Archive for December 2009

Lies

As 2009 draws to a close I thought I might ponder, muse if you will, about the state of OPSEC and all that has happened in OPSEC during the year…or I could do the third installment of my running discourse about fortune cookies.

I’ve decided on the fortune cookies…

The day was March 17, 2008 (it’s still there - check it out) - I could no longer hold back and had to do that fateful first Fortune Cookie entry. And it felt good. My basic premise was that Fortune Cookies rarely had fortunes in them. Instead they had statements about living and other such crap. Nine months later (December 5, 2008) I was fed up again and wrote the second in the series about Fortune Cookies. And now, after a stop at Panda Express the other day I am compelled to write the third in my continuing Fortune Cookie Saga…

Look, I’m a basic guy. Keep it simple. When I open a Fortune Cookie I want to see a fortune damn it! I don’t care what it says and I don’t believe a word I read but if you are going to call it a Fortune Cookie then I believe I deserve a fortune - even a weak one. Come on, I know that the McRib isn’t really rib meat - it’s just a great sauce so I’m Ok with almost right but I can’t stand by and be lied to by the Fortune Cookie wrapper itself. If they were called Words of Wisdom and Other Such Crap Cookies then I’m good with them but they are not - they are called Fortune Cookies and (I say again) I want to see a fortune damn it!

Waiting till the end of the meal (as I believe tradition requires) I opened my latest Fortune Cookie and here is what the tiny white paper had printed upon it; “Treat yourself to something of quality.” Now I’m not sure by what standards you may define “fortune” but I’m pretty sure this statement would not qualify. And just so you won’t think this was a one-off aberration allow me to share a couple more “fortunes” with you:

A smile is your personal welcome mat. Not mine - have you seen my teeth lately? A statement - and not true.

A truly rich life contains love and art in abundance. Says who? By the way - I have much love but little to no art in my life so I guess, by definition, I’m screwed out of a truly rich life. Another statement - and false.

Competence like yours is underrated. Know what they call underrated competence? Incompetence - that’s what it’s called when it’s underrated. Underappreciated is quite another thing. I could live with that. It’s still not a fortune though. Nope, another statement that is not only false but misleading.

Have a beautiful day. Bite me. Not even a true statement but an order. I do not take orders from cookies.

There’s no such thing as an ordinary cat. Logically, it would seem to me that at any given time there is one cat in the world who is smack dab in the middle of cat extremes. This cat then, would have to be the one who is ordinary - until he or she dies leaving the next one who is, again, the one who is in the middle of the extremes and by definition; ordinary.

You are working hard. Not a fortune and certainly not true.

You have a shrewd knack for spotting insincerity. Found it. So I guess that one is true - but still not a fortune, merely a lucky guess.

Truth be told I have received a number of “fortunes” in my Fortune Cookies over the years. Here are what I consider decent fortunes:

Now is a good time to buy stock.
Now is the time to go ahead and pursue that love interest!
You are in good hands this evening.
You will inherit a large sum of money.

See what I’m saying? To my knowledge only one of those came true but again, this is not my point. Truth in advertising - that’s all I’m looking for. When I crack it open I want a fortune damn it!

Happy New Year’s y’all.

Keep the Faith
Revelator

Lies - The Rolling Stones

Merry Christmas, Baby

Every year there are a number of Christmas movies I have to watch; “Scrooged”, “Elf”, “It’s A Wonderful Life” and the original “How The Grinch Stole Christmas”. And in each of these movies I have some favorite lines and moments but every year there is one quote that stands out for me. It’s from Scrooged - Bill Murray as Frank Cross: “It’s Christmas Eve. It’s the one night of the year when we all act a little nicer, we smile a little easier, we cheer a little more. For a couple of hours out of the whole year we are the people that we always hoped we would be.”

On this Christmas Eve (and for as long as you can hold on to it) we should all try to be the people that we always hoped we would be.

Merry Christmas everyone.

Keep the Faith!
Revelator

Merry Christmas, Baby - Written by Lou Baxter & Johnny Moore; sung by many

‘Zat You, Santa Claus?

Alright now settle down, settle down. Everyone take your seats and let’s get this thing started. Plenty of room up front folks…come on down - don’t be shy. That’s right - fill in all the seats. And you guys leaving the extra seat open like you do in the theater…that’s not gonna fly in here; move it on over. Doesn’t mean you’re dating cuz your elbows touch. Oh come on! Whose cell was that? You? Well ain’t you special… Everyone, I would like you to meet that one special person to whom the rules don’t apply. Could a couple of you gentlemen who abided by the rules please escort this gentleman to the door, take his badge and fling him into the new falling snow? Thank you very much. Dutch? Could you make sure to terminate his security clearance please? Thanks.

Boys, this is serious business and you will either follow my rules or….well, you’ve seen what happens when you don’t follow the rules.

