26. August 2008 by Revelator.
An excerpt from SCIENTIFIC AMERICAN magazine, May 1908 (that’s right 1908 - 100 years ago…)
“Soon after the first reports were received regarding the flights being made by the Wright brothers in testing their aeroplane, a considerable number of newspaper correspondents visited the scene of the trials among the high and pointed sand dunes of the North Carolina coast south of Norfolk, Virginia. The brothers refused to make any flights, however, when the reporters were near at hand, and so the gentlemen of the press were obliged to keep in hiding nearly a mile away from the scene of operations, and to merely watch the machine from afar through spyglasses when it was flying.”
The term OPSEC may have been coined by the original Purple Dragon crew but many examples of OPSEC in action resound throughout history - this is but one more.
Keep the Faith!
Revelator
Enter Sandman - Metallica

Posted in OPSEC in History, OPSEC and Media, General OPSEC
25. August 2008 by Revelator.
Here’s a random non-OPSEC thought: Do you think millions of twenty-something Chinese people are running around with American symbols/letters on their arms, necks and the small of their backs? Do you think their friends are coming up and asking; “Dude, is that American or what? What does that mean? Is that the symbol for luck or wisdom? Man, that is soooo cool.”
Somehow I don’t think so. And by the way, none of the Americans I see with these Chinese symbols/letters tattooed into their skin look remotely Chinese. So I must confess, I don’t get it. But then I’m old. I think if I wanted to convey to people that I am honest, or lucky, or blessed with great wisdom then I would use the English language to convey this thought so that no one would ever have to ask me what that damn thing on my arm means.
By the way - I have six tats myself so I’m not picking on those who chose to get inked - I’m just saying.
Keep the Faith,
Revelator
China Girl - David Bowie
Posted in Uncategorized
1. August 2008 by Revelator.
Every organization I’ve ever assessed, military or civilian, spent an inordinate amount of time, money, manpower and resources protecting information that had already been compromised. I know it doesn’t make a lot of sense but here’s one way this happens. An organization has an outdated Critical Information List (CIL) - or one stolen from another…did I say “stolen”? I meant benchmarked. So they have a “benchmarked” CIL from another organization - either way, they find themselves (quite unwittingly) with a bad CIL. And then they go about trying to protect all the information on the CIL without giving any thought to the reality of the situation and they’re wasting time, money, manpower and resources.
But how do you know truly what is already known about your company or military organization? Get, or perform yourself, an Open Source assessment of your own organization. Start by looking in the mirror - cuz baby, you ain’t seen nothing yet if you haven’t done this. That’s right, start with looking at your own web sites. I’ve seen a lot of corporate (and military for some unknown reason) CILs that list items that are readily available on their web site. And I’ve got to ask; “Why are you telling your people to protect what is already available in open source?”
Now, civilian corporations are going to have a tough time with this because if you don’t advertise your products and capabilities you will lose customers. You’ve got to deal with your marketing and advertising departments don’t you? Yep - that’s a tough one.
I’ve sat in a number of assessment in-briefs where I’ve been told that the information I was about to receive was company proprietary and shouldn’t be talked about outside of the company and then they show me the exact information that I saw when I looked at their web site the night before! At this point, very early in the assessment process, it starts to get painful for them - this realization that we couldn’t get through the in-brief without highlighting a significant security concern.
So, whattaya gonna do now? Well, after you finish your Open Source assessment you most likely will need to rewrite your CIL so that it concentrates on protecting your truly sensitive or critical information that has yet to be compromised.
Can we hide that a military unit is deploying? Probably not. But can we protect where that unit is going and how long they anticipate being there? When hundreds of pizzas start showing up at the Pentagon (or we keep the food court operating 24/7) can we deny that something is going on somewhere? No, but we can protect exactly what is going on and where it just might be happening. When a car company is developing a new model can they hide that this new model is coming out soon? Probably not. But we can paint the car in weird ways and add some plastic molding so that competing car companies won’t get any good pictures of the car. Can we totally protect that we’re holding contract discussions with another company? Most likely not, but we can protect exactly what that contract will be for and how much it’s going to cost and how long it’s going to last. Was Henry Ford II able to protect the fact that the Edsel was coming out? No way. But did he protect the design? Absolutely not! You’ve seen the car - there was no reason to protect the design. Same goes for the Pacer, the Gremlin and the Reliant K. Focus here folks…
Spend your time, money, manpower and valuable resources protecting what isn’t already known.
Keep the Faith!
Revelator
You Ain’t Seen Nothing Yet - Bachman - Turner Overdrive
Posted in CIL, OPSEC Assessment
20. June 2008 by Revelator.
Dear OSPA Forum,
I’m just an average guy who hasn’t ever really had much luck with OPSEC. I’ve tried everything but nothing seems to work. I’ve bought OPSEC drinks, I’ve sent presents, I’ve sweet talked and cajoled but no luck. My friends are constantly busting on me cuz I can’t keep an OPSEC program for more than one date. Trust me, I know what it feels like when doves cry. Well, imagine my total surprise when just last week I met the OPSEC program of my dreams! There she was sitting across the room all by herself. I stole furtive glances in her direction but always turned away when she looked my way. My track record was so bad that I didn’t dare approach her. But then here she came - she was coming over to me. Oh my God! My mouth dried up and my tongue tied itself into knots. Butterflies were conducting strafing runs on my stomach and my palms began to sweat. Is she really coming over to me? What will I say? What will I do? She was so hot! Her dress left nothing to the imagination (and my imagination was screaming) and her eyes were boring through me right into my soul.
