The impact of technology cannot be overstated. Not compared to when I was a kid. So we were having dinner over the weekend and XX2 started changing the lyrics to Michael Jackson’s Beat It, by crooning out “Eat It.” Of course, I mentioned that she was creative but hardly original and that Weird Al Yankovic recorded that exact song some 20 years ago. Then the Boy piped in with the chorus to Weird Al’s other Michael Jackson parody, “Fat.” Wait, what?

The Boss and I were amazed that he not only knew who Weird Al was, but another of his songs. Upon further interrogation, he admitted that a friend showed him Weird Al’s videos on the Internet. Then I launched into a story about how in the olden days, when MTV played actual music videos, you had to wait by the TV for a video you liked. That the first video I ever saw was the J. Geils Band’s “Centerfold”. I didn’t leave my room for a week after that. Not like today, where they just search YouTube and listen to what they want when they want.

Then the Boss talked about how she had to sit by the radio with her little cassette recorder in hand, waiting for her favorite songs. The art was in hitting the Record button (or more likely Record and Play simultaneously) at the perfect time. Not too early or you got a bunch of DJ gibberish, and not too late or you’d miss the first few bars of the song. Stopping recording was a similar high-wire act. Then we described the magic of the double cassette deck/recorder and how that made life a zillion times easier, so we could dub tapes from our friends. I guess now I need to expect a retroactive Cease and Desist letter from the RIAA for 30 years ago, eh?

The kid’s response was classic. What’s a cassette, Mommy? It’s hard to comprehend, but these kids have never actually seen a cassette tape. Well, they probably have, but had no idea what it was. I just traded in my old Acura that actually had a cassette player, but I last used it 7 years ago. They have no need to understand what a cassette is. Nor the hoops we jumped through to access the music we wanted.

I didn’t have the heart to further complicate things by describing the setup my brother and I had to record music, which included an old condenser mic and a reel-to-reel tape deck. I saved up for months to buy a blank reel-to-reel tape and I remember recording from Casey Kasem’s Top 40 every Sunday. Then I got my portable Panasonic cassette recorder, bought Kiss Alive II and was forever changed.

Then we told the story of the first Walkman units, and how liberating it was to be able to play cassettes without having to carry around a 30-pound boom box on your shoulder. And believe me – my boom box was huge, loud, and cool – requiring 8 D batteries. I’d get a hernia just lugging around extra batteries for that beast. Looking back, the Walkman was truly transformative. When I made the analogy to the iPod, but bigger and requiring tapes you could only fit 60 minutes of music on, they kind of got it. But not really.

Replaying that conversation in my mind makes me excited for the kinds of crazy stories our kids will tell their kids about those iPods and iPhones back in the olden days. And it also makes me feel old. Really really old. But then again, I can’t even imagine what my folks feel like, remembering when they first got TV…


Photo credits: Cassette Player originally uploaded by grundkonzept

Heavy Research

We’re back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Endpoint Security Management Buyer’s Guide

