Incite 9/27/2012: They Own the NightBy Mike Rothman
Our days just keep getting longer and longer. When the kids were younger afternoons and early evenings were a blur of activities, homework, hygiene, meals, reading, and then bed. Most nights the kids were in bed by 8:30 and the Boss and I could eat in peace, watch a little TV, catch up, and basically take a breath. But since XX1 entered middle school, things have changed. The kids have adapted fine. The Boss and me, not so much.
Now it’s all about dividing and conquering. I handle the early shift and get the twins ready for school. They are on the bus by 7:20 and then I usually head over to some coffee shop and start working. The Boss handles XX1 and has her on the bus at 8:10, and then she starts her day of working through all the crap that has to happen to keep the trains running.
The twins get off the bus at 3pm or so. Then it’s homework time and shuttling them off to activities. XX2 isn’t home until 4:30; then some days she can get an hour or two of work in, and other days she can’t. Inevitably she gets home from dance and has to start her homework. She usually wraps up around 10, but I usually get enlisted to help with the writing or math. And there are nights when XX1 is up until 11 or even later trying to get everything done.
So there is no peace and quiet. Ever. We find ourselves staying up past midnight because those 90 minutes after all the kids go to bed are the only time we have to catch up and figure out the logistics for the next day. Which assumes that I don’t have work I need to get done.
I know Rich has it harder right now with his 2 (and soon to be 3) kids under 4. I remember those days, and don’t miss the sleep deprivation. And I’m sure he misses sleeping in on weekends. At least I get to do that – our kids want us to sleep as late a possible, so they can watch more crappy shows on Nick Jr. But I do miss the quiet evenings after the kids were sleeping. Those are likely gone for a little while. For the next 9 years or so, the kids own the night.
Photo credits: We Own The Night originally uploaded by KJGarbutt
We’re back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.
Defending Against Denial of Service (DoS) Attacks
Securing Big Data
Incite 4 U
Responsible is in the eye of the beholder: My personal views on disclosure have changed a lot over the years. If you haven’t changed your views in the last 10 years you are either a hermit or a religious zealot – the operating environment has changed a lot. And the longer I have watched (and participated) in the debate, the more I realize it seems to be more about egos than the good of the public. And I fully mean this on all sides – researchers, vendors, users (but less), government, and pundits. Take Richard Bejtlich’s latest post on vendors or researchers going public when they find command and control servers. He expresses the legitimate concern that whoever finds and publicizes this information may often be blowing a law enforcement or intelligence operation. On the other hand law enforcement and intelligence agencies sure don’t make it easy to report these findings, and researchers might be sitting there watching people get compromised (including their customers). This is a hard problem to solve – if we even can. Just ask the Stratfor guys who were materially damaged while the FBI was not only watching, but ‘assisting’ the attack via their confidential informant. Better communication and cooperation is probably the answer, but I have absolutely no confidence that can happen at scale, even if some companies (including Richard’s employer) have those ties. No, I don’t have an answer, but we all need open minds, and probably a bit less ego and dogma. – RM
The mark of a mature market: You can joke about the SC Magazine reviews operation. How they rarely actually test products, but instead sit through WebEx demos run by experienced SEs who make every product seem totally awesome. And that may be true but it’s not the point. It’s about relative ratings as an indicator of a mature market. If you look at SC Mag’s recent group test on email security devices, you’ll see 9 out of 10 products graded higher than 4 1/4 stars (out of 5). That 10th product must really suck for 3 stars. But even if you deflate the ratings by a star (or two) you’ll see very little outward differentiation. Which means the product category has achieved a lowest common denominator around a base set of features. So how do you decide between largely undifferentiated offerings? Price, of course… – MR
Progress, at a glacial pace: I disagree with Mike Mimoso about the Disconnect Between Application Development and Security Getting Wider. We have been talking about this problem for almost a decade with not much improvement, so it certainly can feel that way. But I can say from personal experience that 10 years ago even the companies who developed security software knew nothing about secure code development, while now these is a better than even chance that someone on the team knows a little security. Have their processes changed to embrace security? Only at a handful of firms. The issue, in my opinion, is and has been the invisible boundary around the dev team to shield them from outside influence. Developers are largely isolated to keep everyone else from having undue influence over features and functions. This also keeps distractions and external reprioritization attempts to a minimum. Isolation by design. So CISOs, don’t be surprised by a rebuff when you waltz in with your WAF/IDS/pen test results. Regardless, in the same way IT is no longer isolated from business realities, developers are making adjustments to account for the competing priorities required by secure code development and incident response. – AL
The pendulum swings towards cloud: It seems that we are all going to be seeing a lot of success stories like Netflix talking about getting rid of data centers and moving everything to the cloud. As the hype cycle drives closer to the peak of inflated expectations, everyone will be rushing headlong to get rid of their stuff and virtualize whatever they decide to keep. Obviously this changes how we do security, so you should start getting familiar with cloud security concepts sooner rather than later. Like maybe getting a CCSK (hint, hint). But the pendulum will inevitably swing back and end up somewhere in the middle. I’m old enough to remember a similar cycle when folks decided to outsource IT entirely. Those companies (including GM) are now retooling their IT infrastructure because the outsourcers didn’t get it done. The cloud will play a major role in IT architecture moving forward – but it cannot make up the entirety of IT infrastructure. – MR
Meeting a troll: This one relates only slightly to security, but it’s a worthy read. Leo Traynor, a blogger I haven’t previously heard of, managed to track down and meet a vile troll who not only made death threats, but even sent frightening packages to Leo’s home. I’ve been lucky to mostly avoid these situations over the years, despite being pretty public and personal online. Once, a while back, I did help track down a malicious attacker/troll who engaged in anti-Semitic behavior. Most of these people collapse completely when confronted, and rely on the anonymity of the Internet to express compulsions that would otherwise land them in jail. I think even many of our cybercriminals – especially the younger ones – get wrapped up in negatively reinforcing communities that encourage them to indulge in activities they know are wrong and dangerous. Another time I was talking a lot with a talented young hacker who clearly, and slowly, was pulled away from a potentially great career into criminal behavior due to ongoing negative social reinforcement. Hell, I personally did things when I was younger that I now regret, even though the laws and culture weren’t as clear then. But deep inside I knew they were wrong, and by the age of 14 I managed to choose a different direction. Ah, peer pressure, conspiracy theories, and youth. – RM
Members only: Rupert Goodwin’s article on DRM will dim your world made me chuckle. I totally share his attitude that most closed systems limit – unnecessarily – my use of digital products. Vendors try to exclude legitimate uses of things I paid for. And I’m right there with Rupert, wishing Adobe would quietly go away, along with their knack for making awful product decisions. But the fundamental problem is not just Adobe – it’s the way these organizations use DRM, which is technology designed to provide exclusivity. A core principle of DRM is that it is used by small groups who want to keep others out. Why? Security provided by a DRM solution is only as good as the least trustworthy member! Correct use of DRM allows sharing of information among a group of people. It’s closed by design! Broad deployment is inherently a misuse of DRM technology. It’s equally ironic that firms who want total control over their content employ DRM. Then they try to sell said content to everyone they possibly can, and get miffed when their customers actually want to use the content they paid for! DRM cannot keep content safe when its users don’t want it that way. Then DRM just pisses customers off, and they a) don’t buy the stuff, or b) bypass the controls in order to do what they want. As a consumer of egoods, vote with your wallet: if it has DRM, don’t buy it. – AL