And then she sat down! I stared at her like a paralyzed deaf mute unable to do or say anything. I was sure she would realize her obvious mistake and leave - but she didn’t. And then she said something to me that I’d only heard in my fantasies; “Take me now or lose me forever.” Well, somehow I managed to get to my feet and get her back to my place without crashing my car - and that’s when it got real interesting…
Now you just know I’m not going to finish that story. Nope - I’ll leave that to your sordid imagination. All I wanted to do was give myself a reason to mention the OSPA Forum. The OSPA Forum is a place where any OPSECer worldwide can come to catch up, ask a question or just see what’s been going on.
There are currently 20 members registered. Of the 20 registered there are a good couple of bona fide subject matter experts who can help you with any OPSEC question you might have. Currently there are 6 categories, 22 topic areas, 73 individual posts and well over 2000 views. These numbers may not seem overwhelming to you but OPSEC is a relatively small community and we’re doing everything we can to support you, the practicing OPSECer.
So take a moment and check it out. Like the commercial jingle says… “And like a good neighbor, OSPA is there.” http://www.opsecprofessionals.org/forum
Keep the Faith!
Revelator
“When Doves Cry” - Prince
Posted in Program Management, OSPA, General OPSEC
18. June 2008 by Revelator.
Fellow OPSECers, I want to share with you an email the President of OSPA, Chris Cox, sent to his Board of Directors. I found it inspirational and educational. I hope you will also.
“I believe in OSPA. I have the passion of a madman, which is only possible due to a wife that has the patience of a saint. I believe because I know that I’m not the only one that understands that OPSEC saves lives and livelihoods. I believe because I know that each of you understands that, and that our members have picked up on that belief and that passion.
From the end user perspective, our message is out there. It is making an impact and that is what saves lives. Last estimate was that the semi-daily messages go to distribution lists totalling somewhere in the four figures, including almost 200 subscribers. Layne’s blog is getting thousands of hits each week, and the OSPA OPSEC Academy is going to be a true sign of our impact. It WILL be big - I guarantee it.
Don’t forget that we’re doing what we set out to do - to raise awareness of OPSEC and to increase the capabilities of the OPSEC Community and to give people the tools that they need to save those lives and livelihoods. And I’m proud to say we are doing that today. We are making those impacts. Of course, sometimes it is hard to see that direct impact from the Board of Director level but that doesn’t change the fact that every day, more and more people look to us and our site(s) for help and advice. We’ve changed the world a little…we CAN AND WILL do more.
We’ve received requests for assistance from three allied countries so far. We’re working with groups of Domestic Violence centers and schools. The Vanished Children’s Alliance (VCA) has asked for advice and guidance…the list goes on.
As for me, I just have to keep going back to what Layne said in the beginning: “We’re not here to speak for the Government or to represent the desires of the grey beards - we’re here for that poor SOB that’s in the trenches and needs effective OPSEC right freaking now! We don’t offer high-level policy or theory. OSPA will offer practical tools and experience-based guidance and advice that is designed to save lives.”
If we forget that, then we really are obsolete. That’s why I believe.”
Chris Cox, OSPA Prez
Keep the Faith!
Revelator
“What’d I Say” by Ray Charles
Posted in Uncategorized
13. June 2008 by Revelator.
A number of you have emailed me asking what is up with the entry titles so I figured I would explain. For no real reason whatsoever I began using song titles as titles for my entries. The problem (apparently) is that not all readers know who performed the songs and I keep getting emails asking about the artist so I decided I would take some time and fill you in on the past artists starting with the title on this entry and working backward. In the future I will include the artist’s name at the end of the entry for you curious few out there.
What’s Going On - Marvin Gaye
The Message - Grandmaster Flash and The Furious Five
Hot For Teacher - Van Halen
Welcome To The Jungle - Guns N’ Roses
You Can’t Always Get What You Want - Rolling Stones
Friends In Low Places - Garth Brooks
Purple Rain - Prince
Tumbling Dice - Rolling Stones
Thunder Road - Bruce Springsteen and The E Street Band
Revolution #9 - Beatles
Here Comes The Sun - Beatles
Keep the Faith!
Revelator
Posted in Uncategorized
13. June 2008 by Revelator.
Hear ye! Hear ye! Hear ye! I’ve got a message for you. It’s not the most important one I’ll ever give or the best written one I’ve ever given but it does go to the heart of an argument that has been raging since the early ’70’s. And the question is this: How long should a Critical Information List (CIL) be?
The best CIL I’ve ever seen was in an organization that required all personnel to wear badges within the confines of the building. The organization took their 12-item CIL - I say again their 12-item CIL - put it on a card and laminated it for all personnel to wear with their identification badge. Each person in the organization had access to the CIL at all times. This is about as good as it gets folks.
On the other hand, a good number of seasoned OPSEC professionals disagree with me on this subject. They’ll tell you that a “comprehensive” CIL is the only way to ensure that all of your critical information will be protected. Sound logic to be sure. Unless you take into account the human factor. I don’t know how many of you have photographic memories and can remember a 73, or 103 or 276 item CIL, but I sure can’t. 276 items! Are you freaking kidding me? How is this usable? My personal experience is that when I’m shown a CIL with more items than my wife’s grocery list I tend to ignore it. I know I can’t memorize it and if I’m on the phone or typing an email I most likely won’t consult the “Big Book of CILs” to see if I should be communicating the information. But if you show me a list that I can wrap my brain around, say about 20 items, then I’ll study that sucker and be able to commit most of it to memory. And even if I can’t memorize it I can pin it up somewhere in my cubicle where I can actually consult it quickly if need be.
