
Captain Stupendous — Making the Obvious…Obvious! Jericho Redux…

September 19th, 2007

Sometimes you have to hurt the ones you love. 

I’m sorry, Rich.  This hurts me more than it hurts you…honest.

The Mogull decides that rather than contribute meaningful dialog to discuss the meat of the topic at hand, he would rather contribute to the FUD regarding the messaging of the Jericho Forum that I was actually trying to wade through.

…and he tried to be funny.  Sober.  Painful combination.

In a deliciously ironic underscore to his BlogSlog, Rich caps off his post with a brilliant gem of obviousness of his own whilst chiding everyone else to politely "stay on message" even when he leaves the reservation himself:

"I formally submit “buy secure stuff” as a really good one to keep us busy for a

<phhhhhht> Kettle, come in over, this is Pot. <phhhhhhttt> Kettle, do you read, over? <phhhhhhht>  It’s really dark in here <phhhhhhttt>

So if we hit the rewind button for a second, let’s revisit Captain Stupendous’ illuminating commentary.  Yessir.  Captain Stupendous it is, Rich, since the franchise on Captain Obvious is plainly over-subscribed.

I spent my time in my last post suggesting that the Jericho Forum’s message is NOT that one should toss away their firewall.  I spent my time suggesting that rather than reacting to the oft-quoted and emotionally flammable marketing and messaging, folks should actually read their 10 Commandments as a framework. 

I wish Rich would have read them because his post indicates to me that the sensational hyperbole he despises so much is hypocritically emanating from his own VoxHole. <sigh>

Here’s a very high-level generalization that I made which was to take the focus off of "throwing away your firewall":

Your perimeter *is* full of holes so what we need to do is fix the problems, not the symptoms.  That is the message.

And Senor Stupendous suggested:

Of course the perimeter is full of holes; I haven’t met a security professional who thinks otherwise. Of course our software generally sucks and we need secure platforms and protocols. But come on guys, making up new terms and freaking out over firewalls isn’t doing you any good. Anyone still think the network boundary is all you need? What? No hands? Just the “special” kid in back? Okay, good, we can move on now.

You’re missing the point — both theirs and mine.  I was restating the argument as a setup to the retort.  But who can resist teasing the mentally challenged for a quick guffaw, eh, Short Bus?

Here is the actual meat of the Jericho Commandments.  I’m thrilled that Rich has this all handled and doesn’t need any guidance.  However, given how I just spent my last two days, I know that these issues are not only relevant, but require an investment of time, energy, and strategic planning to make actionable and remind folks that they need to think as well as do.

I defy you to show me where this says "throw away your firewalls."

Repeat after me: THIS IS A FRAMEWORK and provides guidance and a rational, strategic approach to Enterprise Architecture and how security should be baked in.  Please read this without the FUDtastic taint:


Rich sums up his opus with this piece of reasonable wisdom, which I wholeheartedly agree with:

You have some big companies on board and could use some serious pressure to kick those market forces into gear.

…and to warm the cockles of your heart, I submit they do and they are.  Spend a little time with Dr. John Meakin, Andrew Yeomans, Stephen Bonner, Nick Bleech, etc. and stop being so bloody American 😉  These guys practice what they preach and as I found out, have been for some time.

They’ve refined the messaging some time ago.  Unload the baggage and give it a chance.

Look at the real message above and then see how your security program measures up against these topics and how your portfolio and roadmap provide for these capabilities.

Go forth and do stupendous things. <wink>


  1. September 19th, 2007 at 01:26 | #1

    Give the man a chance, he's been stuck in a pit at Gartner for 7 years. 🙂
    "Stop being so bloody American" – I will be quoting you on that, forever.

  2. September 19th, 2007 at 06:00 | #2

    Trust me…that quote came out of the mouth of Ray Stanton who is the global head of BT’s business continuity, security and governance practice when I provided a sterling example of "being American."
    His words to me were actually much, much more impacting and, um, colorful.
    I was being an Ass, and I deserved it. The bizarre thing was that I was raised a Kiwi, was in Milan, and was told off by a Brit for being a Yank.
    Perhaps that makes me a Continental Ass?

