Incite 8/10/2011: Back to the Future
By Mike Rothman
Getting old just sucks. OK, I’m not really old, but I feel that way. I think I’m suffering from the fundamental problem Rich described a few weeks ago. I think I’m 20, so I do these intense exercise programs and athletic pursuits. Lo and behold, I get hurt.
First it was the knees. My right knee has bothered me for years. And I was looking at the end of my COBRA health benefits from my last employer, so I figured I’d get it checked out before my crap insurance kicked in (don’t get me started on health insurance). Sure enough there was some inflammation. Technically they called it patellar tendinitis. My trusty doctor prescribed some anti-inflammatories and suggested a few weeks of physical therapy to strengthen my quads to alleviate the issue.
But that took me out of my pretty intense routines for a few months. That wouldn’t normally be a huge problem, but softball season was starting, and I had lost some of my fitness. OK, a lot of my fitness. I was probably still ahead of most of the old dudes I play with, but all the same – when you aren’t in shape, you are more open to injury.
You know how this ends. I plant the wrong way crossing home and I can feel the jolt through my entire body. My middle back and shoulder tighten up right away. It wouldn’t be the first time I’ve pinched a nerve, so I figure within a day or two with some good stretching it’ll be fine. I take a trip and three days later try some yoga. Yeah, that didn’t work out too well. I made it through 10 minutes of that workout before saying No Mas. Since when did I become Roberto Duran? Oh crap, this may be a bit more serious than I figured.
It probably didn’t help that the next day we loaded up the family truckster and drove 7 hours to see the girls at camp. When I woke up the next day I could hardly move. I’m not one to complain, but I was pretty well immobile. Once we got to Maryland, I got a deep tissue massage. No change. My doctor called in some relaxants. I tried to persevere. No dice. I flew home to see my doc, who thought there was a disc problem. An MRI would confirm.
And confirm it did. I have a degenerative disc (C5-6 for those orthopedists out there). It took about two weeks but finally settled down. I’m going to try to rehab it with more PT and more stretching and less impact. I don’t want to do shots. I definitely don’t want to do surgery. So I’ve got to adapt. P90X may not be the best idea. Not 6 days a week, anyway. I can build up a good sweat doing yoga, and maybe I’ll even buy that bike the Boss has been pushing for. Or perhaps take a walk. How novel!
I’m not going to settle for a sedentary existence. I like beer and food too much for that to end well. But I don’t need to kill myself either. So I’m searching for the middle ground. I know, for most of my life I didn’t even know there was a thing called middle ground. But as I get older I need to find it. Because life is a marathon, not a sprint. I can’t go back to the future in a broken down DeLorean, now can I?
Photo credits: “Lateral X-Ray of Neck Showing Flexion | Donald Corenman, MD | Spine Surgery Colorado” originally uploaded by neckandback
Incite 4 U
Long live speeds and feeds: Coming from a networking background, I have a serious disdain for vendors differentiating based on speed. Or how many signatures something ships with. Or any other aspect of the device with little bearing on real world performance. After the 40 Gbps IPS rhetoric died down a few years ago, I hoped we were past the “my tool is bigger than yours” marketing. Yeah, not so much. Our pals at Check Point dive back into the speeds/feeds muck with their new big box, and NetworkWorld needs a visit from the clue bat for buying into the 1 Tbps firewall. Check Point did map out a path to 1 Tbps, but it’ll take them 4 years to get there. But hey, a 1 Tbps firewall generates some page views. By the way, there are a handful of customers that even need 100 Gbps of perimeter throughput. But long live the speeds and feeds! – MR
I guess the parents were also in the room: When I worked for the State of Colorado, my first real IT job was as a systems and network administrator at the University of Colorado in Boulder. I had a wacky boss who wasn’t the most stable of individuals. When I got my Classified Staff status he informed me that I now didn’t have to worry about being fired. I quote, “even if you have sex with a student on a desk in front of the class, they’ll just suspend you with pay”. (When he finally went off the deep end it took them years of demotions to finally get him to quit). I’ve always thought of PCI QSA (assessment) companies that way. It has always seemed that no matter what they did, there weren’t any consequences. I wouldn’t say that’s changing, but a company called Chief Security Officers is the first to have its QSA status revoked. No one is saying why, but I suspect less than satisfactory performance, with consistency. – RM