Where’s my clicker? Thanks. Slide, the first - here’s your target. Surprised? Wondering just what the hell is going on here? Well, wipe those stunned looks off your faces cuz this is indeed your target and we have a very small window of opportunity to grab this guy and that time is fast approaching.

So you’re saying to yourself; “I’ve seen this guy a thousand times - I could walk half a block from here and just grab him.” Yes, you could grab him…but it wouldn’t be him. Remember when we found out that Saddam had look-a-likes attending meetings and such in his stead? Well, this guy has taken this strategy to insane new levels. In our estimation he has over 27,000 doubles working all over the world and trust me when I tell you we don’t have the budget to round them all up and run DNA tests on each one so we need to figure out just how to get the real one; something people have been trying to do for long about two hundred years now. Oh, he’s crafty this one - don’t ever underestimate this man.

And here’s the worst thing about this guy - he understands our intelligence systems and how to manipulate those. Wait, there is one more thing - he sees what you are doing. Somehow he has each and every one of you under surveillance 24 hours a day. For example, he knows that you are here now and later he’ll know what you are doing too. It is very hard to track a target like that, let me tell you.

Back to the intel systems - he’s on to us. How do we know? Here’s how:

1. We know exactly what he looks like and we can’t find him.
2. We know exactly what he wears and we can’t find him.
3. We know exactly who his wife is but no one has ever actually seen her.
4. We know where he lives but we can’t actually find it.
5. We know exactly what he drives but we can’t find that either.
6. We know exactly when he will be out among us yet we can’t find him.
7. We know his flight routes but still can’t shoot him down.
8. We know who works for him but no one has ever seen one of his employees.

So, we know everything about this guy and yet for all our efforts no one can find him and bring him in. That is why you were brought here. You are the best of the best in your fields and we think if anyone can find this guy it will be someone in this room. Let me add that I think the one mil we’re offering as a reward just might incentivize each of you a bit.

Fellow OPSECers, I was thinking about Santa this morning and I’ve come to the conclusion that Santa must have the best OPSEC program EVER! How else can you explain items 1-8 above? Seriously. Dude has it mastered. Sure, NORAD follows him every year but still no one has been able to shoot him down. I’m just saying…
You find another program that protects info better than this and I’ll put you right at the top of my Christmas List.

Keep the Faith!
Revelator

‘Zat You, Santa Claus? - Louis Armstrong (and many others)

Tell It Like It Is

This is just unfreakingbelievable!

Hackers steal SKorean-US military secrets

By Kwang-tae Kim, Associated Press Writer

Fri Dec 18, 7:19 am ET

SEOUL, South Korea – South Korea’s military said Friday it was investigating a hacking attack that netted secret defense plans with the United States and may have been carried out by North Korea.

The suspected hacking occurred late last month when a South Korean officer failed to remove a USB device when he switched a military computer from a restricted-access intranet to the Internet, Defense Ministry spokesman Won Tae-jae said.

The USB device contained a summary of plans for military operations by South Korean and U.S. troops in case of war on the Korean peninsula. Won said the stolen document was not a full text of the operational plans, but an 11-page file used to brief military officials. He said it did not contain critical information.

Pardon? Did I read that wrong? Let me check… “He said it did not contain critical information.” Nope - I read it right. Still can’t believe it. I mean, are you kidding me? An 11 page Executive Summary of our South Korean defense plans (OPLAN 5027) contains no sensitive information? Am I dead? Did I go to OPSEC hell and not get greeted by the demon of OPSEC? I’ve met this demon before - his name is Ignorance - so I’m pretty sure I would know him if he was greeting me at the gates of OPSEC hell. Perhaps this is a dream? Damn it people - just saying something isn’t so does not make it not so. Sure that’s a horrible sentence but let me show one that is far worse: “He said it did not contain critical information.” See? Much worse.

And don’t give me that nonsense that denying it had critical information is our way of not confirming to the North Koreans that it did indeed contain sensitive information. You know who says stuff like that? People who don’t understand the adversary. To be so blind as to think that North Korea doesn’t have a damn good idea of what is essentially contained in OPLAN 5027 is the height of ignorance. Especially since you can find older versions of OPLAN 5027 in all its classified glory on the internet.

I’ll grant that the 11 page summary may have been unclassified but there is no way I’m going to grant it didn’t contain critical information. Unless the only definition you have of critical information is anything that’s classified - and we know that’s just not true. Too bad not everybody understands that these days.

Thanks to my good friend Kirk for letting me know about this.

Keep the Faith!
Revelator

Tell It Like It Is - Aaron Neville

The Interview - Part I

Today I want to share an interview I conducted with an OPSEC grey beard (GB) who insisted he remain nameless. Originally, I refused to do the interview with this particular stipulation but as you read on I think you’ll agree that even without identification the information shared is valuable enough to overlook the anonymity clause. We sat down in a small bar in a busy city near our nation’s capital. After ordering, I hit record and began the interview.

Rev: How long have you been in OPSEC?
GB: Since before they called it OPSEC.

