Do I Miss Teaching?

It’s been about 5 years since I decided to end my career as a teacher and return to IT. People still ask me from time to time if I miss teaching. The short answer is no, but the long answer is yes.

For the short answer, I love not just my current job, but my current career. Once I had started back in IT, not one day did I wake up and desire to return to the classroom that I had left. I had dreams about teaching, but they involved either dull routine that I was glad to have left behind, or they were about packing up and leaving. Both gave me a sense of closure, that I was done with the profession.

Which leads to the long answer, the “yes”. Truth is, I was missing the classroom my whole last year of teaching. The work I had been able to do, both in the 90s as well as the 00s, that was no more by 2012-2013. School administrations no longer trusted a teacher’s ability to exercise professional discretion in preparing and delivering coursework. When I was doing IT work in the late 90s, I often yearned for the classroom. I had the same yearning during my last year of teaching.

Being forced to buy into the culture of testing that now exists meant selling out on my hopes of continuing to be the kind of teacher that could be flexible enough in the classroom to find a way to make a critical difference in people’s lives. I know I couldn’t impact everyone and that I could come off as a pompous ass to a lot of people… but I also knew that I had a much bigger audience that liked what I did and, within those audiences, I could make connections that would help guide lives.

All that was evaporating before my eyes as I saw mid-level administrators, living in fear of budget cuts that would axe their positions in a heartbeat, spread a culture of fear. Their jobs were safe if they could convince top administrators that their jobs were necessary to maintain the almighty test scores. This was happening not just in my district, but pretty much every urban and suburban district with 2 or more high schools.

So yes, while I miss teaching, I also know that what I once had is gone. It’s not coming back. I can think about the good times, but I have to move forward. I am fortunate and grateful that I have been able to return to IT. I’m working with people that trust my professional discretion, and that makes all the difference.

The Earth Wrapped Up As a Scroll

What is meant by the expression, found in the Bible and elsewhere, about “the Earth wrapped up as a scroll”? Several things, all at the same time, because of the precision of God’s language.
1. When one finishes reading a scroll, one wraps it back up before returning it to the shelf upon which it is stored. The Earth, at the end of its time, will be prepared to return to where it once was – wrapped as a scroll.
2. In addition to the simile’s implication of return, there is also the implication of finality. There is a time, after which, we do not continue to experience time as such, but return to where God is: and where God is, there is no time.
3. Physics. Particularly those of a higher-dimensional order. Just as we can take a line of string, let that represent one dimension, we can bend it through a second for it to meet itself as a circle. Just as we can take a sheet of paper, let that represent two dimensions, we can bend it through a third for it to meet itself as a tube.
Given that God exists in a realm where time is not a relentless crumbler of mountains, such as we see it, but a direction that goes this way and that, then it stands to reason that the realm of God has sufficient dimensions necessary to behold the whole of creation as one.
Therefore, it stands to reason that with those sufficient dimensions, they would include those sufficient to bend the earth so that it meets itself in a higher-dimensional construct our language has not words to describe, but God’s language would, and precise ones, at that.
Speculation – the “wrapping together” would be, perhaps, a similar preparation as what was required for Moses, Abraham, and others to behold God? That all things must be transfigured in order to return to God and that, without a pure soul to match the pure body, we endure pain and discomfort in God’s presence, so much so that it would be best described as a burning lake of fire, or some other nigh-unthinkable torture to our minds?
Yet, such tortures are scripturally described solely as natural phenomena. There is no mention of God or any servant of God, or even Satan or his followers, meting out such punishments. These phenomena arise naturally, out of conditions brought about via a dichotomy of a pure body housing an impure spirit. The only cure for which is an appropriate distance from God.

Maturity in Belief

Often, I see people that claim to have a belief in something, but then go on to undermine the ability of others to share in that belief because these people are too strident or over-the-top in trying to present their views. To them, things are so crystal clear: what could be wrong with someone that does not agree completely with their views? Are they ignorant? Or are they willful enemies?

By leaving out the ability of others to judge things differently, which I call spiritual immaturity, such people are prone to hardline views, are less able to forgive, are more likely to use contentious or confrontational language and, ultimately, commit acts of violence. They will do these things, all the while believing that they are in the right and are justified in their actions.

Spiritual maturity, on the other hand, allows one to accept that other people will walk other paths. Indeed, that each person walks a unique path, some in a similar direction, others not. A spiritually mature person would hope to influence the path of another, but will also recognize when such influence is either unwanted or won’t be understood, or both – and then, in such cases, to refrain from attempting such influence.

Sadly, the spiritually immature can see this maturity as a threat to their own narrow views and lash out against it as heresy, putting it on the same level as their paranoid reactions towards supposed enemies outside their faith. To the immature, the mature can seem as traitors from within because they will not join in crusades or other acts of forcible conversion. Rather, they live and let live and somehow seem to allow evil to flourish.

In truth, it is the mature person that is not allowing evil to color his or her actions and pervert his or her beliefs.

I’ve been the immature person before, thinking that standing my ground in a heated argument lasting for hours was a sort of victory. In truth, it was all wasted words, as I did not convince the others of my views and served only to make them more ready to disagree with anything I proffered in the future. I’ve been that way about my religion, my politics, my views on music, my tastes in arts, and so many other subjective areas. It’s taken me many years to develop the ability to let others have the last word, even when it contradicts what I’ve been trying to say. It’s a sort of long game for me, because if I’m known to let others have a fair say, then I’m more likely to be listened to in the future by those I disagree with. And, maybe in that future day, my arguments might find their way into the hearts and minds of those others that disagree with me today.

