It starts with a blank slate. Not entirely blank because some stuff has happened over the past few months, which offers hints to where things will go. But you largely ignore that data because you want to believe. Maybe this time will be different. Or maybe it will be the same. All you can see is potential. Yet soon enough the delusions of grandeur will be shown to be exactly that – delusions.
No, I’m not talking about self-help or resetting your personal or professional lives. I’m talking about the NFL season. It starts on Thursday night and I’m pumped. I’m always pumped for football. Sure, there were some college games over the weekend, and I enjoyed watching those. But for me nothing compares to the pro game.
Will my teams (the Giants and Falcons) recover this year? Will their off-season efforts be enough? Will the other teams, who have been similarly busy, be even better this year? Can I look forward to being excited about the NFL playoffs in January because my teams are in, or will I be paying attention to the bowl games to look for high draft picks for next year? Like I did this past January/February.
So many questions, but all I have now is optimism. Why not? I’ve been following the beat reporters covering my teams every day. They tweet and file reports about practices and injuries and dissect meaningless pre-season games. It’s fun for me and certainly better than chasing down malware-laden sites claiming to have celebrity nudie pictures. My teams have holes, but that’s OK. You forget about those in the build-up to the first week. There is plenty of time over the next four months to grind my teeth and wonder why they cut this guy or call that play. No second-guessing yet – there isn’t much to second guess. Until next Tuesday morning anyway.
Soon enough we’ll know whether the teams are real. It’s always fun to see which teams will surprise and which will disappoint. Soon the suspense will be over. It’s time. And I’m fired up. I’ll be in the GA Dome on Sunday. You know, that guy losing his voice as the Falcons take on the Saints. Same as it ever was.
–Mike
Photo credit: “NFL Logo” originally uploaded by Matt McGee
The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.
Securosis Firestarter
Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and... hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.
- August 18 – You Can’t Handle the Gartner
- July 22 – Hacker Summer Camp
- July 14 – China and Career Advancement
- June 30 – G Who Shall Not Be Named
- June 17 – Apple and Privacy
- May 19 – Wanted Posters and SleepyCon
- May 12 – Another 3 for 5: McAfee/OSVDB, XP Not Dead, CEO head rolling
- May 5 – There Is No SecDevOps
- April 28 – The Verizon DBIR
- April 14 – Three for Five
Heavy Research
We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.
The Security Pro’s Guide to Cloud File Storage and Collaboration
Leveraging Threat Intelligence in Incident Response/Management
- Quick Wins
- The (New) Incident Response & Management Process Model
- Threat Intelligence + Data Collect = Responding Better
- Really Responding Faster
- Introduction
Trends in Data Centric Security
Understanding Role-based Access Control
NoSQL Security 2.0
Newly Published Papers
- The 2015 Endpoint and Mobile Security Buyer’s Guide
- Open Source Development and Application Security Analysis
- Advanced Endpoint and Server Protection
- Defending Against Network-based DDoS Attacks
- Reducing Attack Surface with Application Control
- Leveraging Threat Intelligence in Security Monitoring
- The Future of Security
- Security Management 2.5: Replacing Your SIEM Yet?
- Defending Data on iOS 7
Incite 4 U
- Foole and Boobage: As alluded to above, the Intertubes exploded over the weekend – not with news of things that matter, like global unrest, tentative ceasefires, NASCAR, college football, or even more ice-bucketry. Everyone was aflutter about seeing some celebrity boobies. Everyone now has an opinion about how the hack happened, even your general mass media sites chock full of security expertise. Yes, that was sarcasm, folks. As usual, don’t believe everything you read on the Internet – a lot of speculation is wrong. I have no inside information and neither does our resident Apple Fan Boi, the Rich Mogull. Which means those folks probably don’t either, so they are coming up with plausible threat models that could have resulted in an attacker (or group of attackers) gaining access to the Photostreams of these celebrities, who evidently like to take pictures of themselves without shirts on. I’m certainly not judging that, despite the fact that folks get pretty uptight about seeing breasts in the US. I am judging the baseless speculation. At some point we may find out how it happened. Or we may not. At the end of the day, if you take nudie pictures and store them in a cloud service, other people may see them. Not that it’s right, but it’s reality. (PS: Dog yummy to anyone who gets the reference in the title.) – MR
- Customer centric: Owen Thomas discusses the gaps Apple needs to address before they can enter the payments market, but his arguments assume Apple wants to go all in. If their goal is to provide mobile payments, Apple doesn’t need to become a bank – they just need a willing partner to perform payment processing. It’s not like there aren’t dozens of companies willing to step in and provide those services. Customer affinity, metrics, and marketing are critical to most merchants’ businesses. If you believe – as I do – that the reason we don’t have better payment security in the US is because it would limit unfettered access to customers, you can make a case that Apple is not targeting payments at all. More likely Apple wants customer affinity, metrics, and all the marketing goodness that comes with being a bump in the payment chain. Using your magic iDevice for payments will provide better security than a magstripe, and Apple gets most of the marketing benefits without the risk or effort of being a bank. – AL
- Working together EMEA style: The European police seem to be getting a little more serious about sharing information to track cross-border computer attacks. Europol named someone to lead the effort of coordinating international investigations into malware and other computer attacks. This seems like a great idea, if everyone stays on board. Of course it can crater if it becomes more about taking credit for a takedown or a cool new malware discovery than about protecting citizens. We’ve never seen that stymie cross-agency cooperation, right? They are doing a 6-month pilot, and I hope it is successful because sharing intel and leveraging resources is the only way to combat an increasingly global and distributed set of adversaries. – MR
- Balloon-net: When you spend your time in large cities you forget much of the U.S. still has the “Can you hear me now?” problem. Fishing various lakes around the western US this summer, many of the small towns where I stopped lacked cell reception. Seriously. No coverage whatsoever. They got information via land lines and DirecTV. How 1998. In case you hadn’t heard about it, the Google Loon Project makes sense in these regions. Flying a bunch of Internet-connected balloons in the stratosphere sounds looney, but the trial they are running in New Zealand is working, and there is a genuine need here in the US. Before you think too hard about it, I have already submitted a “Hacking the 40th Parallel from 20,000 feet” presentation to Black Hat. – AL
- A view into security research: I’m still trying to decide the relevance of the research effort to figure out why Google Translate would take standard Latin text and return a geopolitical message, as described by Brian Krebs. Setting my tinfoil hat aside, I think these two researchers illuminate a lot about the security research process. They find something interesting and then try to figure out its meaning. Sometimes you find a gem. Other times it’s not so shiny. But either way, these folks spend a ton of time walking down dark alleys with no assurance of finding anything. That’s the research process, and for every gem there are a lot of duds. Remember that no situation is glamorous 24/7 – at least not in the real world. – MR