Ok, we all know how to patrol in the woods looking for things to shoot. We’ve been doing that since the beginning of time, and really it’s ingrained nature for most people. Some people say that it’s why we developed bigger and better brains–so we could hunt more effectively.

Then the world changed. We went from being hunter-gatherers to living on farms to living in cities. And as you might expect, the amount of warfare conducted in cities has grown comparatively, from the Meistertrunk of Rothenburg in the middle ages to the burning of Atlanta during the Civil War to the Rattenkreig of Stalingrad to the mean streets of Baghdad. Truth of the matter is, nowadays cities are where the critical infrastructure is, and that’s where a modern army needs to learn how to combat and win against their enemies. In the US Army, we have a word for it: Military Operations on Urbanized Terrain, or MOUT (the department of modernization just told me that it’s now “OU” or “Urban Operations”).

One lesson from MOUT that there are many ways to kill people. Yes, you can shoot them (the good ol’ standby), but there are new ways: “anti-handling devices” (aka, booby traps and IEDs), channelization of traffic into better kill zones, better line-of-sight for snipers, ability to hide ambushes, short engagement ranges for anti-armor teams, etc.

In MOUT, you have to live with the fact that heavily barricading a building means it’s harder for the bad guys to get in and it’s also harder for you to get out if the building is on fire. It’s something to think about in the IT world where protecting against one type of attack means that you are susceptible to another attack: think dual-homing all your servers on a backup network to help with availability but meaning that if one server gets hacked, it’s a shorter path to the other servers.

Just like MOUT, there are many ways to “die” in the IT security world. Let’s see, this year it’s XSS, Ajax attacks, and USB drives. 5 years ago it was worms, virii and unpatched systems. Next year it will most likely be application vulnerabilities.

Now welcome risk management into that picture. Risk management means being able to triage the “bazillion ways to die” and come up with a list of the ones you need to fix now, the ones you need to fix over the next year, and the ones it doesn’t make sense to fix. In MOUT, it’s a question of “Do I spend the time putting in more wire and mines,” or “Do I need to work on blowing holes between rooms so I can move people and weapons internally?” or even “Which parts of the city do I rig with explosives and give away to the bad guys because they have no strategic value to me?”

• Core Belief #2 — Risk Management Uber Alles
• Puzzles v/s Mysteries
• When Acceptable Risk is Not Acceptable
• “Machines Don’t Cause Risk, People Do!”
• Risk Management and Crazy People, a Script Using Stock Characters

Cute, but it still leaves the data center geek in me wondering: how do you put virtualization in the controller without it being an in-band controller or without coupling the controller to the network in some insane way (ie, you have to buy the network from the controller company). I own one in-band controller and never will again because I do know how to spell “bottleneck”. =)

Thanks to Marcin from TS/SCI Security. Yes, people actually email me zombie links now.

• Wednesday Zombie Post–Zombies on Uncyclopedia
• Wednesday Zombie Post–Walk with Zombies
• Wednesday Zombie Post–The Zombies
• Zombies on YouTube
• Wednesday Zombie Post–Zombie Name Generator

A couple of weekends ago my home ISP took all of its subscribers and moved us from public IP to behind a big 10-dot NAT cloud. Of course, we had a couple small service outages getting there, but at the end of it, we now are on private IPSpace. Probably nobody noticed but me. =)

From what I’ve seen over the past couple of years, typically broadband ISPs have been going the filtering route. Most of them block incoming http, smtp, and maybe all the NetBIOS/AD stuff (at least if they’re smart). Now not only do I have that, but it has become a case of “we can’t get here from there”.

This is a fun one to deal with. I was very used to the public IP way. I had a couple of incoming services available like SSH and IMAP over SSL to get my PDA to work. Now I had to shift it all to my “real” server. I guess that’s the way I should have done it from the start.

• Omigod, I’m Part of a Botnet?!?!?!
• My System Environment
• Does Good, Cheap Colocation Still Exist?
• Stress-Test Apache with Intent to Tune: BSOFH Tip for the Software Masochist
• The Rise of the Slow Denial of Service