I don’t give a crap about my hair. Yeah, it’s gray. But I have it, so I guess that’s something. It grows fast and looks the same, no matter what I do to it. I went through a period maybe 10 years ago where I got my hair styled, but besides ending up a bit lighter in the wallet (both from a $45 cut and all the product they pushed on me), there wasn’t much impact. I did get to listen to some cool music and see good looking stylists wearing skimpy outfits with lots of tattoos and piercings. But at the end of the day, my hair looked the same. And the Boss seems to still like me regardless of what my hair looks like, though I found cutting it too short doesn’t go over very well.

Going up? Going down? Yes.

So when I moved down to the ATL, a friend recommended I check out an old time barber shop in downtown Alpharetta. I went in and thought I had stepped into a time machine. Seems the only change to the place over the past 30 years was a new boom box to blast country music. They probably got it 15 years ago. Aside from that, it’s like time forgot this place. They give Double Bubble to the kids. The chairs are probably as old as I am. And the two barbers, Richard and Sonny, come in every day and do their job.

It’s actually cool to see. The shop is open 6am-6pm Monday thru Friday and 6am-2pm on Saturday. Each of them travels at least 30 minutes a day to get to the shop. They both have farms out in the country. So that’s what these guys do. They cut hair, for the young and for the old. For the infirm, and it seems, for everyone else. They greet you with a nice hello, and also remind you to “Come back soon” when you leave. Sometimes we talk about the weather. Sometimes we talk about what projects they have going on at the farm. Sometimes we don’t talk at all. Which is fine by me, since it’s hard to hear with a clipper buzzing in my ear.

When they are done trimming my mane to 3/4” on top and 1/2” on the sides, they bust out the hot shaving cream and straight razor to shave my neck. It’s a great experience. And these guys seem happy. They aren’t striving for more. They aren’t multi-tasking. They don’t write a blog or constantly check their Twitter feed. They don’t even have a mailing list. They cut hair. If you come back, that’s great. If not, oh well.

I’d love to take my boy there, but it wouldn’t go over too well. The shop we take him to has video games and movies to occupy the ADD kids for the 10 minutes they take to get their haircuts. No video games, no haircut. Such is my reality.

Sure the economy goes up and then it goes down. But everyone needs a haircut every couple weeks. Anyhow, I figure these guys will end up OK. I think Richard owns the building and the land where the shop is. It’s in the middle of old town Alpharetta, and I’m sure the developers have been chasing him for years to sell out so they can build another strip mall. So at some point, when they decide they are done cutting hair, he’ll be able to buy a new tractor (actually, probably a hundred of them) and spend all day at the farm.

I hope that isn’t anytime soon. I enjoy my visits to the place that time forgot. Even the country music blaring from the old boom box…

– Mike.

Photo credits: “Rand Barber Shop II” originally uploaded by sandman

Recent Securosis Posts

Yeah, we are back to full productivity and then some. Over the next few weeks, we’ll be separating the posts relating to our research projects from the main feed. We’ll do a lot of cross-linking, so you’ll know what we are working on and be able to follow the projects interesting to you, but we think over 20 technically deep posts is probably a bit much for a week. It’s a lot for me, and following all this stuff is my job.

We also want to send thanks to IT Knowledge Exchange, who listed our little blog here as one of their 10 Favorite Information Security Blogs. We’re in some pretty good company, except that Amrit guy. Does he even still have a blog?

  1. The Securosis 2010 Data Security Survey Report Rates the Top 5 Data Security Controls
  2. New Paper (+ Webcast): Understanding and Selecting a Tokenization Solution
  3. FireStarter: It’s Time to Talk about APT
  4. Friday Summary: September 17, 2010
  5. White Paper Released: Data Encryption 101 for PCI
  6. DLP Selection Process:
  7. Monitoring up the Stack:
  8. Understanding and Selecting an Enterprise Firewall:
  9. NSO Quant Posts
  10. LiquidMatrix Security Briefing:

Incite 4 U

  1. What’s my risk again? – Interesting comments from Intel’s CISO at the recent Forrester security conference regarding risk. Or more to the point, the misrepresentation of risk either towards the positive or negative. I figured he’d be pushing some ePO based risk dashboard or something, but it wasn’t that at all. He talked about psychology and economics, and it sure sounded like he was channeling Rich, at least from the coverage. Our pal Alex Hutton loves to pontificate about the need to objectively quantify risk and we’ve certainly had our discussions (yes, I’m being kind) about how effectively you can model risk. But the point is not necessarily to get a number, but to evaluate risk consistently in your organization. And to be flexible, since the biggest risk usually shows up unexpectedly and you’ll need to react faster to it. But to me, risk is driven by what’s important to your organization, so if you aren’t crystal clear about that, you are doing it wrong. Psychoanalysis or not. – MR
  2. Never tell me the odds – Sometimes we do things in security “just because”. Like changing an end user’s password every 90 days without any evidence that it prevents current attacks (despite the huge inconvenience). Cory Doctorow has a good article at The Guardian that further illustrates this. It seems his bank has given him a device that generates a one time password for logging into their site. Good. It uses 10 digits. Huh. If you think about the math, aren’t 4 digits more than enough when each one-time password is single-use, with a lockout after 3 failures? I never really thought about it that way, but it does seem somewhat nonsensical to require 10 digits, and a bigger inconvenience to the user. – RM
  3. Killer DAM – IBM’s acquisition of Netezza went largely unnoticed in the security community, as Netezza is known for business intelligence products. But Netezza acquired Tizor and has made significant investments into Tizor’s database activity monitoring technology. With what I consider a more scalable architecture than most other DAM products, Tizor’s design fits well with the data warehouses it’s intended to monitor. But with IBM making a significant investment in Guardium, is there room for these two products under one roof? Will IBM bother to take a little of the best from each and unite the products? Guardium has class leading DB platform support, balanced data collection options, and very good policies out of the box. Tizor scales and I like their UI a lot. I don’t think we will know product roadmap plans for a few months, but if they combine the two, it could be a killer product! – AL
  4. The Google Apps (two) factor – It’s a bad day when the bad guys compromise your webmail account. Ask Sarah Palin or my pal AShimmy about that. Account resets can happen, locking you out of your bank accounts and other key systems, while the bad guys rob you blind. So I use a super-strong password and a password manager (1Password FTW) to protect my online email. It’s not foolproof but does prevent brute force attacks. But Google is pushing things forward by adding an (optional) second factor for authentication. This is a great idea, although if they reach 2% adoption I’ll be surprised. Basically when you log in, they require a second authentication using a code they send to a phone. I’ve been using this capability through LogMeIn for years and it’s great. So bravo to Google for pushing things forward, at least from an authentication standpoint. – MR
  5. Do no harm – HyperSentry looks like an interesting approach to validating the integrity of a hypervisor. Kelly Jackson-Higgins posted an article on the concept work from IBM, about how an “out-of-band” security checker is used to detect malware and modification of a Xen hypervisor. It is periodically launched via System Management Interrupt (SMI) and inspects the integrity of the hypervisor. This of course assumes that malware and alterations to the base code can be detected, and the attacker is unable to mask (quickly) enough to avoid detection. It also assumes that the checker is not hacked and used to launch attacks on the hypervisor. But it’s being released as software, so I am not sure whether the code will be any more reliable than the existing hypervisor security. It’s a separate tool from the hypervisor, and if it was enabled such that it could only be used for detection (and not alteration), it’s possible it could be set up such that it’s not simply another new vector for attack. Personally I am skeptical if there is no hardware support, but nobody seems to be interested in dedicated specialized hardware these days – it’s all about fully virtualized stuff for cloud computing and virtual environments. – AL
  6. How to pwn 100 users per second – One of the great things about a web application is that when you patch a vulnerability it’s instantly patched for every user. Pretty cool, eh? Oh. Wait. That means that every user is also simultaneously vulnerable until you fix it. As Twitter discovered today, this can be a bad thing. They recently patched a small cross site scripting flaw, and then accidentally reintroduced it. This became public when users figured out they could use it to change the color of their tweets – and the march of the worms quickly followed. What’s interesting is that this was a regression issue, and Linux also recently suffered a serious regression problem. Backing out your own patches? Bad. – RM
  7. Log management hits the commodity curve – Crap, for less than my monthly Starbucks bill you can now get Log Management software. That’s right, the folks at ArcSight will spend some of HP’s money on driving logging to the masses with a $49 offer. Yes, Splunk is free, and there are heavy restrictions on the new ArcSight product (750MB of log collection per day, 50GB aggregate storage), but the ARST folks told me they are charging a nominal fee not to be difficult and not to pay for toilet paper, but instead to make sure that folks who get the solution are somewhat serious – willing to pay something and provide a real address. But the point is there isn’t any reason to not collect logs nowadays. Of course, as we discussed in Understanding and Selecting SIEM/Log Management, there is a lot more to it than collecting the data, but collection is certainly a start. – MR
  8. Iron Cloud – It’s not security related, but is this what you consider Cloud? Cloud in a Box? WTF? Who conned Ellison into thinking (or at least saying) “big honkin’ iron” was somehow “elastic”? Or calling out Salesforce.com as not elastic in comparison? Or saying there is no single point of failure in the box, when the box itself is a single point of failure. Don’t get me wrong – a couple of these in one of those liquid cooled mobile data center trailers would rock, but it’s not elastic and it’s not a ‘cloud’, and I’m disappointed to see Ellison drop his straight talk on cloud hype when it’s his turn to hype. – AL
  9. Tools make you dumb (but is that bad?) – John Sawyer makes a good point that many of the automated tools in use for security (and testing) take a lot of the thinking out of the process. I agree that folks need to have a good grasp of the fundamentals before they move on to pwning a device by pressing a button. And for folks who want to do security as a profession, that’s more true than ever. You need to have kung fu to survive against the types of adversaries we face every day. But there are a lot of folks out there who don’t do security as a profession. It’s just one of the many hats they wear on a weekly basis and they aren’t interested in kung fu or new attack vectors or anything besides keeping the damn systems up and squelching the constant din of the squeaky wheels. These folks need automation – they aren’t going to script anything, and truth be told they aren’t going to be more successful at finding holes than your typical script kiddie. So we can certainly be purists and push for them to really understand how security works, but it’s not going to happen. So the easier we make defensive tools and the higher we can raise the lowest common denominator, the better for all of us. – MR
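Items 2 and 4 above both turn on the same mechanism: a single-use code (a bank token’s one-time password, or the code Google texts to your phone) whose security comes from the lockout, not from the length of the code. The example below is added here to make Rich’s arithmetic concrete; it is not code from the original post, from Cory Doctorow’s bank, or from Google. The verifier and the digit/attempt parameters are assumptions for illustration.

```python
import hmac
import secrets


def guess_success_probability(code_digits: int, attempts_allowed: int) -> float:
    """Chance an attacker guesses a uniformly random, single-use numeric
    code before the lockout fires.  With k distinct guesses against a
    space of 10**n codes the probability is exactly k / 10**n."""
    return min(1.0, attempts_allowed / 10 ** code_digits)


def digits_needed(attempts_allowed: int, max_probability: float) -> int:
    """Smallest code length whose guess probability is at or below the target.
    For 3 attempts and a 1-in-1000 target this is 4 digits, which is the
    point of the argument above: 10 digits buys nothing but user friction."""
    n = 1
    while attempts_allowed / 10 ** n > max_probability:
        n += 1
    return n


class OneTimeCodeVerifier:
    """Issues one single-use numeric code at a time and locks the account
    after `max_failures` wrong guesses.  Assumed design, not any vendor's."""

    def __init__(self, digits: int = 4, max_failures: int = 3):
        self.digits = digits
        self.max_failures = max_failures
        self._code = None
        self._failures = 0
        self.locked = False

    def issue(self) -> str:
        # What the token displays or the SMS carries; CSPRNG, zero-padded.
        self._code = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
        self._failures = 0
        return self._code

    def verify(self, candidate: str) -> bool:
        # A locked account or an already-consumed code never verifies.
        if self.locked or self._code is None:
            return False
        # Constant-time compare so timing does not leak the prefix.
        if hmac.compare_digest(candidate.encode(), self._code.encode()):
            self._code = None  # single use: burn the code on success
            return True
        self._failures += 1
        if self._failures >= self.max_failures:
            self.locked = True  # lockout is what bounds the attacker's k
            self._code = None
        return False


if __name__ == "__main__":
    for n in (4, 6, 10):
        print(f"{n} digits, 3 attempts: {guess_success_probability(n, 3):.1e}")
    print("digits needed for 1-in-1000 with 3 attempts:", digits_needed(3, 1e-3))
```

The lockout counter belongs to the issued code, not to the session, and the code is consumed on success; without both properties the k/10**n bound does not hold and the digit count starts to matter again.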
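Item 6 is about a fix that got backed out. The cheapest defense against that is a regression test that pins the fix, so the build fails the moment the old behavior returns. The example below is added here and is not Twitter’s code or a reconstruction of their bug: it is a constructed tweet renderer with an attribute-injection flaw in its URL autolinker, the hardened version, and a regression check that distinguishes the two. The payload string and the rendering functions are assumptions for illustration.

```python
import html
import re

URL_RE = re.compile(r"https?://\S+")

# Constructed payloads (not from the original page or the real incident).
SAMPLE_TWEETS = [
    "just setting up my twttr",
    'see http://x.invalid/"onmouseover="alert(1)" now',
    "<b>bold</b> http://example.invalid/path?q=1",
]


def render_vulnerable(text: str) -> str:
    """Escapes the prose but splices the raw URL into the href attribute,
    so a quote inside the URL breaks out and adds an event handler."""
    out, pos = [], 0
    for m in URL_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        url = m.group(0)
        out.append(f'<a href="{url}">{html.escape(url)}</a>')  # href unescaped
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


def render_hardened(text: str) -> str:
    """Same autolinker, but the URL is escaped in the attribute as well as in
    the link text.  html.escape() encodes quotes by default."""
    out, pos = [], 0
    for m in URL_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        url = m.group(0)
        out.append(f'<a href="{html.escape(url)}">{html.escape(url)}</a>')
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


def leaked_attributes(rendered: str) -> list:
    """Anything between the closing quote of a generated href and the '>'
    is content that escaped the attribute; a correct renderer emits none."""
    return [extra for extra in re.findall(r'<a href="[^"]*"([^>]*)>', rendered) if extra]


def regression_passes(render) -> bool:
    """The check to run in CI before every deploy: True only if no sample
    payload escapes the href attribute under this renderer."""
    return all(not leaked_attributes(render(t)) for t in SAMPLE_TWEETS)


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        print(name, "passes regression:", regression_passes(fn))
```

The check deliberately tests the rendered output rather than the patch itself: a patch can be reverted by a bad merge, but a failing test on the original payload is hard to back out by accident.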