Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Introducing the BSOFH.

It’s 7 am.  I’ve cracked open my first Diet Coke with Lime of the day to wash down my cold pizza (excuse me, Italian Cheese Toast).  I wade through the dozens of alert messages in my inbox (oho, we’ve found ANOTHER f*****g virus?? Do tell), and the overnight spam mailings from security vendors ("Learn the top 10 ways to crash Vista while securing your ROI!").  I scrutinize my calendar, close my eyes, and choose one meeting appointment at random to delete (without notifying the organizer, of course).  Then I fire off an order to one of my team to produce an arbitrarily chosen report—this time on the number of non-system accounts in a particular division whose crackable passwords contain any part of the user’s name.  That’ll keep him tearing out what’s left of his dreadlocks for two full days, seeing as how we don’t have the infrastructure to produce ANY automated reports other than firewall logs.  I also send out an edict to disable the Blackberry server on the false rumor of a new zero-day exploit so that all the top brass actually have to pay attention at their meetings today.

Yep, I’m the Bastard Security Officer From Hell. 

Contrary to popular belief, I was actually born this way.  I’ve always enjoyed torturing people, making up arbitrary and complicated rules, reading their secrets, and wielding disproportionate power.  It comes from my being the oldest in the family and having wimpy siblings.  I heartlessly manipulated them, stole their desserts, and then beat the snot out of them if they dared complain.

These days, of course, in the corporate world, I don’t beat the snot out of people.  That’s what I have ex-military drones on my staff for.

I started out my career as a BOFH, but I found that it still involved too much work and not enough policy-making.  You can issue a lot more ridiculous commands in the name of security, and what’s more, you get to see them enshrined in corporate policy.  Better yet, I get to demand stellar customer service from the system administrators without having to lift a finger to click my own mouse.

Besides, I’ve found the one club that I can wield even over the CEO and Chairman of the Board.  I can make all the executive management cower in their seats, even if they haven’t got a single skeleton in their closet for me to expose.

It’s the C-word.

C*mpliance.  Whoever invented that word was one sadistic mofo.  It’s got shades of National Socialism mixed with the dusty funk of 65-year-old auditors, with a couple of power ties from the ‘80s thrown in.  I can use it to justify any expenditure, kill millions of trees in a single reporting period, and give sweet desk jobs to all of my friends, no matter which consulting company they work for.  I can turn my 5-year-old’s artwork into a PowerPoint slide and make the management think it’s the newest ITIL model.  Then I can rotate it 90 degrees, flip it 180, and sell it to them the following month all over again.

Fear, Uncertainty & Doubt are even more powerful than Smith & Wesson.  I give our lead attorney nightmares just by whispering the letters “SSN” in his shell-like ear.  I send the latest privacy breach news stories around to every manager to explain why I’m going to insist on another round of security testing before they’re allowed to release their emergency code fixes. 

These sorts of fears don’t tend to impress the lowest levels of staff, though.  They don’t really care what happens to company data as long as they can listen to their bootleg mp3s and watch their DRM-cracked DVDs during business hours.  Threats and intimidation, however, work just fine on their brutish little minds.  I had our web filter error messages customized to say, “You have tried to visit an unauthorized site.  Take your hands off the keyboard and begin removing all personal items from your cubicle.  Security and Human Resources officials will be arriving at your location in 3 ... 2 ... 1 ...”

Our CFO needed a new office chair after seeing THAT one on his screen.  It was great.  We were watching on the webcam, of course.  From then on, we had only to mention the words “hotcpasex.com” to get him to approve every year’s budget.

Today, though, I’m going to play Yahtzee with our firewall ACLs.  We’ll roll the dice and disable whatever comes up.  Three dice for the last two octets of the IP address, and the last two dice for the port number.  Then if someone complains, I’ll make him fill out a change request form in triplicate to get it opened up again.  Gotta keep records for the C-word, y’know.

I think it’s going to be another beautiful day in SecurityLand.
(Simon Travaglia is my hero.)

Posted by shrdlu on Saturday, August 18, 2007