Perhaps this is why I’m drawn to teachings of live and let live that are common among Daoist philosophers, Zhuangzi in particular. Perhaps this is why I see value in the Zen koans. While I myself am neither Daoist or Buddhist, I find a sympathetic maturity in their sentiments, in the way they serve to remove masks and illusions that so often bedevil our views, and then allow us to better penetrate the darkness between our souls and enlightenment.

How Musicians Speak to the Press

I’m wondering how much stuff any person in a band says is due to contractual obligations to promote current work. How much of slagging previous work is considered necessary and appropriate to build up one’s current product?

ORIGINAL BAND: “Everything we’re doing now is bold and imaginative, we’re really like nothing else.”

PROMINENT TALENT GOES SOLO: “It was all rehashing of old blues numbers in Original Band, I got tired of going nowhere musically. I’m so glad that I can truly express myself on my solo albums.”

THE REUNION: “What I did as a solo artist, I had to do, had to get it out of my system. Just a flight of fancy. It’s so great to be making magic again with Original Band, the stuff we’re making now is as great as the old stuff.”

AFTER A DISPUTE OVER PERCENTAGES: “I have left Original Band, effective immediately. Please consult the legal firm of Dewey, Cheatham, and Howe for further comment.”

JOINS ANOTHER BAND: “The Original Band reunion was a disaster. Of course, you read about my departure in the press, and I’ll give you the REAL story after I mention how awesome and liberating it is to be with Another Band. These guys are amazing, this is the best work I’ve done.”

SECOND REUNION OF ORIGINAL BAND: “It’s like I never left home. This is the only real music I’ve ever done, my work with Original Band. Our new album will not disappoint!”

NEW ALBUM DISAPPOINTS, DOES ANOTHER SOLO ALBUM: “Most of the reason behind the second reunion was money. I wanted to make music, they just wanted the money. Such a pity. But I’m glad I can fly free again.”

GETS BACK WITH ANOTHER BAND: “We’re not doing the songs recorded by the guy I replaced. They’re not my music and, frankly, I don’t consider them to be truly Another Band. When I’m with Another Band, then, yes, you can be sure it’s really Another Band.”

PARTIAL REUNION OF ORIGINAL BAND: “Me and the guitar player, we were always the core of Original Band. We don’t need the other guys to play amazing stuff.”

FULL REUNION OF ORIGINAL BAND: “If it’s not all four of us together, it’s simply just not Original Band, full stop. Don’t let anyone say otherwise.”

DRUMMER OF ORIGINAL BAND DIES IN FREAK GARDENING ACCIDENT: “We will miss him dearly, but we will also carry on. Original Band will rise from the ashes and continue forth to newer, better triumphs.”

SLIGHT ISSUE REGARDING DISTRIBUTION OF MERCHANDISING PROFITS: “I’m glad to be done with those money-grubbers and, frankly, they can all go to hell, where they can join up with their ex-drummer.”

ISSUE IS RESOLVED, WORLD TOUR RESUMES: “Me and my mates are inseperable! God bless them all, and I wish our ex-drummer were here instead of ‘up there’, where I know he’s drumming with Hendrix.”

OFFERED MORE MONEY TO TOUR WITH ANOTHER BAND: “My heart has always been with Another Band. Original Band, sure I had some laughs with them. But Another Band is where I’ve always felt like I was freest to explore, where we could play like no other band in the world.”

And so on, and so on, and so on…

Prioritizing Security Spending

I’ll put on my manager/owner hat, since I have one laying about the house, and will look at the receiving side of my constant cries to emphasize security spending. There, it’s on, although it seems to restrict blood flow to the part of my brain that handles technological details… never mind, let’s get to budgeting!

First off, security is very important. It’s so important, I’ll use a few more “verys” to emphasize that importance. It’s very very very very very important. But, before I can pay for security, I have to pay for a few other things.

Out of my revenue, first to go through are my loan payments. If I don’t keep current on my merchant loan companies and business loans, I close my doors. That’s a certainty. Ditto for payroll, rent, and utilities. I have to pay those, on time, every month, or I *will* close my doors.

Next up, I have to pay for my materials that I use in my business, whether those materials be solid manufacturing inputs or intangible information, it’s what I use to make my stuff. Without those inputs, my business is no more.

Then there’s advertising. I have to have that, right? I also need money for fees, which I pay to local, regional, and national government authorities in order to stay in business. If I don’t pay those, my business will certainly not be able to operate.

Now, I’ve got some money left over. Part of me wants to have a little more for myself, to compensate for all those days I lived out of my office, getting this business off the ground. That’s why I went into business, right, to make a little something for myself, over and above what The Man would pay me in a regular gig? I’ve got a business partner, as well, and we’ve been through everything together, all these years. I’ve got to give him his cut, fair’s fair.

What’s left is my IT budget. Before anyone panics, let me assure you that there’s still quite a lot of money in that pot.

But, before I pay for any security, I need to pay for my existing licenses. If my PCs don’t have an operating system, they don’t run, and I don’t have a business anymore. Then I pay for my productivity software because what’s the point of having PCs if they don’t do anything useful? No, I must have word processors, spreadsheets, and email! No compromise on that!

If I have specialized software for my line of business, you better believe there are some big-time license fees to run that stuff. But, without it, I can’t produce what my customers want. Honestly, security is important to me, you saw how many “verys” I used up there, but I have to first allocate money for what’s core to my business.