There are too many things in our complicated lives to remember already. I’m forever writing things on stickies so I don’t forget them. Then I’ve got the task list in my Microsoft Outlook so I don’t forget anything. I’ve also got a long to-do list in my 7-Habits Daily Planner which is also loaded onto my Blackberry and then as a fail safe, I’ve got my wife around who is constantly reminding me of things I’ve already forgotten. And when I do make it to the grocery store my wife will make a list for me because she just knows I’ll forget something.
And finally on the subject of short CILs - remember the KISS Principle - Keep It Simple Stupid. The shortest Critical Information List I ever saw had only one item. “We are a military organization charged with protecting the freedom of the American peoples and their allies - keep your damn mouth shut!” I could argue that there should probably be a couple of more items but damn it - I like their attitude.
Keep the Faith!
Revelator
Posted in Program Management, General OPSEC
6. June 2008 by Revelator.
Congratulations! You finally finished. Six months ago you made it through the OPSEC course. Sure, you had an unrequited love for your instructor but so did the other 17 dudes in your class - get over it. Back in the real world you found that you had purple blood flowing through your veins and you headed back to work ready to kick some OPSEC ass. The spirit of the legendary Purple Dragon burned in your heart and soul and you began grinding your way through the five-step process. You were a BEAST! A big, fire breathing beast on an OPSEC bender.
You developed your new and improved Critical Information List like a crazed maniac who just discovered that mixing Monster Energy with a Red Bull and two diet pills will keep you rocking and/or rolling all night long…and then all day…and then all night long again. Your threat research was focused and spot on and you knew exactly what threats were targeting your sensitive information.
Vulnerabilities? Indicators? They didn’t stand a chance against a highly motivated OPSEC professional such as yourself. No freaking way! So you rolled on like the man-beast you are - ready for anything and everything.
Risk? You don’t need no stinking risk! You’re prioritizing risk better than David Lee Roth’s groupie-hunting roadie and you started to think someday you could actually get that OPSEC Certified Professional certification bestowed upon you as your beautiful wife looks on with love in her eyes. Finally, you developed and institutionalized your countermeasures and you just knew the effectiveness of your new OPSEC program would certainly earn you the Individual Achievement Award at next year’s National OPSEC Conference. You even searched on-line for hotels and flights to San Antonio. Ahhhhhhh, the warm feeling of a job well done. Sit back my friend - it’s Miller time.
On the other hand (typically a backhand with a big ring on it) there is one thing you’ve missed. One thing that is so critical to an OPSEC program that if left undone will render all your hard work worthless and you can kiss your coveted award goodbye. Brothers and sisters I’m talking about feedback. Think about it - without feedback how will you ever know if your carefully crafted countermeasures are working? How will you ever know if your education and training is having any effect? How will you know if your new visitor controls are working?
A lack of feedback, in any endeavor, equals a lack of success. Let’s take dating for example. If you’re not paying attention to feedback on a first date, chances are you’ll never see a second date. Whether you notice or not you’ll be receiving feedback all night long. Some positive and some negative. But even the negative feedback helps, doesn’t it? If you’re paying attention you will learn real quick what dating measures and countermeasures are or aren’t working and you’ll be able to adjust accordingly. Ignoring, or not seeking out, feedback can kill your program.
Have you seen people who ignore feedback? I know you have. Ever worked for that one guy or gal who just won’t shut the hell up? You know the kind - the one that’s still yammering on even after you’ve wandered away and are strolling down the hall? And ladies, I know you’ve been out in the social environment and there’s always that one guy who just won’t give up. He’s trying to chat you up, or buy you a drink, or get you to dance and instead of getting your subtle hints he just thinks you’re playing hard to get and doesn’t realize that you don’t think his never-say-die attitude is all that charming and as a matter of fact if he says one more annoying word to you he’s gonna end up wearing that Appletini you’ve been nursing.
All I’m trying to say is that you need to establish some feedback mechanisms for your OPSEC program. You simply cannot succeed working in the blind. You need to find out how, or even if, your OPSEC message is getting across. You need to check to see if your countermeasures are working as designed. Is the information you determined sensitive or critical being protected in the manner you desire?
Be the beast! One of the best feedback mechanisms you can employ is to get out there in the gen-pop and talk to people in your organization. Get the feedback you need and adjust your program accordingly so that your program at least has an outside chance to succeed. And guys, next time you’re out there searching for Mrs. Right or Ms. Right Now - keep your eyes and ears open. You just might learn something.
Keep the Faith!
