Amélie E. Koran
Senior Fellow, @AtlanticCouncil. @DarknetDiaries #91. All opines are my own. RT/Fav/Follow≠Endorsement
Jul 5, 2022 26 tweets 5 min read
After a long think this weekend (while not on pain meds) - I still believe that standards & policy bodies for infosec - are still way out of touch with the day-to-day challenges and operations of a security apparatus. It's great to generate data, but have it support decisions. 🧵 If I were to ever think of developing a standard, especially one that relied on collecting data, I'd work backward from what I want as an outcome - versus throwing the kitchen sink in to collect "all the things" & then try tying stuff together with tools. However...
Jul 4, 2022 6 tweets 2 min read
Well, I'm able to walk again today. Slowly, but... was actually able to leave the bed after 12+ hours...

Value your mobility & motion while you can... you never know when an injury that becomes a permanent disability. I took my younger years for granted. ... I will also add... when you see me, and I move to sit down when we are talking, or lean, or move slowly at a conference... this is generally what I'm hiding or dealing with. I have a pretty high pain tolerance - a unique thing I believe - but there's times it's too much.
May 3, 2022 6 tweets 1 min read
I do have several ideas for security products/services, but figure if I can't code them myself, it's not worth sharing. Problem is, they'd be useful to the community because they take a wider approach to risk scoring, technical complexity, and nature of a threat environment. Doing reviews of some work streams for some reviews I've performed in the past and present, there's lots of good "bubbles" but not something holistic in the approach. It comes from folks living in those silos/streams/bubbles, and that's an issue.
Jan 14, 2022 37 tweets 7 min read
So the one thing folks need to know about DC multi-lateral conferences, is that not much new or substantial ever gets said. Especially a time boxed one with limited attendance. The @WhiteHosue #opensource one is no exception & here's a telltale sign. The fact that every major corporate participant had a press release or blog post ready was a sign there were talking points, and limitations to a bit of creative suggestions. I'm sure side convos happened, but... not during the event. Usually scripted heavily.
Aug 30, 2021 7 tweets 2 min read
Headlines for the day.

As somebody who led a group to modernize case management at the IG, when dealing with such things as evidence and legal docs, we were cognizant of file issues.

This is just laughable. However, there's also more to this... Before I jumped to the private sector, I had interviewed around in DC for another Federal role, which included interviewing for the CIO role at the US Tax Court.

Talking to them about their tech choices, while rather modern in name, were still limited, because...
Jul 17, 2021 24 tweets 5 min read
So... I think I have a rather interesting talk idea about a "black hole" zip code and fake street addresses I noted earlier.

Funny about zip codes, especially when you enumerate them... you trip over all sorts of other things you probably aren't supposed to. Whatever I detail here is from OSINT; I only gathered this from what folks have hinted at and my own research, so let's roll down this rabbit hole. I didn't sign a non-disclosure agreement about it, so this will be as if I heard it in a public space.
Jul 16, 2021 5 tweets 2 min read
Guess who now has a cop bike… the best part is that lovely weather sealed radio box with power outlets for a mobile compute/wifi snarfing platform.
(Just under 20k miles… with all the functional bells and whistles… traffic will never be the same) Looks like the box of goodies (parts) also included a mobile radar emitter.

This is gonna get fun.
Jul 15, 2021 5 tweets 1 min read
I love the ridiculous abuse of having a studio setup for music that is also my day-to-day office... playing surround mastered music soothes me after a busy day of trying to do 8-gazillion things... with 3-gazillion things to do before nightfall...

current playlist: P. Gabriel "Hits" "Don't Give Up" with Ms. Bush is quite the inspiration...
Jul 15, 2021 9 tweets 2 min read
I know I'm an outlier - but I'm literally taking a required course on something I gave a presentation on officially for my org... I do really wonder what my score at the last quiz will be... I hope it's not some weird CISSP "grey area" answer BS - LOL Wonderful..., the first "test" - the "pros and cons" of OSS had at least three answers which, while classified as "cons" actually aren't if put into context when in a mature or at least accepting org for FOSS. Lovely.

Will be issuing feedback to course devs.
Dec 24, 2020 32 tweets 7 min read
BTW, a little primer that got buried in a recent thread - but is applicable for the "Why didn't the US Government do better for the #SolarWinds since we threw so much money and resources at it..." - the simple answer is, "we didn't, actually" and here's a little why. #thread I officially became a Fed in 2010, but was a contractor in 2006/2007 and an FFRC staff 2009/2010, so I go back a ways... but the Federal budgeting process has changed a little in that time... thank you deficit spending.
Dec 23, 2020 5 tweets 2 min read
Nope, nope, nope, nope. You tickle the wrong sh*t and that's the end of things. You will hear it from agency leads as well as mission folks. Imagine tickling a dam control system at BOR, and whoops, flood. VA hospital... the folks there need at least a ride-along. #BadIdeasOfBad There's reasons that you have permissions being granted, and it's not to hide stuff, but there are systems at NIH & CDC (lab systems), LE systems at multiple agencies, CIP at Interior, medical at VA that require scheduling to not affect operations - this is just dumb on its face.
Dec 22, 2020 7 tweets 2 min read
You know, reading this NYT, I have a theory... & oddly it’s maybe traced back to the #CDM program. This was the first government-wide effort to enumerate agency infrastructure, down to core components & architecture. Which could explain why #SolarWinds was an effective vector 1/ So they say they got into Treasury D.O. accounts (Departmental Offices). But thinking, if this went back always for 2019 and prior, I think about how casually docs for CDM were shared between the agency leads and the contractors doing CDM. nytimes.com/2020/12/21/us/… 2/
May 3, 2020 14 tweets 4 min read
so everybody seems to have harped on the FB/Twitter/Insta post about the pizza food truck owner and his @Grubhub bill and subsequent minuscule take-home. However, there's a little more to unpack, and while I'm not defending either, always look at your data and ask questions. 1/ He had 46 orders for a total of $1042.63 - $22.66/order avg. - which, if a regular pizza joint in a highly populated area, is sort of average for a 16" pizza. - if a food truck "long" pizza, that's like two takeaway orders. And note, he said "food truck", so this isn't B&M 2/
Jan 16, 2020 11 tweets 3 min read
it still hurts when I sit in a conference talk where government "cyber workforce" discussions occur, and they still beat the same drum that hasn't worked for years, and realize that none of them come to things like BSides, Defcon, Shmoo, and others to have a realistic discussion; they merely talk about frameworks and policies, but nothing actually actionable or results... granted, having also sat in on agency discussions where there was a lot of, what could be best described as "whining", but no after action to address those concerns...
Nov 26, 2019 18 tweets 8 min read
It still boggles my mind that we will have people flock to conferences about the latest and greatest thing, and then come back to their org wanting to do that latest and greatest, but not be willing to invest in the basic work required to shore up and mature the org to fix stuff. "I want to do $buzzword_tech" while not even taking a moment to possibly get all their systems to a maintainable standard, reliable inventory and maintenance cycle, and repeatable and reliable processes. Again, like building the Burj Khalifa on quicksand. gizmodo.com/without-trucks…
Dec 28, 2018 12 tweets 2 min read
I figured it was worth a little explainer for the Anti-Deficiency Act and relation to IT operations and shutdown activities. I write as somebody who's been through a few in various roles... (1/12) To clarify on the “it’s a static site, why can’t they…” comments. Each agency affected typically has a mix of appropriated funding: “no-year” & annual, each with time limits of when and what it can be spent on as well are... (2/12)