Pragmatic WAF Management

Incite 4 U

  1. Another vendor ranking grid. Oh, joy! Our friends at NSS Labs have introduced a new way to compare security vendors, specifically the network security folks: their security value map. One axis is Block Rate, and the other is price per protected Mbps. No, I don’t get it either. Actually I do, but I suspect most customers will find this chart of limited value. Especially when 80% of the products are in the ‘good’ quadrant. They must know that way too many users use the quadrant charts to make decisions for them. This chart might help compare devices, but it doesn’t help make decisions. In fairness, I really like the work NSS does. Hardly anyone else really tests devices objectively, and I applaud their efforts to remove the bias of vendor-sponsored tests. I also understand the need to have a chart that vendors will license, and the genius of setting up the tolerances so the greatest percentage of vendors are in the right quadrant to license the report. And their research is very useful to customers who do the work and actually need to understand how devices work. But the other 95% of their audience will ask how they can ‘short’ list just about everything. – MR
  2. Fixing a problem that doesn’t exist: Most users don’t regard mobile security problems as a big threat, notes Ben Wood, Director of Research at CCS Insight. No kidding. Even on Android, viruses and malware are not generally considered a big threat. Antivirus vendors would like to point out the one or two instances where malware has appeared, hoping the FUD will drive a new wave of adoption. AV has had it good for a long time, generating more revenue than all other security products combined. And the vendors would like to continue this trend, but their model does not work for mobile. Attacks are addressed differently, either locked out of app stores or outright removed from devices. And even if an app gets busted, the mobile operating systems are far better architected to deal with attacks. They aren’t perfectly immune, but it’s much harder to totally pwn a device. So mobile AV is expensive ($29.99 per year), does not solve an actual problem you have, and might not come from a trustworthy vendor. What’s not to like? Whatever the mobile security market looks like in the future, you can bet it will not look like today’s desktop AV market. – AL
  3. Going on offense? The Dell SecureWorks guys posted some cool research on APT. They come to some interesting conclusions, especially regarding the size of state-sponsored bot networks versus crime syndicates committing financial fraud. It looks like online espionage networks are smaller and may get lost among the massive consumer botnets. But they have some interesting bubble graphs showing espionage networks and decomposing the mechanisms they use to obfuscate their location. It’s entertaining for SIEM vendors to still crow about geolocation – as if attackers reliably come from their home networks. But the most interesting tidbit of all (to me, anyway) was their concluding statement about private commercial entities attacking foreign militaries – ostensibly under the direction of (or even under contract to) their own government. Obviously this stuff happens, but getting private companies involved blows away that proverbial line in the sand between a military operation and civilian/commercial. – MR
  4. You say tomato and I say nuclear destruction: Lachlan Urquhart asks: Do we need another word for cyber war? He outlines some reasons our discussions border on the absurd, “such as considering a cyber disarmament treaty similar to nuclear and chemical weapon arms control treaties.” Personally I enjoy the term “cyberwarfare” because it’s security FUD for governments. It’s a type of scarlet letter that allows me to quickly identify people with a different agenda which they are trying to sell as security. But if you want rational discussion, Lachlan points out that the ‘war’ analogy is so far off that the rhetoric has turned into nonsense. We have seen technology easily traverse national borders during times of war, freely passing information and effecting change. It’s called radio. You have probably heard of it (no pun intended). We used to call broadcasts propaganda, and they changed the way people behaved. “Cyber” is just an extension of this old capability, with the added dimension that it affects objects instead of people. Radio is a familiar old technology that does not encourage fear nor drive us to action, but it’s a much better starting point for reasonable discussion of these issues and how to deal with them. – AL
  5. Step #1: Do something: Security metrics continue to stagnate – with a lack of precision, process, and activity. Folks collect what they need, and only the largest of the large, the most mature, and the highest-profile roadkill (after suffering breaches) have moved to quantify their security operations. Okay – that’s an overgeneralization, but it’s not far off. Sensage’s Joe Gottlieb posted a 10-step process to get started with security metrics. The list is fine, and provides some decent pointers. But for starting out I favor a simpler approach: 1) Do something. 2) Pat yourself on the back. 3) Do something else. Of course we can refer back to Jaquith’s book and find out about good metrics and data aggregation platforms and all sorts of other stuff. But given the number of fires folks need to fight daily, metrics consistently fall to (off) the bottom of the list. So quick and dirty is a good start. Just don’t stop, and over time you will get somewhere. – MR
  6. AndyITGuy on awareness training: I wanted to share some link love with my long lost friend AndyITGuy, who evidently has a real job now and can’t blog too frequently – unlike some professional pontificators I know. He weighs in (somewhat late) on the security awareness training debate with a perspective similar to mine. “There are lots of discussions on whether or not awareness programs are worth the time, effort, and cost. The short answer is no. Most of them aren’t. Not because there is not value in making users aware but because the programs are crap. They are forced down users’ throats like a spoonful of Castor Oil. The only difference is that Castor Oil works.” He’s right. Companies don’t want to make the investment to roll out effective training, so the entire concept takes a severe hit. Will anything change? Nope. It’s easier to put another box in the rack and bitch at the vendor because you got breached. So that’s what many users will continue to do. – MR