If you're new here and would like to see more of what I'm saying, you may want to subscribe to my RSS feed or have a look at my papers and presentations page for downloads of stuff that you can share or "borrow heavily from". You also might find my guidelines for posting comments interesting, especially if you're a government employee. Thanks for visiting and happy hacking!

It’s even funnier when you know about the Frankenchrist album trial just a couple of years later.

Bookmark to:

You were thinking this was part of the rainbow series, along with the orange book, the red book, and the fuchsia book, weren’t you?

Well, no, security dweebs, we’re on a public policy kick, probably will be until the end of the year (more on that to follow, stay tuned), so you wouldn’t be so lucky.

The Plum Book’s official title is Government Policy and Supporting Positions and basically it’s a huge staffing chart for the Senior Executive Service–the political appointees.  Congress publishes the Plum Book after each presidential election, so for those of us who remember our civics lessons in high school, that would be every 4 years, and the last one was published in 2004.

In fact, you can see the last edition here.  Caveat:  it’s dry, like the uber-trocken Franken white wine that grows in the fields around where I used to live in Germany–so dry that it sucks the moisture right out of you.

Plum Pickin photo by Secret Tenerife

Now why do we care about the Plum Book?  Well, that’s a good question.  Have a look at some of the staffing plans in the plum book, and you’ll see something missing:  Agency CISOs.

Now, I’m not a rocket scientist on org charts, but it seems to me that unless you put CISOs up to where they’re answerable to the agency head, they’re just a cost center inside the IT department with no visibility to the decision-makers.  Once again, we’ve crippled our security staffs like the old-school way of doing things.

On another note, taking a quick straw poll of the agency CISOs that I know, I think about half of them are political appointees, and half of them are GS-15s.  So what’s the difference?

Well, political appointees (SES) are appointed by the President.  They make a better target because they have much more visibility from the higher-ups they are more political in nature.

GS-scale employees are civil service careerists.  Usually these are the guys who have moved up the ranks in the various agencies and know quite a bit of things.

Which is better?  Well, if you want survivability, then GS-scale is the way to go.  If you want to make the most difference, SES is the ticket.

Most of us will never get the choice. =)

Bookmark to:

My friend, the Wee Bonny Graydon McKee, has his own company and a new blog.  Graydon is from Atlanta, helps us teach with the Potomac Forum, and just finished his Masters in Information Assurance.  Pretty good guy all around.  Check him out at Ascension Risk Management and fire up your RSS reader.

Bookmark to:

OK, whoever named this product should be shot:  Ashampoo Magical Security.

However, as much as I love sprinkling on the Magic FISMA Fairy Dust, “Magical Security” is craziness.

I won’t go into too much detail on hackers, shampoo, washing, and South Pacific.  I have a feeling I’ll get plenty of comments to that effect.

Bookmark to:

So we had a great bit of weather yesterday.  I had just gotten back from lunch with Chris from How Is That Assurance Evidence (pretty smart guy, similar content to myself, worth checking out some time) when  I got a tweet from the National Capitol Region Battlespace which is a civil-defense kinda organization but they have a good condensed tweet feed.  Anyway, the contents was this:  “Severe weather has entered NCR. Frequent lightning, tornado warnings for VA suburbs.“  Ooooh, tornado drill time, shut down the home servers, make sure Mrs Rybolov is wearing real shoes not sandals and get ready to bolt to the basement when you hear the train coming through your house.  Where’s Mogull to make a pithy saying about how twitter might have finally gotten a legitimate use.  =)

Meanwhile, less than 5 miles away at Dulles Airport, Jennifer Leggio was grounded and all but abandoned by the UAL crew who headed to the bunkers, so she had to wheel an elderly nun to safety (BTW, that’s fairly heroic/good-samaritan-like all things considered).  I think she finally got home today around late afternoon.

Parts of the DC area lost some power (Falls Church proper still doesn’t have power), including my server, which didn’t come back up when the power came back on because, well, I borked up LILO previously and didn’t know it.  After a trip over to see it this afternoon, everything is back to working.

Now from a blogging sense, this was the worst time for me because the day before I put up a slideshow about “What you can learn from the US Government” and now that my server’s back up, I’ve most likely dropped off everybody’s rss feeds.  The preso’s still there, go check it out.

After the storm blew through, NCR Battlespace sent the link to this beautifully evil picture of clouds in Alexandria:

Impending Evil photo by Joseph J D’Angelo

Bookmark to:

Interesting blog post at Freedom to Tinker about government releasing the raw data.  It makes the security geek in me cringe because well, most of the data that the government has is PII, and I know that the typical government reaction is to say “not only no, but h*ll no!!”  I mean, after all, most of our goal in the Government is to keep the data from reaching the citizens and evil-doers–giving away data is a cultural clash.

Yes, transparent government is a pretty good goal.  I think the authors of Freedom to Tinker have forgotten that not all Government data is fit for public consumption.  The problem is one of sanitization:  how do you clean all of the PII out of data before you release it to the public?  Not only that, but because of the size of the data sets, most likely you need an automated method to sanitize it.  I think that because of the sanitization factor that the Government would not gain that much efficiency by outsourcing the data presentation to others.

As with all things in security, this is nothing new.  There’s a little-known project (First Rule of “Fight Club” being what it is…) known as Radiant Mercury that does exactly this with classified data.  You can check out the basic concept in quasi-official presentations here (.pdf caveat) and here.

If we were going to make all this data available, we would need an unclassified version of Radiant Mercury to filter out all the PII and “Sensitive but Unclassified” bits.

Now as far as letting second parties build interfaces into the raw data, I’m torn on it.  On one hand, private industry can provide access to data “Now at Web 2.0 Speeds!” but on the other hand, then the Government loses control over the presentation and, by extension, accountability for the content.

Bookmark to:

In amongst all the usual ISC2 spammings, this one should perk the interest of my blog readers:  The Government Information Security Leadership Awards.  Nominations are open until July 25th.

Bookmark to: