There are very few aspects of my life I don’t track, tag, analyze, and test. You could say I’m part of the “Quantified Self” movement if it weren’t for the fact that the only movement I like to participate in involves sitting down, usually with a magazine or newspaper.
I track all my movements during the day with a Jawbone Up (when it isn’t broken). I track my workouts with a Garmin 910XT, which looks like a watch designed by a Russian gangster, but is really a fitness computer that collects my heart rate, GPS coordinates, foot-pod accelerometer data, and bike data; and can even tell me which swimming stroke, how long, and how far I am using in my feeble attempts to avoid drowning. My bike trainer uses a Kurt Kinetic InRide power meter for those days my heart rate is lying to me about how hard I’m pushing. I track my sleep with a Zeo, test my blood with WellnessFX, and screen my genes with 23andMe.
I correlate most of my fitness data in TrainingPeaks, which uses math and data to track my fitness level and overall training stress, and optimize my workouts whichever data collection device du jour I have with me. My swim coach (when I use him) uses video and an endless pool to slowly move me from “avoiding drowning in a forward direction” to “something that almost resembles swimming”. My bike is custom fit based on video, my ride style, and power output and balance measurements; the next one will probably be calibrated from computerized real-time analysis and those dot trackers used for motion capture films. Every morning I track my weight with a WiFi enabled scale that automatically connects to TrainingPeaks to track trends.
I can access nearly all this data from my phone, and I am probably forgetting things.
Some days I wonder if this all makes a difference, especially when I think back to my hand-written running and lifting logs, and the early days using a basic heart rate monitor with no data recording. Or the earlier days when I’d just run for running’s sake, without so much as headphones on. But when I sit back and crunch the numbers, I do find tidbits that affect the quality of my life and training.
I have learned that I tend to average three deep sleep cycles a night, but one is usually between 6-8 am, which is when I almost always wake up. Days I sleep in a bit and get that extra cycle correlate with a significant upswing in how well I feel, and my work productivity. When the kids are older I will most definitely adjust my schedule – getting that sleep even 1-2 days a week make a big difference. I am somewhat biphasic, and if I’m up in the middle of the night for an hour or so I still feel good if I get that morning rest. With a new baby coming, I will really get to test this out.
I am naturally a sprinter. I knew this based on my athletic history, but genetics confirms it. I was insanely fast when I competed in martial arts, but always had stamina issues (keep the jokes to yourself). As I have moved into endurance sports this has been a challenge, but I can now tune my training to hit specific goals with great success and very little wasted effort. I have learned that although I can take a ton of high-intensity training punishment, if I am otherwise stressed in life at the same time I get particular complications.
I am in the midst of tweaking my diet to fit my lifestyle and health goals. I have a genetic disposition to heart disease, and my numbers prove it, but I have managed to make major strides through diet. Without being able to make these changes and then test the results, I would be flying blind. I’m learning exactly what works for me. This helped me lose 10 pounds in less than a month with only minimal diet changes, for example, and drop my cholesterol by 40 points.
Not all of the data I collect is overly useful. I’m still seeing where steps-per-day fit in, but I think that is more a daily motivator to keep me moving. The genetics testing with 23andMe was interesting, but we’ll see whether it affects any future health decisions. Perhaps if I need to go on statins someday, since I don’t carry a genetic sensitivity that can really cause problems.
It’s obsessive (but not as obsessive as my friend Chris Hoff), but it does provide incredible control over my own health. Life is complex, and no single diet or fitness regimin works the same for everyone. From how I work out, to how I sleep, to what I eat, I am learning insanely valuable lessons that I then get to test and validate. I can’t emphasize how much more effective this is than the guesswork I had to live with before these tools became available. I plan on living a long time, and being insanely active until the bitter end. I’m in my 40s, and can no longer do whatever I want and rely on youth to clean up my mistakes.
Data is awesome. Measure, analyze, correct, repeat. Without that cycle you are flying in the dark, and this is as true for security (or anything else, really) as it is for health.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
Favorite Securosis Posts
- Mike Rothman: RSA Conference Guide 2013: Cloud Security. Rich did a good job highlighting one of the major hype engines we’ll see at the RSA Conference. And he got to write SECaaS. Win!
- Adrian Lane: LinkedIn Endorsements Are Social Engineering. As LinkedIn looks desperately for ways to be more than just contact management, Rich nails the latest attempt.
