By the time most of you read this I will be on my way back down the east coast, shuttling all the kid’s stuff home after a summer of camp in the family truckster. 12+ hours in pleasant solitude as the Boss flies the kids home. They start school next Monday so we didn’t want them to sit in the car all day. So I’m taking one for the team, but it’s okay. I will spend the solitary time working over my world domination plans. Like I do on every long trip.

I’d be lying if I said I’m excited that summer is over. And I know my kids feel the same way. Not that they don’t like school, but they like vacation and camp a lot better. As they should. For the Boss and me, there is something about living carefree for a couple weeks without real parental responsibilities while the kids are away. If the Boss and I wanted to go out to dinner, we did. If we wanted to go to a Braves game, we did. If I wanted to play hooky so we could take a long weekend, we did.

But in the 10 months the kids are home we need to be a little more planned. The kids are old enough now to stay by themselves for short amounts of time, so we can be a little spontaneous, and we need to do that. Though it’s incredible how quickly you get back into the daily crap of washing dishes, doing laundry, and shuttling the kids around. It won’t be long before we area again mired in the daily battle to get homework done and get ahead of major projects. It goes with the territory.

To be clear, I am excited the kids are coming home. I missed them every day and the house was very calm and quiet. That was nice, but it will also be good to get back to the craziness of our lives. But the end of summer also marks the passage of time. Another season in the books. The start of another school year is one year closer to the kids moving out of the nest and making their way in the world. It’s a reminder that we need to cherish the time they are home. Both the fun stuff and the not-so-fun stuff.

I guess that’s the point. For 6+ weeks each summer I see the future. And it’s a good future. But those other 10 months are the present. And it’s a great present. Wrapped up in a bow and everything.


Photo credit: “Summer’s End” originally uploaded by Jeremy Piehler

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

The Endpoint Security Buyer’s Guide

Continuous Security Monitoring

Database Denial of Service

API Gateways

Newly Published Papers

Incite 4 U

  1. Don’t blame the cloud: I often remind people that the cloud is no more or less secure than your traditional infrastructure – it’s just different. That said, for many organizations the cloud is far more secure because if you properly leverage public it you can outsource security to a provider with better security staffing and controls than you can afford. But, as NASA demonstrates in this piece from The Verge, you can outsource stupid. It seems NASA completely failed to comply with their own security and cloud policies by putting data in a public cloud that shouldn’t be there, failing to include security requirements in contracts, and not bothering to test security controls. Details, details. The cloud can make you more secure but it doesn’t make you smarter. And all this from the guys who built a big chunk of OpenStack. I suppose that explains a few things. – RM
  2. ETDR just rolls off the tongue – NOT! I guess you should take comfort in the fact that most analysts are very bad at marketing type stuff. I mean just look at some of the category names they come up with. The latest to draw my ire is Endpoint Threat Detection and Response (ETDR), although you can also put NGFW and NGIPS in the bucket of names I hate. It’s not that ETDR is wrong, but it’s ponderous. And a lot of these technologies aren’t limited to endpoints. I come down on the side of simplicity – only three letters in an acronym. So Endpoint Activity Monitoring and Advanced Endpoint Protection. And throw Perimeter Security Gateway into that mix as well. But in the end those with the biggest megaphones get to name the category, and that ain’t me… – MR
  3. Now go to work: Tim Wilson’s post Black Hat: Moving Security Outside The Lines captures the essence of why you should attend Black Hat. If you want to to understand how attackers approach hacking your stuff, the technical conferences are invaluable for learning the attacker mindset. If you’re an IT practitioner who wants to make stuff secure, you are in the wrong place – there really aren’t any step-by-step guides. Defense tactics and research are elsewhere. You go to BH, B-Sides, and DEFCON to learn what the really skilled people have done to break stuff, so you don’t have to. But to find practical applications of that research within your environment you need to do the work. That is what most folks forget. It’s not the hack, but what you do with the information that’s important. – AL
  4. New problems? Or new solutions? Bill Brenner has decided there is nothing new in security. The problem is that he’s wrong. To be fair, it seems like what he is trying to say is that we are dealing with the same problems over and over again. When you think about problems generically, such as malware and user behavior, how can you ever solve any of those? But to say nothing new is happening in security is ludicrous. I saw a few things at Black Hat that made me say Holy crap! So like Shimmy, I think there is plenty new to solve with variants of the issues we have been battling for years, and will battle for years to come. And that gets me fired up about the future of security. Maybe Bill just doesn’t know where to look. – MR
  5. Machines don’t lie: But they do have cruel senses of humor. Apparently Xerox has developed some scanner code that randomly alters scanned documents. How cool is that? It’s like a game to figure out whether your copy was actually a real copy. While it sounds like malicious OCR, it is being described at a bug in the symbolic representation of scanned characters. We place tons of trust in mature hardware (including copiers) to just work, but everything is driven by software, and you should place the same amount of trust in software as you do total strangers: not much. The particularly choice irony is that a friend – and Xerox employee – just received a totally messed up floorplan for their new home. For reals. – AL
  6. CSI script in 5 4 3 …: We tend to think of the Internet of Things as electronic luggage tags, door sensors, refrigerators, or fitness trackers, but we are network enabling pretty much everything on the face of the planet. Heck, I even saw a USB port at the top of a peak I recently bagged out in Boulder, CO (Bear Peak, for the curious). The question for society moving forward is whether we are going to build security into the mesh around us, or wait for it all to fall apart. Yesterday, Charlie Miller and Chris Valasek released the tools they used to hack a Prius and Ford Escape at DEFCON. It was their plan all along to release the tools, but Toyota’s false claim that you needed to pull apart the dashboard to execute the hack didn’t help. The research was interesting (and does require physical access to the vehicle), but this could be a much larger problem in the future for cars, planes, and all the other things manufacturers claim aren’t hackable – which often are, easily. – RM