But I’m almost to security in my line-items. Let me first cover printing costs, VoIP services, Internet connections, and a new box fan for my server closet. As long as we keep the fans on and the door open, the servers won’t overheat. That’s a good feeling to have, the feeling you get when you know the servers won’t overheat.

Now that I’m ready to buy some security, please don’t bring up the issue of locks on the doors. I can lock the outside doors, but if I lock the door to the server closet, we’re finished as a going concern.

Looking at the budget, there’s not a lot, so maybe I should get the most important piece of security gear and hope it does most of the work I need it to do. I’ll get a firewall and pay for that annual license/maintenance.

Then there’s an antivirus program that’s only $21.95 per workstation when I buy in bulk, I’ll get that. I don’t know if it’s any good, but it’s at least something.

I need to buy a backup and recovery solution, so that’s going to set me back a bit.

I also have to pay for spam filtering and DDoS protection through my ISP, or I get shut down by spammers and/or DDoSers. This expenditure, in fact, should have come before the backup and recovery.

When I ask the guy that comes in twice a week after lunch to do my IT about what else I should get, he’s got a long list of cool stuff. But when I look at the prices he quotes for them, I have to shake my head. I really can’t afford to spend thousands on a big piece of hardware like a proxy server or an IPS. Maybe if I saved up, I could, but I can’t spend that kind of money right now. And don’t even talk to me about IP protection or UEBA or other big systems like that, there’s no way I can buy one of those solutions.

The thing is, security is a matter of maybe I’ll lose my business if I don’t have it. The other things are a matter of I *WILL* lose my business if I don’t have them. Will beats maybe, every time. That good feeling I have about the servers not overheating is countered by the worry I have that one day, maybe tomorrow, I’m the next small business that gets hit with something that the firewall, antivirus, and/or antispam-antiDDoS can’t deal with. But that’s a maybe, a roll of the dice.

Eventually, I learn to live with “maybe” and I just focus on running my business, the best I can.

And if all my PCs, unbeknownst to me, are secretly mining bitcoins for North Korea or participating in Mafia-run botnets, it’s no concern to me as long as I keep in business. What I don’t know doesn’t impact my bottom line.

I’m not being callow or flippant about wanting to emphasize security but simply not having the budget for it. That’s a reality. And if I get to where the “maybe” doesn’t nag at me anymore, then I can live with myself and my decisions.

I just took off my manager/owner hat and read that over. It does make sense to me. As a security person, I see all the breaches and crashes and outbreaks. But I don’t see that, for most people, these are only rumors, things that happen to someone else. Daily bashing away at firewalls, constant spam and DDoS, legacy malware trying to infect your PC like it’s 1999, those are the constants that happen to everyone. Businesses must protect against them. The other stuff, though, that’s in the realm of “maybe” and that’s not a strong enough case to justify a major expenditure, particularly one that could cut deep into the profitability of a firm.

Insecure Social Media, Russians, and US Elections

For social media companies, insecurity is an integral part of their business model. It’s all down to how they work. They want to sell advertising and their rates are determined by the popularity of the pages where the ads run. More popular pages means higher ad rates, so anything that boosts popularity also boosts revenue for the social media companies.

Of course, when accounts that are liking and following are found to be fraudulent, advertisers cry foul and demand a purging of those fake accounts and also a reduction in their ad rates. This creates an incentive for social media companies to obscure account ownership so that fake accounts are less likely to be discovered. There’s also an incentive to engage in clickfraud, but I’ll pass over that for now. Instead, I’d like to focus in on how those fraudulent accounts can do more than just hike up revenues.

The Russian intelligence agency Федеральная служба безопасности Российской Федерации (ФСБ) – FSB to English-speakers – has made use of misinformation and agitprop since it was the FSK, and before that the KGB, and before that the MGB, and before that the NKVD, and before that the NKGB, and before that the Cheka, and before that the Okhrana. One could say that misinformation and agitprop have been hobbies of Russian intelligence agencies for about 130 years. What is new for this age are the avenues available to the FSB to spread its poison messages.

Before social media concerns, Russians wishing to whip up extremist political movements and create internal discord in Western democracies had to buy their own presses and pay for their own mouthpieces, which could be quite expensive. If one of those were unmasked, then the expensive operation would be compromised and that expense and effort would go to waste.

But with FaceBook and Twitter and blogs, the FSB now has drastically reduced costs and much higher levels of cover. It’s Agitprop as a Service! Consider how easy it is to run multiple fake online accounts, compared to hiring multiple agents. These accounts generate interest and activity on social media, so they drive up ad rates – the firms that would be policing them in an authoritarian regime are protecting them in a capitalist system.

Even better for the FSB, the ability of extremist groups – particularly the far right – to sequester themselves from other news sources means that, once a message is injected into their media echo chambers, it will be repeated often enough so that, in the observation of Josef Goebbels, it will be held up as a truth. What shows up on RT.com will be tweeted and retweeted by FSB accounts active in far-right forums and will soon be heralded as non-fake news in outlets such as Fox, ZeroHedge, and Breitbart.

Back when ZeroHedge was more focused on the financial misdeeds of large banks in the wake of the Panic of 2008, I was an avid reader of stories posted there. But something changed over time, particularly in the run-up to the 2016 election in the USA. It went from examining financial issues as its primary focus and slid deep, really deep into pro-Trump positions with lots of posters on its boards echoing comments that could be classified as pro-Russian, anti-Semitic, racist, neo-fascist, and/or a combination of the previous.

