Chalk it up to either not having enough time, or not having a critical mass of friends who use it to exclusion, but it’s just so difficult to remember to log in and check it,   much less update it with any frequency.

In an effort to “fix” that I added functionality that will cross post my blog entries (like this one) over to Google+

I still doubt I’ll end up logging into Google+ any more frequently than I do now (at least for the near future), but at least my account there won’t languish quite as much as it currently is.

[Update: Apparently my understanding of the plugins I used was incorrect.  I can post to Google+ and have it show up in my blog here, but not vice versa, as apparently Google hasn't released that portion of their API.   This is lame.  It also has killed my desire to continue down this front for now.]

A vulnerability is most assuredly bad,   but a threat much more so.

Vulnerabilities are weaknesses in a system; weaknesses which may or may not result in a compromise of that system.

Threats are vulnerabilities with a high probability of being exploited, where that imminent exploitation is likely to result in a compromise of the contents of that system.

Threats are far more damaging, and far more costly.  You should pay attention to them.

True danger comes when looking at vulnerabilities in a system and attempting to prioritize.  Frequently this is done without assessing real threat first, which leads to poor decisions and far greater risk.

My buddy Jason pointed me to Alarm.com,  which is the technology behind the offerings of quite a few alarm companies now. It uses a cellular connection to connect your alarm back to alarm.com servers where you can monitor it via the Internet (and smart phones) and interact with your system from anywhere in the world. It also features some tie-ins to home automation systems, which at the time I was also exploring.  It sounded perfect.  For what I wanted – it was perfect.

I contacted Alarm.com for references of companies selling their service as a product offering, since Alarm.com doesn’t sell directly to the consumer. They recommended a company called FrontPoint Security, as they would sell me the equipment I needed (and the monitoring of the alarm), but allow me to spec out the components I needed / wanted and do a quick easy installation myself (This was something I was looking for at the time, I wanted to do the install myself). Alarm.com helpfully passed my information on to FrontPoint and I received a call from the company.   I ended up talking with their Chief Operating Officer, Peter Rogers.  Peter helpfully answered every question I could come up with and was a pleasure to work with.  I got the components I needed spec’d, ordered, and installed in very short order.  It was painless and I had a working (and pretty damn cool) alarm system.

I blogged about the system on my sister blog – YWGAV (on hiatus) – a few times.  FrontPoint noticed this and contacted me about some of the interesting things I was doing with their system. I felt comfortable endorsing their services as their support operations were top notch and the company was treating me very well as a customer. I was extraordinarily happy. I tested new service offerings and equipment (their network video services) and provided feedback.

I stopped having much time for home automation over the past couple of years, and didn’t do much more with the alarm system. It was working and doing what we wanted of it – that was good enough for me. Until we moved.

A few weeks after we moved – taking the alarm system with us (one of the reasons I wanted to own the equipment and be able to install it myself – I can take it wherever I want) I got a call from the central station to notify me of a fire alarm from my system. I figured this might be the result of a malfunction signal my system was reporting from our smoke detector, which got lost somewhere during the move.  I called them back and cancelled the alarm. The fire department showed up anyways as apparently their policy is to check an alarm out even if it’s cancelled – just to make sure.  A quick call to FrontPoint got that malfunctioning sensor off our account, and I figured that was the end of it.

I was wrong.

Late last week – around 130 in the morning on Friday – our phones rang. Being half asleep and neither Ann nor I being on call, we ignored them and fell back asleep. A few minutes later the doorbell rang. A lot. Looking outside we saw a couple of fire trucks sitting in front of our house, and firefighters in full gear clutching axes and appearing ready to burst in and save the day.  It kind of looked like the set of Rescue Me (had it been set in a suburb of Indianapolis…).

Apparently, the call we had ignored was from the central station to let us know there was a fire alarm from our house.  Except now, we don’t HAVE a fire alarm.   We tried explaining to the fire department, but they wanted us to call the central station and get the alarm cancelled.  While Ann was on the phone with the central station the fire department received an all clear call from their dispatch and finally left.   The central station then said that someone had entered the code into our alarm panel to cancel the alarm.   Neither Ann nor I had touched the panel.

For those keeping score – we now have two instances where the fire department was erroneously dispatched to my house for a fire alarm.  On BOTH occasions my actual alarm unit failed to issue an alarm locally, nor did it issue an alarm via SMS or Email, as it’s configured to do.

I called FrontPoint customer support expecting that they would be their usual helpful selves and would get this latest issue sorted out quickly. To my surprise, and disappointment, that has not been the case.

