Driving Wiping

Posted November 29th, 2007 by

Disclaimer: I’ve had some very indirect dealings with the OSC this year.

But still, if you’re going to wipe your drive with 7 passes (I think that’s what a “Seven-Level Wipe” means), don’t call Geeks on Call or at least have the common sense to get them to do the invoice “right”. Better yet, ask your 15-year-old neighbor kid how to do it. Or look it up on the Internet, it’s not like somebody’s going to be able to look through your browser history after you’re done with the hard drive. =)

I think the moral of the story is this: Keep black ops black ops by not involving people who generate a paper trail.

Posted in Rants, What Doesn't Work | 3 Comments »

Life in a Zero Defects World

Posted November 27th, 2007 by

Let’s introduce people to a manufacturing concept: that of zero defects and the zero-defects mentality.

See, life in the army during peacetime (and rarely during wartime) sometimes means that you are always “inspection-ready”. In some of the units I’ve seen, they were big on inspections. They would have a formal barracks inspection every week and informal inspections daily. If this seems a little obsessive, then you are right.

So what happens in units like this? Well, people start working around the system: they live out of their cars! If you’re going to do that, why don’t you skip the barracks altogether and just issue people cars to live in? Well, because obviously then the management would expect to inspect the cars for orderliness.

Of course, what does this have to do with security? Well, in most companies and the government in particular, you’re trying to project a zero-defects image to your customers. That’s the way the business and marketing side works. Marketing and security don’t mix precisely for this reason: one is trying to project an image of perfection, the other needs understanding of flaws and risks in order to make informed decisions. I won’t even go into security vendors, but you should be able to extrapolate now what I feel about some of them.

But in security, we’re not doing ourselves any favors by presenting a zero-defect facade to the rest of the world. Sometimes you need disclosure if you want to change the world. That’s why Adam Shostack is so gung-ho on breach disclosure, and I think disclosure is working to the extent that the public is gradually getting over the stigma attached to a breach, at least enough to differentiate the “typical breach” from the “holy sh*t that’s an obscene breach!”

Looking at FISMA report cards in particular, it’s turned somewhat into a “management via public disgrace” activity. Not bad in some cases, but then again, it’s not exactly the kind of information you put out there when you’re expecting positive change–you’re encouraging everybody to show a zero defects face out of self-preservation.

Adam has a phenomenal idea that he presents in his breach research: using the public health model for IT security. We have to be able to track breaches back to the root cause in order to prevent them from recurring. If I take my network and connect it to your network, I have a right to know what vulnerabilities you have. Carry this public health model maybe a bit too far and I’m now sleeping with all the people you’ve slept with, and if you come down with an STD, I have a right/need to know.

The good news is that this is where the Government is headed: disclosure with business partners. I’m not sure how it will all work out in the end and if even culturally the Government can make it work, but it has potential to be a good thing.

Posted in Army, FISMA, Rants, What Doesn't Work | 4 Comments »

More Vendor Craziness

Posted November 9th, 2007 by

Ah yes, more vendor spam, only this time, it came in a dead-tree version.

URGENT SECURITY NOTICE FOR $FooCorp:

IDENTIFIED AS SENDING SPAM

Dear Rybolov:

It has recently come to our attention that $FooCorp is sending spam. The end is nigh, we have the solution, send us a big bag of cashola and we’ll look the other way.

Ok, so I paraphrased. Actually, I was so amused I took it home to show my wife. =)

And as “evidence”, they enclosed a printout of IP addresses that are spambots. That’s cool and all, but none of those match $FooCorp’s IP range. Hmmm… could it be that these are spambots that are sending email from compromised machines outside of anything that $FooCorp controls? I think that’s the case…
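The check the post describes, comparing every address on the vendor's printout against the address space you actually own, is worth doing mechanically rather than by eye. The block below is an added example, not code from the post or from any vendor; the CIDR ranges and the printout contents are constructed placeholders (RFC 5737 and RFC 3849 documentation ranges), and unlike the post's real printout, one address is placed inside "our" range so that both outcomes are exercised. An IPv6 address on the list is never counted as inside an IPv4 range, and lines that are not addresses at all are reported rather than silently dropped.

```python
import ipaddress

# Constructed placeholder: the address space $FooCorp actually owns.
# Documentation ranges stand in for real allocations.
OUR_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Constructed sample of the vendor's "evidence" printout, as it might be
# typed back in from paper: one address per line, with some noise.
VENDOR_PRINTOUT = """\
# Hosts observed sending mail with a $FooCorp return address
192.0.2.15
203.0.113.77
198.18.4.9

2001:db8::1
not-an-ip
"""


def parse_printout(text):
    """Return the non-empty, non-comment lines of a printout, whitespace stripped."""
    lines = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            lines.append(line)
    return lines


def classify_addresses(addresses, our_ranges):
    """Split address strings into those inside our ranges, outside them, or unparseable."""
    result = {"ours": [], "not_ours": [], "unparseable": []}
    for raw in addresses:
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            result["unparseable"].append(raw)
            continue
        # Membership is version-aware: an IPv6 address is never "in" an IPv4 network.
        if any(addr in net for net in our_ranges):
            result["ours"].append(str(addr))
        else:
            result["not_ours"].append(str(addr))
    return result


def vendor_claim_holds(printout, our_ranges):
    """True only if at least one listed address actually sits in our address space."""
    return bool(classify_addresses(parse_printout(printout), our_ranges)["ours"])


if __name__ == "__main__":
    summary = classify_addresses(parse_printout(VENDOR_PRINTOUT), OUR_RANGES)
    for bucket, addrs in summary.items():
        print(f"{bucket:12s} {len(addrs):3d}  {addrs}")
    print("vendor claim holds:", vendor_claim_holds(VENDOR_PRINTOUT, OUR_RANGES))
```

If `ours` comes back empty, as it did for the post's printout, the "evidence" is a list of other people's compromised hosts forging your domain in the return address, which is a reputation problem for your domain but says nothing about hosts you control.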

But wait, they sell a “reputation guarantee service” that I can buy to be whitelisted because all these spammers using my domain for a return address have sullied my brand name. Wow, I don’t know why I didn’t think of it before. Oh yeah, it’s because it sounds like a protection racket: “You got a really nice SMTP relay there, I wonder what would happen to you if it became ‘unusable’”. =)

Maybe I should set up a business doing the following (Slashdot-style business model):

  • Build email filter list (easy, just throw some grep and sed action at my spam box and I’ll have a good start)
  • Sell the blacklist to people who want to block spam
  • Sell the ability to be whitelisted to people who want to send email and end up on the wrong side of the list
  • ???
  • Profit

Now I know these guys, they make solid stuff and have a good reputation out there in the market. But they need to understand something: I find it offensive that they think I don’t know my own IP space, and I don’t buy products from people with a marketing department that uses scare tactics like this.

Posted in Rants, What Doesn't Work | No Comments »

Some Words on Steinnon

Posted October 18th, 2007 by

OK, this post will be big today. For starters, I use Fortinet products; they’re the heart of my key infrastructure and I’m pretty happy with them.

  1. It’s GAO, OMB, and the House Committee on Government Oversight and Reform, not GSA.
  2. This blog posting is very unprofessional of you, sir. I would expect more from a Chief Marketing Officer. Will your CEO read about how you treat your customers?
  3. Obviously you do not understand your customer base and you are unable to understand their pain points. That is not being a good partner. The appropriate answer is “let’s grab a conference room and talk this over, I want to fix this for you.”
  4. You just provided that individual with his migration plan from your gear onto somebody else’s.
  5. You need to get out walking more and get some better shoes.
  6. Yes, the CIO and his CISO bear most of the responsibility, but if they fail, you fail. Until you understand that, you have much to learn about the Government.

What neither Richard nor his CIO “friend” realize is that it takes a partnership between the Government and the vendors to make it work. Yes, the agencies receive a FISMA grade, but really that failing grade represents the efforts of both the Government and industry. You need to understand that before you go hating on the agencies for low grades.

We all get frustrated dealing with each other. It’s hard for contractors and vendors to understand the Government unless they’ve worked as a GS-scale employee or an SES. I know the contractor side, I know some of the Government side, but I don’t claim to know it all.

But to go out in public and criticize your customers is unthinkable, especially in DC, and especially from a Chief Marketing Officer. You don’t make any permanent enemies here if you can help it, you never know who will end up in charge after the next reorganization.

On the other hand, the purpose of the FISMA grades is to give people a reason to have these conversations. The Government needs to be going to its vendors and saying that they cost too much and don’t fix their problems. That’s supposed to happen, only Richard didn’t handle it well. Don’t tell me this is the first time something like this has ever happened to him.

I just expect more from a vendor and their head of marketing. Thank you for level-setting my expectations for your company, Richard.

Posted in FISMA, Rants | 6 Comments »

Bacn–It’s Cooked Spam

Posted August 29th, 2007 by

Seth Godin’s take on bacn, the spam you get from social networking sites to let you know that somebody has replied to your comment.

Living with 3 socially-aware people (read: girls) aged 10 to 37, I have a simple solution: procmail rules to kill all the MySpace/Facebook/$FooSpace notifications on my server so the 200+ pieces of mail never make it to the /dev/null inbox. =)
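The decision the procmail rules make is a simple one: look at the sender's address, and if its domain is one of the notification mills, shunt the message aside before it reaches the inbox. The block below is an added example that reproduces that decision in Python; it is not the author's procmail configuration. The domain list and the four sample messages are constructed. It keys on the actual address in From:, not the display name, so a message whose display name merely claims to be a social network is not treated as bacn (this is a sorting filter, not a phishing filter), and the domain comparison is case-insensitive.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed list of notification senders to shunt aside; the real list
# comes from whatever sites the household actually uses.
BACN_DOMAINS = {"myspace.com", "facebookmail.com", "foospace.example"}

# Constructed sample messages: minimal RFC 5322 headers plus a body.
SAMPLE_MESSAGES = [
    "From: Facebook <notification+k3j@facebookmail.com>\r\n"
    "To: rybolov@example.net\r\n"
    "Subject: Someone replied to your comment\r\n"
    "\r\nClick here to read the reply.\r\n",

    "From: Adam <adam@example.org>\r\n"
    "To: rybolov@example.net\r\n"
    "Subject: breach disclosure draft\r\n"
    "\r\nHere is the draft we talked about.\r\n",

    # Mixed-case domain: the comparison must not be case-sensitive.
    "From: MySpace <noreply@MySpace.com>\r\n"
    "To: rybolov@example.net\r\n"
    "Subject: New friend request\r\n"
    "\r\nYou have a new friend request!\r\n",

    # Display name says Facebook, the address does not: judged on the address, so it stays.
    "From: \"Facebook Security\" <support@mailer.example>\r\n"
    "To: rybolov@example.net\r\n"
    "Subject: Verify your account\r\n"
    "\r\nPlease verify your account.\r\n",
]


def sender_domain(msg):
    """Domain of the address in From:, ignoring the display name, lower-cased."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def is_bacn(msg):
    """True when the sender's domain is on the notification-mill list."""
    return sender_domain(msg) in BACN_DOMAINS


def sort_mailbox(raw_messages):
    """Return the subjects routed to the inbox and those shunted to the bacn folder."""
    routed = {"inbox": [], "bacn": []}
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        folder = "bacn" if is_bacn(msg) else "inbox"
        routed[folder].append(str(msg.get("Subject", "")))
    return routed


if __name__ == "__main__":
    for folder, subjects in sort_mailbox(SAMPLE_MESSAGES).items():
        print(f"{folder}: {subjects}")
```

Routing to a separate folder rather than discarding is the safer default: the filter only ever sees the From: header, so a mistake costs one misplaced message instead of one lost message.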

Word to social networking sites: put the entire content of the response in the email so that users can decide if it’s worth their time to respond or if it’s just somebody saying “OMFG me 2 gf LOL”. Your users shouldn’t have to go to your website to read every one of these.

And hats off to the WordPress blog software: it does put the text of a blog comment into the email notification along with the link to moderate. That’s the way things are supposed to be.

Posted in Rants, Technical, What Doesn't Work | 1 Comment »

Marketers and Security People

Posted August 29th, 2007 by

Basic test of intelligence: Marketer:CISO as ?:?

  • Oil:Water
  • Promises:Delivery
  • Matter:Antimatter
  • Optimism:Pessimism
  • Lies:Truth
  • FUD:Anti-FUD
  • Cash Flow:Stagnation

Basically, the two don’t mix, and that’s why deep down inside I remain skeptical about anybody who can take what I do, productize/solutionize it, and start selling it to people. Most of the time when I start thinking about it, I don’t think security scales the way that it needs to for people to make money on it. Then I remember my core belief that security is no different from IT, which is no different from business; we only think that it’s different.

After a while in the security industry, you can’t help but be cynical about the whole deal. Ultimately, it’s the customer’s responsibility to secure their data; as a vendor, consultant, etc., it’s my responsibility to help, and sometimes that means going away because they aren’t ready for what I’m offering.

Posted in Rants | 2 Comments »