- David Mortman: Directly Asking the Security Data.
- Rich: The Increasing Irrelevance of Vulnerability Disclosure. Yep.
Other Securosis Posts
- RSA Conference Guide 2013: Application Security.
- I’m losing track – is this ANOTHER Adobe 0-day?.
- Big Data Holdup?.
- ECC Certificates About More Than Speed.
- Tuesday Patchapalooza.
- RSA Conference Guide 2013: Endpoint Security.
- Incite 2/13/2013: Baby(sitter) on Board.
- Cycling, Baseball, and Known Unknowns.
- Saving Them from Themselves.
- Macworld: The Everyday Agony of Passwords.
- RSA Conference Guide 2013: Identity and Access Management.
- Low Risk Doesn’t Mean It Won’t Kill You.
- TidBITS: Isolate Flash Using Google Chrome.
- Karma is a Bit9h.
- Flash actively exploited on Windows and Mac; how to contain, not just patch.
- PCI Guidance on Cloud Computing.
- Oracle takes another SIP of Hardware.
- Friday Summary, February 8, 2013: 3-dot Journalism Version.
- Network-based Threat Intelligence: Following the Trail of Bits.
- RSA Conference Guide 2013: Network Security.
Favorite Outside Posts
- Mike Rothman: Confessions of a Corporate Spy. “Corporate Spy” seems a lot sexier than it is. This Inc. Magazine article goes into the tactics of competitive intel gathering. This stuff happens in the real world, and not just on tiger teams…
- Adrian Lane: A Chinese Hacker’s Identity Unmasked. Great read on identifying a malware author through the trail of professional ‘bread-crumbs’ during their career.
- James Arlen: A Most Peculiar Test Drive. I think there’s a reason to talk about this article in an infosec light. Something about “Trust but Verify” and “Keep The Data Until You’re Sure You Don’t Need It” and “Instrument Your Systems To Validate Claims”…
- David Mortman: Inclusivity Is Not A Double Standard: Why Forbes is Wrong about Women in Tech.
- Rich: The Liquidmatrix RSA party list. How can I be the only one to submit this?
Top News and Posts
- Key Figure in Police Ransomware Activity Nabbed
- Using CryptoStick as an HSM from the Mozilla security blog.
- DHS watchdog: DHS can search all your devices within 100 mi of US border.
- For those who remember Stepto from his security days, he’s now blogging with Wil Wheaton!
- Want to pwn a building?
- How Lockheed stopped the RSA hackers. Would love to learn more about this.
Blog Comment of the Week
This week’s best comment goes to Walt, in response to PCI Guidance on Cloud Computing.
I want to toss in two cents worth on what I liked about the Cloud SIG’s guidance, but from the very limited perspective of a QSA. You captured it at the end of your post, Adrian: “This is a really good guide for private cloud and on-premise virtualization. But I’m skeptical that you could ever use this guidance for public cloud infrastructure. If you must, look for providers who have certified themselves as PCI compliant – they take some of the burden off you.”
From one QSA’s perspective, you got it. That seems to be the intent of the SIG, and I think they did a pretty good job of clarifying things and providing a merchant-centric focus.
There also were some real pearls in the report (and maybe even a hidden, secret message or two), for example:
– Get hold of the Executive Summary of the CSP’s ROC. Yes, part of it is proprietary, so a redacted copy of the relevant parts is fine. As far as I can tell, this is the first time any PCI SSC guidance has gone beyond telling merchants to ask for the AOC, which in this case is next to useless. Was I the only one to see this? I wish the statement had been on page 1.
–A CSP’s PCI compliance does not transfer directly to the client. Strike one blow for (a necessary) repeating of the obvious to counter the sales spiel. Once again, the SIG has reinforced the notion that while you can catch the flu, you can’t catch PCI compliance. What a shame it is still necessary.
–Monitoring the CSP’s compliance and security is ongoing. You don’t get to set it once and forget it.
–The Appendices, especially Appendix C, is worth the price of reading the first 50+ pages. Merchants are told not just to assign responsibility for each PCI requirement, but actually to document how the client and CSP will actually meet their responsibilities. This is good stuff.
You are right that the SIG focused on private cloud solutions, but that is because these will be the easiest to make PCI compliant (and secure). Using my PCI/QSA lens to read the document, that perspective/advice is pretty much what I expected to hear. That the SIG spent time exploring best practices for other cloud delivery models is a bonus.