Election Year Follies

Posted September 19th, 2007 by

Here inside the beltway we have a wonderful tradition every 4 years:  Election Year Follies.

For those of you not up on current events, Election Year Follies have started a year early, with the Democratic-held Congress messing with the Republican-held White House.  It’s not a good year to be a political appointee.

I’m waiting to see what really happens next year when they’re all too exhausted from playing games and still have to campaign.  This brings me to one of my favorite quotes:

“To retain respect for sausages and laws, one must not watch them in the making.” –Otto von Bismarck (ref: Wikipedia)

Now of course, we all care what this has to do with security, right?  My corollary to OvB is that people who like security products and IT products in general should never see them being made.  I think it’s more often true than not.




Posted in Odds-n-Sods | No Comments »

Simple Thoughts on Simple Rocks

Posted September 18th, 2007 by

I’ve thrown rocks at children. Many children, in fact. I’m not too proud of it, but it’s something you do when you’re in Afghanistan.

In fact, contrary to what you hear about opium poppies being the #1 crop in Afghanistan, truth is it’s the #1 cash crop. There is a crop that is more prolific even than the poppies, and that crop is rocks.

Now when we would roll up into a village, we were the neatest thing to happen there since Genghis Khan. Some of these villages were so remote, they asked us if we were the Russians because last that they heard, the Russians were the invaders.

Being interesting to the locals means that you get flooded with kids. They come from everywhere. You can stop your patrol out in the middle of the desert with nobody in sight for 3 kilometers, and within 10 minutes you will be surrounded by kids. They all ask for the same thing: pens. They need them for school. The ones with more advanced English skills would say something like “I am student, give me pen”.

On one of the first long patrols that I was on, we went to one village and the kids gathered around. The adults in the village threw rocks at them to chase them away.

Needless to say, I was utterly shocked the first time I saw it. But after a couple of weeks when the initial shock wore off, I started to notice something: when the adults would pick up a rock, the kids would smile and start to do little dekes left and right as if to say “am I gonna go this way or am I gonna go the other way?”

Then it dawned on me: throwing rocks at kids is a national sport. Not much else to do out in the desert except rock-throwing.

After a month of being in-country, I started throwing my own rocks at the kids. I would throw it slow–lobbing more than anything–just to let them know that they needed to stand back a little bit.

There’s a point to this little story, and that point is that after you’ve been in Afghanistan for long enough, a rock is the solution to any problem that you have.

Case in point: you park the truck on a fairly steep slope. You’re worried that it might roll away in the middle of the night. Solution? Put a head-sized rock under the tires.

Case in point: some guy dies and you need to bury him. It’s a massive PITA to dig a grave, so what do the locals do? That’s right, they build a rock pile right there.

Case in point: You’re bored and have nothing to do. Stack rocks up to build towers. The original theory as explained to me is that the locals don’t have HBO at home, so they stack rocks.

Case in point: You need protection from bullets. Instead of digging, stack up some rocks and build a fighting position. The bonus is that it blends in with all the other rocks on the hillside.

The ultimate act of rocks-as-solutions was one of the last patrols I did. We were in an irrigated area and needed to cross a ditch. There was a bridge but it was too narrow. So we took some large rocks, dropped them into the ditch, and put one side of the truck on the bridge and the other side on the new rock bridge.

I’m still trying to figure out what IT security problems I can fix with a rock, other than the obvious “You want to do what? Film marketing material in the data center? *smack smack smack* You sure about that?” or “My level of pain is equal to your level of pain.”

And as far as the kids and pens for them, after a month of being there, we started writing back home asking for school supplies and we handed out pens, paper, and soccer balls everywhere we went. I even made a habit out of giving beanie babies to the girls and gum to the boys.

See? I’m not a total jerk. =)




Posted in Army, BSOFH, Odds-n-Sods | 3 Comments »

Subversive Music

Posted September 14th, 2007 by

They just don’t make bands like this anymore. Anyway, the Talking Heads are still relevant even today: “We got computers. We’re tapping phone lines. You know that that ain’t allowed.”