Revelator
Posted in Program Management
30. May 2008 by Revelator.
Firewall and system probing, Network File Systems application attacks, email attacks, vendor default password attacks, spoofing, sniffing, fragmentation and splicing attacks. Where will it all end? Since this is clearly our biggest security concern why can’t we fix it? Why aren’t we throwing all our money, manpower and technical abilities at this problem? Computer crimes cost us $32 million in 2006. Boy, I’ll tell you what - somebody better do something quick. Unless the computer isn’t our biggest security concern…
But if (as I imply) the computer isn’t the biggest threat to the security of our organization or mission, then what is? Here’s a clue - look above. Didn’t you read all that stuff in the first paragraph? Of course the computer is the biggest threat to the security of your organization/mission. Or is it…
Well, duh. The computer and its evil spawn the INTERNET is just teeming with demon hackers who are trying to either crash or rape your system every minute of every day. It’s all over the news! Technology is killing security. Punks who were born with Playskool See-n-Hack starter laptop kits are wreaking havoc all over the technosphere. What’s an OPSEC Program Manager to do? Hell, you’re not the IT Security dude. You know nothing of firewalls, routers and DMZs. Face it partner - you’re screwed. Unless…I mean, unless the computer is not the biggest threat to the security of your organization/mission…
And here we are again. What is, and will remain, the biggest threat to security in your organization is the person in the next cubicle, or the next stall, or the next chair, or sitting across from you at lunch asking you to pass the pink or yellow stuff that really isn’t sugar but will kill you just as fast. Humans…whattaya gonna do?
I can’t count the number of times I’ve been allowed into “secure” facilities by people who should have known better. And you would be surprised how many buildings you can waltz right through when you’re wearing a UPS uniform and carrying a couple of boxes. You can have the best physical security money can buy for your building but if smokers leave the back door propped open for convenience…establish a great password policy but if your people write their passwords down…carefully screen all information you put on your web page but if Marketing feels the need to publicize…
The old saying is that we spend 80% of our security money protecting ourselves from outside threats while, in truth, 80% of our threat comes from within our own organization. The next time you head over to the fridge to see if anyone has left a Klondike bar without a name on it take a look around - you are surrounded by people who will unmaliciously give away sensitive information at the drop of a hat. They don’t mean to by the way. They just haven’t been properly educated about how NOT to inadvertently give away sensitive and critical information. That’s your job - now get to it!
Keep the Faith!
Revelator
Posted in Uncategorized
23. May 2008 by Revelator.
When I was an OPSEC Program Manager in the military I can’t tell you how much I appreciated when the boss called me in and told me that the “secret” deployment was in two days and they needed me to give the OPSEC okay to the plan. Yeah, that was always fun - and rewarding too. And then while I was in the corporate world I really enjoyed being told by a corporate honcho that the new product will be released tomorrow and do I want to look over the press releases that have already been sent out. You know…just to make sure they’re all OK from a security perspective. Ahhhhh, good times - good times. That always made the job worthwhile for me. I mean, what can bring more job satisfaction than knowing that you’re being brought into a mission or project at the precise moment that anything you might do will be a total waste of time? Boy, it doesn’t get much better than that. Assuming you have caught all the sarcasm that’s dripping off these words then I guess you’ve been there - done that - got the t-shirt - wore it - washed it - gave it to the “Poor OPSECers Fund Drive” - claimed it on your taxes.
But when should OPSEC be put into our processes or our missions? Is it during the planning phase? Is it sandwiched between planning and execution? Does it happen during market research? Does it come after product release or deployment? Boy, this is a complicated decision. So many factors, issues and considerations. So many things to deliberate, considerate, cogitate, meditate and contemplate. Seriously, there are just too many variables for me to answer that question. Except maybe this way…OPSEC begins at birth!
Every concept, idea or plan has an inception. And from there it has a defined life cycle. OPSEC must be considered in every step of the life cycle. We don’t wait until our children are five years old and then start to protect them. We don’t wait a year before we buy car insurance and we don’t wait until we’re wheels up before we start to add in some OPSEC.
Now, I understand that if you’re a regular reader of this blog you most likely are a fairly seasoned OPSECer and you’re probably hip to this little pearl of insight. So your challenge now is to educate your leadership and develop ways to ensure that you, as the OPSEC Manager, get invited to all those planning meetings that you’ve been missing. So get out there and bang down some doors. You need to be there - OPSEC needs to be there. Make it so.
Keep the Faith!
Revelator
Posted in Uncategorized
20. May 2008 by Revelator.
Q: How much money does a full-time OPSEC manager make annually?
A: It’s not about the money you self-serving SOB.
Q: Which really comes first; Critical Information Identification or Threat Analysis?
A: Some say OPSEC is an iterative process and you can do whatever step in the process whenever the hell it feels right. Others would argue that if you don’t have a threat then who cares what your critical information is. But for me - Saint Ron (Pres Reagan) listed CI identification first and that’s good enough for me.
Q: What is the best way to get leadership support for my OPSEC program?
A: There is no “best” way but here are some suggestions: begging, bribery, coercion, blackmail, threats, acid filled water pistol, doctored photos, water-boarding, repeated viewing of Molly Shannon skits from Saturday Night Live. Folks, I really don’t have a solid answer for this one. Sometimes you just get lucky and have leadership that understands OPSEC and its importance to the mission. Other OPSEC Managers are just real good salesmen who convince management of the need for OPSEC. If any of you out there have a good idea or war story please click the comment link and I’ll get it to the masses.
Q: OPSEC says to avoid stereotyped activities but there is validity in the thought that if it worked once it will work again. So isn’t OPSEC really saying that even though it worked once we really want you to try something different that may or may not work? And isn’t this harmful to the potential success of the mission?
A: Helluva question. I’ll leave this one to the readers to respond to - come on folks - send me your responses.
