Incite 9/12/2012: Individuality
By Mike Rothman
It seems like so long ago that I read the Opposites board books to the kids when they were toddlers. And it was. Today XX2 and the Boy turn 9. It’s hard to believe how quickly the time has flown. Just yesterday I was emailing with an old colleague and I figured his youngest daughter must be in college by now. Turns out she graduated last year and is now in a PhD program. I’m no spring chicken anymore, that’s for sure.
On a more dour note, yesterday we remembered the tragedy of 9/11. For us the contrast between 9/11 and 9/12 couldn’t be more pronounced. When the twins were born in 2003, the emotions around 9/11 were still very raw. Yet, after a challenging pregnancy, including carrying close to 13.5 pounds of baby for 37 weeks, the twins showed up the day after. Talk about opposite emotions. But that’s not all that’s opposite. I look at the twins now and they seem like polar opposites. It’s not just their respective genders. XX2 is loud and over the top. The Boy is pretty shy and reserved. Their interests are different. Their strengths are different. Their weaknesses are different. What they eat is different too. It’s like looking at Yin and Yang every day.
Obviously dealing with opposites can be challenging at times. But we not only tolerate, we embrace their individuality. We push the kids to be their own people and have their own interests. To find their likes, understand their dislikes and hopefully spend more time doing the former than the latter. They need to embrace the fact they are different from each other, from XX1, and from us. Even though they were born on the same day, that shouldn’t define the twins or their relationship.
It was funny visiting camp with them, where we met a bunch of folks who had no idea they were twins. Brother and sister clearly, but also individuals. They weren’t constrained by being in the same grade, getting on the same bus, or having the same family friends. They could just be XX2 and the Boy. They’re lucky, as they’ve always had someone to play with and talk to, even before either could really talk.
It’s true that many siblings have that kind of bond, but with twins it’s different. They not only share a birthday, but they share some kind of strange bond that outsiders can’t understand. They probably won’t appreciate it until they get older, but they don’t need to. For now, we’ll live in the moment and wish them a Happy 9th Birthday!
Photo credits: Yin Yang Candy originally uploaded by FadderUri
Incite 4 U
Research, not hyperbole: The first I heard of the supposed AntiSec/FBI/Apple UDID ‘hack’ last week was via email from a journalist I respect. He was checking in on the plausibility of the scenario. I was out of the office, but after a bit of research my response was (real cut and paste here): “I can’t really say anything informative. Could be true, could be BS, could be data they got from another source and then are pretending is from the FBI. No real way to know what’s true, and the folks who do this sort of thing like using a lot of disinformation.” Thanks to David Schuetz (@DarthNull) we have evidence the data came from an app vendor. The initial denials from the FBI and Apple, and the vendor saying they think it was them, reinforce this. As we continue our journey into the days where chaotic actors directly manipulate the press through social media, perhaps we should keep a little skepticism on the table. (Great work David!) – RM
Targeted, not targeted attacks: It’s great that guys like Jay Jacobs have the time to mine security data and sometimes come across some pretty interesting ideas. Many of us make decisions mostly based on anecdotal evidence, which is usually close enough to point you in the right direction. But being able to analyze and quantify things can be cool. Jay just finished up a series examining what he calls opportunistic attacks (Part 1, Part 2), which are basically non-targeted attacks. But that gets back to how you define targeted. We tend to think about a targeted attack as focused on a specific organization, but as Jay shows, the bad guys are actually targeting by focusing their recon activities. They looked for a specific port, usually sending just one packet, and if they didn’t find it open, they moved on to the next target. Evidently it’s a big world and they don’t want to spend a lot of time going deep into a site to find an issue that may or may not be there, so they just move on. So these attackers are actually targeting, but a specific vulnerability rather than a specific victim. – MR
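The recon pattern described above (one probe per host on a single port, then move on) is visible in ordinary firewall drop logs, and it looks different from the "many ports against one host" scan most people picture. The following is an added illustration, not code from Jay Jacobs' series or from this post: it parses a handful of constructed netfilter-style log lines and separates horizontal single-port sweeps from vertical port scans and from benign repeat connections. The log format, the source/destination addresses and the thresholds (`min_hosts`, `min_ports`, `max_pkts_per_host`) are all assumptions chosen for the example.

```python
"""Spot horizontal, single-port recon in firewall drop logs (added example)."""
import re
from collections import defaultdict

# Constructed sample lines in a netfilter/iptables-like format; not real traffic.
# 203.0.113.7 probes one port (3389) across six hosts, one packet each: horizontal sweep.
# 203.0.113.9 probes six ports on one host: classic vertical port scan.
# 198.51.100.5 retries port 443 on one host four times: a normal (if unlucky) client.
SAMPLE_LOG = """\
Sep 12 03:14:01 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=54321 DPT=3389 SYN
Sep 12 03:14:01 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=54322 DPT=3389 SYN
Sep 12 03:14:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.12 PROTO=TCP SPT=54323 DPT=3389 SYN
Sep 12 03:14:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.13 PROTO=TCP SPT=54324 DPT=3389 SYN
Sep 12 03:14:03 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.14 PROTO=TCP SPT=54325 DPT=3389 SYN
Sep 12 03:14:03 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.15 PROTO=TCP SPT=54326 DPT=3389 SYN
Sep 12 03:20:10 fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 SYN
Sep 12 03:20:10 fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 SYN
Sep 12 03:20:10 fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23 SYN
Sep 12 03:20:11 fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25 SYN
Sep 12 03:20:11 fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=80 SYN
Sep 12 03:20:11 fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=443 SYN
Sep 12 03:25:00 fw kernel: IN=eth0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443 SYN
Sep 12 03:25:01 fw kernel: IN=eth0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443 SYN
Sep 12 03:25:03 fw kernel: IN=eth0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443 SYN
Sep 12 03:25:07 fw kernel: IN=eth0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443 SYN
"""

# Only the fields the heuristic needs; SPT is optional so lines without it still match.
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=\S+ (?:SPT=\d+ )?DPT=(?P<dpt>\d+)")


def parse_log(text):
    """Return a list of (src, dst, dport) tuples; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append((m.group("src"), m.group("dst"), int(m.group("dpt"))))
    return events


def classify_sources(events, min_hosts=5, min_ports=5, max_pkts_per_host=1.5):
    """Label each source as 'horizontal' (one port, many hosts, ~1 packet per host)
    or 'vertical' (many ports, one host). Sources matching neither are not returned.
    Thresholds are assumptions for the example, not tuned values."""
    by_src = defaultdict(lambda: defaultdict(list))  # src -> dport -> [dst, dst, ...]
    for src, dst, dport in events:
        by_src[src][dport].append(dst)

    findings = {}
    for src, ports in by_src.items():
        # Horizontal: a single destination port seen against many distinct hosts,
        # with roughly one packet per host (the "one packet, then move on" pattern).
        for dport, dsts in ports.items():
            hosts = set(dsts)
            if len(hosts) >= min_hosts and len(dsts) / len(hosts) <= max_pkts_per_host:
                findings[src] = "horizontal"
                break
        else:
            # Vertical: many distinct ports against the same host.
            ports_per_host = defaultdict(set)
            for dport, dsts in ports.items():
                for dst in dsts:
                    ports_per_host[dst].add(dport)
            if any(len(p) >= min_ports for p in ports_per_host.values()):
                findings[src] = "vertical"
    return findings


if __name__ == "__main__":
    for src, kind in sorted(classify_sources(parse_log(SAMPLE_LOG)).items()):
        print(f"{src}: {kind} scan")
```

The useful defensive takeaway is the grouping key: counting packets per source alone makes the horizontal sweep (six packets, six hosts) and the retrying client (four packets, one host) look alike, while grouping by (source, destination port) and counting distinct destinations isolates the sweep. On real logs the thresholds need tuning against normal traffic, and a sweep spread across many source addresses will only show up when you pivot on the destination port rather than the source.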
A long way to go: Tom’s IT has a visual history of cryptography. What struck me, when looking at cryptography in this way, is how backwards it all seems. Simplistic, unscientific, and less than parlor trick obscurity. It dawns on you just how bad cryptography has been until very recently, and with the rate of change we are seeing, how much further we need to go. When I learned cryptography, DES was widely used and shipping 40-bit encryption algorithms out of the country would get you locked up for violating federal munitions restrictions. There was still a sense of mystery to it. Like most technologies, we have improved exponentially at algorithms and understanding attacks in just the last 10-15 years. But something about this visual representation makes me think we are still in the dark ages of this science. – AL
Maximizing your pen test: Good post here on the SpiderLabs blog about how to get the most from your pen test. Yes, it’s a lot of common sense, but that’s okay. Far too many folks apply precious little sense in their daily activities. Their point is to not waste the pen testers’ time with simple stuff, which can be identified and remediated before they get there. Duh. Not sure I totally buy into the idea of telling the pen tester what data is the most important to you (that’s pretty obvious), but you should disclose systems they shouldn’t touch, since you don’t want them knocking down the proverbial power grid because they didn’t know it was there. Just understand your adversaries are not bound by the same code of ethics. But he doesn’t mention being very clear what you want from the test. Do you want to check a box, or do you want to find out what’s truly exposed? Be honest with yourself and your testing firm, and you’ll save a lot of time and heartburn. – MR
Political gridlock meets steamroller: I suspect many of you, like me, are completely fed up with our dysfunctional congressional system here in the US. As a left-leaning independent I tend to blame one side more than the other, but to be honest I barely see any differences between the parties any more. If there ever were differences. Gridlock is the norm, and nothing gets done. That’s why I’m not surprised the President who authored an op-ed in the New York Times on cyber-security appears to be ready to implement an executive order on the issue after my local senator (McCain) killed potential legislation. It appears to be pretty focused, doesn’t include all the usual “public/private partnership” garbage, and will surely piss off all sorts of people. That’s the real “American Way.” – RM
Time for comments – PCI style: With the upcoming Payment Card Industry’s community meeting, specific sections of several PCI standards are up for discussion. Like a Blue Moon, in that it only comes every few years, the PCI Council is considering modifications and clarifications to the standard. Walt Conway does a great job of covering the 5 main comment areas of PCI-DSS under discussion: vulnerability scanning, defining ‘scope’, clarification of service provider responsibilities, self-assessment questionnaires, and passwords. Personally I’m more interested in closing security loopholes, like having ‘point-to-point’ encryption really be ‘end-to-end’, rather than point-to-point between as many points as you want. I’m also interested in a clear position on digital wallets or Near Field Communication or anything having to do with mobile payment trends. Finally, as Walt mentions in the article, a good definition for “high value tokens” would be useful. But if PCI-DSS influences your day job, check out the article. – AL
It takes a village: Tomorrow I’m launching a new series on Denial of Service (DoS) attacks, as they are becoming an increasingly popular tactic – both to knock down sites and to hide exfiltration and other badness. One of the key mitigation tactics is to have a device onsite which communicates with a service provider to know when to move traffic to a scrubbing center to basically clean the traffic before it hits your network. That requires both a signaling protocol and a group of device vendors and service providers to support that protocol. Of course, it’s too much to expect a single protocol standard, so we will see competing partnerships pushed into the market to convince customers of market dominance. For example, Arbor recently added a Singapore-based service provider, and expect more relationships to be announced over the next few months. – MR