpoint, so what’s different now? It’s actually the last topic in the article, which mentions that compliance regimes are likely to expand the definition of anti-malware to include these new capabilities. That’s the shoe that needs to drop to create some kind of disruption. And once that happens it will be a mass exodus off old-school AV and onto something shinier. That will work better, until it doesn’t… – MR
  3. Hippies and hackers: According to emptywheel, only hippies and hackers argue against back doors in software. Until now, that is. Apparently at the Aspen Security Forum this week, none other than Michael Chertoff made a surprise statement: “I think that it’s a mistake to require companies that are making hardware and software to build a duplicate key or a back door … ” All kidding aside, the emptywheel blog nailed the sentiment, saying “Chertoff’s answer is notable both because it is so succinct and because of who he is: a long-time prosecutor, judge, and both Criminal Division Chief at DOJ and Secretary of Homeland Security. Through much of that career, Chertoff has been the close colleague of FBI Director Jim Comey, the guy pushing back doors now.” This is the first time I’ve heard someone out of the intelligence/DHS community make such a statement. Back doors are synonymous with compromised security, and we know hackers and law enforcement are equally capable of using them. So it’s encouraging to hear from someone who has the ear of both government and the tech sector. – AL
  4. Survival of the fittest: Dark Reading offered a good case study of how a business deals with a DDoS attack. The victim, HotSchedules, was targeted for no apparent reason – with no ransom or other demands. So what do you do? Job #1 is to make sure customers have the information they need, and all employees had to work old-school (like, via email and phones) to make sure customers could still operate. Next try to get the system up and running again. They tried a few options, but ultimately ended up moving their systems behind a network scrubbing service to restore operations. My takeaways are pretty simple. You are a target. Even if you don’t think you are. Also you need a plan to deal with a volumetric attack. Maybe it’s using a Content Delivery Network or contracting with a scrubbing service. Regardless of the solution, you need to respond quickly. – MR