Archive for March 2008

Your OPSEC Fortune

So, I’m at my local Chinese joint and after a very nice meal I eagerly await the delivery of my Fortune Cookie.  What wonder of the future will it foretell or perhaps what evil must I avoid this week?  When it arrives it is my custom to eat the whole cookie before reading the fortune thus ensuring that I have “earned” the fortune given me.  I don’t trust people who tear open the wrapper, bust the cookie in half, tear out the fortune and then toss the cookie aside.  It shows a lack of respect for a 99-year-old tradition with its roots in the mystical environs of either L.A. or San Francisco.  Either way - it’s just rude, man.  So after I eat the cookie I slowly unbend the small paper in anticipation of the prophecy that fate has put into my hands.  Here is what it said:  “Society prepares the crime; the criminal commits it.”

What the?!  THAT’S my fortune?  Is that even a fortune?  I mean, they are called “fortune” cookies right?  What the hell?  It’s not even uplifting.  At this point I am teetering on outrage and in danger of embarrassing my long-suffering wife.  Instead of taking it out on the staff my oh-so-patient wife convinces me to take a long pull on the Plum Wine and check myself.  So I did.  I mean, it’s not the restaurant’s fault so why take it out on them?

 Some time passes and out of curiosity I ask my wife what her fortune read.  She adeptly dodged the subject which made me even more curious and after some time I convinced her to show me her “fortune.”  Here is what it said:  “You love challenge.”  Well what the hell kind of fortune is that I ask you?  Fortune?  That’s not a fortune!  And by the way - my wife doesn’t love challenge.  Sure she likes a good challenge every once in a while but generally she is challenge averse.  She would much rather go through life without any challenges of any kind and I love her for it.  So, it’s not a fortune but it is also not true!  Now I’m just pissed so I ask for some more Fortune Cookies to simply check to see if we just got some bum cookies and that the world had not actually turned on its ear. 

Here is what I saw:  “The laws sometimes sleep, but never die.”  “Do something unusual tomorrow.”  “The young have youth and beauty, wisdom is for the old.”   

OK; I give up.  Sleeping laws; an order to disturb an otherwise serene day; and then my wife, who has and cherishes her ageless beauty, is told that she isn’t beautiful any more - but it’s OK cuz she’s wise.  Trust me when I tell you this - given the option she will choose beautiful over old and sage every time.  I’ve decided to give up on the whole fortune cookie concept.  I’ll honor Chu Yuan Chang in my own way without the frustration of the now horribly misleading “fortune” cookie.

By the way, according to 14th-century legend, it is said that when the Mongols ruled China, a revolutionary named Chu Yuan Chang planned an uprising against them. He used mooncakes to pass along the date of the uprising to the Chinese by replacing the yolk in the center of the mooncake with the message written on rice paper. The Mongols did not care for the yolks, so the plan went on successfully and the Ming Dynasty began.  It is claimed that the Moon Festival celebrates this with the tradition of giving mooncakes with messages inside. Immigrant Chinese railroad workers, without the ingredients to make regular mooncakes, made biscuits instead. It is these biscuits that may have later inspired fortune cookies.

Today’s OPSEC lesson: Protect the plan - create a dynasty.

Your OPSEC fortune: You will meet a tall, dark and handsome man who will use information against you.

Keep the Faith!

Revelator

It’s All OPSEC

     “That’s not OPSEC.”  The scene is day one of an OPSEC assessment.  This is my first time out with this team so I’m still trying to feel out how they go about the process.  While the team is in the badge office waiting for badges I notice there is a computer screen with red “SECRET” stickers top and bottom facing the gathered group at the customer service desk.  Mind you, we’re not the only ones there trying to gain facility access.  Among those waiting with us were gardeners, janitors, plumbers and other uncleared day workers.  So, I turn to one of the senior members of the team and mention that we should identify this in our report and was told, “That’s not OPSEC.”  While I didn’t want to get deep into what is and isn’t “OPSEC” I did mention that I thought we had a responsibility to the office supervisor to tell him that he should turn that screen around, and keep it turned around, so that uncleared couldn’t possibly see potentially “SECRET” information.  I was told in no uncertain terms that this was not “OPSEC” and therefore not our responsibility.  The Assessment Chief later corrected this problem but the individual in question never once wavered from his stance.

     So what is OPSEC?  Is anything OPSEC?  A strong case can be made that every item in an OPSEC Assessment report can be traced back to requirements of some other security program.  The scenario above was clearly a Computer Security issue but it is also an Information Security issue.  FOUO in the trash? - Information Security.  Not locking your computer screen when you leave your desk? - Computer Security.  Privacy Act info in the recycle? - Information Security.  Allowing people to piggyback into the facility? - Physical Security.  Organization member talking about sensitive information during a speech at a conference or putting sensitive information in a professional publication? - Information Security.  Talking around sensitive or classified on the phone or email? - Communications Security, Computer Security, Information Security.  Cell phone in a secure area? - Physical Security.  Public release of new product or emerging technology? - Information Security, Personnel Security.  Give long time visitors the safe combo and then don’t change it when they leave?  Catching on yet?

     There are many more examples I could give but hopefully you get the point.  On the other hand, did you think of instances that weren’t covered by my examples?  What about always marshaling convoy vehicles at the same time in the same place?  What about using the same routes?  What security program covers mission or business indicators?  Who is the security rep responsible when your unit doesn’t have a program in place to change its call-signs?  What program do you call on to stop the intel dissemination capabilities of the spouses club?

     I’ve spent many hours in debate with people I respect and while we may disagree in one or two of the gray areas we all (but one) agree that it is essentially ALL OPSEC when it comes to our responsibilities as OPSEC Program Managers or members of an assessment/survey team.  Bottom line: Our job is to make our unit or company more secure.  And we don’t do this by arguing over whether a vulnerability, indicator or security violation is OPSEC or not.  See a problem - fix a problem.

One last thought - if you see me at the National Conference and I hear you say “That’s not OPSEC” - you owe me a cold one.

Keep the faith!

Revelator

    