Rev: What did they call it before they coined the term OPSEC?
GB: They didn’t call it anything - that’s the point isn’t it? It didn’t have a name. But we knew it as using your common sense - doing the right thing - being smart - protecting your ass from the guy trying to shoot it off.

Rev: Do you see OPSEC as primarily a wartime program?
GB: First, I don’t see it as a program - I see it as a way of life. But to answer your question up until very recently yes, its application was mainly in support of military operations - specifically wartime operations. But in the past ten years I think we have come to realize that every day is a wartime situation. Every conversation, every text, every tweet, every email could harm not only our all-volunteer military but also innocent civilians.

Rev: So would you say that in these times spreading the gospel is critical?
GB: Spreading the gospel, as you say, has always been critical. OPSEC can truly be a life saving art but if no one understands it and therefore no one uses it then it’s no more useful than the warnings on a pack of cigarettes. The most important step in the OPSEC process, as we know it now, isn’t even one of the five steps because it is a concept followed - if we’re lucky - by an action.

Rev: And what is that?
GB: Awareness! The most important OPSEC concept is awareness. If the people in your military unit or even your corporation don’t understand the “why” of OPSEC then you guys can take the OPSEC process and work it into the ground and it won’t be worth a damn because no one understands why you are doing it. And more importantly why they should use it. Listen; I’ve known guys who knew OPSEC cold…knew how to work each of the five steps, and could write an OPSEC plan so beautiful you would marvel at its magnificence. But some of these guys couldn’t sell the concept - they couldn’t show people how or why they should care about, much less use, OPSEC in their daily operations.

Rev: Is it true that the OPSEC process was at one time 12 steps and then 9 steps before we arrived at the five steps we have now?
GB: Absolutely. And it was 15 steps and 10 steps and one pretty highly placed, but ignorant, guy wanted it to be three steps.

Rev: Well, how many steps do you think it should be?
GB: To be honest, I wasn’t happy with the five steps when it first came out. I thought they left out two steps that I thought were pretty important.

Rev: Which were…?
GB: Not important now. People seem to be doing them just as a matter of course so I don’t want to upset those that are responsible for this process. But let me make another point before we move on; the average person in your organization doesn’t care how many steps it is. They don’t care about what you have to do to accomplish the five steps of the OPSEC process. You know what they care about if they care at all?

Rev: Tell me, please.
GB: Two things - what do I need to protect and how do I protect it. And that is all they should care about. The OPSEC Manager needs to do all the work and be able to answer those questions for the warfighter. If you can’t tell them what needs to be protected and how to protect it then what are you there for? To give the annual training? To fill the square? Bullshit. You are there to protect the mission and to protect life so if you can’t tell the trigger pullers what to protect and how to protect it then crawl back into your cubicle and work on your next PowerPoint presentation cuz brother they don’t need you.

Rev: Strong words sir.
GB: Yes they are. Look, I’ve worked at this too long and too hard to try to soften the blow of what I’ve learned over the years. You asked me so I’m telling you. I believe I’ve saved lives using OPSEC and if I couldn’t say that then why would I have stayed in OPSEC? For the glamour? For the glory? For the money? No, no and hell no! (long pause) In my military service I took lives… Since I laid down my weapon I have been trying to save lives and as I said I believe I have. (pause) OPSEC is important. It’s more than going to the conference once a year. It’s more than giving your annual briefing. It’s more than putting up a poster or two. Actually, it is all of that but so much more.

This is the end of part one of the interview. I’ll have part two for you soon.

Keep the Faith!
Revelator

All Shook Up

OPERATIONS SECURITY - OPERATIONS SECURITY - OPERATIONS SECURITY - OPERATIONS SECURITY. Everyone - say it with me now: OPERATIONS SECURITY!

If I read one more article, speech or blog entry that defines OPSEC as Operational Security I’m gonna go Elvis on my computer monitor. People, this isn’t difficult. Operations Security is a different concept than operational security. I’m not gonna go into a long dissertation about the difference because you should know what the difference is. But even as I write those words I realize I’m wrong. Generals, Lt Cols, Master Sergeants, CIOs, even OPSEC Managers have written or spoken operational security when speaking of OPSEC. And not just in general but typically something like this: “OPSEC, or Operational Security, is a 5-step…”
I honestly don’t know why this happens or what to do about it - I just know that every time it happens it sets us back just a little bit. OPSEC has a hard enough time getting accepted without people who should know better defining it incorrectly. In the world of OPSEC there is much room for disagreement on a number of topics but this isn’t one of them.
Which comes first; Threat or Critical Information development? Argue that all you want.
How should you define risk? Take sides and come out swinging.
What is the best way to prioritize vulnerabilities? Jump into the octagon and figure it out.
But - “Is it Operations Security or operational security?” is not open to debate.
So, to all of you getting it wrong I say: STOP THAT!

Keep the Faith!
Revelator

All Shook Up - Elvis
