It’s hard to believe, but the summer is over. Not the brutally hot weather – that’s still around and will be for a couple more months in the ATL. But for my kids, it’s over. We picked the girls up at camp over the weekend and made the trek back home. They settled in pretty nicely, much better than the Boy.

All three kids just loved their time away. We didn’t force the girls cold turkey back into their typical daily routine – we indulged them a bit. We looked at pictures, learned about color war (which broke right after the girls left) and will check the camp Facebook page all week. But for the most part we have a week to get them ready for real life. School starts on Monday and it’s back to work.

But while we think they are getting back into their life at home, they have really just started their countdown to camp in 2013. Basically, once we drove out of camp, they started the other 10 months of the year. Any of you who went to sleep-away camp as kids know exactly what I’m talking about. They are just biding the time until they get back to camp. It’s kind of weird, but as a kid that’s really how you think. At least I did. The minute I stepped on the bus to head home, I was thinking about the next time I’d be back in camp.

Now it’s even easier to keep a link to their camp friends over the other 10 months. XX1 was very excited to follow her camp friends on Instagram. We’re making plans to attend the reunion this winter. The Boss has been working with some of the other parents to get the kids together when we visit MD over the holidays. And I shouldn’t forget Words with Friends. I figure they’ll be playing with their camp friends as well, and maybe even learning something! Back in the olden days, I actually had to call my camp friends. And badger my Mom to take me to the Turkey Bowl in Queens Thanksgiving weekend, which was my camp’s reunion. It wasn’t until I got a car that I really stayed in touch with camp friends. Now the kids have these magic devices that allow them to transcend distance and build relationships.

For the Boss and me, these 10 months are when the real work gets done. But don’t tell them that. And we’re not just talking about school. Each year at camp all the kids did great with some stuff, and had other areas that need improvement. Besides schoolwork and activities, we will work with each child over the next 10 months to address those issues and strengthen the stuff they did well at camp. So they are primed and ready next June. Remember, camp is the precursor to living independently – first at college and later in the big leagues. They’ll screw things up, and we’ll work with them to avoid those mistakes next time.

It’s hard to get young kids to understand the big picture. We try, but it’s a process. They need to make mistakes and those mistakes are OK. Mistakes teach lessons, and sometimes those lessons are hard. All we ask of them is to work hard. That they strive to become better people – which means accepting feedback, admitting shortcomings, and doing their best. Basically to learn constantly and consistently, which we hope will serve them well when they start playing for real.

If we can get that message across over the next 10 months, we will have earned our 2 months of vacation.


Photo credits: Countdown calendar originally uploaded by Peter

Heavy Research

We’re back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Endpoint Security Management Buyer’s Guide

Pragmatic WAF Management

Incite 4 U

  1. It’s not over ‘til it’s over: Good luck to Rich Baich, who was recently named CISO of Wells Fargo. It’s a big job with lots of moving pieces and resources, and a huge amount at risk. He has his work cut out for him, but given his background he knows just how bad things can go. As Adam points out, Rich was CISO for ChoicePoint during their debacle, and some folks would have turned tail and found another area of technology to practice. That would have validated the clear myth that a breach = career death. But clearly that’s not true. As long as the lessons learned were impactful, executives living through experiences like that can end up the better for it. That’s why experienced CEOs keep getting jobs, even with Titanic-scale failures on their resumes. Investors and directors bet that an experienced CEO won’t make the same mistakes again. Sometimes they are right. As difficult as it is, you learn a hell of a lot more during a colossal failure than during a raging success. Take it from me – I learned that the hard way. – MR
  2. I’m with stoopid: It just friggin’ sad when someone says sensationalistic crap like How Apple and Amazon Security Flaws Led to My Epic Hacking. First because there was no ‘epic’ hacking. There was only epic stupidity, which produced epic fail. Apple and Google are only tangentially involved. The victim even stated a couple sentences in that “In many ways, this was all my fault.” You think? You daisy-chained your accounts together and they were all hacked. Of course you had cascading FAIL once the first account was breached. How about the author taking some real responsibility? If you want to help people understand the issue, how about titling the article “I’m with stupid: How I screwed up my personal security, and am now going to buy a personal password manager.” Then in the article you could say how Apple and Google contributed to the problem, but the focus should be on taking care of yourself. Don’t trust big corporations to take care of you, your security, or your privacy. Use password managers. Use multiple personas. Use different email accounts. Use two-factor auth when available. And if you’re feeling saucy, get an Amazon EC2 account and do all your browsing through a secure tunnel through their infrastructure. It’s not that hard. – AL
  3. Tools don’t DoS people, people DoS people: You are going to hear a lot about Denial of Service attacks (DoS) over the next few months. It seems to be the hot topic now, for good reason. But that also means you’ll read easy pieces like Easily available tools, botnets contribute to DDoS rise. It’s not that the story is so bad – it’s just obvious. You could have read the same story about nmap and Nessus a decade ago. To be clear, the tools don’t make the attack. The tools are just an indication of the maturity of an attack. The Metasploit framework (and earlier work done by Core Security) institutionalized running exploits as well. Same story, different attack vector. The attackers were running DDoS attacks before there were cookie-cutter tools and botnets. Now we see more because the tools allow unsophisticated attackers to get involved. But as the folks caught using a version of the LOIC learned, a fool with a tool is still a fool. – MR
  4. It’s whatever you want it to be: Do you need a firewall for your smart phone? I don’t think so. Between the walled garden app model, segregation of app functions, and virtual desktop technology, there are methods to control the data on phones and how applications it. Worse, I don’t see a model where mobile firewalls can be effective. Do I think corporations will buy mobile device firewalls for their employees? Yes, I do. And apparently so do the investors behind Lacoon Security, the mobile device firewall company that just received $2.5M in funding. IT departments understand firewall technology, and use it as an inexpensive filter to keep data on or off devices as they see fit. But this technology is a feature added onto a corporate mobile device management platform, at best. So by the time you start hearing about the “critical need” for firewalls on mobile devices, these features will be incorporated into another management platform, and morph into more generic content monitoring and mobile DLP capabilities. – AL
  5. As long as it’s policy, it’s cool: Interesting point here by the CEO of, regarding his ISP’s policy of deleting all log records after two weeks. This is mostly to protect their clients from shakedowns from pr0n producers, who prey on the embarrassment factor to get paid. Unlike many other ISPs who keep logs for 18-24 months, these guys blast their logs after two weeks. But this is actually useful in a bunch of other use cases. Remember the classic Microsoft anti-trust trial, where Bill Gates had to explain 3-year-old emails found under discovery? Some companies blow away email after 6 months as a matter of policy. Obviously your regulator may frown upon that and they may require you to keep records for a certain period of time. It’s up to you to clarify what records need to be kept and for how long, and then to build policies to only keep data you need. Especially if it can be used against you (like incriminating emails). Obviously there is an alternative, which is to do the right thing. But I know that’s not the way the world works. So if you’re worried about eDiscovery and skeletons in your closet get rid of what you can as soon as you can. As long as it’s a documented policy, doesn’t violate a compliance mandate, and is consistently enforced, you can get rid of the baggage. – MR