Q: Why do all the posters tell me to “Think” OPSEC? Wouldn’t it be better if I “Acted” OPSEC?
A: Clearly. “Thinking” something is great only if there is an action tied to the thought. Why just the other day I “thought” drive the speed limit - but I didn’t actually drive the speed limit so what good was thinking it? This morning I “thought” diet and then had four biscuits with about a quart of gravy. And come Friday evening I’m pretty sure I’m gonna “think” about not having that next beer - I think y’all can tell where this is going. Thinking OPSEC must be followed by performing some act of OPSEC.
Now I know that many of you have serious OPSEC questions. This entry is just my way of getting the ball rolling. If you have ANY questions about OPSEC that you would like answered please send them to me. We’ll treat them seriously and try to get some good answers for you. Of course we’ll also accept those sent in a humorous vein and do our best to respond in kind.
Keep the Faith!
Revelator
Posted in Uncategorized
16. May 2008 by Revelator.
Be they in high or low places you need friends if you want to do this thing we call OPSEC. I guarantee you that your workload will go up and your success will go down without your own OPSEC professionals network. People out there are doing some great and innovative things that you need to know about. None of us should work in a vacuum. Communicate with other OPSEC managers. Join OSPA or the OPS. You need to make a conscious effort to meet new people. Go to the National OPSEC Conference or an OPSEC Forum. Get out from behind your desk and get to a threat seminar. When you get out to an event like a conference or formalized training you will meet people. You can’t help it. I make, at least, five good contacts at every event I attend. That’s five more people I can call or email when I’ve got a question. Five more people who I can share ideas with. Five more people I can “benchmark” off of.
Since our program here at the National Nuclear Security Administration, Nevada Site Office won the Organizational Achievement Award at the National Conference last month I get two or three calls or emails a week from people asking for assistance/help/guidance for some area of their program. Trust me when I tell you there is no way this program would be where it is today without the help and valued assistance from people I now call friend (starting with Wayne Morris who built the program I was fortunate enough to inherit). As for the calls for assistance, I do everything I can for these people. When you’ve been as blessed as I have then you understand that you must give back to the community in any way you can. Plus I feel I need to honor folks like Tom Ariosto, Wayne Morris, Lynne Clark, Dan Wilkinson, Joan Hellon, Scott Milliman, Bill Feidl and Pat Sipes who have helped and guided me so much over the years. I just hope that some day you are as fortunate as me to have such a fine OPSEC support network to reach out and touch when you’re in need.
And when, not if but when, you attend one of these events don’t be afraid to walk up to someone and say “Hi, I’m Joe from Colorado Springs. How are you today?” You can start with me. I’ll be your first contact (if it is me though and I just finished a 90-minute speech, please just follow me to the smoking area and chat me up there instead of keeping me away from the post-speech nicotine fix I need so bad). Whatever you do, just get the hell out there and talk to someone new and get that network working.
Keep the Faith!
Revelator
Posted in Conferences, Program Management, General OPSEC
15. May 2008 by Revelator.
Everything is affected by OPSEC. I say again, EVERYTHING is affected by OPSEC! Just think about it. The basic premise of OPSEC is that we’re trying to protect some…thing. Be that information, physical possessions, or ourselves. Whether we’re at work or at play. So we unconsciously fill our daily lives chock full of countermeasures to the myriad of threats constantly raining down on us. We wear sun block - we use unlisted telephone numbers - we lock our doors - we wear seat belts - we monitor our kids’ online activities - we wear girdles and butt-shapers - we have curfews for our children - we wear hairpieces and toupees and wigs and extensions - we make sure our hotel room isn’t on the ground floor - we dress our kids in full body armor so they can go ride their bikes, and we use industrial size shredders at home.
Countermeasures are everywhere! OPSEC is everywhere! For the next minute or so I want you to try to come up with an example of an area of your mission or your business that isn’t affected by OPSEC. At the risk of being redundant - everything in your organization is affected by OPSEC. Financial, personnel, admin, ops, logistics, maintenance, Human Resources, contracting, supply. From the Administrative Specialist you just hired to your CEO - from the lowest ranking enlisted member to your commander - from the number of cars in your parking lot to the sites you visit on the INTERNET - from your recall roster to that emergency supply order form - from contract rumors to merger scuttlebutt - it is all affected by OPSEC. Or more to the point - by a lack of OPSEC.
Go ahead - I dare you. Think of something right now that isn’t affected by OPSEC. When you think you’ve got one, click on the comments link and let the rest of us know.
Keep the Faith!
Revelator
Posted in Uncategorized
13. May 2008 by Revelator.
As some of you know I am blessed to have the honor and pleasure of travelling around this great country of ours giving speeches about OPSEC and Security Awareness. At each and every stop on my tour I get asked about Ray Semko, AKA “The Diceman” or simply “Dice”. I must admit it’s starting to get annoying when after each speech some well meaning audience member comes up and says something like; “Great speech! You educated and entertained me and we don’t get that around here too often. The last time was when that guy Diceman was in town. He’s great - do you know him?”
Yeah, I know him. I mean, we’re not swapping love notes in gym class but we’ve had a beer or two together over the years. Hell, he was the guy who convinced me to spend $300 on a custom robe and do my “Revelator” speeches as they were intended - full out. I first saw Ray speak at a National OPSEC Conference almost 10 years ago and he not only inspired me in my new chosen field but he also showed me that with enough knowledge and passion one single person could have an impact on many. I set some significant goals that day and later that night he encouraged me to pursue these goals with all my heart. Each of those goals has been met and I thank the Lord for putting Ray in my life on that day and night.