The slide in bias was obvious to me. I’ve been a follower of non-corporate media since the 1980s, and I know the difference between an investigative journalism piece and a partisan propaganda paper. ZeroHedge had definitely lost a lot of the former and had gained a lot of the latter. As the onslaught of Russophilism, antisemitism, racism, and neofascism increased, I felt a need to get out of that news source and seek out alternatives. In so doing, I did a lot of searching. In those searches, I was stunned to see how many other outlets were parroting the sludge from ZeroHedge, like they were sheep from Animal Farm bleating out “four legs good, two legs better!”

From all this agitation in stirring up the far right, Russia knows it is destabilizing America. The heads of the FSB know that the American far right will prove Pushkin right at every turn: it will reject ten thousand truths in order to cling to the lie that justifies itself. This is how I know Judge Moore is highly likely to win the Senate election in Alabama. The Russian Twitter choir is singing his praises and millions of far-right users of social media are echoing those sentiments, actively and belligerently.

Judge Moore, of course, is a hand grenade being lobbed directly at the US Senate. The man has shown a pattern of serial sexual predation against minors. If he wasn’t running as a Republican for the Senate, he’d be the focus of a true crime show right now. Russian tweets and far right echoes claim falsely that his accusers have either forged evidence against him or recanted their claims. Those lies allow his supporters to push hard for his election. If Moore is elected, it will roil the Senate as many senators will demand that he not be seated and that Alabama send a different favorite son to the Capitol. Each house of Congress can do just that, accept or reject the people sent to it – and Moore is ripe for rejection.

If Moore is rejected, it will split the Republican party even deeper. The Republicans are already incapable of putting together a coherent legislative agenda. With a Moore rejection, it will be practically open war between the different halves of the Republican party.

If Moore is not rejected, it will split the Republican party even deeper, but in a different way. Instead of Moore’s supporters repeating Russian propaganda that they were robbed, it will be outraged moderates, unable to stomach being in the same political caucus as a sexual predator. Bear in mind that the stalking of multiple daughters of single women, all around the same age, all in roughly similar ways, is an actual pattern of sexual predation. We have documentation of this. We have multiple testimonies to this effect. This is a sexual predator that the Russians, through insecure social media, are helping to force down the GOP’s throat.

When we look back to what happened in Georgia and Estonia in the decade prior to 2016, we see exactly the same thing. We see the social media misinformation. We see the political manipulation of extremists. When we look at Ukraine after the USA toppled a pro-Russian government there, we see even Russia providing armed assistance to extremists there. That fact chills me, especially in light of how many on the far right hinted at taking up arms if Trump wasn’t elected in 2016.

I doubt if they actually would have taken up arms on their own, but if they were whipped up by their social media echo chamber and shipped a few thousand AK-15s, maybe they would cross over that tipping point. If that were to happen, I have no doubt that a US Army would crush that insurrection… and then spend decades dealing with low-level guerrilla warfare, all fueled by continued echoing of Russian lies in social media echo chambers.

While there is increasing agitation on the left in the form of the antifa movement, there just isn’t as much militancy in the American left, especially after the legacy of peaceful, antiwar protests. These are not minds that will have much fertile soil for violent rhetoric. They’re also more likely to turn out one of their own if he or she is found to have feet of clay. Witness their abandonment of big donors found to be serial sexual harassers. Witness their pressure on their own political caucus to resign from office, rather than persist in running for it or remaining in place.

No, the fertile ground is in the neofascist mind. The Russians make those pushes in Greece, in Germany, and in the USA. And while I find Steve Bannon to be more of an Austrofascist than a Nazi (the strong affinity for Catholicism is a dead giveaway for Austrofascists), I don’t think such fine details matter either to the Russians or to the minds the Russians poison every day with their lies.

So how do we solve this problem? The market won’t solve it. In fact, the free market will fan these flames because the business model of Twitter and other outlets is to spread misinformation if that means more ad revenue. But in a world of multiple email addresses, how do we limit a person to just one Twitter account? In a world of VPNs and TOR exit nodes, how do we keep too many FSB-driven accounts from affecting social media? When these fake accounts actually started out years ago with softer agendas, and have loads of historical content, how do we build an algorithm that can identify a friend from a foe? Or a friend from a foe yet to reveal itself?

Hamilton 68 http://dashboard.securingdemocracy.org/ is a project that, instead of looking for the artillery shells of propaganda, seeks out the guns. While it does not claim to have discovered all sources of Russian disinformation on social media, it has found some significant signals amidst the noise. There’s some hope yet in the intel they are able to derive from extensive signals analysis. This is what any good intel agency does: read all the news to see where stories originated and how they are disseminated.

Right now, the Russian social media barrage is striving to elect Roy Moore to the US Senate. But, merely by getting the Republicans to cling to him like a piece of driftwood in a shipwreck, they’ve already demonstrated their control over that political faction. In the days and weeks to come, be certain that the Russians will continue to tug on that leash and the far right will follow every jerk and tug.

Insecure Social Media, Russians, and US Elections: Agitprop as a Service.

History as a Game Review

As I played a World War Two grand strategy game, I was wondering what if the men who led nations through that conflict were actually playing a game of that conflict that gave them the outcome they historically experienced. How would they praise or complain about the “game” they played? So I decided to write…

NORWAY: I thought this was a fun little nation-building sim and then WTF??? I get invaded by Germany??? I didn’t do anything, and then, suddenly, no warning, I got totally pwned. I got to keep one unit with my new British allies, yay. And why my nation? Sweden’s the one that had all the iron ore! Obviously, the AI in this game is broken, it makes no sense at all.

