Author Archives: deanwebb

Repentance and Resurrection

I had a dream recently in which I was bearing witness against another person at the Judgment Bar of God. I felt the severity of the situation and the magnitude of each word that I said. I wasn’t there to tell part of the truth and be done – I had to testify of everything, I was compelled to do so.

The person I was testifying against was a politician, and I bore witness of what I saw and experienced during his administration. As I did so, he turned his face away from me, towards a darkness. At that point, I thought of the scripture about how the wicked will desire for mountains to fall upon them, so that they would not have to face such judgment. I note that my testimony was solicited purely for injuries suffered by the nation because of his misrule – his personal matters were not for my testimony, as I had only second-hand knowledge of such. I also knew that he was not alone as a ruler – all who have held power are held to account for it. Those who want to repent and to be made whole face that pain of truth and bear the burden of their mistakes. Those who are yet proud and unrepentant turn towards the darkness and wish to be as far as possible from God so that the pain of memory and truth does not trouble them.

As I bore witness, I also felt my own soul, troubled by what I knew would face me: the testimony of those who I had wronged and harmed in my life. But I resolved not to turn to the darkness. I wanted to face the pain and pass through it. I knew that I would be resurrected and that I would have a chance to choose better, without the clouding effects of misleading men to steer me wrong. I would have cleaner choices, and I could train myself with a millennium of doing better so that I would be made whole, perfect and complete in my repentance.

Resurrection is not an end in itself, or a gateway to an end-state. It is every bit the ushering in of a new phase of existence, as momentous as birth or death. We are taught that we are not all resurrected at the same time – in my dream I felt my place in that line. I knew that, because of my sins, I was not to be the first to be resurrected. But I also knew that, because of the good I had done and to the extent I had accepted Christ as my Savior, I would also not be the last. There would be people who I had clashed with in life that accepted the Gospel in death that would be resurrected before me. There would be people who I had looked up to and admired for their righteousness in life that had deeper demons than I could see that would be resurrected after me. Part of repentance was in forgiving others that I might be ready to live among them in righteousness and in not being judgmental, that I might welcome in others when they were ready to join with me in righteousness.

We were all in line, we would all have a turn. The most righteous would be the first to be raised, that they might prepare a place for those yet to come, each in turn preparing to welcome in more and more to do the work needed to welcome in more. We would do this with love, and I felt that compassion. I feel it again as I recall it.

But I also recall the pain of my soul as I remembered those who I harmed with my decisions. My repentance here is to prepare me to face the pain of judgment. I do not believe that I will face a wink and a nod and a free pass to heaven just because I made a few good choices here and there. Judgment is a full accounting of my life. I am allowed to feel joy for the good I have done, but I am also responsible for feeling the pain of my evils, if I am to cleanse those evils from myself and become perfected in Christ, able only then to return to Heavenly Father.

I want to be good, and part of that want means that I must face judgment and not turn away from truth. If I truly want to be one with my Heavenly Father, I need to be able to see the totality of my life and know where the atonement will make me whole because of the pain I feel for those sins now. The more I can repent of and make restitution for here and now, the less pain I endure in my judgment – and the more work I will be able to do to show love for my fellow humans, my brothers and sisters.

But I also know that there are sins in me that I am not yet aware of, that I have not yet repented of, that I have not yet made restitution for. The mortal oubliette in my person is opened up and brought into light in that judgment. The dream I had made me search inside my memory for when I had done wrong, and I found those episodes, and it pained me deeply. That is the first step to restoration, and I am glad for it, but I have more to do. I am not anxious about not being first in line to be resurrected – I am thankful that I am in line and that I know that I emerge into new life when I am ready for it. I hope to be there as quickly as I can be there, and that all hinges on my willingness to repent today.

The Opposite Gospel

In the year that the government ordered a tax audit, Joe Carpenter took his family out of the USA and took up residence in an overseas tax shelter. There, little Joe Carpenter, Jr. was born. Everyone called him “JC” because his dad told them to.

Joe Sr. said, “JC are great initials. They’re mine. If he’s going to inherit my business, he’ll need initials like I have. Everybody call him JC, or you’re fired, and I’ll have the local police arrest you and deport you, even if you’re a resident in this fleabag nation!” Because Joe Sr. had lots of money, everyone who worked for him pretended to love his ideas.

A few days after JC was born, several dictators sent representatives bearing gifts to visit the child. In return, Joe Sr. lobbied Congress to drop business sanctions against those nations so that he could invest in them. When some Congresspeople objected to dropping sanctions against nations where the dictators would torture and execute people for no reason, Joe Sr. said that those politicians hated America and should be replaced by business-friendly politicians. He then supported the campaigns of white supremacists to replace those Congresspeople and said that was good.

When JC was 12, Joe Sr. brought him to work one day. While Joe Sr. was in a meeting, JC wandered off. Joe Sr. had no idea that his kid wasn’t with him until 3 days later, when he found JC in the board room, pointing his finger at upper management and screaming at them that they were all spineless dungheaps, not fit to work for his dad if they couldn’t turn their profitability around. Joe Sr. smiled and said, “That’s my boy. What he says, goes. Any of you that he fired, I want you out of here before lunch.” And it was so.

And so JC developed, day by day and week by week, into the kind of executive his father had been. When JC was 30, Joe Sr. retired as CEO and put JC into that position. Joe Sr. retained his position as Chairman of the Board, but let JC call the shots, both for daily operations as well as long-term corporate strategy.

Well, there was one interim CEO in there because Joe Sr. had to retire suddenly and leave the USA over a particularly nasty sex scandal. Joe Sr. appointed John Waterman as interim CEO until JC was available to officially start in that role.

Before he took over as CEO, however, JC took a 40-day vacation to a desert beach resort. He ate well and partied for every one of those 40 days. At the end of the 40 days, Satan came to him and said, “JC, if you bow down to worship me, I’ll give you all that you want.”

JC said, “My father told me about you. Send your contract to legal to let my boys have a look at it, and we should be good to go.” They shook hands and then went over to hang out with Jeffrey Epstein.

When JC got back from Epstein’s place, he went to see John Waterman. Now, John had been accepting praise for his role as interim CEO, but he always said that JC would be 10 times better than him, easily. Some of the activist shareholders were questioning Waterman’s hiring decisions, saying that they didn’t come from good business schools. Waterman replied, “Look, I don’t care if the guy is from Wharton or community college, I want someone who does what he’s told. I can make a manager out of anybody, if they just do exactly what I tell them to do.”

Anyway, JC goes to see Waterman. They have a big production that was staged for the media in which Waterman says he’s not worthy to share the same podium as JC, and JC tells Waterman, “You’ll share the podium because I told you to!” They have a good laugh and the business press just ate it up like candy.

JC brought in his own team of C-level executives, 12 of them, to spread his vision to the company as a whole. He raided a seafood processing company for a number of their execs, and also had a former IRS high official – JC was well-connected. His COO and right-hand man was one of those seafood guys, Pete Rock. JC and Pete made a great team.

JC didn’t bring in Waterman, though. There were some outstanding corporate tax issues from when Joe Sr. was in charge, so JC decided to hand the IRS Waterman’s head on a platter as the fall guy for the tax problems.

When JC took over officially, he called for an all hands meeting. This is what he said:

“We’re really blessed to be here today, especially those of us with big options packages. It’s going to be like heaven for us when they vest.
“Speaking of heaven, Carpenter Industries is canceling all paid bereavement leave, effective immediately. I want you worrying about profits for the living instead of memories of the dead. We’re like sharks here, keep moving or you die.
“Nobody gets nothing if you’re meek and quiet. You want to inherit the earth? Be like me, brash and bold!
“And if you want more of this politically incorrect talk, I’ll keep it coming.
“I want you to go after profits, without mercy. If you don’t, I might just fire you, without mercy.
“If you want to get a commendation from my dad, then you better get one thing straight: He doesn’t give prizes to Boy Scouts or little goodie two-shoes types. You don’t get a bonus from him that way.
“I’m not my father’s son because I’m a peaceful sort or anything like that. I go for the blood, I go for the jugular. Business is war, and that’s what we do here, war!
“And I got no time for so-called whistleblowers. As far as I’m concerned, those people are traitors and I’ll go after you with every legal trick in the book. I’ll bury you. So think twice before you decide to call 60 Minutes or anything like that.
“Just remember, I only insult my friends. The rest can go to hell. So if you’re mad about anything I say, good news, you still have a job where you get to hear it. You’re welcome.
“No doubt, you’ve heard in church, ‘Thou shalt not kill.’ Well, I got no place for that here. I need killers, real dyed-in-the-wool killers who will get Carpenter Industries more profitable than it’s ever been. You better not get caught, I’m telling you now, because I got no room for losers, but I also got no room for people without a killer instinct. Do yourself a favor and quit now, make room for someone who’s got the guts to be rich.
“We’re also introducing a stack ranking system. If you’re working alongside a fool or an idiot, tell your boss! Get that guy the hell out of here!
“I do need to stress that you all follow our company guidelines on sexual harassment so that we don’t get sued. Again.
“Anyway, I’m a real eye for an eye kind of guy. That’s how I want it to be around here. Somebody screws you, you screw them right back, but double, got that?
“All right, meeting over, get back to work or you’re fired.”

The Book of Mormon and Liberation Theology

For those interested in the socio-political details of The Book of Mormon, this is a compelling article for consideration. http://research.uvu.edu/potter/bomliberation.pdf

The notion that The Book of Mormon has a thread of liberation theology in it was something I was recently considering and, prior to putting out my own thoughts on the matter, I wanted to see what was already out there. I find most agreeable Dr. Potter’s assertion that the liberation theology in The Book of Mormon is not just “a preferential option for the poor”, but also a stark warning to those with wealth and privilege.


Bear in mind that while liberation theology shares with Marxism a criticism of capitalism, it by no means agrees upon the actions necessary to correct the abuses of capitalism and the social divisions and stratifications necessary to maintain a capitalist society. While Marxism would have workers of the world unite in a struggle, The Book of Mormon argues instead that the rich should humble themselves, give of what they have to the poor, and use power in service, rather than to demand servitude.


As a church that has a long history of being predominantly white and English-speaking, with a patriarchal system, The Church of Jesus Christ of Latter-day Saints is itself putting forward a message that it is worldwide, multicultural, and home-centered, with that home equating roles performed by husband and wife, particularly in terms of spiritual authority. It is a mistake to equate the Nephites with white Americans with conservative 1950s political views. It is a mistake both of history as well as self-perception.


It is even a mistake to equate the Nephites with the Church: how often do prophets preach to the Nephites because of their rejection of their message? Better to equate the Nephites with the Lamanites, both descended of the same parents, as well as parent-culture. Both can be blinded by lies. Both can be caught up in pride. And both can be redeemed by the same gospel message.


And so, members of The Church of Jesus Christ of Latter-day Saints have this document that stresses the importance of community, of shared experience, and of material sacrifice, while condemning those who seek after riches, who place the self above the community, and who seek to create or perpetuate unequal social systems. I’m going to finish reading this document and will likely have more to say on this matter going forward.

Hell Hath No Fury Like an Admin Scorned

Take a good look at this guy, because he can be more devastating to your company than a major natural disaster. He is an admin, and he’s not happy about going to work every day.

A network admin from Citibank was recently sentenced to 21 months in prison and $77,000 in fines for trashing his company’s core routers, taking down 90% of their network. Why did he do it? His manager got after him for poor performance.

I don’t know how the manager delivered his news, but it was enough to cause that admin to think he was about to be fired and that he wanted to take the whole company down to hell with him. Thing is, he could have done much worse.

What if he had decided to sell information about the network? What if he had started to exfiltrate data? What if he had set up a cron job to trash even more network devices after his two-week notice was over? And there could be worse scenarios than those… what can companies do about such threats?

It’s not like watching the admin will keep the admin from going berserk. This guy didn’t care about being watched. He admitted to it and frankly stated that he was getting them before they got him. His manager only reprimanded him – who knew the guy was going to do all that over a reprimand? But, then, would the company have endured less damage if it had wrongfully terminated the admin, cut him a check for a settlement, and then walked him out? And what about the other admins still there? Once they find out how things work, they could frown their way into a massive bonus, and we’re heading towards an unsustainable situation in which the IT staff works just long enough to get wrongfully terminated.

So what does a manager do with a poorly-performing employee who’s about to get bad news? Or with an amazingly good employee whom nobody (including himself) knows is about 10 minutes away from an experience that will make him flip out? Maybe arranging a lateral transfer for the first guy while everyone changes admin passwords during the meeting… but for the second guy, there was no warning. He just snapped.

Turns out, good managers don’t need warnings. Stephen Covey wrote about the emotional bank account, and IT talent needs a lot of deposits because the demands of the job result in a lot of withdrawals. A good manager is alongside her direct reports, and they know she’s fighting battles for them. That means a great deal to an employee. I know it’s meant a great deal to me. My manager doesn’t have to be my buddy, but if my manager stands up for me, I remember that.

Higher up the ladder, there needs to be a realization in the company that it needs to pay the talent what it is worth. I’ve known people that earned their CCIE, expected a significant bump in pay, and got told that company policy does not allow a pay increase of greater than 3% in a year. They leave the company, get paid 20% more to work somewhere else for a year or two, and then their former employer hires them back for 20% more than that. By that time, though, they’re now used to following money and not growing roots to get benefits over time. By contrast, maybe a 20% bump – or even a 15% bump – could have kept the employee there.

What are the savings? Not just the pay. The firm doesn’t have to go through the costs of training someone to do the job of the person who’s left. The firm retains the talent, the talent is there longer and now has a reason to try to hold on to those benefits, and there’s a sense of loyalty that has a chance to develop.

If an employee has a sense of loyalty, feels like compensation is commensurate with skills, and has a manager that fights real battles, that employee is better able to ride out the storms of the job and not snap without warning. If that manager has to encourage an employee to do better, maybe then he’ll try harder instead of trashing all the routers.

There may be no way to completely prevent these damaging outbursts from happening, but the best solutions for people’s problems aren’t technological. They’re other people, doing what’s right.

A Night at the Outsourcer

Driftwood: All right. It says the, uh, “The first part of the party of the first part shall be known in this contract as the first part of the party of the first part shall be known in this contract” – look, why should we quarrel about a thing like this? We’ll take it right out, eh?
Fiorello: Yeah, it’s a too long, anyhow. (They both tear off the tops of their contracts.) Now, what do we got left?
Driftwood: Well, I got about a foot and a half.

After talking with people from companies whose experiences with their outsourcing contracts can be best described as “disappointing”, I wonder if they didn’t have the equivalent of the Marx Brothers representing them in their contract negotiations. I’m not saying that the corporate lawyers were idiots, just that they may have been outclassed by the outsourcers’ lawyers. This is a specialized situation, after all.

Like the company doing the outsourcing, the outsourcer wants to maximize profits. Outsourcers are not charitable organizations, offering up low-cost business services to help the hapless firm with IT needs. They want to get paid, Jack! Some may want a long-term, quality relationship with a client, but there are plenty out there that want to sign a contract that, on the surface, looks like it will reduce costs, but contains hidden standard business practices that will rake the clients over the coals.

One of the biggest gotchas in an outsourcing contract is the fact that the relationship between a company and its IT is no longer one of company to employee, but company to contractually provided service. That means the “one more thing” that managers like to ask for from their employees isn’t an automatic wish that will be granted. Did the contract authorize that one more thing? No? Well, that will cost extra, possibly a lot extra.

Another loss is the ability to say, “I know that’s what I wrote, but what I meant was…” as a preface to correcting a requested change. In-house staff can be more flexible and adapt to the refinement of the request. Outsourced staff? Well, it seems as though the staff were engaged to make a specific change, so there’s a charge for that, even though you decided to cancel the change in the middle of it. Now, the change you requested needs to be defined, submitted, and approved in order for us to arrange staff for the next change window…

There’s also the limit on the time-honored technique of troubleshooting the failed change and then making the troubleshooting part of the change. Consider a firewall change and then discovering that the vendor documentation left out a port needed for the application to work. In-house staff have no problem with adding that port and making things work. Outsourcers? If that change isn’t in writing, forget about it until it is. And, then, it may be a matter of rolling back the change and trying again, come the next change window.

Speaking of firewalls, that brings me to the “per line of code” charge. If the contract pays by the line of code, prepare for some bulky code if the contract does not explicitly state that lines of code must be consolidated whenever possible in order to be considered valid and, therefore, billable. Let me illustrate with an example.

My daughter is 14 and has zero experience with firewall rules. I asked her recently how many rules would be needed for two sources to speak to two destinations over five ports. She said five rules would be needed. I then gave a hint that the firewall help file said that ports could be grouped. Then, she proudly said, “one!”

While that’s the right answer for in-house IT staff, it’s the wrong answer for an outsourcer being paid by the line. 20 is the right answer in that case. It blew her mind when I told her how many different firms I’ve heard about that had 20 rules where one would do. As a teenager with a well-developed sense of justice, she was outraged. So long as contracts are signed that don’t specify when, how, and what to consolidate, she will continue to be outraged.
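The quiz above is easy to reproduce in code. The following is an added example, not code from the original post: it expands a grouped firewall rule into the atomic source/destination/port tuples a per-line billing model would charge for, and then consolidates them back without ever widening the policy. The addresses and ports are constructed for the example, and the greedy consolidation is a simple illustration, not any vendor’s algorithm.

```python
from itertools import product


def expand(sources, destinations, ports):
    """Expand one grouped rule into the atomic (src, dst, port) tuples it permits.

    This is what per-line billing rewards: 2 x 2 x 5 = 20 billable lines for a
    policy that grouped syntax expresses in a single rule.
    """
    return {(s, d, p) for s, d, p in product(sources, destinations, ports)}


def consolidate(atomic):
    """Greedily collapse atomic permit tuples back into grouped rules.

    Returns a list of (sources, destinations, ports) tuples. Every grouped rule
    emitted permits only combinations already present in `atomic`, so the
    consolidation never widens the policy; a full Cartesian product collapses
    to exactly one rule.
    """
    remaining = set(atomic)
    grouped = []
    while remaining:
        # Seed the group with one tuple, then grow each axis from the tuples
        # that share the other two coordinates.
        s0, d0, p0 = min(remaining)
        srcs = {s for (s, d, p) in remaining if d == d0 and p == p0}
        dsts = {d for (s, d, p) in remaining if s == s0 and p == p0}
        ports = {p for (s, d, p) in remaining if s == s0 and d == d0}
        candidate = expand(srcs, dsts, ports)
        if not candidate <= remaining:
            # The axes do not form a complete product; grouping them would
            # permit traffic the policy never allowed. Fall back to merging
            # ports only, which is always safe because every (s0, d0, port)
            # tuple collected above is present.
            srcs, dsts = {s0}, {d0}
            candidate = expand(srcs, dsts, ports)
        grouped.append((tuple(sorted(srcs)), tuple(sorted(dsts)), tuple(sorted(ports))))
        remaining -= candidate
    return grouped


def billable_lines(sources, destinations, ports):
    """Return (lines billed one per atomic tuple, lines billed after consolidation)."""
    atomic = expand(sources, destinations, ports)
    return len(atomic), len(consolidate(atomic))


if __name__ == "__main__":
    # Constructed sample policy (not from the original post): two sources,
    # two destinations, five ports, exactly the quiz in the text.
    SOURCES = ["10.0.1.10", "10.0.1.11"]
    DESTINATIONS = ["10.9.0.20", "10.9.0.21"]
    PORTS = [22, 80, 443, 8080, 8443]
    expanded, consolidated = billable_lines(SOURCES, DESTINATIONS, PORTS)
    print(f"per-line billing: {expanded} rules; consolidated: {consolidated} rule(s)")
```

Re-expanding the consolidated rules and comparing against the original atomic set is the check a reviewer would run on a consolidated rule base: the two sets must be identical, otherwise the consolidation either dropped a permitted flow or, worse, opened one.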

I didn’t have the heart to tell her about how some outsourcers contract to provide services like email, but the contract did not outline all the things we take for granted as part of email but which, technically, are not email. Shared calendars? Not email. Permissions for an admin assistant to open a boss’ Inbox? Not email. Spam filtering? Not email. Email is the mail server sending/receiving to other mail servers and allowing clients to access their own inboxes. Everything else is not email, according to the outsourcers’ interpretation of the contract. Email is just one example, and all the other assumptions made about all the other services add up with the above to create a situation in which the outsourcing costs significantly more than keeping the work in-house.

This can have significant impact on security. Is the outsourcer obligated to upgrade devices for security patching? Is the outsourcer obligated to tune security devices to run optimally? Is the outsourcer required to not use code libraries with security vulnerabilities? If the contract does not specify, then there is zero obligation. Worse, if the contract is a NoOps affair in which the customer has zero visibility into devices or code, then the customer may never know which devices or components carry vulnerabilities that need mitigating. There may be a hurried, post-signing negotiation of a new section about getting read rights on the firm’s own devices and code… and that’s going to come at a cost.

Another security angle: who owns the intellectual property in the outsourcing arrangement? Don’t make an assumption, read that contract! If the outsourcer owns the architecture and design, your firm may be in for a rough ride should it ever desire to terminate the contract or let it expire without renewing it.

I’m not even considering the quality of work done by the outsourcer or the potential for insider threat – those can be equal concerns for some in-house staff. The key here is that the contract is harsh, literal, and legally binding. That means vague instructions can have disastrous results. Tell an outsourcer to “make a peanut butter and jelly sandwich,” do not be surprised if the outsourcer rips open a bag of bread, smashes open the jars of peanut butter and jelly, mashes the masses of PB & J together, shoves the bread into that mass, and then pulls out the bread slices with a glob of peanut butter, jelly, glass, and plastic between them. He gave you what you specified: it’s not his fault that the instructions were vague.

There can be a place for outsourcing, particularly as a staffing solution for entry-level positions with high turnover. But every time I talk with someone from a place that either is currently in or is recovering from an outsourcing contract that went too far, I hear the horror stories. The outsourcers’ lawyers know what they’re doing and the firm’s lawyers fail to realize how specific they have to be with the contract language to keep from looking like they may as well have been the Marx Brothers.

Driftwood (offering his pen to sign the contract): Now just, uh, just you put your name right down there and then the deal is, uh, legal.
Fiorello: I forgot to tell you. I can’t write.
Driftwood: Well, that’s all right, there’s no ink in the pen anyhow. But listen, it’s a contract, isn’t it?
Fiorello: Oh sure.
Driftwood: We got a contract…
Fiorello: You bet.

Security Policy RIPPED FROM TODAY’S HEADLINES!!!

I had a very sad friend. His company bought all kinds of really cool stuff for security monitoring, detection, and response and told him to point it all at the firm’s offices in the Russian Federation. Because Russia is loaded with hackers, right? That’s where they are, right?

Well, he’d been running the pilot for a week and had nothing to show for it. He knows that the tools have a value, and that his firm would benefit greatly from their widespread deployment, but he’s worried that, because he didn’t find no hackers nowhere in the Hackerland Federation, his executives are going to think that these tools are useless and they won’t purchase them.

So I asked him, “Do you have any guidance from above on what to look for?”

“Hackers. They want me to look for hackers.”

“Right. But did they give you a software whitelist, so that if a process was running that wasn’t on the list, you could report on it?”

“No. No whitelist.”

“What about a blacklist? Forbidden software? It won’t have everything on it, but it’s at least a start.”

“Yes, I have a blacklist.”

“Great! What’s on it?”

“Hacker tools.”

“OK, and what are listed as hacker tools?”

My friend sighed the sigh of a thousand years of angst. “That’s all it says. Hacker tools. I asked for clarification and they said I was the security guy, make a list.”

“Well, what’s on your list?”

“I went to Wikipedia and found some names of programs there. So I put them on the list.”

“And did you find any?”

“Some guys are running the Opera browser, which has a native torrenting client. I figured that was hacker enough.”

Well, security fans, that’s something. We got us a proof of concept: we can find active processes. I described this to my friend, and hoped that he could see the sun peeking around the clouds. But it was of no help.

“They’re not going to spend millions on products that will tell them we’re running Opera on a handful of boxes!”

He had a point, there. Who cares about Opera? That’s not a hacker tool as featured on the hit teevee show with hackers on it. And, to be honest, the Russian offices were pretty much sales staff and a minor production site. The big stashes of intellectual property and major production sites were in the home office, in Metropolis, USA.

So I asked, “Any chance you could point all that stuff at the head office?”

“What do you mean?”

“Well, it’s the Willie Sutton principle.”

“Who was Willie Sutton?”

I smiled. “Willie Sutton was a famous bank robber. His principle was to always rob banks, because that’s where the money was. Still is, for the most part. Russia in your firm is kind of like an ATM at a convenience store. There’s some cash in it, but the big haul is at the main office. Point your gear where the money is – or intellectual property – and see if you don’t get a lot more flashing lights.”

My friend liked that. He also liked the idea of getting a software whitelist so he’d know what was good and be able to flag the rest as suspect. He liked the idea of asking the execs if they had any guidance on what information was most valuable, so that he could really take a hard look at how that was accessed – and who was accessing it.

And maybe there were tons of hackers in Russia, but they weren’t hacking anything actually in Russia. And maybe said hackers weren’t doing anything that was hacking-as-seen-on-television. Maybe they were copying files that they had legitimate access to… just logging on, opening spreadsheets, and then doing “Save As…” to a USB drive. Or sending it to a gmail account. Or loading it to a cloud share…
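The detection the story points at, watching who reads the valuable information and where it goes next, is simple enough to sketch. The following is an added example and not code from the original post: it parses constructed file-access events, remembers recent reads from sensitive shares, and alerts when the same user writes to removable media or an unapproved web host within a short window. The key=value log layout, the server and host names, the users and the 15-minute window are all assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not from the original post). The key=value layout,
# the file server, the approved host and the user names are assumptions.
SAMPLE_LOG = r"""
2024-05-01T09:12:03 user=alice action=read path=\\fs01\finance\Q3_forecast.xlsx
2024-05-01T09:14:40 user=alice action=write path=E:\Q3_forecast.xlsx device=removable
2024-05-01T09:20:11 user=bob action=read path=\\fs01\finance\Q3_forecast.xlsx
2024-05-01T10:05:00 user=bob action=write path=\\fs01\finance\Q3_forecast_v2.xlsx
2024-05-01T11:00:00 user=carol action=read path=\\fs01\public\lunch_menu.pdf
2024-05-01T11:01:00 user=carol action=write path=E:\lunch_menu.pdf device=removable
2024-05-01T13:30:00 user=dave action=read path=\\fs01\legal\board_minutes.docx
2024-05-01T13:32:15 user=dave action=write path=https://mail.google.com/upload/board_minutes.docx
2024-05-01T13:40:00 user=erin action=read path=\\fs01\legal\board_minutes.docx
2024-05-01T13:41:00 user=erin action=write path=https://sharepoint.corp.example/legal/board_minutes.docx
""".strip().splitlines()

# Where the valuable information lives, and which upload destinations the business sanctions.
SENSITIVE_PREFIXES = (r"\\fs01\finance", r"\\fs01\legal")
APPROVED_HOSTS = {"sharepoint.corp.example"}


def parse_event(line):
    """Split 'TIMESTAMP key=value key=value ...' into a dict with a parsed datetime."""
    ts, _, rest = line.partition(" ")
    event = dict(re.findall(r"(\w+)=(\S+)", rest))
    event["ts"] = datetime.fromisoformat(ts)
    return event


def is_sensitive(path):
    """True when the path sits under one of the sensitive shares (case-insensitive)."""
    return path.lower().startswith(tuple(p.lower() for p in SENSITIVE_PREFIXES))


def is_external_destination(event):
    """True when a write leaves the corporate environment: removable media or an unapproved web host."""
    if event.get("device") == "removable":
        return True
    path = event.get("path", "")
    if path.lower().startswith(("http://", "https://")):
        host = path.split("/", 3)[2].lower()
        return host not in APPROVED_HOSTS
    return False


def detect_exfil(lines, window=timedelta(minutes=15)):
    """Return (user, sensitive_source, destination) for every external write that
    follows a sensitive read by the same user within `window`.

    Reads of non-sensitive files and writes back to corporate storage never alert,
    so the output is a short list worth a human's attention rather than noise.
    """
    events = sorted((parse_event(line) for line in lines if line.strip()), key=lambda e: e["ts"])
    recent_reads = {}  # user -> [(timestamp, sensitive path), ...]
    alerts = []
    for event in events:
        user = event.get("user")
        if event.get("action") == "read" and is_sensitive(event.get("path", "")):
            recent_reads.setdefault(user, []).append((event["ts"], event["path"]))
        elif event.get("action") == "write" and is_external_destination(event):
            for read_ts, source in recent_reads.get(user, []):
                if timedelta(0) <= event["ts"] - read_ts <= window:
                    alerts.append((user, source, event["path"]))
    return alerts


if __name__ == "__main__":
    for user, source, dest in detect_exfil(SAMPLE_LOG):
        print(f"ALERT {user}: read {source} then wrote {dest}")
```

In the sample, alice (sensitive read, then removable media) and dave (sensitive read, then an unapproved web host) alert; bob writes back to the corporate share, carol copies a non-sensitive file, and erin uploads to the approved host, so none of them do. The whitelist of approved destinations is doing the same job the story’s software whitelist does: it lets the analyst flag everything that is not known-good instead of guessing at what “hacker tools” might look like.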

The moral of the story is: If your security policy is driven by the popular media, you don’t have a security policy.

The Fallacies of Network Security

Like the Fallacies of Distributed Computing, these are assumptions made about security by those that use the network. And, like those other fallacies, these assumptions are made at the peril of both project and productivity.

1. The network can be made completely secure.

2. It hasn’t been a problem before.

3. Monitoring is overkill.

4. Syslog information can be easily reviewed.

5. Alerts are sufficient warning of malicious behavior.

6. Our competition is honest.

7. Our users will not make mistakes that will jeopardize or breach security.

8. A perimeter is sufficient.

9. I don’t need security because nobody would want to hack me.

10. Time correlation amongst devices is not that important.

11. If nobody knows about a vulnerability, it’s not a vulnerability.

Effects of the Fallacies
1. Ignorance of network security leads to poor risk assessment.
2. Lack of monitoring, logging, and correlation hampers or prevents forensic investigation.
3. Failure to view competitors and users with some degree of suspicion will lead to vulnerabilities.
4. Insufficiently deep security measures will allow minimally sophisticated penetrations to succeed in ongoing and undetected criminal activity.

I wrote this list for the purpose of informing, educating, and aiding any non-security person that reads it. Failing that, it serves as something that I can fall back on when commiserating with other security guys.

A Grim Observation

This is a picture of the SM-70 anti-personnel mine, devised by East Germany to kill people scaling border fences to escape to the West. Its purpose was not to reduce the number of escape attempts, but to reduce the number of successful attempts. Over time, it did reduce the number of successful escape attempts, but it did not bring the total number of attempts to zero, nor did it bring the number of successful attempts to zero.

I bring this up to show that, even with the extremes the DDR was willing to go to in order to prevent population exfiltration, it was an ongoing issue through the entire history of that nation. They killed violators of their policy, the killings were well-known and publicized, and yet the population continued to try to move west. This has implications for corporate security.

Namely, corporations can’t kill off violators of their policies, so those violators will continue to violate. The reward, whatever it may be for them, will face very little relative risk. Criminal penalties? Those are only for those who get caught by companies not afraid of the negative exposure. In most worst-case scenarios, the penalty for a violation is job loss. Considering that a big chunk of people that breach security are already planning to leave that firm, job loss is a threat only so much as it interferes with the timing of leaving the firm.

While the leaders of the DDR could take a long-term approach to their perimeter issues, most executives answer to a board that wants to see results this quarter, or within the first few quarters after a system goes live. Security is an investment, right? Well, where is the return on this investment?

Security is not playing a hand of poker. It is a game of chess. It is a game of chess in which one must accept the loss of pawns, even knights, bishops, rooks, and maybe even a sacrifice of the queen, in order to attain the ultimate goal. Sadly, chess is not a game that is conducive to quarterly results. Just as the person attacking IT systems may spend months doing reconnaissance before he acts, the person defending IT systems must spend months developing baselines of normal activity and acquiring information on what traffic is legitimate and what is not. The boardroom is not a good place to drive security policy.
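The months of baselining described above are what make the later verdict of “legitimate or not” possible at all. As an added illustration (not code from the original post), here is the minimal shape of that work in Python: a per-host baseline of daily outbound volume built from a window of flow summaries, then a check of today’s totals against it. The hostnames, byte counts and the 14-day window are constructed sample data; the k-sigma rule and the floor parameter are my assumptions, not something the post specifies.

```python
"""Baseline-then-detect over constructed outbound flow summaries.

Added example, not the original post's code. Records are (day, host, outbound_bytes)
per-host daily totals such as a flow collector would emit; all values are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed 14-day baseline window: a workstation that varies a little from day
# to day, and a database host that normally pushes very little outbound.
BASELINE_WINDOW = [
    (day, "ws-042", 95_000_000 + (day % 3) * 2_000_000) for day in range(14)
] + [
    (day, "db-01", 8_000_000 + (day % 2) * 500_000) for day in range(14)
]

# Constructed "today" totals: ws-042 is within its usual band; db-01 has sent
# roughly 40x its normal volume out, the kind of thing a baseline makes visible.
TODAY = {"ws-042": 97_000_000, "db-01": 320_000_000}


def build_baseline(window):
    """Per-host (mean, population stdev) of daily outbound bytes over the window."""
    per_host = defaultdict(list)
    for _day, host, nbytes in window:
        per_host[host].append(nbytes)
    return {host: (mean(vals), pstdev(vals)) for host, vals in per_host.items()}


def flag_anomalies(baseline, today, k=3.0, floor=1_000_000):
    """Return (host, bytes, reason) for hosts above mean + k*stdev.

    `floor` is an assumed lower bound on the deviation used for the threshold: a
    host with an almost flat baseline would otherwise alert on trivial growth.
    Hosts with no baseline at all are reported separately rather than ignored.
    """
    alerts = []
    for host, nbytes in today.items():
        if host not in baseline:
            alerts.append((host, nbytes, "no baseline"))
            continue
        mu, sigma = baseline[host]
        threshold = mu + k * max(sigma, floor)
        if nbytes > threshold:
            alerts.append((host, nbytes, f"{nbytes / mu:.1f}x baseline"))
    return alerts


if __name__ == "__main__":
    for alert in flag_anomalies(build_baseline(BASELINE_WINDOW), TODAY):
        print(alert)
```

The point of the example is the order of operations: the threshold for db-01 exists only because two weeks of its ordinary traffic were recorded first. A system switched on today and asked to “find the hackers” has no `baseline` dictionary to consult, which is exactly the boardroom expectation the post is arguing against.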

But, quite often, the security policy does come from the boardroom, complete with insistence that the hackers be found as soon as the security system is in place. Once in place, anything that gets past the security system is seen as a failure of the system. There’s no concept of how many violations got through without the system in place and how many have been deterred by the system, just that security needs to work now, and failure is not an option… and other platitudes that make good motivational posters.

That’s simply the wrong mentality about security. Going back to the DDR – a lethal system with a long-term perspective and a massive intelligence network behind it – we see a highly effective system that nevertheless was defeated by those both determined enough and lucky enough. The leaders of the DDR did not scrap it until the DDR pretty much was no longer a going concern. With less ruthless security in place and a lack of long-term perspective and a failure to orchestrate all available intelligence sources, is it any wonder that IT security is such a problem for companies to get their arms around?

And if companies want to step up their potential penalties to include criminal charges, they cannot do so without first developing a proper concept of security. They will need to train employees in forensic procedures. They will need to get legal and HR involved more closely with IT – and to be more up-to-date on both the technology and the legal environment surrounding it. There will have to be decisions about what breaches must be allowed so as to collect proper evidence, and so on and so forth. We’re talking about the development of a corporate intelligence community.

And, even then, that’s no guarantee. But it’s a start. Most companies’ security policy is as effective as a substitute teacher ignoring all the students in the class. Some step up their game to that of a substitute screaming at all the students in the class. True security needs to have consequences, investigative procedures, and collections of data – and, even then, there will always be breaches. Security will not eliminate the problems, only reduce them.

Wet Economics and Digital Security

A student once unwittingly asked a physicist, “Why did the chicken cross the road?” Immediately, the physicist retreated to his office to work on the problem.

Some days later, the physicist emerged and told the student, “I have a model that explains the chicken’s actions, but it assumes the road is frictionless and that the chicken is both homogeneous and spherical…”

In the last 50 years, economics has increasingly tied its models to frictionless decisions and homogeneous, spherical employees. These employees are as interchangeable with each other as are the widgets a company mass-produces. They show up to work at a certain wage and, since perfect competition in the labor market makes these models work, there is an assumption that the cost of labor is at a point where the market clears – no need to offer any more or less than that going wage rate.

As the world economy moved from regionalization to globalization and digital technologies made employees’ locations no longer tied to where a firm was legally chartered, the idea that costly labor in one market could be replaced with cheaper labor in another market fit well with the notion that employees were homogeneous, spherical physical bodies making frictionless decisions.

The biggest problem with the economic models that have dominated economic thought over the last 50 years is that, while they are great for predicting normal ups and downs in periods of relative calm, they are useless in times of massive upheaval. Put another way, they are like weather forecasting models that see category 5 hurricanes as “an increased chance of rain” or massive blizzards as “snowfall predicted for the weekend”. These models go blind in such unanticipated crises and are particularly useless for crises precipitated out of massive fraud and abuse. We saw the flaws of the models first in 1998, then in 2001, and again in 2008. We may soon see another round of flaw-spotting, what with unease afflicting a number of major banks in Germany and Italy…

But the second-biggest problem with the economic models is less obvious, and that’s because it involves the one thing everyone seems to leave out of their thought processes: security. Because the employees are not interchangeable spheres and their decisions frequently involve friction, we can see security issues arising out of our reliance on those economic models.

The first is that employees are not widgets to be had at the lowest price: changing out a skilled veteran with many years at a firm even for someone with the same amount of experience from another firm involves a loss of institutional knowledge that the veteran had. The new person will simply not know many of those lessons until they are learned the hard way. In security, that can be costly, if not fatal.

It’s even worse if the new employee has significantly less experience than the veteran. I shudder whenever I hear about “voluntary early retirement” because it means all those people with many, many years at the firm are about to be replaced by people of vastly less experience. Because that experience is not quantified in the models used, it has no value in the accounting calculations that determined cutting the payroll to be the best path to profitability.

Then there’s the matter of the new employees – especially if they’re outsourced – not having initiative to fix things proactively. That lack of initiative, in fact, may be specified in the support contract. Both parties may have their reasons for not wanting to see initiative in third-party contractors, but the end result is less flexibility in dealing with a fluid security issue.

Remember the story of the Little Dutch Boy that spotted a leak in the dike and decided to stop it with his finger, then and there? What sort of catastrophe would have resulted if the Little Dutch Boy was contracted by the dike owners to monitor the dike, to fill out a trouble ticket if he spotted a breach, for the ticket to go to an incident manager for review, then on to a support queue with a 4-hour SLA to contact the stakeholders, so that they could perform an incident review and assess the potential impact before assigning it the correct priority? There would be a good chance that the incident would resolve itself negatively by the time it was graded as a severity one incident and assigned a major incident management team to set up a call bridge.

Security needs flexibility in order to succeed, and that kind of flexibility has to go along with the ability to exercise initiative. Full-time employees, costly though they may be, are more likely to be authorized to exercise initiative – and, if they’re experienced, more likely to use it.

On the matter of those decisions with friction… at any time, an employee can make an assessment of his or her working conditions and decide that they are no longer optimal. Most employees will then initiate either a job search process or a program of heavy substance abuse to dull the pain brought on by poor life and career choices, but others will choose different paths. It is those others that will create the security issues.

These others may decide that the best thing to do in their particular position is to get even with their employer for having created an undesirable situation. In the film “Office Space”, three of the main characters chose that path and created a significant illegal diversion of funds via their access to financial system code. They also stole and vandalized a laser printer, but that had less impact on their employer than the diversion of funds. In the same film, a fourth employee chose to simply burn down the place of business. Part of the popularity of the film stemmed from the way those acts of vengeance, in particular the vandalism of the printer and the sabotage of the financial system, rang true with the people in the audience.

We all knew an employer that, in our minds, deserved something like what happened in the movie. When I read recently of a network administrator deleting configurations from his firm’s core routers and then texting all his former co-workers that he had struck a blow on their behalf, I saw that such sentiments were alive and seething in more than one mind. As the jobs that once sustained a region go elsewhere and options for future employment there diminish, that seething resentment will only increase, resulting in ever-bolder acts of defiance, even if they result in the self-destruction of the actors initiating them.

But then there are the others that take even more thought about their actions and see a ray of hope saving them from self-destruction in the form of criminal activity. They may sell their exfiltrated data for money or post it anonymously on WikiLeaks: the first seeks to act as a leech off of his employer, the second has a motive to make the truth be known. Both actually prefer that the employer’s computer systems be working optimally, so as to facilitate their data exfiltration.

In economic models, this should not be happening. People should be acting rationally and either accept lower wages or retrain for other jobs. In real life, people don’t act rationally, especially in times of high stress. So, what can firms do about this in order to improve security?

The answer lies in the pages of Machiavelli’s “The Prince”. Give them a stake in the enterprise that requires their loyalty in order to succeed, and then honor that loyalty, even if it means payroll costs don’t go down. It won’t eliminate criminals 100%, but it will go a long way towards not only limiting the number of criminals in one’s firm, but also will maximize the incentive for loyal employees to notice, report, and react to suspect behaviors. If a firm was once again a place where people could be comfortable with their job prospects for the years ahead, it would be less of a target in the minds of the unhomogeneous, unspherical employees whose decisions always come with friction. It would be a firm that would have better retention of institutional knowledge and expertise in dealing with incidents.

Now, will boards and c-level executives see things this way? Not likely, given that the economic models of the past 50 years dominate their thinking. Somehow, the word has to get out that econometric models are not the path to security. Security is not a thing, but a system of behaviors. If we want more security, we then have to address the behaviors of security and give employees a reason to embrace them.

The Right to Know and Institutionalized Ignorance

I take the title for this from the Yes, Minister episode in which the bureaucrat, Sir Humphrey Appleby, saves the political career of Jim Hacker by not providing him with full information about an issue. In a nutshell, there are some things that are better for the people at the top to not know. Appleby explains that there is a certain dignity in ignorance, almost an innocence in saying with full honesty, “I did not know that.”

Now, consider your own firm and its security. What if there’s a conduit from the Internet to the DMZ, and from there on to the entire corporate network, including areas segregated for business-critical functions? And what if that conduit has been there for over 10 years? And what if your firm is due for a security audit or in the process of having a security audit? Does anyone in a high position – or any of the auditors, for that matter – personally benefit from this huge flaw being made known?

It’s highly and hugely embarrassing. It’s been there for 10 years, and the network people have known about it all along, but have grown tired of being ignored by the systems people that refuse to re-architect their system with security in mind, since that would significantly impact production. If the people on top and the auditing firm had to deal with this now, I could see the potential for more than one person to get fired or put on a remediation plan because of it.

But if nobody officially knows about it, nobody has to officially do anything about it. The audit completes successfully and the auditors retain their contract to provide auditing services. The managers and executives can nod their heads that, yes, they’ve got their arms around this security thing and that things are looking pretty good on that front.

Yes, the execs and auditors have both a right to know and a need to know about that huge problem, but neither has a desire to have such highly embarrassing information made known. There’s a sort of institutionalized ignorance about the situation to the point where, if there was a breach via that conduit, an executive could legitimately protest at the engineers and developers, “Why didn’t you tell anyone about it?” Never mind that they did, but got ignored, tabled, distracted, re-prioritized, or otherwise sidetracked.

No, if something had been done right away, there’d be no problem. But this has festered and become toxic. It is best for the careers of those closest to it to ignore it. If it does result in a breach, then those at the top have to throw as much blame around as possible so that nobody will try to assign any blame to them, and that blame flows downhill to the very people that tried to inform about the issue to begin with.
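A conduit like the one above is a property of the rule base, not of who has admitted to it, so it can be found mechanically. The following is an added example, not code from the original post or from any auditing product: a transitive-reachability walk over zone-to-zone permit rules that lists every chain leading from the Internet zone into zones that should be unreachable from it. The rule set, the zone names (`internet`, `dmz`, `corp`, `ot`, `vpn`) and the rule IDs are constructed for illustration; the shape of a rule as (id, source zone, destination zone, service) is my simplification of what a real firewall export would contain.

```python
"""Find Internet-to-internal permit chains in a constructed zone-level rule base.

Added example, not the post's code. Each rule is (rule_id, src_zone, dst_zone,
service); "any" means every service. Zones and rules below are made up.
"""
from collections import defaultdict

RULES = [
    ("R1", "internet", "dmz", "tcp/443"),   # public web tier
    ("R2", "dmz", "corp", "any"),           # the decade-old "temporary" hole
    ("R3", "corp", "ot", "tcp/3389"),       # jump path into the segregated zone
    ("R4", "corp", "dmz", "tcp/8080"),      # outbound to an internal app proxy
    ("R5", "vpn", "corp", "any"),           # remote-access users
]

# Zones that traffic originating on the Internet must never reach, even indirectly.
RESTRICTED = {"corp", "ot"}


def adjacency(rules):
    """Directed graph of zones: src -> [(dst, rule_id, service), ...]."""
    adj = defaultdict(list)
    for rule_id, src, dst, service in rules:
        adj[src].append((dst, rule_id, service))
    return adj


def find_conduits(rules, origin="internet", restricted=RESTRICTED):
    """Return every loop-free chain of permits from `origin` into a restricted zone.

    Each chain is a list of (rule_id, src_zone, dst_zone, service) hops. The walk
    keeps going past a restricted zone so deeper zones reached through it are
    reported too (the DMZ -> corp -> OT case in the constructed rule set).
    """
    adj = adjacency(rules)
    found = []

    def walk(zone, path, visited):
        for dst, rule_id, service in adj.get(zone, []):
            if dst in visited:           # never loop through a zone twice
                continue
            step = path + [(rule_id, zone, dst, service)]
            if dst in restricted:
                found.append(step)
            walk(dst, step, visited | {dst})

    walk(origin, [], {origin})
    return found


def describe(chain):
    """Render a chain as 'internet -[R1 tcp/443]-> dmz -[R2 any]-> corp'."""
    text = chain[0][1]
    for rule_id, _src, dst, service in chain:
        text += f" -[{rule_id} {service}]-> {dst}"
    return text


if __name__ == "__main__":
    for chain in find_conduits(RULES):
        print(describe(chain))
```

Two caveats a practitioner would add. First, zone-level reachability over-approximates: R1 only admits HTTPS to the DMZ, so the chain is a real conduit only if something in the DMZ can be made to originate the R2 hop, which is exactly what a compromised web server does. Treat the output as a list of chains that a human must justify or remove, not as a list of confirmed breaches. Second, the check is worth keeping in the audit precisely because it does not depend on anyone choosing to mention R2; deleting that one rule (try it on the constructed set) is what makes the list come back empty.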

In the episode, Appleby explains the difference between controversial and courageous:

“Controversial” only means “this will lose you votes”. “Courageous” means “this will lose you the election”!

Similar parallels apply to business. This is why I roll my eyes a little every time I hear an exhortation to innovate and think outside the box. Trust me, if I’m not following a specified process to innovate or doing a proper SOP for thinking outside the box, I’m doing something either controversial or courageous, with associated negative consequences.

It stands to reason that if I was to email directly a C-level person and copy all the management chain between me and him and then describe a situation as bad as the above, I’d be doing something highly courageous. If I do less than that, then institutionalized ignorance can keep anyone with a right to know the bad news from actually having to hear it, thereby maintaining their dignity in ignorance.

Apart from this being a cautionary tale about not developing a too-cozy relationship with one’s auditors, it’s also a very real illustration of why a culture that permits mistakes has to be in place in order for security to have a chance. Even monumental mistakes such as this 10-year marvel need to be allowed in order for the people responsible for fixing them to actually do something about them other than sweeping them under the carpet and pretending that all is well as they desperately seek employment elsewhere, before the situation blows up.

We’ve got the need to know and the right to know… but are we strong enough to know even when we lack the desire to know?