For all of us, the problem is well defined. We need to protect sensitive data that is stored on our IT devices. However, we need to be careful to avoid common security solution pitfalls. Typically, the sensitive data problem can be broken down into these phases.
Sensitive Data Protection Strategy
1. Define Sensitive Data. Protect "sensitive data" as defined by our
local policies. Things like SSN, CCN, Driver's license #'s, Bank
account #'s, Passport #'s, FERPA/HIPAA/GLB protected data items are
generally agreed to be "sensitive data". We can use NIST, PCI,
Educause and other guidelines to help us define sensitive data but for
the most part, the aforementioned items will be a good subset of these
sensitive data definitions.
2. Find the "sensitive data". Where is sensitive data likely to be stored? Do you know where all of your servers on your campus network are? Database servers (Oracle, MySQL, Postgres, MSSQL, FileMaker Pro), web servers if not properly designed and configured, end user systems (desktops/laptops), and mobile devices (USB drives, CDs, backup media, smart phones, iPads, etc.) are likely storage places. Use commercial tools like IdentityFinder or freeware tools like Cornell's Spider, our Find_SSN, or UT-Austin's SENF. Realize that these tools may not find ALL of the sensitive data defined in step 1, but they are a good start. The resistance to using these tools comes from the complaints that they a) generate lots of false positives, b) require the user to examine all of these files, and c) tell the user or sysadmins what they don't want to know. Some of these tools will not run on all 3 of the common platforms (Windows, Mac, Unix/Linux). Most big DB servers are Unix/Linux based.
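As an added example (not code from Find_SSN, Spider, SENF or IdentityFinder), here is a small Python scanner in the spirit of those tools: it finds SSN and credit-card patterns in text and applies the cheap validity checks (the SSA's area/group/serial rules and the Luhn checksum) that cut down the false positives step 2 complains about. The sample text and file path are constructed.

```python
import re
from pathlib import Path

# Candidate patterns.  SSN: 3-2-4 digits with optional '-' or ' ' separators.
# Card number: 13-19 digits, optionally grouped by spaces or dashes.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")
CCN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules the SSA publishes: area is never 000, 666 or 900-999,
    and group/serial are never all zeros.  This rejects many 9-digit numbers
    that are not SSNs but is not proof that a surviving match is one."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """A scan report must not become a new copy of the data: keep last 4 only."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> list:
    """Return [(kind, masked_value, line_number)] for every plausible hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CCN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append(("CCN", mask(digits), lineno))
        for m in SSN_RE.finditer(line):
            area, group, serial = m.groups()
            if is_plausible_ssn(area, group, serial):
                findings.append(("SSN", mask(area + group + serial), lineno))
    return findings


def scan_paths(paths) -> dict:
    """Scan each readable file; map path -> findings (files with none are omitted)."""
    report = {}
    for p in paths:
        try:
            text = Path(p).read_text(errors="replace")
        except OSError:
            continue            # unreadable or missing: skip, do not crash the sweep
        hits = scan_text(text)
        if hits:
            report[str(p)] = hits
    return report


# Constructed test data (no real identifiers).  Two true hits, three false
# positives that a naive 3-2-4 / 16-digit regex would have reported.
SAMPLE = """\
Payroll export (constructed test data)
Employee: J. Doe  SSN: 219-09-9999     <- structurally valid, reported
Invoice: 000-12-3456                    <- area 000, rejected
Phone fragment: 666-55-1234             <- area 666, rejected
Card on file: 4111 1111 1111 1111       <- passes Luhn, reported
Order ref: 4111 1111 1111 1112          <- fails Luhn, rejected
"""

if __name__ == "__main__":
    for kind, value, lineno in scan_text(SAMPLE):
        print(f"line {lineno}: {kind} {value}")
```

Even with these checks a hit is only a candidate; the file still has to be examined by someone who knows the business process, which is exactly the work step 2 says people resist.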
3. Beware of making a distinction based on where the sensitive data is stored. Who cares whether it's stored on a mobile device or a DB server? The problem is still there: it must be protected at rest and in transit. A flat-out statement that ANY sensitive data must be protected regardless of WHERE it's stored simplifies the enforcement mechanism of our sensitive data standards. Having said that, mobile devices like smart phones introduce a whole new set of issues for safeguarding email attachments sent to them.
4. How is sensitive data used? It's absolutely critical for security
officers and policy writers to understand the business processes that
use sensitive data. Protection solutions must be tailored to address
these processes. Some of the ways we've discovered sensitive data is
used include:
a. single user/single folder - the user puts all of the sensitive
data files in a single folder/directory.
b. multiple user/one person with write access - multiple people
access the sensitive data folder in Read mode. Only one person
has write access to the file or folder.
c. multiple user/multiple people with write access to files in a
folder - most common environment for offices that handle sensitive
data (Controller's office, HR, Registrar, Grad School, Admissions, etc.).
d. Email attachments to internal users - using a wide variety of email systems (Exchange, IMAP, Gmail, etc.). Some solutions are effective in this case, where you send an email to another internal (to your EDU) user.
e. Email attachments to external users - we all have to send
sensitive data to external agencies. They may NOT support your
encryption schemes. For example, we probably have to send reports
to the Feds, state or NCAA regulatory agencies.
Institutional research groups, athletic associations within our
EDUs are prime users of this function, I suspect.
Encrypting email attachments is a critical task.
5. Encryption is the catch-all method for protecting sensitive data. In our research over the past 2 years, we've found NO enterprise-wide encryption solution that is "cost-effective" in the EDU environment. The key phrase is "cost effective". There are commercial solutions that address a segment, but they get more expensive the more licenses have to be granted. There are solutions that work well in the Windows world but not the Mac or Unix/Linux world. Some people want to say you can only use Windows systems to store sensitive data. What about the big enterprise DB server? I've heard people talk about whole disk encryption (on-the-fly encryption, aka OTFE) as a solution. However, we need to fully understand how OTFE works.
OTFE (Whole Disk Encryption) Issues
Tools like Bitlocker, GuardianEdge and Truecrypt's whole disk
encryption option were some of the items mentioned to us as a
control for securing data at rest. A number of you have told me
that Full Disk Encryption satisfies the at-rest part of your standard.
Beware the sense of false security full disk encryption may bring.
1. Full disk encryption (FDE) schemes such as Bitlocker and True Crypt
use on-the-fly encryption techniques to encrypt the disk. A friend of
mine describes OTFE as "On-the-fly encryption (OTFE), also known as
Real-time Encryption, is a method used by some encryption programs,
for example, disk encryption software. "On-the-fly" refers to the fact
that the files are accessible *immediately after the key is provided*
and in the case of FDE encryption, the key is provided at boot. While
the files on disk are still encrypted at rest, the keys are in memory
and decryption occurs "On-the-fly" upon file access (not at rest). So
once booted, ANYONE WITH READ ACCESS may read (decrypt) the files."
This is the critical piece.
2. This is significant in that as long as the system is booted up, your files are encrypted UNTIL they are accessed by a userid, or by a process owned by a userid, that has READ access to the files in question. World read access allows any userid to decrypt the file. A process running under your userid's privileges can decrypt any file you have read access to, and any malware running under your userid has that same access.
3. Even if you are running OTFE of some sort, you should use an
additional encryption scheme like Truecrypt, PGP, GPG, or some other
system like RMS. Decrypt the file and folder only when you need to
access it. Yes, all we're doing is reducing the "decrypted" window but
this window is MUCH smaller than the one for OTFE-only systems.
4. Regardless of which encryption scheme you use, you should still run Find_SSN/CCN, IdentityFinder or any of the other sensitive data search tools frequently on your systems. Whole disk encryption should never be used as a reason for not running these tools on your system. You need to know exactly where all sensitive data is located.
5. Full disk encryption does nothing to stop malware, viruses or
trojan software from reading your files. After boot, if I have read
access to your files, I have the files.
Is protecting our sensitive data an intractable problem? Given the
cost of enterprise wide solutions, it may be. It might be time for the
EDU community to band together as a consumer group seeking an
enterprise wide solution.
-rcm, 5/11/2010
Wednesday, May 19, 2010
Tuesday, March 16, 2010
How Vendor Software Undercuts Password Controls
The biggest problem with password controls such as aging, resets and adhering to strength guidelines is that vendor applications are sometimes the crippling factor in enforcing your rules.
For example, earlier versions (circa 2005-2006) of Oracle (<=11i) have an inherent password weakness that defeats most sensible strength rules. Google for "oracle password weakness" or "An Assessment of the Oracle Password Hashing Algorithm" by Josh Wright/Carlos Cid, or see http://www.integrigy.com/oracle-security-blog/archive/2006/12/12/oracle-apps-password-weakness for some of the issue. Basically, Oracle passwords were converted to uppercase, certain special characters were restricted because they are used in standard DB queries, and the hash algorithm was weak. 'marchany' and 'marchan' would generate the same hash. This problem has been fixed in newer versions of Oracle, but I believe it's in the Oracle Security package. Please verify that.
Also, the Apache mod_security feature can cripple password strength by disabling ANY special characters in input fields (to prevent SQL injection), but the net effect is that password strength is seriously weakened. One of the guys who works for me couldn't log into a web app because the web developers used mod_security and he had special characters in his password.
My point in all of this is that BEFORE you embark on a mission of enforcing password strength, aging, etc., you should examine how ALL of your password-enabled apps treat password features like strength, aging, etc. You may find that you are forced into a lowest common denominator.
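As an added illustration (not from the post), the Python below models how each application transforms or restricts a password before your central rule ever sees it, then computes the lowest-common-denominator policy and the effective key space per application. The three application profiles are assumptions for illustration: a legacy database that upper-cases and limits special characters, a web app behind an input filter that rejects them, and a directory with no restrictions.

```python
import math
import string
from dataclasses import dataclass
from typing import Optional

FULL_ASCII = frozenset(string.ascii_letters + string.digits + string.punctuation)


@dataclass
class AppProfile:
    """How one password-enabled application treats a password before it is
    stored or checked.  Defaults: case-sensitive, any printable ASCII, no
    truncation.  The profiles below are assumed for illustration only."""
    name: str
    allowed: frozenset = FULL_ASCII
    case_insensitive: bool = False     # folds case (e.g. upper-cases) before hashing
    max_length: Optional[int] = None   # silently truncates beyond this

    def accepts(self, password: str) -> bool:
        return bool(password) and all(c in self.allowed for c in password)

    def effective(self, password: str) -> str:
        """The password as this application actually sees it."""
        pw = password[: self.max_length] if self.max_length else password
        return pw.upper() if self.case_insensitive else pw


ORACLE_LIKE = AppProfile(
    name="legacy DB (upper-cases, few specials)",
    allowed=frozenset(string.ascii_letters + string.digits + "_#$"),
    case_insensitive=True, max_length=30)
WEB_BEHIND_FILTER = AppProfile(
    name="web app behind input filter (no specials)",
    allowed=frozenset(string.ascii_letters + string.digits))
DIRECTORY = AppProfile(name="directory (no restrictions)")


def keyspace_bits(password: str, profile: AppProfile) -> float:
    """Bits for a random password of this length drawn from the character
    classes present in it, as the app sees it: case folding merges the two
    letter classes and a filtered character set shrinks every class."""
    eff = profile.effective(password)
    alphabet = set()
    for cls in (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation):
        if any(c in cls for c in eff):
            alphabet |= set(cls) & profile.allowed
    if profile.case_insensitive:
        alphabet = {c.upper() for c in alphabet}
    return len(eff) * math.log2(len(alphabet)) if alphabet else 0.0


def lowest_common_denominator(profiles) -> AppProfile:
    """The policy a central rule can really enforce everywhere: the intersection
    of allowed characters, the shortest truncation length, and case-insensitive
    if any single application folds case."""
    allowed = frozenset.intersection(*(p.allowed for p in profiles))
    lengths = [p.max_length for p in profiles if p.max_length]
    return AppProfile(name="effective policy", allowed=allowed,
                      case_insensitive=any(p.case_insensitive for p in profiles),
                      max_length=min(lengths) if lengths else None)


def audit(password: str, profiles) -> dict:
    """Per-app verdict: (accepted?, effective form, key space bits)."""
    return {p.name: (p.accepts(password), p.effective(password),
                     round(keyspace_bits(password, p), 1)) for p in profiles}


if __name__ == "__main__":
    apps = [ORACLE_LIKE, WEB_BEHIND_FILTER, DIRECTORY]
    for pw in ("Tr0ub4dor&3", "Tr0ub4dor3"):      # constructed sample passwords
        print(pw, audit(pw, apps))
    print("LCD:", lowest_common_denominator(apps))
```

Run it and the point of the post shows up in numbers: the password with a special character is rejected by two of the three apps, and the one everybody accepts is worth fewer bits in the database that upper-cases it than in the web app.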
Friday, March 5, 2010
Mobile Device Security
A couple of years ago, we started investigating the IT security of mobile devices and the 1st generation of smart phones. Grant Jacoby was the first of a couple of grad students who researched how to implement some sort of IDS on PDAs and smart phones. He discovered that the Windows Mobile OS doesn't allow access to raw sockets, supposedly for "security" reasons. This restriction basically prevented us from writing any type of IDS program for that platform.
So, how could we create an IDS that would be effective on those platforms? We decided to look at the power output of the batteries to see if we could detect aberrant behavior. We discovered a number of things.
- Smart batteries are supposed to output their power readings every second. We discovered that the interval varied from 1-9 seconds. So much for standards.....
- For idle devices, we were able to detect anomalous behavior by monitoring the power output of the batteries.
- We couldn't determine the type of attacks but we can definitely say "something is attacking us" :-)
rcm
Monday, January 18, 2010
The Bagpiper & the Homeless Man - A true story
As a bagpiper, I play many gigs. Recently I was asked by a funeral director to play at a graveside service for a homeless man. He had no family or friends, so the service was to be at a pauper's cemetery in the Kentucky back-country. As I was not familiar with the backwoods, I got lost and being a typical man I didn't stop for directions. I finally arrived an hour
late and saw the funeral guy had evidently gone and the hearse was nowhere in sight.
There were only the diggers and crew left and they were eating lunch. I felt badly and apologized to the men for being late. I went to the side of the grave and looked down and the vault lid was already in place. I didn't know what else to do, so I started to play. The workers put down their lunches and began to gather around. I played out my heart and soul for this man with no family and friends.
I played like I've never played before for this homeless man. And as I played 'Amazing Grace,' the workers began to weep. They wept, I wept, we all wept together. When I finished I packed up my bagpipes and started for my car. Though my head hung low, my heart was full.
As I opened the door to my car, I heard one of the workers say, "I never seen nothin' like that before and I've been putting in septic tanks for twenty years." :-)
Thanks to Joe Morgan for this story.
Sunday, December 13, 2009
Local Admin Rights for User: A Losing Battle?
I presume the primary reason for preventing local users from having
admin rights on their desktops is to keep them from installing "evil"
software.
If this is so, then my question to the group is "how long does it take
a desktop user to get a legitimate piece of software installed on
their desktop?" In other words, I have to use software package "A" to
do my job. How long does it take for "A" to be installed on my
desktop? My informal straw poll respondents noted the time range to be
anywhere from 1 day to 2 weeks. This is completely shocking to me.
Now, if my boss is breathing down my neck to finish a project by
tomorrow & I need software "A" to finish the project, I can't wait 1-7
days. The business process will trump this security process and a) I
go up the mgt chain to get an exception b) I bring in my personal
computer, load software "A" on it and get the job done.
So, I wonder why there has never been a survey with the question "How
long does it take to install a software package on a user desktop if
you restrict local admin rights?". This is the root cause of the
"never ending battle" that I keep hearing about. If you make the user
responsible for whatever they load on their machine AND enforce that,
then what is the danger of letting them do so? Well, people with no
local admin privs can still "infect" a machine by using their browser
so once again, what do we accomplish by "preventing" them from loading
software? Seems like nothing is accomplished, hence, the "never
ending" battle.
Call me silly, but I think there is an end to this battle but we don't
want to put in the effort to accomplish this. That end involves a)
enforcing user responsibility for their actions b) give them basic
training (you want to be able to install stuff, you have to sit in
this training) c) speed up legit software install requests.
I keep hearing about this losing battle with the users so why not
think of something radically different?
Just a thought for the holidays....
Tuesday, November 10, 2009
Pretty Fine: Every Guy's Nightmare
Every now and then I tell this story during our concerts as an intro to one of our songs.
This story is dedicated to all of the guys in the world who've made a fool of themselves. You know who you are.
I went to a Catholic high school and as you might imagine, contact with members of the opposite sex was limited to twice a day meetings. On special days, like religious holidays or school assemblies, we got an extra boost of the opposite sex.
The entire architecture of the school was designed to maintain this separation. The teachers were the Christian Brothers (of wine fame) and the Sisters of the Immaculate Heart of Mary (IHM). The school was a T shaped building complex with the stem of the T containing those facilities that couldn't be duplicated because of cost. Facilities like the cafeteria, science labs, gyms, library were fertile grounds for all sorts of adolescent mischief and fantasy, no doubt caused by exposure to the opposite sex. The Boys' and Girls' divisions were in the cross bar of the T. Boys occupied one side in a building painted in light blue and the girls occupied the other wing and yes, it was painted pink. These two wings were separated from the main stem by aerial walkways. We always imagined that individual wings could be isolated in the event of an impure thought by one of the adolescents with raging hormones. Which brings me to the point of this story......
I had a crush on a girl in my class. There, I said it. Guys, you know what I'm talking about. It was that type of crush where I memorized everything I could find out about her. She played basketball and I watched those games from the stands. I knew if I sat in the front desk by the door, I could see her walk by during class change. I knew that if I sat in a certain area in the cafeteria that she would look in my direction and wave. It wasn't until later (after returning her waves) that I realized she wasn't waving at me but rather at someone sitting behind me. Yes, I was a wave interloper, committing the worst faux pas, that of the return wave not meant for you. What a dork!
I remember the day well. It was a Saturday afternoon, early spring, crystal clear sky with just a hint of high clouds, temps in the 60's. It was that type of day that you knew only good things could happen. I came out of the gym heading to the exit where my dad was waiting for me. I have a basketball in my hands and had a pretty good game which for me meant that I didn't throw away the ball and I actually made a foul shot.
As I walk down the hallway, I look up and there she is. The object of my unrequited affection, the person with whom I had countless conversations in my mind, the smartest, coolest chick in the world and she was heading in my direction! This was my chance to atone for those return waves, those smiles, my invisibility. This was it! This was my chance to impress her with my command of the English language and my obvious athletic abilities.....the basketball, that orb of power and status in the high school world.
She approaches and I notice that she is looking at me. I KNOW there is no one behind me this time. There is no chance of mistaken identity. Because I was a musician and practice was a skill ingrained in me, I run through the upcoming conversation in my head:
Her: how are you? Haven't seen you in a while!
Me: Doing pretty fine, how are you! I see you're wearing running shoes. You must be a jogger.
Her: You're smart and I was going for an ice cream cone. Would you like to join me?
Me: Of course, I like nothing better than an ice cream cone after a hard day of basketball practice in the gym behind me where you're heading after talking to me.....
Me: Focus! Focus!
I find myself getting closer to the wall. In fact, I'm getting so close to the wall, I'm tracing the mortar indentations on those cinder block walls. Focus! Be cool! This is your chance to impress her with your wit, smarts, musical and athletic talent. She's looking at me now and I'm starting to sweat. No problem! I just came out of the gym. She'll just think I had a hard workout.....oh yeah, my cool factor will jump up when she thinks about that. Yep, she's definitely looking at me and drifting to my side of the hall. Ok, time for the cool walk!
She's now 5 feet, 4 feet, 3 feet away and she stops in front of me and says:
Her: Hi there. Do you know what time it is?
I still remember the moment I replied to her simple question. It was 40 years ago and I remember every detail of the hallway, the lighting, her looking up at me with those inquiring eyes, that smile, those running shoes, the graceful way she held her hands, the feel of every nub on the basketball I was holding. To this day, I remember those things along with those words spoken by me so eloquently, so polished, so impressive:
Me: Pretty fine, how are you?
copyright 2009 randymarchany
The Neighborhood
The Sunday ritual is always the same. I take my mom to church, and then we stop for lunch and afterwards, go visit my dad. My parents have been separated for 5 years now after 61 years of marriage. Someone asked them on their 55th wedding anniversary how long they’d been married. My dad answered “56 years” and my mom dope slapped him and said “it was 55 years”. My dad sighed and said “it seems like 56.” It was obvious the separation was going to happen but I suppose they were hoping it wouldn’t. Seems silly to me that mom wants to visit my dad after they separated but I guess it’s one of those things that I don’t understand.
My dad’s neighborhood is a nice place with long sloping greens that have the telltale lawnmower tire tracks that leave geometric patterns resembling Incan Nazca lines etched in the grass. The neighbors always have bright flowers that contrast with the lush spring and summer greens and yet still look good with the fall and winter browns. Mr. Simon, my dad’s new neighbor moved in the neighborhood recently so I don’t know much about him. Mrs. Hodges arrived about the same time my dad did. I continue walking and stop by to straighten out Sgt. Brown’s flowers outside his door. He was a Marine and a Korean War vet. I can imagine hearing him “talking” to his troops. I look up and see mom talking to dad from Ms. Collette’s place. Someone always knocks her flower pots over and I pick them up for her. She doesn’t thank me but I get the feeling she appreciates the effort. I start to swing back toward my dad’s place when I get to Mrs. Schaeffer’s place.
The separation has been hard on my mom and I head back to my dad’s place before my mom gets upset with him. Sometimes she gets frustrated with him and I have to listen to her rant about something he did. As I walk up the hill to his place, I see some new neighbors have arrived. One family appears to be a dad and his teenage son, a 16 year old kid. I’ll have to check later to see if he got his driver’s license. My dad’s immediate neighbors have their flowers out and they brighten up the place. My mom always complains that my dad’s flowers aren’t as good or pretty as his neighbors. What can I say? I come up to my mom and gently tug on her arm to let her know it’s time to go. “Who’s the new neighbor?” she asks. “The Youngs”, I reply, “I don’t know much about them.” My mom straightens out my dad’s entrance, always fussing with the plants. I check his entrance one last time and clean his nameplate, “Carlos Marchany, 1904-2004” before we leave only to return next Sunday.
©randymarchany, 2009