SWEDEN: Fun little nation-building sim, but kind of boring. I was pretty much just clicking through events and news reports and selling iron to Germany until they surrendered, then I just started selling it to England, lol. I’d recommend waiting for this title to be on sale, with a deep discount before you buy it.
Continue reading

Quick Start Guide

Welcome to your installation of Secure All the Things (SATT). We thank you for your purchase of our product and hope your installation process goes smoothly. We believe that SATT is the most secure network security solution on the market today. Your commitment to security has brought you here, and we are ready to walk that journey alongside you.

Wow, that was pretty over the top for marketing-speak. Franz Zimmerman saw boxes and arrows further down on the page. Boxes and arrows promised more comforting tech-speak, so he persisted in reading the SATT quick start guide.

In order for SATT to be secure, it requires a high degree of secrecy. This is why you are reading this quick start guide at a SATT safe house.

Yeah, that was a weird requirement. Franz had to take a cab to the airport, where a black SUV picked him up to take him to the safe house to read the guide. These SATT guys were serious about security, from the looks of things.

Your first step in your SATT installation will be to utilize shell companies in the purchase of a property that will house the SATT management servers. Below is a checklist of the requirements for each shell company.

Huh? What? Shell companies? Franz looked over the rest of the quick start guide, which was a single, laminated card, standard page size, printed on the front only. The boxes and arrows were a flow chart, about setting up shell companies, from the looks of things. Where was the listing of how much RAM or CPU cores the servers would need?
Continue reading

Writing InfoSec Fiction

When I first started serious creative writing efforts back in 1997, I had no idea that, 20 years later, I’d be writing about how to write InfoSec fiction. Not only did I not even know how to write fiction, period, InfoSec was pretty much a matter of having an antivirus program and locking the doors to the server rooms. And firewalls, I remember we had just started to have firewalls back then.

Well, enough reminiscing and pondering about how I found myself to be where I am now. I have a purpose, best I get to it.

First off, let’s cover how to write well. It’s not all that difficult. Here are the rules of good writing, as they were taught to me by good writers.

1. Show, don’t tell.

2. Nouns and verbs always beat adjectives and adverbs.

3. Some things are better left to the reader’s imagination.

4. Dialogue should sound like dialogue.

5. Get rid of as many “to be” verbs as you can.

1. Show, don’t tell… that’s the toughest one of all, because we want to explain our thoughts in great detail. Well, that’s technical writing, not fiction writing. How many stories, especially science fiction stories, have gotten bogged down because the characters start explaining all. the. things. The readers will figure out how stuff works as it gets used, don’t worry. Saying “The zapotron ray carved a massive opening into the reactor core, yet none of the radioactivity leaked out” is preferable to the characters spending multiple paragraphs about zapotron technology and why it would be preferable in this situation as compared to, say, an unobtanium battering ram.

In that above example, did I myself go into those technologies? I did not. And yet, each reader now has an idea about them. Show, don’t tell. If I do any more here, I’m telling, not showing, and I’m not about to slide into hypocrisy like that.

2. Nouns and verbs… Rushing beats running quickly. The giant beats the really tall and really big guy. If you have to use an adjective or adverb, make sure it’s not with a plain noun or verb. The exception to this would be in dialogue, where if a person is likely to violate good rules of writing in his or her speech, then it’s good writing to have the character talk that way.

3. Leaving things to the imagination… what’s more scary, the huge hairy spider looming over your right shoulder or… that… THING! AAAAAHH! IT’S COMING FOR YOU! RUN! RUN TOWARDS THE SPIDER!

See what I did there? Consider this an extension of “show, don’t tell.” As I tried to make something scarier than the gigantic spider, I conjured up a notion of something so awful and immediately threatening that your best hope was to run towards the very thing I suggested was fearsome at the beginning of the comparison. And now, by telling all about how I did that trick, I took all the fun out of it. Show, don’t tell, that’s the moral, here. That, and run towards the spider if you’re in that situation, for God’s sake.

Imagination is best when you want to create feeling and mood in your reader. Sometimes, it means ending a story before they want it to end, but, hey, that’s life and good writing.

4. Dialogue… there’s external dialogue. Like my English teacher once said, “When other characters speak, they can reveal so much more with carefully-chosen words, which you want on your side when you fight against Godless Commies.”

Then there’s internal dialogue. One option is to just explain things, but in a dialogue-y way, where you bend words and stuff like that. Stuff that drove my ultra-right English teacher up the wall. Or you can italicize. How do I reconcile my relationship to my English teacher? I mean, she was brilliant, taught me all I needed to know about grammar and writing… but that shrine dedicated to Mussolini in the back of the room? Really? Mrs. Paganini was a complicated person, that was for certain…

Above all, dialogue needs to sound like people talking. Stylistically, if a new character speaks, start a new paragraph. Try to not have a character say too much in one go, it can lose readers.

“You think those ideas work all the time?” a reader asked.

“They’ve served me well,” I said.

“How do I know this isn’t more of Mrs. Paganini’s neo-fascist propaganda?”

I thought a moment. “I guess you can tell it’s not that because one, I’m not wearing a paramilitary uniform, and, two, not once have I spoken about the need to invade either Ethiopia or Albania.”

