Profile cover photo
Profile photo
Patrick McCulley
homo universalis
homo universalis
About
Posts

Post has attachment
Add a comment...

Post has shared content

#OPMhack and the Malfeasance of Leadership

In choosing the title for my first column on information security for @SiliconAllee, the subject matter and title of the column came to me immediately: 

"A Sound Security Strategy Begins with Leadership"

This title, and subject matter, directed specifically at the leadership in organizations came about as a result of my experiences over my 18 year professional career in Information Technology, starting first as a lowly bench tech at a local computer store. Throughout my 18 years, I have witnessed all manner of professional neglect and malfeasance by every level of labour, from tech-support representatives to CEOs. By far, the most egregious examples come from leadership - especially that which I encountered during my time as a Civilian Contractor in Iraq and Afghanistan. 

From June of 2007 to December of 2010, I worked as a civilian contractor in the sandbox: I was responsible for the unclassified and secret classification networks on two separate military bases, known by their acronym-colloquialisms of "NIPR" and "SIPR"; the astute reader may guess as to which acronym applies in each case. During my tenure, I witnessed (and vocally protested) a number of egregious violations of U.S. Department of Defense Information Assurance policies and best practices, which I both attempted to correct and reported to my superiors. The problems became so bad, and were ignored to such a point that they ultimately resulted in my willful quitting at the end of a 6-month contract in November of 2010. I had reached the limit of what I was willing to put up with, and I decided ultimately that the responsibility for those violations, despite my attempts to reverse them, would no longer be a source of personal stress.

Upon reading about the intrusion into the Office of Personnel Management, I instantly realized the implications: The OPM is the clearinghouse and repository for Standard Form 86 - the SF86 - the security clearance background investigation form. 

My data is in this database. 

I begin thinking about the violations of Information Assurance best practices and policies which I had encountered during my time in the sandbox, and I realized with sadness that this amount of security malfeasance was not relegated to warzone corner-cutting, but likely extended to the whole of the Department of Defense - a realization both sobering and rage-inducing. 

In both my personal and professional opinion, no greater responsibility exists than to that of persons within your area of responsibility. 

As a parent, this is to your children. 

As a military commander, this is not only to your subordinates, but to the mission as a whole.

As a politician, this is to every single person in your nation, and every person your policies affect. 

As a CEO, this is to your employees, your customers, and their associated loved-ones. 

As an IT professional, this is to the confidentiality and integrity of the personal data of all who fall under your watch, irrespective of the level of sensitivity, irrespective of their rank or title, irrespective of personal disagreements, grudges, political or ideological differences, and absolutely irrespective of your own personal shortcomings: You are the gatekeeper, the keymaster, the ultimately responsible individual upon whose shoulders the peace of mind of so many persons rests. 

When I first arrived in Iraq, it became immediately apparent that I was one of a very small number of persons who took the above concepts seriously. 

A fellow network administrator managed to bring down one of the networks - twice - through an incredibly amateur mistake, resulting in a full calendar day of downtime for said network each time. After the second incident, he was barred from working on the networks in any capacity, and fired. Yet, it took those serious incidents for anything to be done about his incompetence: I had already reported him for numerous procedural violations, and sent scathingly negative emails with regards to his professional competence to my superiors, highlighting only technical reasons why he should not be allowed to continue in his position. My superiors dismissed my concerns, as his on-paper qualifications greatly exceeded mine. The network admin in question claimed to have been a "Cisco netadmin for 25 years". The astute reader may do the math for themselves.

A PSTN switch operator on the same base was found by one of his colleagues to be purposely terminating calls of individuals whom he disliked, motivated (in self-advertisement) by his vocal racism and extreme right-wing political views. Together with the colleague who discovered his wrongdoing, we reported him to the Inspector General and he was subsequently fired. I heard through the rumor-mill that he was also arrested, yet I could not confirm that detail - I could only hope he was brought before the appropriate authorities.

