It’s funny how different folks have totally different perceptions of the same things. Obviously the idea of freedom for someone living under an oppressive regime is different than my definition. My good fortune to be born in a certain place to a certain family is not lost on me.

Now that is free toilet paper...

But my wacky idea of freedom took on an interesting meaning this past weekend. The Boss was out of town with one of the kids. So I was responsible for the other two, and that meant on Saturday I started the day helping out our friends at their son’s birthday party. After much fun on the kickball field and making sure none of the little men drowned in the pool, I took the boy, XX1 (oldest girl), and two of his friends home for a few hours.

When the interlopers were retrieved by their parents a couple hours later, I had to drop XX1 off at yet another birthday party. But this one involved a sleepover, so once I dropped her off I had one less thing to worry about. Back home with the boy, about an hour of catch (the kid has a pretty good gun), some hydration and a snack, and then time to send him off to his own sleepover.

So by 6:30pm, I had shed my kids and felt freedom. So what to do? The Braves were out of town, I’m not a big Maroon 5 fan (they were in town), and no movies really interested me. So I decided to do something I very rarely do on a weekend: Be a slug. I got some Chinese food (veggie fried rice FTW) and settled down in front of the Giants NFL pre-season game and then a few stand-up comedy specials streamed via Netflix.

About every 10 minutes I’d pause the TV for about 30 seconds and just enjoy. the. silence. No one asking me for a snack or to play a game or to watch TV or to just be annoying. No kids to pick up from this place or that. No to-do list to weigh over my head. No honey-do projects that had to be done. Just silence. And it was good.

I know I should be kind of embarrassed that for me, freedom (at least in some sense) is about no one needing me to do anything. But it is. I’m happy 99% of the time to be doing what I like to do. But every so often it’s nice to just shut it down and not feel bad about it. Like everything else, that feeling passed. About 12 hours later, when I had to retrieve the kids and get back in the hamster wheel. But I did enjoy it, however fleeting it was.

– Mike.

Photo credits: “Freedom is a Toilet Tissue” originally uploaded by ruSSeLL hiGGs

Recent Securosis Posts

We Securosis folks are big fans of beer. Especially strong beer. You know, the kind you need to get in Canada. So we decided to import some help from up north in the form of new Contributing Analysts James Arlen and Dave Lewis. Yes, you know them. Yes, they are smart guys. And yes, we do have plans for world domination. Don’t say we didn’t warn you.

  1. Backtalk Doublespeak on Encryption
  2. Webcasts on Endpoint Security Fundamentals
  3. Data Encryption for PCI 101: Encryption Options
  4. Data Encryption for PCI 101: Introduction
  5. Friday Summary: August 20, 2010
  6. Another Take on McAfee/Intel
  7. McAfee: A (Secure) Chip on Intel’s Block
  8. Acquisition Doesn’t Mean Commoditization
  9. Various NSO Quant posts:

Incite 4 U

It was only a matter of time. This week Rich finally realized that he gets no extra credit for writing more in an Incite. Though he’s right, when you point to a well-written piece, layering more commentary on top kind of defeats the purpose.

  1. Blocking and tackling on the network – Hey, you. It’s your conscience here. Dressed stealthily as an Incite to get you to remember the fundamentals. You know, little things like a properly segmented network can really improve your security. John Sawyer consults some of our pals (like JJ) to remind us that there are a bunch of devices (including embedded OSes and printers) which are vulnerable and really shouldn’t be on the same segments as our sensitive stuff. I’m sure the Great Intel will solve everything by embedding ePO within every chip out there someday. But in the meantime perhaps revisiting your network architecture, while not as fun as deploying another set of flashing lights from soon-to-be-extinct companies, will have a bigger impact on your security posture. – MR
  2. How do you say B.S. in Spanish? – The big news this week is how a malware-infected computer led to the crash of Spanair flight 5022 (or the English version). If true, this would mean that malware caused deaths and serious destruction of property. And sure, the loss of airliner control conjures up Daemon-like images of destruction. The problem is the article has no details other than malware being found. Somewhere. We’ll make the bold assumption it wasn’t in the baggage turnstile software, but beyond that we don’t know. Most likely it was in one of the ground maintenance systems, where it may have masked some maintenance issue(s). That may or may not have contributed to the crash, but it’s a great story. What really happened and the extent of the malware’s impact is in question. Occam’s Razor would indicate some maintenance worker installed an infected version of Tetris on a Windows 95 PC to stave off boredom. Seriously, until there are some hard facts on this, I have to call tonterias on this steaming pile of insinuation. – AL
  3. When in doubt, blame M&A – Given the backdrop of the security acquisitions last week (INTC/MFE and HP/Fortify) we once again get to suffer from pontification on the hazards of M&A. To be clear, acquisitions usually suck for customers of the acquired companies. But I’d dispute the conclusion of this claim: Acquisitions blunting security innovation. There are plenty of reasons innovation has slowed down in the security space, but M&A ain’t one of them. By the time a company is acquired, they’ve already innovated (high multiple deal) or failed to find a market (fire sale). And when they say McAfee getting buried in Intel will impact innovation, I guess they forgot that McAfee was already huge and I wouldn’t necessarily say a real innovator. They definitely acquired decent technology, but to say they drove a lot of innovation isn’t right. I don’t know any highly innovative organizations as large as McAfee, except maybe Apple (ducks). – MR
  4. Applications are the small thermal exhaust port – Microsoft and other OS vendors are actually doing a pretty good job of improving the fundamental security of our operating systems. With help from AMD and Intel they have added anti-exploitation features with names like “ASLR”, “DEP”, and “Stack Overflow Protection”. But all that comes to naught if your application vendor provides you with a steaming pile of Bantha scat. Our latest chapter comes courtesy of a problem with how Windows loads DLL files (which all Windows applications use). It isn’t technically a vulnerability in the operating system itself, but in how certain applications use it. Essentially, if the application was coded poorly you can trick it into loading a DLL from a remote file share. If a bad guy controls that file share? You know the story. H D Moore was about to report this when the cat was let out of the bag by some other researchers. Make sure you read his post, and I’m sure this trick will soon be a favorite of penetration testers. – RM
  5. Another strategy based on putting 10 pounds of crap into a 2-pound bag – Yup, another day, another private equity firm buying real estate in the security business. This time it’s Thoma Bravo continuing to spend money like drunken sailors and acquiring LANDesk from Emerson. So that means T.Brav now owns Entrust, SonicWall, and LANDesk. Hmmm. What can you do with all of those names? Ah, maybe put them in a food processor and hope the resulting mixture doesn’t taste like gruel? There aren’t a lot of synergies between those three companies, except that they didn’t execute well and let a number of market transitions pass them by. But these investors are smart enough to raise a butt-load of capital to buy them, so perhaps they are smart enough to figure out how they broke in the first place. – MR
  6. When is a database a database? – The more I write about databases, the more I have to qualify when I am talking about a relational database platform or a database in the classic sense of just a simple repository. Like a flat file. I ran across Guy Harrison’s post on Why NoSQL, and he does a good job of describing the drivers behind the move away from traditional relational database platforms. But here’s my issue with the whole NoSQL movement … it’s really not a database. It’s an ad-hoc data association. For example, Amazon’s Dynamo is a hash table. A set of name-value pairs is a list. It’s basically an index, not a database. I think you can categorize SimpleDB as a database, but not Dynamo. Google’s BigTable is nothing more than an index into files: it doesn’t follow the relational or the network model. There is no control over data creation, and common formatting is the accidental byproduct of choosing to store similar information rather than data type constraints. There are really no queries, just a simple index lookup. ‘NoSQL’ to me is just a reminder that we lack a better way to say “No Database”, but I guarantee we’ll be stuck with this bad label forever as it’s short and catchy. – AL
  7. 1963799323.2748 Koruna – Looks like the Nouveau Riche are coming to Prague, and it’s not the Eastern European hacker mob. At least not overtly anyway. The AVAST folks decided to cash out a bit and take $100 million from Summit Partners for a minority stake. Yeah, you read that correctly. It converts to 1.9 BILLION Czech Republic Koruna. Maybe there is something to this Free AV stuff. Hey, if it’s not going to work, at least don’t pay a lot for it. Kidding aside, it’s a big world out there and every company believes they need AV, so all of these free AV guys probably have some more running room. And who says you need to be in Silicon Valley to build a big security company? Any bets on when they open up a Bugatti Veyron dealer in Prague? – MR
  8. Follow the rules – This may be my shortest Incite ever: go read Chris Hoff’s 5 Rules for Cloud Security. Do what it says. Especially the last point (don’t be stupid). – RM
  9. This is your industry. Gone. – [Not security-related] Seth Godin has always been way ahead. He’s one of my favorite bloggers out there because he’s a wonderful thought generator. Now he’s decided to abandon traditional book publishing because he already has a relationship with all the folks he wants to communicate with. I suspect a lot more will follow in his wake. Maybe not tomorrow, but see the recording industry? That pain is coming to book publishing right now. But authors don’t have the option to go on tour until they are 80 to support their drug habits. They are going to need to find other sources of revenue. Other ways to provide value to their readers. And this applies to all content providers, and yes – we Securosis folks are in the content business. Let’s just say our business plan isn’t based on book revenues. Though we’d be happy if you kept up appearances for a little while longer and bought The Pragmatic CSO. 😉 – MR
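A defender-side check for the DLL search-order problem in item 4, added here as an example (it is not from the Incite, nor from H D Moore’s write-up): it reports whether the Windows DLL search-order mitigation values are set under the Session Manager key, and flags failed DLL lookups in a Process Monitor CSV export, since an application probing for a library in its working directory or on a UNC share is exactly the footprint the item describes. The registry value names and the CSV columns are the standard Windows and Procmon ones; the CSV sample is constructed.

```powershell
# Added example: audit a Windows host for DLL search-order weakness.
function Get-DllSearchMitigation {
    # Reads the Session Manager values that govern the DLL search order.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $props = Get-ItemProperty -Path $key
    $cwd   = $props.CWDIllegalInDllSearch   # $null when the value is absent
    $safe  = $props.SafeDllSearchMode       # $null means the default (enabled)
    $cwdText = if ($null -eq $cwd) { 'not set: current directory stays in the search path' }
    else {
        switch ($cwd) {
            0  { '0: default, current directory stays in the search path' }
            1  { '1: current directory skipped when it is a WebDAV folder' }
            2  { '2: current directory skipped when it is WebDAV or a remote share' }
            -1 { '0xFFFFFFFF: current directory removed from the search path' } # DWORD reads back as -1
            default { "$cwd: unrecognised value" }
        }
    }
    [pscustomobject]@{
        SafeDllSearchMode     = if ($null -eq $safe) { 'not set (defaults to enabled)' } else { $safe }
        CWDIllegalInDllSearch = $cwdText
    }
}

function Find-DllProbe {
    param([string]$CsvText)
    # Flags DLL opens that failed: the loader looked somewhere the DLL was not,
    # which is where a planted copy would be picked up. UNC paths are the worst case.
    $CsvText | ConvertFrom-Csv |
        Where-Object { $_.Operation -eq 'CreateFile' -and $_.Path -like '*.dll' -and $_.Result -eq 'NAME NOT FOUND' } |
        ForEach-Object {
            [pscustomobject]@{
                Process = $_.'Process Name'
                Dll     = Split-Path -Leaf $_.Path
                Path    = $_.Path
                Remote  = $_.Path -like '\\*'   # UNC share
            }
        }
}

# Constructed Process Monitor-style CSV export (not real capture data).
$sample = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:01:02.1","viewer.exe","1234","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read"
"9:01:02.2","viewer.exe","1234","CreateFile","\\fileserver\share\docs\helper.dll","NAME NOT FOUND","Desired Access: Read"
"9:01:02.3","viewer.exe","1234","CreateFile","C:\Windows\System32\helper.dll","SUCCESS","Desired Access: Read"
'@

Get-DllSearchMitigation | Format-List
Find-DllProbe -CsvText $sample | Format-Table -AutoSize
```

On the constructed sample the second function reports one hit: viewer.exe asking for helper.dll on the remote share before finding it in System32, which is the pattern to fix in the application or to block with the registry setting.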