What would you do if you could go back to school? Seriously. If you could turn back the clock and go back to grade school or even high school? No real responsibility. No one depending on you for food and/or shelter. Gosh, I’d do so many things differently. I’d buy a few shares of Microsoft when they went public (and I’d also send a note to my 1999 self to sell it). Ah, the magic of hindsight.

What I wouldn’t do is bitch about it. It’s funny that my kids were actually excited to go back to school. We figured they’d be bitching a lot more, especially given how much fun they have over the summer. Thankfully, they aren’t at the stage where they dread the end of summer vacation and the return to the structure and routine of the school year. The Boss is clearly doing something right because the girls jumped right in. The Boy not so much. Not because he doesn’t like school, but more because time he’s working is time he’s not outside playing ball with his buddies.

The biggest thing we try to get across every year is the importance of a strong work ethic. Unless there is an activity right after school, the kids grab a snack and jump right into their homework, which must be done, to The Boss’s satisfaction, before they can do anything else. We’re constantly harping on the fact that hard work can overcome a lot of mistakes and issues. Also that it’s okay to get something wrong and to make mistakes. But it’s not okay not to give it proper effort.

The most gratifying thing about it all? Seeing one of the kids “get it.” Last year XX1 spent countless hours preparing for a big test, and she aced it. She saw the direct correlation between hard work and positive results. Rich and I were joking the other day that we both did the bare minimum as long as we could throughout public school. We got by on our charming personalities. Okay, maybe not…

All the same, if we applied our current work ethic to our school endeavors? Who knows what we’d accomplish. But we would also miss out on a number of great parties and save some liver damage. Okay, a lot of liver damage. Oh yeah, the balance discussion. That’s one secret we won’t share until the kids graduate from college. So don’t ruin it for us, okay?

-Mike

Note: Yes, I’m kidding. All work and no play is not the way to go through childhood.

Photo credits: “Back to School Bong Sale” originally uploaded by designwallah

Incite 4 U

1. Fixing is the hard part: I’m kind of surprised at the tepid response to Microsoft’s $250k prize for advancement of exploit mitigation. Imagine that, folks get paid a bit for finding a bug and being able to exploit it, but now can get paid a lot for actually fixing the issue. I think this is great and we should all applaud Microsoft. First for finally understanding that for the price of one engineer (fully loaded), they could put in place a meaningful economic incentive for a researcher. But also to start driving toward a culture of fixing things instead of just breaking them. Stormy did a great job of making that case as well. – MR
2. And you thought your network was tough…: We often call the DefCon network “The World’s Most Hostile Network” since you can assume at least a few hundred – possibly thousands – of hackers are on it eating their latest software toys. What not everyone knows is that there are actually multiple networks at DefCon, some of which are probably reasonably secure, but that isn’t what I’m going to talk about today. Ryan Barnett over at Tactical Web Application Security wrote a great post on what web apps can learn from casino surveillance. I’m a huge fan of monitoring at all levels, and when it comes to web apps we definitely aren’t doing enough (in most cases). Ryan’s post does a good job of keying in on the main difference between apps and networks (spoiler – is has to do with who is allowed in). As a side note, back in Gartner days Ray Wagner (still there) and myself were proponents of using slot machine security standards for voting machines. But it seems the price of democracy doesn’t won’t cover the same security used for nickel slots. Then again the payout of the voting machines usually isn’t 97% either. – RM
3. DAM market maturing: The Database Activity Monitoring market continues to see activity, with GreenSQL receiving another $2.2 million in venture funding from Atlantic Capital partners. Like children, most startups are not very interesting until they are a couple years old. Companies need to mature both product functionality and vision. GreenSQL is reaching that point: their first product was an open source reverse proxy for SQL statements. Now they offer core SQL statement blocking function like other DAM vendors, but they also offer a performance boost through a database caching service as well. Like the rest of the DAM players, they are morphing into something else – with the addition of masking, usage profiles, and application specific rule sets. Integrating a number of previously separate functions into a more integrated offering. Yet another sign of an increasingly mature market. DAM(n) funny how that happens. With Imperva slated for IPO and lots of interest in the basic monitoring capabilities, expect continued M&A activity. I expect we’ll need to change the way we think about DAM into a larger database security context by this time next year. – AL
4. A different kind of hacking: Most of us were taught that two wrongs don’t make a right. The consistent attacks on law enforcement do nothing but endanger folks who make significant sacrifices. Our own Adrian provided some context about the situation in Arizona for this story about the continued posting of personal information about law enforcement officers. Pimply teens don’t realize what tends to happen when you mess with the livelihood of human smugglers. It’s hacking with a machete, not a computer. Maybe the bad guys already know where these officers live, but I suspect not. It’s just another weak rationalization these folks use to justify doing the wrong thing. – MR
5. FPE, we hardly knew ya! The PCI council announced ‘guidance’ for tokenization last week. Think of it as unofficial support for the technology. With a three year cycle time on revs to PCI, it will be ‘unofficial’ for a while. While I found many of the quotes about the tokenization guidance to be vague, the technical supplement prepared by the working group is fairly specific about what they feel is tokenization and what’s encryption. In a nutshell, Format Preserving encryption variants and tokens derived from hashing do not help you reduce PCI scope. And since the name of the game is scope reduction, that’s a bit of a problem for both technologies. Watch for lots more about this from us in the coming days. – AL
6. The first step is admitting you have a problem: Most people who spend significant time in security recognize it’s a series of waves, not a continuum. There isn’t much value in investing more into security than you need to keep losses to an acceptable level, yet attackers are always innovating. So it’s a constant game of hit/response as we fall behind, get ahead, stagnate, and fall behind again. This is completely normal, not IT specific, and backed by thousands of years of history. So it’s nice to see the TSA taking the first baby steps towards normalcy by exempting pilots from airport screening. Well, at one airport anyway. This was always one of the most extreme examples of security theater, especially considering those pilots could have licenses to carry guns on planes, and are sort of the ones who keep them from crashing into the buildings in the first place. Now what are the odds you will return the favor and drop desktop AV or password rotations? Yeah, didn’t think so. – RM
7. Occam’s Razor strikes again: Our friend LonerVamp points out that we security engineer types have a tendency to, uh, overcomplicate things. And he does it with great style: “I don’t think the answer to any, “help me secure this,” challenge should be to grab your favorite 600 page IT security book and thump it on the desk like you’re some pimp on Exotic Liability flopping your meat on the table.” It’s a reminder to not forget Occam’s Razor, which suggests we tend toward simpler solutions. In security that is even more critical because complexity is likely what caused the issue in the first place, so solving it with more complexity doesn’t work too well. Just as with writing, there is no need to use 100 words for what you can communicate in 10. – MR