Ok, we all know how to patrol in the woods looking for things to shoot. We’ve been doing that since the beginning of time, and really it’s ingrained nature for most people. Some people say that it’s why we developed bigger and better brains–so we could hunt more effectively.

Then the world changed. We went from being hunter-gatherers to living on farms to living in cities. And as you might expect, the amount of warfare conducted in cities has grown comparatively, from the Meistertrunk of Rothenburg in the middle ages to the burning of Atlanta during the Civil War to the Rattenkreig of Stalingrad to the mean streets of Baghdad. Truth of the matter is, nowadays cities are where the critical infrastructure is, and that’s where a modern army needs to learn how to combat and win against their enemies. In the US Army, we have a word for it: Military Operations on Urbanized Terrain, or MOUT (the department of modernization just told me that it’s now “OU” or “Urban Operations”).

One lesson from MOUT that there are many ways to kill people. Yes, you can shoot them (the good ol’ standby), but there are new ways: “anti-handling devices” (aka, booby traps and IEDs), channelization of traffic into better kill zones, better line-of-sight for snipers, ability to hide ambushes, short engagement ranges for anti-armor teams, etc.

In MOUT, you have to live with the fact that heavily barricading a building means it’s harder for the bad guys to get in and it’s also harder for you to get out if the building is on fire. It’s something to think about in the IT world where protecting against one type of attack means that you are susceptible to another attack: think dual-homing all your servers on a backup network to help with availability but meaning that if one server gets hacked, it’s a shorter path to the other servers.

Just like MOUT, there are many ways to “die” in the IT security world. Let’s see, this year it’s XSS, Ajax attacks, and USB drives. 5 years ago it was worms, virii and unpatched systems. Next year it will most likely be application vulnerabilities.

Now welcome risk management into that picture. Risk management means being able to triage the “bazillion ways to die” and come up with a list of the ones you need to fix now, the ones you need to fix over the next year, and the ones it doesn’t make sense to fix. In MOUT, it’s a question of “Do I spend the time putting in more wire and mines,” or “Do I need to work on blowing holes between rooms so I can move people and weapons internally?” or even “Which parts of the city do I rig with explosives and give away to the bad guys because they have no strategic value to me?”

• Core Belief #2 — Risk Management Uber Alles
• Puzzles v/s Mysteries
• When Acceptable Risk is Not Acceptable
• “Machines Don’t Cause Risk, People Do!”
• Risk Management and Crazy People, a Script Using Stock Characters

Let’s introduce people to a manufacturing concept: that of zero defects and the zero-defects mentality.

See, life in the army during peacetime (and rarely during wartime) sometimes means that you are always “inspection-ready”. In some of the units I’ve seen, they were big on inspections. They would have a formal barracks inspection every week and informal inspections daily. If this seems a little obsessive, then you are right.

So what happens in units like this? Well, people start working around the system: they live out of their cars! If you’re going to do that, why don’t you skip the barracks altogether and just issue people cars to live in? Well, because obviously then the management would expect to inspect the cars for orderliness.

Of course, what does this have to do with security? Well, in most companies and the government in particular, you’re trying to project a zero-defects image to your customers. That’s the way the business and marketing side works. Marketing and security don’t mix precisely for this reason: one is trying to project an image of perfection, the other needs understanding of flaws and risks in order to make informed decisions. I won’t even go into security vendors, but you should be able to extrapolate now what I feel about some of them.

But in security, we’re not doing ourselves any favors by presenting a zero-defect facade to the rest of the world. Sometimes you need disclosure if you want to change the world. That’s why Adam Shostack is so gung-ho on breach disclosure, and I think disclosure is working to the extent that the public gradually is getting over the stigma attached to a breach at least enough to differentiate the “typical breach” with the “holy sh*t that’s an obscene breach!”

Looking at FISMA report cards in particular, it’s turned somewhat into a “management via public disgrace” activity. Not bad in some cases, but then again, it’s not exactly the kind of information you put out there when you’re expecting positive change–you’re encouraging everybody to show a zero defects face out of self-preservation.

Adam has a phenomenal idea that he presents in his breach research: using the public health model for IT security. We have to be able to track breaches back to the root cause in order to prevent it further. If I take my network and connect it to your network, I have a right to know what vulnerabilities you have. Carry this public health model maybe a bit too far, I’m now sleeping with all the people you’ve slept with, and if you come down with an STD, I have a right/need to know.

The good news is that this is where the Government is headed: disclosure with business partners. I’m not sure how it will all work out in the end and if even culturally the Government can make it work, but it has potential to be a good thing.

• And in This Corner, Special Publication 800-60
• Been Off Teaching
• Workin’ for the ‘Counters: an Analysis of my Love-Hate Relationship with the CPAs
• In This Corner, the Business Reference Model
• Monks, Compliance, Risk, and Government

2 blogs from Wired caught my eye today:

• Mom and Lawyer in Montana Hunts Terrorists on the Interweb

• Woman Volunteers to be a “Pain Ray” Guinea Pig

Maybe it’s just me today, but is this like watching a train wreck to anybody else? So fascinating I can’t put it down.