My reader nodded, satisfied in my answer.

5. Getting rid of “to be” verbs. Remember up in 2, where I talked about nouns and adjectives, how I said “beats” instead of “is better than”? Getting rid of is, are, will be, was, all those “to be” verbs will force you to use actual action words, and that moves the story forward in an interesting way.

***

OK, so those are the rules of good writing. I’d also recommend reading Socrates’ “Poetics” for some tips. It’s a short piece and well worth your time. It’ll also explain why that huge race sequence in “The Phantom Menace” was such a beat-down… put effects ahead of plot and character…

I’d also recommend reading things that help the InfoSec mindset. Look to Eastern Europe for fiction authors and look to trade journals for jumping-off points for stories.

My reading list will include films, but since I use subtitles, I’m still reading them, aren’t I?

Arkady and Boris Strugatsky – Roadside Picnic; Stanislav Lem – Everything he wrote, go for Cyberiad, Solaris, and Memoirs Found in a Bathtub; P.D. Ouspensky – The Strange Life of Ivan Osokin; Vladimir Savchenko – Self-discovery

For the films, go to the Mosfilm YouTube channel and watch Solaris, Stalker, Kin Dza Dza – those are the intro to Soviet sci-fi, which is much more cerebral and psychological than US sci-fi, which tends to resolve issues through violence and/or application of brute physics.

While you’re on Mosfilm, consider also Ivan the Terrible (Ivan Grozny), Ivan Vasilievich Changes Careers, and White Tiger (Belyy Tigr). The first is a pair of films that was Game of Thrones stuff decades before HBO, the second is a wild time-travel romp, the third is about a man who can speak with tanks in WW2.

Also consider the Czech film, “Tomorrow I’ll Wake Up and Scald Myself with Tea”. Why? It’s about things going wrong, and that’s what security is all about.

Once you’re paranoid and twisted in your thinking, you’ll read trade journals and start to get ideas about how things go wrong. You’ll read marketing materials from vendors that promise the moon and see holes in their logic that may deliver a shattered earth instead of a new world. You’ll see reports on outages and mentally explore what’s not reported, how much worse it could be.

Then, you’ll want to write that story.

***

We’ve gone from fiction writing to science fiction writing (briefly) and now we’re ready to deal specifically with InfoSec fiction writing. There are no rules for it yet, because as far as I know, there’s only a handful of people trying to write it, and I’m one of them. So I’ll go into my philosophy, and I’ll try to show instead of tell as much as possible.

The short story is ideal for InfoSec fiction. The short story in sci-fi takes a small concept, a gimmick, and toys around with it. The gimmick is the center of the story, so it won’t last very long at all. It’s not a character, so it shouldn’t be pushed all that far. There will be people and things reacting to, planning to use, and being affected by the gimmick, but the gimmick is the center of attention.

Consider a story about a guy using Internet-enabled footwear that’s also equipped with a flash drive and a toner-like device that can pick up signals from network cables. Fun will be had in the story, but it’s over as soon as he visits the coffee shop and uploads his stolen data to the highest bidder. Maybe it’s over now, but that’s how it goes with the gimmick. It’s a short story, but a merry one.

Writing a longer story runs the risk of getting preachy. If your characters are starting to launch into long dialogues explaining best practices, you are writing an editorial at best and a user manual at worst. If your tale has legs and it’s going to travel into the land of 10-40K words, you’re into novella country, and that demands a different focus for your writing.

Novellas have to be character-centered. This means the focus is not on the technology, but on a person using/affected by the technology. The exposition is about the character in relation to that technology, and the temptation to get preachy will try to overpower you. Resist. Stay with that character and his or her moral journey, as he or she struggles with A Big Decision. For it to be InfoSec related, the Big Decision needs to be related to that technology. A plot in which a jilted lover considers killing his former love becomes an InfoSec plot when he ponders the killing by way of a drone strike, homed in on the former love’s cell phone location… and then, to his horror, he realizes the drone strike took out an innocent because the former lover dropped the phone in the parking lot and the innocent picked it up to go return it to the nearby store’s lost and found. The actual strike and realization would be the climax of the story, unless we want this to be a psychological tale about the killer being caught and being sentenced to work out his problems with an AI counselor… that may have a few flaws in its code…

Novels are big things. If you’ve got the nerve to write an InfoSec novel, good luck with that. If you can keep from preaching and make it all about a group of characters dealing with a world changed by a technology, you’ve got a sci-fi novel. To make it InfoSec, those characters deal with a world changed by the *flaws* in a technology.

That’s the biggest part of InfoSec writing, in my view. We confront the promise of better living through technology and poke at the weaknesses in that premise. We ask what can possibly go wrong and then unleash that vulnerability on our characters. Sometimes, our characters are resilient and deal with the problem. In such cases, I’d recommend no neat and tidy happy ending. The characters dealt with the problem, but now they live in a patched world, and they have to be on their guard just in case the patch introduced a new vulnerability.

An InfoSec writer also has to face a decision whether or not the story will be hard science or more Hollywood in its portrayal of technology. My style leans mostly towards hard science. I want things to be highly accurate. My characters will never ping 10.800.1.1. My characters will never have a program with a GUI that looks like it was designed by a special effects company. My characters plow through huge logfiles, they run Wireshark and pore over the captures, and they get mandatory reboots of their OS at the worst possible times.