On the same base, a lockdown incident occurred when one of the systems administrators found a computer in the "Network Neighborhood" complying to the unclassified network naming scheme on a private internet service run by a local Iraqi on the base. After a B-Hut (plywood shacks where we lived) by B-Hut search of the base, the offending system was finally located - and it was the personal laptop of another systems administrator, who had named it according to the unclassified schema. When questioned, he admitted that he had done so (and forgotten about it later) so that he could plug his personal laptop into the faster military internet connection to download Windows Updates. Instead of resulting in the termination of his employment, he was moved to a different base. The offending systems administrator had revealed to me beforehand that this was his first IT job: he previously worked as a personal trainer, and had no prior IT background. 

On the same base, I discovered that a Group Policy did not restrict the use of removable media - even for user-level accounts. I immediately brought this to the attention of the appropriate Information Assurance Security Officer for my region, complete with my outlined recommendation for remediation - and was promptly told that the restriction would not be implemented because the regional commander wanted to be able to use his thumb-drive. I was infuriated. I could not fathom the reasoning behind allowing such a flagrantly dangerous policy violation to continue, even if the order came from such a high-ranking individual: to me, this seemed to be an absolute recipe for disaster. 

Indeed it was. 

Unfortunately at this point I must omit a number of accounts of security violations which involved the classified network and its users, as the non-disclosure agreements I signed prohibit my discussion of them; even the general description of these violations would be in breach of that agreement. 

The unfortunate result of these violations was Operation Buckshot Yankee. 

I will leave it up to the imagination of the astute reader as to what this entailed and its associated implications. 

On another base, my superior two-tiers above regularly insisted (and pressured me with threats of write-ups, termination and other nastiness) that I take actions in the course of my daily work which required violations of Department of Defense security guidelines. My direct superior discovered that his CCIE certification was a forgery (he claimed his CCIE number to be 12345, which was clearly a different individual), on top of his many procedural violations. His malfeasance became so intolerable that it eventually drove me to quit, as my numerous reports of his violations went entirely unheeded: my concerns were dismissed as a "personal conflict" with the superior in question, and my concerns (entirely technical and procedural in nature) were dismissed out of hand. Upon announcing my resignation, I included a six-page letter which I CC'd to the military commander to whom I was also responsible, knowing that if I took the violations outside corporate channels that my concerns would be heeded, albeit at the cost of my future opportunities for employment in the same industry. As I waited for my flight from Afghanistan to Kuwait, I learned from a colleague that the superior in question had just quit: and been hired by a rival defense contractor for more than twice his previous salary.

In my humble opinion, the personal responsibility and accountability of leadership leaves no room for this type of misbehavior: the betrayal of the trust of the persons in your area of responsibility through negligence, carelessness, incompetence or willful malfeasance cannot be forgiven: these are choices, made consciously by the individuals involved, to betray the trust of persons who depend on them to perform the very duties which they themselves cannot, be they in a corporate, civilian contractor, military or parental capacity.  

People depend upon you. If you make the choice to let them down, you are a terrible person. 

My experiences in the sandbox had a tremendous impact upon my views on personal responsibility and accountability: I was tasked with ensuring the uptime and efficient function of the networks I was assigned to operate and maintain. I learned within the first week that important emergency medical communications were conveyed over my network, and that if the network went down, these communications could be affected. I realized that if my network was down, and the military was forced to utilize an alternate method of communication, time would be lost: an extra 30 seconds in calling for a medical evacuation helicopter could mean the difference between life and death for a wounded serviceperson. I made a mental resolution that this would not happen on my watch: I would not let anything come between me and the responsibility I felt towards my fellow human beings in that environment, who depended upon me directly to do their jobs. 

Unfortunately, this philosophy does not seem to be shared by every other individual, as highlighted in the accounts above.

Unfortunately, the malfeasance, lack of accountability, irresponsibility and fucking incompetent malaise of charlatanism appears to be a systemic disease within both the public and private sectors, with regards to information security. 

The #OPMhack does not surprise me in the slightest.