And now we come to this - as I was searching the web in support of some far-flung OSPA initiative I ran across a web page dedicated to my friend Ray http://cicentre.com/dice/feedback.html. Scanning the tabs on the left of the page I ran across one titled “D*I*C*E Store”. Well, I just had to click on it didn’t I? And as I scanned the list of D*I*C*E articles available for purchase I ran across these: D*I*C*E Boxer Shorts - a bargain at $19.99. I was told that I could “enjoy the roomy comfort of our sexy boxers as underwear or sleepwear. They’re 100% cotton, open fly…for thinking outside the boxers. Boxers, because you don’t want to be brief.”
Now I have mad respect for Ray Semko and happen to think he is a true American Patriot but dude - no way can I buy these. I see myself one day in a crowded bar where earlier I, and then Ray, wowed and inspired the audience with high-fever speeches and I’m yelling, “Hey Ray! I’m wearing your underwear!” Can you hear the deafening silence as every head in the bar turns to look at me with a mixture of disdain and humor? I can. And for this reason you can all rest assured that that sentence will never cross my lips.
And for those of you who keep asking me when Ray is coming to your town/base for a presentation check out the link above and ask him yourself. Better yet - invite him out. And one last thing - I’ve got a favor to ask; the next time you see a D*I*C*E speech go up to Ray afterwards and ask him if he knows when I’m coming to town again.
Keep the Faith!
Revelator
Posted in Uncategorized | Print | No Comments »
13. May 2008 by Revelator.
“Leaders are busy doing the things critics say can’t be done.” You may have seen this quote before. I read it in a book last week.*
As OPSEC Managers your creativity and the ability to see the road ahead are paramount if you wish to have any level of a successful OPSEC Program. Beyond that is the fortitude to not only see the vision but to act on that vision. As an OPSEC Manager you are frequently alone in your passion to push the program but you must not let this stop you. You’ve got to be like The Bandit and have that “..we’re gonna do what they say can’t be done” attitude. Rare is the unit/company who shouts Hallelujah! when the new OPSEC Manager shows up. Rare are the times you will walk into a meeting and all will hail you as the savior of the mission. Rarer still is the man or woman who can keep running into this wall of denial until it is broken down.
The sad fact is that you just may be the only one who truly cares about OPSEC. At least this is the attitude that you need to have. Don’t let people fool you - they don’t care…not really. I’ve interviewed a number of OPSEC Managers who are quite sure they have the support of the people in their organization. And I’ll ask them; “How’s your program working?” And they’ll go on and on about all the great stuff they’ve done. Unfortunately, I get a different story when I interview people within the organization. Invariably, members of the unit have no idea who their OPSEC Manager is and if they do actually know a name, they have no idea what the OPSEC program means to their mission. What about you? What about those of you who may have been hired or hand-picked as the OPSEC Manager? Surely, you care about OPSEC. Right? Well, maybe. And maybe not. I’ve seen a lot of people get burned out by OPSEC because of the abnormally high frustration levels associated with repeatedly trying to accomplish something you know is right and getting beat down by leadership or those who run the mission. I mean, you are just the OPSEC guy or gal, right? Not only have I seen this - I’ve experienced it first hand, and it’s not pretty.
You try to do a good job and you either don’t have the support of the big dogs or you’re kept too busy doing other “more important” tasks or, maybe, just maybe, you don’t really care about OPSEC at all. Maybe it’s just a paycheck or a silly little additional duty. I’ve met these people and I can see it in their eyes. You can tell they just don’t have a passion for this stuff. I can’t explain it but I’ll be honest with you - the passionate people are in the minority. And it’s rather sad because you can’t be a half-assed OPSEC Manager. You can’t simply satisfy the minimum requirements and expect to have a positive effect on the mission or the lives of those executing that mission. You can’t send out an 18-slide PowerPoint presentation as your annual training and expect it to mean anything. You can’t walk up to a group of shooters about to execute a mission and tell them they can’t do something because you say so. You can’t be so removed from the leadership that they never think to call on you when they are making long-range plans. You can’t stick your head in a sales or marketing meeting and shout “Think OPSEC” and expect it to positively affect the outcome of the meeting. You can’t wait until all the jobs are posted and then run to HR and beat them down for putting too much information in job postings. And you can’t expect your coworkers to give a you-know-what about OPSEC and how it affects the mission and their lives if you haven’t repeatedly told them - if you haven’t made it personal to them - if you haven’t fully demonstrated how it affects them personally.
Understand this; as an OPSECer you are outgunned and under-equipped for the job you’ve been asked to accomplish. Boldness under such circumstances may seem almost foolish, yet boldness may be the one advantage to have. Unlike those who lead in battle, your life may not be on the line as the OPSEC Manager - but lives, jobs, your co-workers’ welfare, and their families’ welfare may be. Your program may have less muscle, so you will need more brains. You have to reorient your thinking, behavior and strategy. Pull off the sunglasses of pride and arrogance, and drop them in the nearest trash can - you’ll see the road ahead and the obstacles more clearly without them. Then get yourself out on that road and kick some OPSEC ass!
Keep the Faith!
