Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Introducing the BSOFH.

It’s 7 am.  I’ve cracked open my first Diet Coke with Lime of the day to wash down my cold pizza (excuse me, Italian Cheese Toast).  I wade through the dozens of alert messages in my inbox (oho, we’ve found ANOTHER f*****g virus?? Do tell), and the overnight spam mailings from security vendors ("Learn the top 10 ways to crash Vista while securing your ROI!").  I scrutinize my calendar, close my eyes, and choose one meeting appointment at random to delete (without notifying the organizer, of course).  Then I fire off an order to one of my team to produce an arbitrarily chosen report—this time on the number of non-system accounts in a particular division whose crackable passwords contain any part of the user’s name.  That’ll keep him tearing out what’s left of his dreadlocks for two full days, seeing as how we don’t have the infrastructure to produce ANY automated reports other than firewall logs.  I also send out an edict to disable the Blackberry server on the false rumor of a new zero-day exploit so that all the top brass actually have to pay attention at their meetings today.

Yep, I’m the Bastard Security Officer From Hell. 

Contrary to popular belief, I was actually born this way.  I’ve always enjoyed torturing people, making up arbitrary and complicated rules, reading their secrets, and wielding disproportionate power.  It comes from my being the oldest in the family and having wimpy siblings.  I heartlessly manipulated them, stole their desserts, and then beat the snot out of them if they dared complain.

These days, of course, in the corporate world, I don’t beat the snot out of people.  That’s what I have ex-military drones on my staff for.

I started out my career as a BOFH, but I found that it still involved too much work and not enough policy-making.  You can issue a lot more ridiculous commands in the name of security, and what’s more, you get to see them enshrined in corporate policy.  Better yet, I get to demand stellar customer service from the system administrators without having to lift a finger to click my own mouse.

Besides, I’ve found the one club that I can wield even over the CEO and Chairman of the Board.  I can make all the executive management cower in their seats, even if they haven’t got a single skeleton in their closet for me to expose.

It’s the C-word.

C*mpliance.  Whoever invented that word was one sadistic mofo.  It’s got shades of National Socialism mixed with the dusty funk of 65-year-old auditors, with a couple of power ties from the ‘80s thrown in.  I can use it to justify any expenditure, kill millions of trees in a single reporting period, and give sweet desk jobs to all of my friends, no matter which consulting company they work for.  I can turn my 5-year-old’s artwork into a PowerPoint slide and make the management think it’s the newest ITIL model.  Then I can rotate it 90 degrees, flip it 180, and sell it to them the following month all over again.

Fear, Uncertainty & Doubt are even more powerful than Smith & Wesson.  I give our lead attorney nightmares just by whispering the letters “SSN” in his shell-like ear.  I send the latest privacy breach news stories around to every manager to explain why I’m going to insist on another round of security testing before they’re allowed to release their emergency code fixes. 

These sorts of fears don’t tend to impress the lowest levels of staff, though.  They don’t really care what happens to company data as long as they can listen to their bootleg mp3s and watch their DRM-cracked DVDs during business hours.  Threats and intimidation, however, work just fine on their brutish little minds.  I had our web filter error messages customized to say, “You have tried to visit an unauthorized site.  Take your hands off the keyboard and begin removing all personal items from your cubicle.  Security and Human Resources officials will be arriving at your location in 3 ... 2 ... 1 ...”

Our CFO needed a new office chair after seeing THAT one on his screen.  It was great.  We were watching on the webcam, of course.  From then on, we had only to mention the words “hotcpasex.com” to get him to approve every year’s budget.

Today, though, I’m going to play Yahtzee with our firewall ACLs.  We’ll roll the dice and disable whatever comes up.  Three dice for the last two octets of the IP address, and the last two dice for the port number.  Then if someone complains, I’ll make him fill out a change request form in triplicate to get it opened up again.  Gotta keep records for the C-word, y’know.

I think it’s going to be another beautiful day in SecurityLand.

(Simon Travaglia is my hero.)

Posted by shrdlu on Saturday, August 18, 2007

Comments

rybolov United States on 08/18  at  11:19 AM:

Ah, my favorite whipping boy, C*mpliance.  You can wield it like Odysseus’s bow, ready to shoot terror into the hearts of mere mortals who dare to play the security game.

pa5kl Netherlands on 08/18  at  01:24 PM:

Bad day in the office?

LonerVamp United States on 08/18  at  08:10 PM:

Instant classic! smile I want to see you audit that annoying developer’s cube/system at random right on the day of his big deadline!

And someday, I swear my web filter warning will say something just like that, even if only on April Fool’s!

Rob Newby Spain on 08/20  at  01:56 PM:

Y E S !

Ireland on 08/21  at  05:52 AM:

(Simon Travaglia is my hero.)

Tut, tut.  Don’t you remember the first commandment?
Bruce Schneier is the Lord, your God.  Thou shalt have no other Gods before him.

shrdlu United States on 08/21  at  09:11 AM:

There is no God but Bruce, and Simon is His Prophet?

Kai Roer Norway on 08/22  at  03:49 AM:

Help me get back into my chair now, will you...I’ve been laughing since last night :D

United States on 08/22  at  02:51 PM:

Simon Travaglia is my hero.

Don’t mess with his rights.

United States on 08/31  at  01:44 PM:

Every time I see Bruce’s name invoked as a godhead, I keep thinking back to the young guy at the SF conventions in the early 1980’s who obviously couldn’t get lucky except with the ladies who the rest of us wouldn’t touch with someone else’s d*ck.  He who grew up to be the Bruce Schneier that the rest of you worship today.

Heh heh heh.  The good old days.

Rob Newby Spain on 08/31  at  01:54 PM:

I for one do NOT worship Bruce Schneier, nor anyone else for that matter. Maybe a small amount of Mogull-envy. I think BS probably deserves a little more respect than being bothered with other people’s genitals near his friends, however. I may be a grumpy bastard, but I wouldn’t put someone down just for being unattractive.
Is this you by the way?

OK. You were hot. I admit it. wink

stever United States on 08/31  at  02:56 PM:

Yeah, it was the ‘80s; we all looked like that, and he was younger than my crowd and we laughed at his youth, not the way he looked, which, as you figured out, was no worse than the rest of us.  Colour me as cynical as Simon Travaglia, even at that age.

Rob Newby Spain on 08/31  at  03:37 PM:

If you’d laughed at me then (Midamericon was September 1976!) I would have cried, but then I was only 3 months old. You look pretty young in the picture yourself; Schneier must have been pretty weedy. smile
OK, I think I am quite jealous that you get to call Schneier a young whippersnapper.

shrdlu United States on 09/01  at  08:41 AM:

Come on, we all pooped in our diapers once.  We all knew net.celebrities Way Back When.

I can tell you, though, that Spaf has always been a hit with the ladies.  wink