CSA Vendor Guide: CSA is offering a Security Registry for Cloud providers in order to help customers compare cloud security offerings across vendors. The CSA has a questionnaire for each provider – basically an RFP/RFI – and will publish the results for customers. The good news is that this will provide some of the high-level information that is really hard to find – or entirely absent – from vendor sites. The bad news is the questions are ‘yes/no’, and if you have ever dealt with RFPs, you know that any answer is open to interpretation. You will still need to dig into the details, but at least this provides a starting point for seeing how vendors stack up. – AL
Can we get an XPress burial? I know big companies do things slowly. It can take months to upgrade a desktop when there are tens of thousands of them. Just understand that continuing to use Windows XP doesn’t help you stay ahead of the attackers. The folks at Avast did a study showing that 3 of 4 rootkits run on XP. But that’s not because 75% of PCs use XP – that number is down to about 50%. We all know correlation is not causation, so there may be a variety of reasons those XP machines are pwned. Organizations still on XP may not keep things patched, or might lack a strong control set. Who knows? But we do know that Windows 7 does a much better job of security. Nothing is foolproof, but you’ve got a much better shot with a modern OS. I’m just sayin’. – MR
Please light up the Shady RAT: Seems some other security vendors are not happy with McAfee’s marketing of their ‘Shady RAT’ discovery, and are venting their opinion on what it’s not. It’s not APT. It’s not the largest known data heist, and it’s not the largest botnet ever cracked. Now that I’ve had a chance to view the report, it’s interesting but lacking in actionable information. Some McAfee folks I spoke with at Black Hat had some interesting items to share, and they freely admitted they got lucky in finding the server that held all the raw information. But the report has limited value. To the security community it’s the raw data that would be valuable. I hope that they will publish the specifics of what they find – at least to the research community – so others can benefit. I know! Hope is not a strategy. – AL
Life at the Con: While I had already been to Black Hat a couple of times, about 6 years ago a colleague at Gartner recruited me to help out as a goon at both Black Hat and DefCon. Since leaving Gartner, I have made a much wider range of connections throughout the community, especially on the researcher side. What’s funny is that Black Hat basically exists only to provide someplace for the corporate types to feel more comfortable, even though the content between the two often overlaps (it’s also more ‘legitimate’, which makes getting budget to attend easier). This series of photos tries to highlight some of the differences, but doesn’t really capture it. For me DefCon has become my equivalent of summer camp – a place to see my friends, where the usual rules of corporate behavior are relaxed. I get to focus on a technical project for a change, use bad language without hearing about it in the evals, and have very geeky creative discussions that are nearly non-existent at the usual corporate conferences. It’s not that DefCon is ‘better’ – at least not for everyone – but it’s different and one of the only places we geeky hacker types can really let it all hang out. You should go at least once, if for nothing else than to see the sheer creativity. – RM
Bully 4 U: Our pal Paul Roberts delves a little into why we shouldn’t be surprised that many of the Anon and LulzSec folks are barely pubescent. Hmm. Kids lack empathy. They learn from those around them. And they got their asses kicked on the playground, so they wanted to return the favor. Amazing what a little Slowloris or LOIC on a nameless, faceless company or corporate cretin can do for a kid’s self-esteem. But thinking we can stop this kind of behavior is naive. The root cause is basically Darwinism. The big kids pick on the smaller kids. Now technology has made that physically diminutive kid an online giant, but the social dynamics have not changed. It’s about building themselves up at the expense of others. Yeah, that’s happened since the beginning of time. This time the aggressors don’t wear football letter jackets, but the underlying sociology is exactly the same. – MR