Revelator
*The Centurion Principles by Colonel Jeff O’Leary (Ret)
Posted in Program Management, General OPSEC | Print | No Comments »
9. May 2008 by Revelator.
That’s right - Internet blogging is indeed the 9th revolution. I’ve done all the research and historians have succinctly reported that out of all the revolutions throughout history blogging is the 9th. That or I made all that up just so I could continue my recent habit of song titles as blog titles - your call. Number nine. Number nine. Number nine. Number nine…
From the Wikipedia Blog page: A blog (an abridgment of the term web log) is a website, usually maintained by an individual, with regular entries of commentary, descriptions of events, or other material such as graphics or video. Entries are commonly displayed in reverse chronological order. “Blog” can also be used as a verb, meaning to maintain or add content to a blog. Many blogs provide commentary or news on a particular subject; others function as more personal online diaries. A typical blog combines text, images, and links to other blogs, web pages, and other media related to its topic. The ability for readers to leave comments in an interactive format is an important part of many blogs.
Current estimates say there are in the neighborhood of 15 - 20 million blogs out there for your enjoyment. Teenagers have created the majority of blogs. Blogs are currently the province of the young, with 92.4% created by people under the age of 30. Half of bloggers are between the ages of 13 and 19. Following this age group, 39.6% of bloggers are between the ages of 20 and 29. (http://www.caslon.com.au/weblogprofile1.htm)
If you are even marginally in touch you’ve no doubt heard of the problems the military has had with military based, military support and personal blogs of military throughout the blogosphere. Thousands of bloggers are putting information out there that from an OPSEC, or even a common sense perspective, should not be there. On the plus side, the majority of these blogs are now espousing OPSEC and demanding that sensitive information not be put in comments on the blog. Certainly this is a very good thing and while we’ve still got some problems out there it is good for an old OPSECer to see that the problem is correcting itself. Here are some examples:
“The U.S. Army has ordered soldiers to stop posting to blogs or sending personal e-mail messages, without first clearing the content with a superior officer, Wired News has learned. The directive, issued April 19, is the sharpest restriction on troops’ online activities since the start of the Iraq war. And it could mean the end of military blogs, observers say.” By Noah Shachtman
Operational Security: If you know where a soldier is deployed, the return date, or any other information, please never give this information out to anyone, ever. The enemy loves to search for pieces of the puzzle of how to hurt us any way they can. Never post last name, location, contact information, unit details, morale status or even rank of someone you know who’s deployed. In today’s world of terrorism, this is especially important. http://www.honorguardbugler.com/2008/04/notes-on-opsec.html
I think it’s worth reminding OmniNerd users (many of whom have military affiliations through service, family or acquaintance) to be cognizant of the information posted. OmniNerd received a news post on 5 August from the Army of the Mujahideen containing links to graphic videos depicting death and violence to US service members. This means OmniNerd’s content was profiled by terrorists either for the user base or the types of hosted discussions. While initially rejected, I posted the content here to serve as a reminder of who may be reading your posts and the threat still facing Western states. http://www.omninerd.com/blogs/OPSEC_Awareness
OPSEC is the reason that organizations like Soldiers Angels or Anysoldier.com don’t just post the addresses of deployed soldiers for everyone in the blogosphere to see. You have to join those organizations and be approved by them, to receive addresses. OPSEC is the reason that I did not post the address of my fiancee’s son on this blog, when he deployed. The people who wish to support him (and our unending Thanks! to all those great folks who have been sending him letters and care packages!) are people I know, and feel comfortable giving his address. OPSEC is the reason that Soldiers Angels says “Please do not post the name, etc. of your soldier, without his permission.” And it’s the reason that I usually redact the identifying information from any part of a note I receive that I do repost on here. Http://journals.aol.com/kasee267/SupportingtheTroops/entries/2008/01/28/just-a-reminder…opsec/1542
And finally: We’ve had quite a bit of OPSEC violation on the community recently. Just a reminder that you just can’t post dates, times, travels, discuss particulars about weapons, locations, etc. here. There ARE people out there who join communities like this to gather information. Don’t kid yourself. Will it get someone killed? You don’t know. The safest bet is just don’t do it. If you’re not sure if you should say it, err on the side of caution and just don’t say it. So here’s a basic list of what not to say or do:
DON’T post specific dates your SO goes on deployment, leaves for R&R, redeploys, PCS’s, or moves from one place to the next.
DON’T post specifics discussing weaponology, though that has not been an issue here, I’m just saying.
DON’T post where your husband is stationed if he is in a combat zone (i.e. what base he’s at in Iraq or Afghanistan).
DON’T post the times your husband will be in transit from base to base in a combat zone, or travel times, period.
DO black out or otherwise blur nameplace, unit and branch patches if posting pictures.
Those are the main infractions.
FROM HERE ON OUT I WILL DELETE WITHOUT WARNING ANY POST THAT VIOLATES OPSEC TERMS.
I’m tired of reminding people. Call me bitchy, I don’t care. Read and follow the rules. http://community.livejournal.com/militarylove/706293.html
Keep the Faith!
Revelator
Posted in OPSEC and the Web, Uncategorized | Print | No Comments »
6. May 2008 by Revelator.
As I sit and try to come up with thoughts on the National OPSEC Conference a literary quote comes to me - “It was the best of times, it was the blurst of times.” Did I say literary? I meant cinematic. And by cinematic, I meant The Simpsons.
