During the week of July 4th in the US we cannot help but think about independence. First of all, it’s a great excuse for a party and BBQ, right? To celebrate our escape from the tyranny of rulers from a far-off land, we eat and drink beer until we want to puke, and blow up fireworks made in other far-off lands. Being serious for a moment (but only a moment, we promise), independence means a lot of things to a lot of people, and now is a good time to revisit what it means to you, and make sure your choices reflect your beliefs.

I guess this is better than independence yours...

With the recent media frenzy around Snowden and NSA surveillance, many folks are questioning how the government justifies their actions under the heading of defending independence. Lots of folk aren’t sure which presents a greater threat to our independence – the bad guys or the government. Regardless of which side of that fence you take, folks in the US at least have an opportunity to discuss and exercise our rights to maintain that independence. Many folks, in many countries, take to the streets in protest every day, fighting like hell to get half the rights Americans have. So as you slug down your tenth beer on Thursday, keep that in mind.

The truth is that I don’t really think much about those macro issues. I’m one of the silly few who still appreciate that living in the US affords me opportunities I couldn’t readily get elsewhere. I choose to be thankful that the founding fathers had the stones to fight for this country, and the foresight to put in place a system that has held up pretty well for a couple hundred years. Is it perfect? No, nothing is. But compared to the other options it is definitely okay. I struggle to be optimistic about most things, but I’m pretty optimistic about the opportunities ahead of me, and I’ll be drinking to that on Thursday. And I may even drink some American beer for good measure.

But independence has a different context in my day-to-day life. I spend a lot of my time ensuring my kids grow up as independent, productive members of society. Whether that means leading by example by showing them a strong work ethic, providing for their needs (and my kids want for nothing), or helping them navigate today’s tech-enabled social-media-obsessed reality, the more we can prepare them for the real world the less unsettling their path to adulthood will be. That’s why we send them away to camp each year. Sure it’s fun (as I described last week), but it also allows them to learn independence before they are really independent.

A side benefit is that the Boss and I get a few weeks of independence from the day-to-day challenges of being actively engaged parents. I’m not sure what the Founding Fathers would have thought about sending their kids away to camp (although I’m sure the political pundits on cable news have an idea – they know what the founders would have thought about everything), and I don’t much care. It works for us. And with that it is time to head down to see the Braves scalp the Marlins tonight. Summer camp isn’t only for kids.


Photo credit: “Independence Mine State Park” originally uploaded by Kwong Yee Cheng

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Database Denial of Service

API Gateways

Security Analytics with Big Data

Newly Published Papers

Incite 4 U

  1. (Certified) content is king: Mozilla’s new mixed content blocker feature rolled out with the beta release of Firefox version 23. The feature provides three basic advantages: content privacy, man-in-the-middle (MitM) protection, and multi-site validation. It provides these capabilities by forcing HTTP to HTTPS and validating site certificates. All content is encrypted, and provided the site certs are valid, you get reasonable assurance that you are connected to your intended site. Content from non-HTTPS sources is ignored. I am one of the last at Securosis who continues to use Firefox as my primary browser. It has a bunch of weird usability anomalies but I find my combination of basic features and security extensions (NoScript, Ghostery, & 1Password) indispensable. – AL
  2. You must tuna SIEM: Yes, that is a lame play on the REO Speedwagon album (You Can Tune a Piano, but You Can’t Tuna Fish), but Xavier’s point “Out of the Box” SIEM? Never is right on the money. These tools need tuning, period. Xavier “… demonstrate[s] that a good SIEM must be one deployed for your devices and applications by you and for your business!” It cannot be generic – the out-of-the-box stuff provides a starting point but requires substantial work to be operational and useful in your environment. Xavier even includes screen shots and pokes fun at built-in compliance reports. One-click PCI reports? Not so much. This post is full of win! But don’t lose sight of the point. Monitoring out of the box is not very useful. Just dealing with the noise would be a full-time gig. So make sure that any planned deployment has adequate time and resources allocated to tuna SIEM. Unless you want some more very expensive shelfware. – MR
  3. Spurn the scumbag, update the law: Over the past twenty or thirty years technology has moved so rapidly, and changed society so fundamentally, that our laws haven’t come close to keeping up. The problem is exacerbated by lobbying efforts and elected officials and aides who lack the fundamental knowledge (or even basic curiosity) to develop anything approaching effective legislation. Our copyright, patent, and criminal laws are a mess. One particularly egregious example is the well-intentioned Computer Fraud and Abuse Act (CFAA). This is the law being used to wrongly convict “Weev” (Andrew Auernheimer), the guy who skimmed AT&T’s website to grab unprotected email addresses using randomly generated iPad device IDs. I have little doubt Weev was out to cause harm, but this successful application of the law has a chilling effect that could allow prosecutors to bring criminal charges against anyone using any software or service on the Internet in a way the owners didn’t explicitly authorize. That is an incredibly broad and capricious definition of a criminal act. – RM
  4. Patterns and perspective: Jim Bird points out the difficulty of using design patterns after systems are already built – especially given that developers probably wouldn’t recognize a pattern right in front of their face, and might even have used an antipattern. Jim’s point is that, when re-factoring, confusion over what pattern applies and working through generally difficult code makes design patterns less valuable. He is right in general, because an average coder does not understand patterns. But for secure code development I argue the opposite. The same design patterns should come into play repeatedly for coding applications securely, because the same basic attack patterns appear over and over. As with educating coders on how to use source code management and adhere to code standards, they need to understand the basic threats every application they build is subject to (yes, start with the OWASP Top 10 list). They don’t need to know all the patterns, but they need to become proficient at identifying and fixing the three or four patterns they will see for the rest of their career. – AL
  5. Security education requires context: As obvious as it sounds, you need to ensure any proactive security educational efforts will be fully understood by your intended audience. For example, Israel’s IDF uses kosher eating rules to remind soldiers about information security (behind a reg wall – BOO!). The message in this case is not to connect consumer devices (mobile phones, etc.) to the military network, by comparison to eating milk and meat (a no-no for those keeping kosher). It may seem like a curious analogy but it is clear and obvious to those steeped in the dietary laws. That’s what you want – obvious analogies with a better chance to be remembered and applied. – MR
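
For site owners preparing for the mixed content blocker described in item 1, the following added example (not from Mozilla or from the original post) audits an HTTPS page's markup for subresources that would still load over plain HTTP. The function name, the tag lists and the sample markup are assumptions made for illustration; the active/display split reflects Firefox's default of blocking mixed active content (scripts, frames, stylesheets) while still loading mixed display content (images, media).

```javascript
// Added example: audit an HTTPS page's markup for mixed content.
// The tag lists are a simplified assumption, not Firefox's complete rules.
const ACTIVE = { script: "src", iframe: "src", link: "href", object: "data", embed: "src" };
const DISPLAY = { img: "src", audio: "src", video: "src" };

function findMixedContent(pageUrl, html) {
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") return []; // mixed content only exists on HTTPS pages
  const findings = [];
  const tagRe = /<([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = m[2];
    const attr = ACTIVE[tag] || DISPLAY[tag];
    if (!attr) continue; // e.g. <a href> is navigation, not a subresource
    // Only stylesheet links are loaded as active content.
    if (tag === "link" && !/\brel\s*=\s*["']?[^"'>]*stylesheet/i.test(attrs)) continue;
    const attrRe = new RegExp(
      "(?:^|\\s)" + attr + "\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s>]+))", "i");
    const a = attrRe.exec(attrs);
    if (!a) continue;
    let resolved;
    try {
      // Resolve relative and protocol-relative references against the page URL.
      resolved = new URL(a[1] ?? a[2] ?? a[3], page);
    } catch {
      continue; // unparseable reference
    }
    if (resolved.protocol !== "http:") continue; // https:, data:, etc. are not mixed
    findings.push({ tag, url: resolved.href, kind: ACTIVE[tag] ? "active" : "display" });
  }
  return findings;
}

// Constructed sample markup for a page served over HTTPS.
const SAMPLE_HTML = `
<script src="http://cdn.example/lib.js"></script>
<link rel="stylesheet" href="//static.example/site.css">
<img src="http://img.example/logo.png">
<iframe src='http://ads.example/frame.html'></iframe>
<script src="/js/app.js"></script>
<a href="http://other.example/">link</a>`;

for (const f of findMixedContent("https://shop.example/checkout", SAMPLE_HTML)) {
  console.log(`${f.kind.padEnd(7)} <${f.tag}> ${f.url}`);
}
```

Findings of kind `active` are the ones the blocker would stop from loading, so they are the references to move to HTTPS first.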