  3. September 19th, 2007 at 10:11 | #3

    I thought it was odd that you said "I'll catch up with you later, mate" at InfoSec. Your antipodean roots still show.
    I think it makes you an Intercontinental Arse.

  4. September 19th, 2007 at 10:31 | #4

    So when will the Jericho Forum – Board of Managers (http://www.opengroup.org/jericho/board-of-management.htm) start throwing their weight around so that software and hardware developers start developing, testing, and certifying secure and cost effective applications and protocols while also determining usable methods for civilian level, multi-organization, data classification? Would their combined effort really matter in the grand scheme of economic and moral differences that affect international technology development?
    In other words, just how do they plan to monitor and enforce change control on every organization developing technology? Everybody just needs to play nice?
    Go forth and do good things,

  5. September 19th, 2007 at 11:23 | #5

    Why do we need a central organization to monitor and enforce anything? Jericho is trying to market an idea – a framework – that anyone can adopt if they feel it is worth the effort. If firms start demanding that their solutions fit their chosen framework, be it Jericho's or something else, then the vendors, developers etc. will start to do that. No one needs to be forced to do anything. How could you create a framework that fits for everyone at all times? A framework is a best guess, a model (w00t!) for achieving a certain end. If you don't like the end then don't use the framework. Over time, the framework can be tweaked by the USERS to suit their needs; they don't need to be dictated to from a central body that can never have enough granular information to make efficient decisions for every business or individual in the world.

  6. September 19th, 2007 at 12:06 | #6

    Jericho isn't about monitoring and enforcing anything, it's just bringing awareness of how security should be applied to a wider audience. All of the management team have very high level positions in other organisations, as you can see from Cutaway's link.
    They aren't trying to push any technical framework, merely trying to influence security to be done better: https://www.opengroup.org/jericho/how-we-work.htm
    Which I wholeheartedly approve of. It's all very well us sitting back and saying "how's it different to x,y, or z?" but the fact is, Jericho's been going as a group for a long time now, and has remained bang on whilst other fads have waxed and waned.
    Whilst a few cynical security guys are sitting on their backsides criticising because it's "been done before", Jericho may eventually be getting somewhere.
    I hate to sound repetitive, but security is about education, and education needs a) someone to state the obvious, b) someone to keep stating the obvious and c) more repetition.

  7. September 20th, 2007 at 08:01 | #7

    I understand the goals. But in order for this to be effective an organization has to ensure that all of the products they implement adhere to this framework. At the very least they have to provide additional protections for the ones that don't and thus we revert back to creating a perimeter around them. Something's in, something's out.
    Ultimately, unless a product is directly related to security we are going to get a bunch of vendors who will look at the framework and think "Oh, that's nice." Then they will drive on with their next feature enhancement as usual because that is what generates the cash flow.
    I know I am a little pessimistic but I don't see how this changes the vendor mentality. I certainly hope that this or some other initiative catches the consumer's eye so that they can start to vote with their pocketbook. But until somebody starts holding them to this guidance provided by the commandments they are just going to address the ones that they can quickly and then tell you to go and find additional protections elsewhere.
    I guess that is where perimeter protections have gotten us. Specific duties are another tool's responsibility. But is that bad? No if it allows the vendors to concentrate on developing features for their technology and providing service to their customers instead of devoting time, money, and energy trying to solve all the problems in their product. That is what the perimeter means to some companies. And it is going to be a hard sell to change that momentum.
    I am all for building security into products. But not to the point that it stifles innovation. We are a service. We do not run the show. It is very apparent to me that Chris and Rich (hehe) have a much better chance to get vendors to listen and take this framework into consideration during their development process. I think it is something that they can and should be pointing to while saying "You should consider this during your development." But in the end admins are going to have to implement protections to the weakest link, which means they are going to have a perimeter and they are going to have to monitor it. Which means that security professionals are going to have to help provide that guidance as well.
    Go forth and do good things,

  8. September 21st, 2007 at 04:46 | #8

    Jericho In Pictures

    A couple of weeks ago in New York there was a Jericho Forum meeting. I have other obligations, or else I would be there in person. I think that Jericho is interesting, and from a Risk Management standpoint, not at all something to casually dismiss.  …