But, there are times where I want to go Hollywood. In these stories, I create a fantasyland where all is well, all is good, there is better living through technology for all… except, hey, what’s this little red button do? Ah, it reveals that the makers of this heaven were really humans and there are devils from our own day and age in those futuristic details! Here we are in the year 2877, but the world comes crashing down because the code is backward-compatible to run a DOS 5.0 program… in so doing, I’m able to point out the folly of assuming backward-compatible code is secure, but *without getting preachy*.

I just realized I was getting preachy about not getting preachy, so maybe I should leave the rest to your imaginations and end my essay here.

Or should I say “show, don’t tell” one more time? Where is Clippy to help me finish writing a story when I need him the most?

Matryoshka

Tommy Mothersbaugh caught an anomaly. For the first time in over a year of scouring security logs, he found something that shouldn’t have been there. He took the report to his boss, Mary Jordan. He knocked on her open door.

“What’s up, Tommy?”

“I think I got something here, Mary. It’s not much, but it’s something.”

“Whatcha got?”

Tommy held out the report and pointed at a traffic flow. “That’s a printer in our Panguitch office. Trying to reach a TOR exit node.”

Mary lifted up her glasses to squint at the tiny print. “Huh. You sure about that? Double checked it and all?”

“Yes. Something’s up with that.”

Mary set the report on her keyboard. “OK if I keep this for my report?”

Tommy nodded. “Anything else you want me to do for follow-up?”

“No, no, that’s OK, we just file our reports and then things move upstairs… By the way, I wanted to ask you something and I’ve got a few minutes before my next meeting. You want to get the door and have a seat?”

Tommy shut the door and sat down.

Mary propped her glasses up, over her forehead. “How would you like to do a field assignment? You’ve been doing good work here in Analysis, so it’s only natural that you eventually sample other types of work… if you’d like to.”

“Sure, yeah. I mean, yes, that would really be cool.” Tommy’s surprise turned to excitement. “Where would I be going?”

“Well, wherever they send you. You’ll go through an orientation and then the officer in charge will let you know your assignment. But we can get you there as soon as you like. Tomorrow, even.”

“Tomorrow?”

“Tomorrow.”

“Dude. That would be awesome.” If Tommy was a puppy, his tail would be wagging wildly.

“Well, pack up your desk and make room for your successor.” Mary’s smile got Tommy to jump up, shake her hand, and then zip over to his desk with his good news.

A short, waited interval after Tommy left, Mary opened up SightsAndScenes.com and clicked the “helpful” button by Barry7711’s review of The Dinner Bell restaurant in Muleshoe, Texas.

Instantly, a minor official in another nation received an alert on his phone. The text on Gleb Ivanovich’s phone read, “Text ACCEPT to 495 697 03 49 to receive information on your prize!”

Any English-language text with the phone number for the Kremlin was serious news. Gleb brought up his browser and checked which review for The Dinner Bell got an additional like. Following the liked review back to that user’s home town indicated where operational cover had been blown. And that cover had been blown in… Panguitch, Utah? What and where is a Panguitch? Even after looking up information on the tiny town, Gleb couldn’t believe it existed. Why they had bothered to put a system there that we had bothered to compromise, Gleb did not know. He shook his head and sent a PDF brochure of Bryce Canyon National Park to another minor official.

Sofiya Olegovna glanced over the brochure in Gleb’s email and checked the traffic records for that system. After a few clicks and a few presses of Page Down, she had the data she needed to review. Hmmm… we haven’t done anything with that system in a long time, a long long time… and neither have they. Was this something some other guys were doing? Sofiya thought some more and became certain. This was definitely the doing of some other guys. Sofiya moved to make her report to those who needed to know.

Mere moments later, a spam campaign sent out 3.2 million messages proclaiming the virtues of all-natural Xenon Hexafluoride capsules. Most of the spams were either eliminated by filters or deleted by the fools still suffering without antispam measures. There were, however, 2 people who did not delete the spams, but, rather, accorded them the most urgent of responses. One of those people was in a very quiet office in a very quiet building in a very quiet part of Northern Virginia.

The TINCAN monitoring project was one of the most demanding of analytical jobs, but one that had also produced much valuable intel. Cracking the Spam Code was possible only because of the incredible attention to detail by the steganographers working for TINCAN, searching for meaning in the grainy background images of the spams sent by agents of the rival power. Of course, the meaning in the images was always encrypted, but the one-way pad in the hands of TINCAN’s director provided the key, every time. And now, the urgent response from the person in the very quiet office brought a collection of letters and numbers to the TINCAN director for his one-way pad to work its magic.

Director Andy Garfield ran the decryption protocol. He nodded and dismissed the urgent responder, then contacted his counterpart in Systems Monitoring via a scrambled line. Even if a rival power or those other guys had access to the phone system, they wouldn’t be able to break the encryption on the line. And, besides, what was so unusual about two intel directors talking with each other?

As it turned out, the rival power *did* have access to the phone lines. And, while it was true that the rival power could not decrypt the phone conversation, the rival power nevertheless deduced that this particular conversation fit a pattern that had gone along with its recent spam campaigns. Agents and administrators within the bowels of the rival power’s intelligence community put the wheels in motion to bring the spam campaigns to a close. One or two more actual messages would be leaked, and then disinformation until they didn’t believe us anymore. After that, the spam would have served its purpose.

Director Claus Niklaus of Systems Monitoring answered Director Andy Garfield’s call. “This is Niklaus.”

“Hello Niklaus. Garfield here. How ya doin’?”

“Doin’ fine, Andy, yourself?”

“Got my health. Can’t complain. This a good time?”

