The grout in my shower isn’t merely cracking, it’s starting to flake out in chunks, backed by the mildew it spent years defending from my cleansing assaults. Our hallway walls downstairs are streaked like the protective concrete edges around a NASCAR track. Black, gray, and red marks left behind from hundreds of minor impacts with injection-molded plastic vehicles. The carpet in our family room, that little section between the sliding glass door to our patio and the kitchen, looks like it misses its cousins at the airport.
In other words, our house isn’t new anymore.
This is the second home I have owned. Well, it’s the second home a bank has owned with my name attached to it. The first was an older condo back in Boulder, but this is the house my wife and I custom ordered after we were married.
I still have the pictures we took the day we moved in, before we filled the space with our belongings and furniture. Plus all the minor things that lay waste to the last of your post-home disposable income, like window treatments and light fixtures. It was clean. It was exciting. A box of wood and drywall, filled with the future.
That was about 9 years ago. A year before I left Gartner, and near when I started Securosis as a blog. Since then the house isn’t the only thing that’s a little rougher around the edges. Take me, for instance. I’m running a little light on hair, some days I can barely read my Apple Watch, and I’ve never recovered the upper body strength I lost after that rotator cuff surgery. I won’t even mention the long-term effects of a half-decade of sleep deprivation, thanks to having three kids in four years.
Even Securosis shows its age. Despite our updates and platform migrations, I know the time is coming when I will finally need to break down and do a full site refresh. Somehow without losing 90 research papers and 19,000 blog posts. No, those aren’t typos. We also haven’t seen significant blog comments since Twitter entered the scene, and while we know a ton of people read our work, the nature of engagement is different. But that’s fine – it’s the nature of things.
We are busy. Busier than ever since my personal blog first transformed into a company. And the nature of the work is frankly the most compelling of my career. We don’t really write as much, although we still write more than anyone else short of full-time news publications.
Pretty soon I need to have the house painted, fix some cracking drywall, and replace some carpet. This house isn’t full of potential anymore – it’s full of life. It’s busy, messy, and sometimes broken. That only means it’s well used. So the next time you find a blog post with a broken image, or our stupid comment system snaps, drop us a line. We aren’t new, exciting, or shiny anymore, but sure as hell we still get shit done. Even if it takes an extra week or so.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Critical Security Capabilities for Cloud Providers
- Massive, Very Bad Java 0-Day (and, Sigh, Oracle).
- The Power of Immutable.
- The Economist Hack: Good Intentions, Bad Execution.
- Summary: Distract and Deceive.
- CSA Guidance V4 Content on GitHub.
Favorite Outside Posts
- Rich: Trey Ford’s SecTor Keynote – Maturing InfoSec: Lessons from Aviation on Information Sharing. Trey is a pilot. Although I considered not putting this link in until he takes me up for a hop next time he’s in town. But that would be selfish.
Research Reports and Presentations
- Pragmatic Security for Cloud and Hybrid Networks.
- EMV Migration and the Changing Payments Landscape.
- Network-based Threat Detection.
- Applied Threat Intelligence.
- Endpoint Defense: Essential Practices.
- Cracking the Confusion: Encryption and Tokenization for Data Centers, Servers, and Applications.
- Security and Privacy on the Encrypted Network.
- Monitoring the Hybrid Cloud: Evolving to the CloudSOC.
- Security Best Practices for Amazon Web Services.
- Securing Enterprise Applications.
Top News and Posts
- Apple user anger as Mac apps break due to security certificate lapse. You had one job…
- Latest Android phones hijacked with tidy one-stop-Chrome-pop. You had one job…
- Tor Project claims FBI paid university researchers $1m to unmask Tor users. This is an interesting situation. There have always been close ties between academic researchers and law enforcement and defense. But if you cross the line from generic research to specific targets, or it involves ‘human’ testing that typically requires an IRB approval, it certainly crosses an academic boundary. And if law enforcement hires civilians to perform actions they are legally restricted from, that also seems more like garbage you would see on a CBS police procedural. I’ll leave this one for the lawyers.
- With just a password needed to access police databases, the FBI got basic security wrong. I was talking with a client today who asked if they had to use MFA on their (SAML authenticated) cloud accounts because they didn’t require it internally for admins. I told them that’s a great way to end up in the headlines. And, oh yeah, also turn it on for cloud.
- Comodo Issues Eight Forbidden Certificates. You had one… oh, never mind.
- November Patch Tuesday Brings 12 Bulletins, Four Critical.
- Massive Hack of 70 Million Prisoner Phone Calls Indicates Violations of Attorney-Client Privilege. Guess who needs to write a post on data retention?