My initial call to support went alright – Phillip answered and dutifully took down all of the relevant information about the incident and promised to investigate and get back to me within a day or so.  He left a voicemail the next morning indicating that his investigation had discovered that the alarm had been triggered from our remote keypad.  This didn’t add up.  How could a remote keypad send an alarm signal – a fire alarm signal at that – with both of us sound asleep? How could someone enter the correct code to disarm / cancel the alarm when both of us were dealing with the fire department at the front door?   How come I completely failed to see this supposed activity from the remote keypad on my alarm.com logs that show all activity from my system?  (For those wondering – I *do* see activity from the night before, and I do also see us opening the door for the fire department at 1:43 AM, but I do not see ANYTHING between those two events.)  After Phillip followed up via email Monday morning I decided to pose those questions back to him – including screenshots of my alarm.com logs that show there was no activity on my system.  A near 48 hours later I have yet to receive any sort of response to those followup questions.

And that’s a shame.  I really liked FrontPoint.  It went beyond the equipment and the Alarm.com features – things I can get from a multitude of alarm companies locally now.  Their responsiveness and genuinely helpful support had been pillars of why I liked their company.  They had always been willing and able to make it right.

Now that they are apparently either not willing, or not able, to fix this issue – or even respond in a timely fashion – I’m left to wonder if perhaps it’s time I switch.

One thing is for certain – I can’t recommend this company any more. (See update 3 below)

[update 1 - 10/5/11]: Phillip from FrontPoint reached out shortly after this was posted.  A response is promised by close of business 10/5/11.

[update 2 - 10/5/11]: Received an email from Chris Villar – the CEO of FrontPoint in response to an email I sent prior to writing this post.  He’s engaged further resources on their end to address this issue for me.   Still concerned that it would take an email to someone that high up to get that level of effort, but appreciative nonetheless.

[update 3 - 10/5/11]:  Received a call, and email, from Philip Pearson (not the same Phillip from Update 1) – Director of Operations for FrontPoint.  He apologized for the sub-par response from support,  explained fully what happened,  why and how it happened, and what was done to fix it and prevent it from happening again.   While I will refrain from going into all of the technical details I will say the answer seems genuine and honest, it makes complete sense, and I’m comfortable that the company is taking steps to ensure it doesn’t happen again for me – or anybody else.   I’m satisfied with the end result, even if I’m not 100% happy with how things were initially handled.   I can appreciate when a company owns up to it’s mistakes and makes things right, which I feel they have done.

Last week, after my face had been itchy for a couple of days of bad allergies and with the temperatures soaring,  I decided it was time for a change.  I shaved it all off.

So here it is, a week later, and I’m still clean shaven*.   I remember now why I hated shaving and eventually stopped doing it.   I remember WHY I liked having a beard.  But now I also remember what it was like without a beard – something I had forgotten over the past five years.

Despite hating shaving, and liking a beard, I don’t think I’ll grow mine back anytime in the near future.   I’ll probably give it until the weather starts turning cold again.

Our first night of the trip we were looking for a place to eat in Vegas that wouldn’t be ridiculously expensive,  isn’t particularly touristy, and where we could get good beer.  The hotel recommended we go to Town Square and eat at Yard House.  We really didn’t know what to expect as we made our way from the hotel to Yard House, but any expectations were blown out of the water when we arrived and saw their beer selection.  Well over a hundred beers on tap.

The food was pretty good, too.

When we got back to Vegas for our return flights home we had time to grab some lunch.  Dad suggested we head to Yard House again, and we did.  I thought it fitting that the first and last meals we had on the trip were at the same place, bringing us full circle.

I’ve been to Vegas twice since that trip, both for business.  Each time I’ve made it a point to stop and have a bite to eat and a couple of very tasty beers at Yard House.  Each time I think of Dad and that fantastic trip.

Last August, as the summer was slowly winding down, Ann convinced me to start biking with her.  The Eagle Creek Greenway,  a walking/biking path that led to Eagle Creek Park, was next to our neighborhood and gave us a nice path to ride to the park.  It wasn’t very long before we were regularly doing 8-10 mile rides after work and on weekends.  I also found that I lost a lot of weight doing it.

I was hooked.

Back in those days we were riding $200 mountain bikes – the kind you can buy at any sporting goods stores – which were steel framed and heavy.  And slow.   Our attire consisted of whatever shorts we could find and a t-shirt.  We would regularly comment on the other riders out on their road bikes wearing the spandex stretchy bike shorts and jerseys and how they looked a bit silly.

Then, earlier this year we bought new bikes.  Road bikes.  

We quickly discovered why people wear bike shorts.  It’s not because of any misguided thought that they make you look good (few people truly enjoy them I suspect), but more for comfort while riding.   They’re padded,  making long rides possible without your butt getting too sore from being on the saddle too long. They’re a godsend.  You’ll wear them and learn to love them.

So, we had evolved to wearing the ridiculous shorts with t-shirts – we were not quite ready to wear silly looking jerseys.

Until now.