On a final note: Shortly before my resignation from civilian contracting in 2010, I received a request from a U.S. Army General - a request which violated DOD security policy. I delivered, in person, my response that I would not complete the requested action; the general asked me "Why?" - I responded "Because it is a violation of DOD security policy sir." 

His response: "Oh. Never mind then - carry on."

(Edited, for spelling. Oops.)
Add a comment...

Let's talk about this footage for a moment:

You're seeing the very first attempt at something so complex it can only be described as truly future-tech: a self-guided, re-usable rocket, landing, vertically, on an automated ship. The only reason it crashed, is the hydraulic fuel ran out. Next time, they're going to top off the hydraulic tanks, instead of leaving them half empty (who does that?).

That's how good our technology has become. Tesla's gigascale battery factory is about to make the electric car an affordable reality for the common buyer, churning out battery packs charged by efficient solar panels on its roof. 3D printing is revolutionising manufacturing, as the world begins the next industrial revolution. The self-driving car will put transport and taxi drivers out of a job, and the self-sailing ship will put container crews out of business.

Change is coming.

https://twitter.com/Alex_Parker/status/556183781770395648
Add a comment...

No Quarter to Science Deniers

I made a New Years Resolution for 2015: 

I will attempt to clash with as many science-deniers, dudebros and bigots as I possibly can, in the most antagonistic manner possible. 

Why? What's the point? What good does it do, to antagonize anti-vaccine folks, climate-deniers, science-deniers, religious bigots and right-wing totalitarians? Shouldn't clear, fact-based communication and tolerance & understanding be the way to win hearts and minds? 

No. 

Here's why: Their minds are already made up. Their hubris consumes their thought process. No amount of evidence provided, no matter from how many experts, no matter how many independent lines leading to the same cause, nothing will change their minds. This particular brand of people are more willing to trust their own delusional grasp on reality, than on experts in their field. 

These people are willing to believe celebrities like Jenny McCarthy over actual statistics on the use and effectiveness of vaccines over the last century. They prefer to believe conspiracy theorists like Alex Jones, Art Bell and Matt Drudge, rather than the legions of scientists who have dedicated their life's work to climate studies. 

They are beyond reason, beyond any attempts at rational communication: they are wholly convinced of their correctness. 

The choice to "believe" crazy crap like "vaccines cause autism" or "humans are not responsible for climate change" is a choice: choices do not have to be respected in the same manner as things which are out of your control (skin color, bodytype, sexual orientation). 

A choice says more about your character than any other singular thing observable about you: your skin color is irrelevant. Your sexual orientation is irrelevant. Your height, weight, complexion, eye color, teeth, even your choice of clothing pales in comparison to the way you choose to conduct yourself when it comes to matters in which you are clearly not an expert. If you choose to ignore scientists, if you choose to say things like "I don't believe in global warming", you are displaying something to the world which cannot be condoned: your character is so shallow and fearful that you cannot overcome your own hubris and admit that you don't know what the fuck you're talking about. 

As such, I refuse to respect that choice: I refuse to be civil to science-deniers, vaccine-deniers, climate-deniers and every other brand of delusional fuckwhistle: a choice is a choice, and your choice to believe crazy crap is fair game for my fucking vitriol, since rational discussion and multiple lines of evidence bounce right off your thick skull. 

Signed, 

Sick of your bullshit
Add a comment...

Post has attachment
Add a comment...

Post has attachment
3 hour practice session - still life, fruit. Source photo: http://www.pxleyes.com/photography-picture/4b97e566d8dff/pears.html
Photo
Add a comment...

Post has attachment
Practice - still life
Photo
Add a comment...

Post has attachment
Re-learning how to paint, from the ground up. This is the first one I've completed using a new technique, a study of a still from "Oblivion". Enjoy.
Photo
Add a comment...

Disastrous Practices - Part 3: The importance of security considerations on uptime and profitability. 

http://news.siliconallee.com/2014/04/29/disastrous-practices-part-3/
Add a comment...
Wait while more posts are being loaded