I think one day we’ll all wake up to find out that the security industry has just been rehashes of Talking Heads songs all along and that nobody has had an original idea since 1982.




Posted in Odds-n-Sods, The Guerilla CISO | 5 Comments »

Backhanded Compliments

Posted September 13th, 2007 by

We’re laying people off, and have been for several months. It makes life interesting–IT operations has high churn anyway (over half of the NOC staff was hired in the past 9 months), much less worrying about managing attrition for all the people you are chopping off the bottom of the heap. At any rate, we’re all constantly evaluating our chances of getting the axe on the next go-around. It’s all based on morbidly fascinating metrics and superstition, like how I imagine troops were in the days before the Normandy invasion.

I was told the following today by the manager for our server team:

Rich: “We’re never going to lay you off because nobody wants your job.”

Me: “Well, what if we decide that my job doesn’t need to be here?”

Rich: “You save us more than we pay you for your salary several times over. If we get rid of you, we’ll be spending 3 times your paycheck paying for all the things we got caught on during the next audit.”

Me: “Uh, thanks.”

I’m still not sure that having a job that nobody wants to do is a good thing. =)




Posted in Odds-n-Sods, The Guerilla CISO | 4 Comments »

My Favorite Conspiracy Theory

Posted September 11th, 2007 by

You get used to seeing crazy and paranoid people tucked into the corners of DC. It’s what we have here.

Well, a couple of months ago, I was at a coffee shop (OK, it was Starbucks, my wife is a ho for their saccharine-sweet marketing, you can take away my burly-man exterior and give me a “yuppie” brand now) in Dupont Circle.

So anyway, there was this guy in there in a wheelchair at his own table who was selling pictures.  Yes, he was 95% con artist, but that’s OK.  The important part was his stories, which were utterly whacked.

According to this guy, he was a colonel in the Air Force and had broken up his knee during a HALO jump.  He was an Arabic and Russian translator and was ethnically Ukrainian.  Well, we can play that game, right?  Note to others:  never claim to speak a language in DC, NY, or Monterey unless you can actually speak the thing.  I probed him in Russian; all he knew was a couple of standard phrases–more along the lines of tourist lingo than anything.

But now the best part is this: He claimed that Colin Powell was in actuality named “Colon” as in the Spanish version of “Christopher Columbus”.  This is a result of Powell’s Basque background which was covered up in order to appeal to the African-American vote for the Republicans.

Yes, you read right.  Basque.  Who knew? =)




Posted in Odds-n-Sods | 1 Comment »

Alternative Uses for System Security Plans

Posted September 4th, 2007 by

I bet nobody ever thought a System Security Plan would end up getting released to the world through a FOIA request.

Comments on the documents:

  • The CI-100 DCS-3000 to EDMS System Security Plan is a little odd–why not just make it an interconnect document instead of a full SSP?  It’s just a strange way to manage things in my mind.
  • The SSP, even though it’s from 2007, is way “old school”.  It doesn’t follow along the SP 800-53 catalog of controls that is pretty much down to a formula nowadays.  I guess the tech version is that the document has bit rot.
  • The SSP details a technique to take a live feed of unclassified data and pump it into a classified system through a one-way serial cable (RS-232, remember what those are?)    =)   At any rate, it should be an interesting technique if you’re not used to dealing with that kind of interconnect.
  • The Risk Assessment doesn’t describe what I would want to know, and that’s really the heart of my first comment.  Basically what I have is 2 systems that are connecting to each other, so what I want to know is what the risks are associated with each side and what the risk of the interconnect itself is.  Each side has its own security plan, so that’s why it’s an interconnect instead of an SSP.  But we haven’t addressed the security controls of the connection itself.
  • There are some other minor annoyances, like “why are you grading the system on your ability to install ISS System Scanner” but I’ll leave those for you to go discover. =)

Have I jumped completely over the edge?  I think I have. =)




Posted in FISMA, Odds-n-Sods | No Comments »