Over the weekend we went to Twin-Six and picked up a couple really cool jerseys.   They arrived yesterday and we took them on their maiden ride… and loved them.

We’re slowly evolving as cyclists.  Evolving in the equipment we use (and how we use it) as well as the clothing we wear.   We’re moving ever more from casual riders to (slightly) more seasoned.  We’re pushing ourselves – and our bikes – farther than we would have felt comfortable a year ago.  We’re feeling better about ourselves and are tending to lead healthier lives.

Most important – we’re having fun in an activity we can do together.

The jersey pictured above is the one I bought.   (Ann’s is here)

The only downside as we saw it was that our bikes of choice at the time were comparatively cheap $200 steel frame mountain bikes. My shifter was horribly messed , as was the rear derailleur, which caused my bike to randomly jump gears and made the riding experience… less than optimal. The bikes were heavy, the tires bulky, and the ride anything but smooth (or fast).  If we REALLY pushed ourselves we could maybe get up to 14MPH, but we’d quickly find ourselves quite winded.

My twitter friend Mike Grace (cool guy, follow him @mikegrace), got me to start using an iphone app called Endomondo to track my exercising. The geek-factor of having data and tracking and all kinds of other stuff got me even more interested in exercising – and drove me to go farther, faster, and more often. As a result – I started losing weight. Fast. 

That was all the catalyst I needed to make the plunge and become a cyclist. I knew I wanted a road bike to make climbs possible easier, and shifting a breeze.  I also knew I didn’t want something that weighed a lot – no more steel frames!  The last hurdle – to convince Ann.

A few weeks ago (weeks? try over a Month – wow time flies) Ann and I went to the local bike shop to look at what was available and get educated on bikes and what to look for.  The sales guy was very helpful in explaining the differences in the bikes and helping us figure out what we should probably be looking for given our goals. He also sized us for the frame so we’d know what size to get.  We were told we should wait a couple of weeks and come back when they were having their sale so we could get better prices.   We followed that advice.

A few weeks later we showed up to a madhouse.  There were people everywhere and you had to park a half mile away (possible exaggeration).  I was very worried that we wouldn’t be able to find bikes, but found a helpful sales guy who was able to help both myself and Ann find bikes we liked.

I ended up getting a Trek Madone 4.7, while Ann picked out the Trek Madone 4.5 (turns out convincing her to get a road bike was as easy as having her test ride one), and we couldn’t be happier.  The carbon fiber frames are feather light compared to the steel frames we had been riding.  The Shimano shifters and derailleur’s are ridiculously smooth compared to what I had been riding.  The biggest difference we noticed was that instead of topping out at 13-14mph as we had on our old bikes… we are now averaging 13-14mph, without really breaking a sweat. We’re just getting started too – I’m sure eventually we’ll get up to 20-30mph, and I can’t wait.

Oh – and for those of you wondering:  Yes, I do have a pair of those ridiculous spandex bike shorts and yes, I do wear them.

Oh – and for those of you wondering about the weight loss – I went from ~220 to ~188. I’m currently at 194 (weighed in last night).

Data breaches are a serious matter, regardless of what data was gleaned in the breach.  Even innocuous things such as name and email address are serious losses that could have a high potential damages,  and when you get into trade secrets and sensitive data around a massively deployed strong two-factor authentication scheme the ramifications are far reaching indeed.

Working in the AppSec space in infosec I am frequently asked how things like this can happen?  Is it that the companies themselves are lazy, complacent  – or worse – negligent?

No.

Nobody* wants to see data lost, least of all the company whose systems become compromised.  That’s a worst case nightmare scenario that keep us up at night.  Except in some rare cases, I wouldn’t consider these organizations negligent.  As RSA proved – you can have some of the best perimeter security in the world,  but that won’t necessarily protect you should you become a target.  The weakest link in the security chain has moved from the infrastructure to the people,  and attackers will almost invariably attack the weakest link.   Spear phishing and clever social engineering are two of the most serious threats facing businesses today – and recent news reports are showing why.

So, where do we go from here?   We learn.  We improve. We teach.

Much can be learned by everyone from these breaches.  As we learn more details about how these breaches occurred we can improve our security to protect against these new attack vectors.   Newer and better controls can be added to our applications and services which can help mitigate these new threats.  We can – and should – educate our employees about the dangers of social engineering and spear phishing.  We can use this opportunity to increase and refresh their security knowledge.

What we shouldn’t do is point fingers,  ridicule, or otherwise blast these vendors (at least with regards to the fact that they got hacked – their PR handling of the incident is open to criticism, should you feel the need).  Instead – lets learn from the mistakes made.  Let’s collectively improve.

We can do better.  We should do better.  Let’s take this opportunity to do so.

* Obviously the attacker does want to see data lost.  They don’t count