“Sure is. What’s eatin’ ya, succotash?”

“Well, Claus, it’s like this. You got a system in Panguitch that came up in analysis earlier today?”

“Yeah, just a while ago.”

“Well, I know all about it.”

“Ya don’t say… Huh. Thanks for the info, Andy.”

“Always a pleasure to help out, Claus. Hang in there, buddy.”

“Sure thing. Thanks a heap. See ya.”

“See ya.”

They both hung up and Claus leaned back in his chair. Only way Andy would have known that is if he’d intercepted and decoded a message from the rival power regarding the Panguitch system. Only way the rival power would know about that would be if they had a mole in his organization or a tap on his lines or a hack on his systems. Time to hire a rat-catcher, Claus figured.

The next problem Claus faced was that this wasn’t a direct operation of the rival power’s. Had it been, they wouldn’t have used the Spam Code that Andy’s TINCAN people were taking apart. That meant that the other guys were mixed up in this. The rat looked to the rival power for money and benefits, but the compromise on the Panguitch system could be laid at the doorstep of the other guys. Claus put in a call to Lauren Bishop, Director of Internal Investigations.

“Joyful Snow Pea Restaurant, can I help you?”

“Sorry, wrong number. I misdialed the third number.”

“OK, no problem, goodbye.”

Claus redialed, properly, and got Lauren on the phone and let her know about the mole, and how he may or may not be working for us or them, but definitely the other guys.

Meanwhile, the cashier at Joyful Snow Pea Restaurant knew exactly what to do, based upon Claus’ message. She placed an order for 2 dozen cans of Hunan-style water chestnuts to the trade attache at the Chinese consulate in San Francisco. The trade attache, in turn, sent an email to Shandong Huaye Tungsten & Iridium Tech Co., Ltd., requesting a quote for 600kg of pure tungsten rods, 100mm diameter. That email kicked off an alert that went straight to the head of Bureau Nine of the Ministry of State Security.

He wasted no time in getting up and moving as fast as he could without running to his boss, hoping to get there before the head of Bureau 8. The head of Bureau 8 had an unfair advantage, as his office was 10 meters closer than his own.

The head of Bureau 9 sped past the door of Bureau 8. He smiled. Those speed-walking classes had paid off a great dividend. He entered his director’s office and did his heel-toe, heel-toe walk right past the secretary, into the director’s antechamber. He pressed a button and waited.

Still no sign of Bureau 8. The head of Bureau 9 smiled as he heard the buzzer indicating the director was ready to receive a visitor. He walked in, normally this time, and said only, “Panguitch cover blown.”

The director nodded and dismissed the head of Bureau 9. The head of Bureau 9 nodded and exited. In the antechamber, he saw the head of Bureau 8 cooling his heels. “No need to see the boss now, I got here first.”

“Damn. Just my luck, I was in the water closet when I got the info.”

“You know it is Bureau 9’s job to protect this ministry from infiltration by foreign agents. Why do you always meddle in our matters?”

“You know damn well it’s Bureau 8’s job to handle counterintelligence. We have to keep tabs on you guys in Bureau 9 when you step into our territory.”

“Is that what you will tell the senior director? That we are in your territory?”

“No, this is a small thing, not worth a fight… but what might be worth a fight is your bureau removing our microphones. Your department is not above suspicion of counterintelligence.”

“Well if you want your microphones back, give us back our cameras! We have to be certain that our counterintelligence team hasn’t been infiltrated by foreign agents!”

The head of Bureau 8 thought a bit. “Two microphones for one camera?”

The head of Bureau 9 nodded in agreement. “Send the draft proposal to me today, I’ll sign off on it.”

Both men returned to their respective departments. The head of Bureau 8 then reviewed the budget for next year’s office supplies. He circled the amount proposed for printer toner and noted it should be reduced.

Three days later, Tommy Mothersbaugh was just outside Panguitch Middle School in Panguitch, Utah, wearing a brown shirt with a printer vendor’s logo prominently embroidered above the left pocket. His instructions were to remove a printer from the faculty workroom and replace it with a similar model. He was then to deliver the removed printer to the e-waste center in Hurricane, but was to get there by way of Orderville and Zion National Park.

Tommy also had instructions to park at Zion National Park and to go see the sights for ten minutes, leaving his vehicle unlocked.

Tommy arrived at Zion and parked his car near a bunch of tour buses loaded with Chinese tourists. They all debouched from the buses around the same time he left his van. Tommy walked away, glancing back at the mob of Chinese tourists. He went to the main office, figuring he’d use the bathroom while he was there. After using the bathroom, he walked around in the gift shop and accidentally bumped into one of the tour bus drivers.

“Oh, sorry! Please excuse me.”

“Not a problem, no worrying.” Tommy was struck at the thickness of the driver’s Russian accent. Then again, lots of immigrants got jobs as drivers, such was the nature of things. Tommy never was sure about what things he should ask questions about and what things he should just let pass without comment, so he guessed this was no big deal and forgot about it.

Tommy returned to his van and checked the insides. Nothing was stolen, and the printer looked like it hadn’t been touched. Tommy shook his head at the instruction that made no sense and drove on to the e-waste disposal center. This field work was just as boring as analysis work, but at least he got to see some beautiful countryside on this mission.

Meanwhile, back on one of the tour buses, the Chinese tourists were talking animatedly about a small piece of electronic gear they had removed from the printer as the bus driver nonchalantly checked to make sure the bus security cameras were running properly.