As an OPSEC Conference it indeed was an outstanding event. Great speakers, honored original Purple Dragons, record attendance, deserving award winners, fantastic location, free Starbucks coffee, snow, trinkets galore, OPSECers dancing on the “Coyote Ugly” bar, the Final Four at the ESPN zone and a chance to see old and dear friends. As OSPA Vice President, though, it was the second most stressful week of my life.
And yet - here I am. Here we are. Still bloody from the battles but healing from the hurt. Warm embraces come not in the light of day but in the shadows of the night. Encouragement is not shouted from the mountain tops but whispered on the wind. And yet; we fight on.
As Goethe said “Encouragement after censure is as the sun after a shower.” So I stand in the sun now; drenched in the encouragement of those who care - showered in the strength of the true believers - lifted up by those in need. And the OPSEC world spins on…
Big Mama IOSS still rules the roost. Big Daddy OPS is still the biggest and baddest society in OPSEC and OSPA is still that paradigm battling punk in the torn “Anarchy” t-shirt who just won’t go the $#&@ away.
And the question isn’t where your loyalties lie. Nor is it whose side are you on. No; the question that remains is this: What have you done for your OPSEC Brothers and Sisters today?
Keep the Faith!
Revelator
Posted in Conferences, OSPA | Print | No Comments »
25. April 2008 by Revelator.
Layne “The Revelator” Marino has asked me to pass along the following message:
He’s alive, well, and will be back blogging soon. He’s currently TDY conducting OPSEC training, and is looking forward to checking in again.
Look forward to his next blog soon!
Chris Cox, OSPA President
Posted in Uncategorized | Print | 1 Comment »
24. April 2008 by Revelator.
While the conference was a rousing success for OPSEC, in general, some valid questions regarding OSPA were raised. To address those questions, OSPA is indeed a registered non-profit 501(c)(3), incorporated under filing 800132682. At the time of the conference, OSPA was recognized as a non-profit, while the bureaucratic formalities were in process.
Also, OSPA’s web servers are located in Kansas City, not overseas, as was rumored.
Many of you contacted me with these concerns, and I thank you for sharing your thoughts with me. I truly hope that this clears up any confusion.
Chris Cox, OSPA President
Posted in Conferences, OSPA | Print | No Comments »
17. March 2008 by Revelator.
So, I’m at my local Chinese joint and after a very nice meal I eagerly await the delivery of my Fortune Cookie. What wonder of the future will it foretell or perhaps what evil must I avoid this week? When it arrives it is my custom to eat the whole cookie before reading the fortune thus ensuring that I have “earned” the fortune given me. I don’t trust people who tear open the wrapper, bust the cookie in half, tear out the fortune and then toss the cookie aside. It shows a lack of respect for a 99-year-old tradition with its roots in the mystical environs of either L.A. or San Francisco. Either way - it’s just rude, man. So after I eat the cookie I slowly unbend the small paper in anticipation of the prophecy that fate has put into my hands. Here is what it said: “Society prepares the crime; the criminal commits it.”
What the?! THAT’S my fortune? Is that even a fortune? I mean, they are called “fortune” cookies right? What the hell? It’s not even uplifting. At this point I am teetering on outrage and in danger of embarrassing my long-suffering wife. Instead of taking it out on the staff my oh-so-patient wife convinces me to take a long pull on the Plum Wine and check myself. So I did. I mean, it’s not the restaurant’s fault so why take it out on them?
Some time passes and out of curiosity I ask my wife what her fortune read. She adeptly dodged the subject which made me even more curious and after some time I convinced her to show me her “fortune.” Here is what it said: “You love challenge.” Well what the hell kind of fortune is that I ask you? Fortune? That’s not a fortune! And by the way - my wife doesn’t love challenge. Sure she likes a good challenge every once in a while but generally she is challenge averse. She would much rather go through life without any challenges of any kind and I love her for it. So, it’s not a fortune but it is also not true! Now I’m just pissed so I ask for some more Fortune Cookies to simply check to see if we just got some bum cookies and that the world had not actually turned on its ear.
Here is what I saw: “The laws sometimes sleep, but never die.” “Do something unusual tomorrow.” “The young have youth and beauty, wisdom is for the old.”
OK; I give up. Sleeping laws; an order to disturb an otherwise serene day; and then my wife, who has and cherishes her ageless beauty, is told that she isn’t beautiful any more - but it’s OK cuz she’s wise. Trust me when I tell you this - given the option she will choose beautiful over old and sage every time. I’ve decided to give up on the whole fortune cookie concept. I’ll honor Chu Yuan Chang in my own way without the frustration of the now horribly misleading “fortune” cookie.
By the way, according to 14th century legend it is said that when the Mongols ruled China, a revolutionary named Chu Yuan Chang planned an uprising against them. He used mooncakes to pass along the date of the uprising to the Chinese by replacing the yolk in the center of the mooncake with the message written on rice paper. The Mongols did not care for the yolks, so the plan went on successfully and the Ming Dynasty began. It is claimed that the Moon Festival celebrates this with the tradition of giving mooncakes with messages inside. Immigrant Chinese railroad workers, without the ingredients to make regular mooncakes, made biscuits instead. It is these biscuits that may have later inspired fortune cookies.
Today’s OPSEC lesson: Protect the plan - create a dynasty.
Your OPSEC fortune: You will meet a tall, dark and handsome man who will use information against you.
Keep the Faith!
Revelator
Posted in Uncategorized | Print | No Comments »