The first story seems like something right out of my Russian classes: the grandmother who hangs camouflage netting on the steeples of PeterburgPetrogradLeningradPeterburg to keep the fascist bombers from using them as aiming points.

Less-lethal weapons are cool to experiment with. I mean, um…. we never did get to lock Schmidt (all 250 pounds of pure muscle) in the shipping container and pop a stinger in after him, but with all the movies I’ve seen with bored joes tasering each other in a supply depot near you, less-lethal weapons seem to be the extreme sports of the year.

Here, watch some more pain ray guinea pigs.

• Blame it all on John Hughes….
• Pandemic Flu Exercise
• Election Year Follies
• Milestones
• Simple Thoughts on Simple Rocks

I’ve thrown rocks at children. Many children, in fact. I’m not too proud of it, but it’s something you do when you’re in Afghanistan.

In fact, contrary to what you hear about opium poppies being the #1 crop in Afghanistan, truth is it’s the #1 cash crop. There is a crop that is more prolific even than the poppies, and that crop is rocks.

Now when we would roll up into a village, we were the neatest thing to happen there since Genghis Khan. Some of these villages were so remote, they asked us if we were the Russians because last that they heard, the Russians were the invaders.

Being interesting to the locals means that you get flooded with kids. They come from everywhere. You can stop your patrol out in the middle of the desert with nobody in sight for 3 kilometers, and within 10 minutes you will be surrounded by kids. They all ask for the same thing: pens. They need them for school. The ones with more advanced English skills would say something like “I am student, give me pen”.

On one of the first long patrols that I was on, we went to one village and the kids gathered around. The adults in the village threw rocks at them to chase them away.

Needless to say, I was utterly shocked the first time I saw it. But after a couple of weeks when the initial shock wore off, I started to notice something: when the adults would pick up a rock, the kids would smile and start to do little dekes left and right as if to say “am I gonna go this way or am I gonna go the other way?”

Then it dawned on me: throwing rocks at kids is a national sport. Not much else to do out in the desert except rock-throwing.

After a month of being in-country, I started throwing my own rocks at the kids. I would throw it slow–lobbing more than anything–just to let them know that they needed to stand back a little bit.

There’s a point to this little story, and that point is that after you’ve been in Afghanistan for long enough, a rock is the solution to any problem that you have.

Case in point: you park the truck on a fairly steep slope. You’re worried that it might roll away in the middle of the night. Solution? Put a head-sized rock under the tires.

Case in point: some guy dies and you need to bury him. It’s a massive PITA to dig a grave, so what do the locals do? That’s right, they build a rock pile right there.

Case in point: You’re bored and have nothing to do. Stack rocks up to build towers. The original theory as explained to me is that the locals don’t have HBO at home, so they stack rocks.

Case in point: You need protection from bullets. Instead of digging, stack up some rocks and build a fighting position. The bonus is that it blends in with all the other rocks on the hillside.

The ultimate act of rocks-as-solutions was one of the last patrols I did. We were in an irrigated area and needed to cross a ditch. There was a bridge but it was too narrow. So we took some large rocks, dropped them into the ditch, and put one side of the truck on the bridge and the other side on the new rock bridge.

I’m still trying to figure out what IT security problems I can fix with a rock, other than the obvious “You want to do what? Film marketing material in the data center? *smack smack smack* You sure about that?” or “My level of pain is equal to your level of pain.”

And as far as the kids and pens for them, after a month of being there, we started writing back home asking for school supplies and we handed out pens, paper, and soccer balls everywhere we went. I even made a habit out of giving beanie babies to the girls and gum to the boys.

See? I’m not a total jerk. =)

• Blog Statistics and Search Strings
• Working with Interpreters, a Risk Manager’s Guide
• Does Good, Cheap Colocation Still Exist?
• Internet in the Remote Desert
• An Informal Study on the Literacy Level of Security Blogs–We All Get Pwned by Amrit

Robert Scoble has an interesting interview with founder and demo of Plazes.

It’s such a strange concept to me because I have spent most of my adult life making sure that people either didn’t track $us or to allow $us to track other people and what they are doing.  I just don’t buy off on the fact that people would volunteer their geolocation and current activity–I’m too much inclined to answer “Nun yo” if you ask where I’m at than I am to tell you the truth.

At this point about all I can do is shrug and say “Wow, the Web 2.0 kids are weird.” =)

Now all we need is for Al Qaeda to register and we’ll be golden.  “I’m sitting at a teastand in Quetta, here is my GPS grid and I’ll be here for a couple of hours.”

• Simple Thoughts on Simple Rocks
• Communicating the Value of Security Seminar Preview
• DC Demo Camp
• Idaho and Technology
• Making Press Releases

Computer lab that I cared for and kept running as a side job to keep from going crazy from the heat.  Check out the layer of dust.

You can read about my satellite adventures here.

• Wiebetech MJ-1
• It’s All Friggin’ Magic, Mkay?
• My Favorite Conspiracy Theory
• Internet in the Remote Desert
• Pandemic Flu Exercise