Archive for the ‘Jackassery’ Category

Poetic Weekly Security Review

October 5th, 2007 1 comment

Security-related news from the week…

Two hundred grand
is what you’ll pay,
for that illegally-scored music
says the RIAA.

Big data breaches make a really bad rap,
Think ABN Amro, eBay and the GAP.
Retailers recovering from a big breach black eye
Tell the Payment Card Council
"We hate PCI"

The Representative’s children
download images of lust
He thrilled some high schoolers
with an eyeful of bust!

The Feds were determined
to save Arnie’s day…
nuked ca dot gov
and the ‘Net went away

Extra screen RC toys,
says the ole TSA
next thing you’ll know
they’ll take your Webkinz away

The poor DHS
they’re feeling quite small
They DDoS’d themselves
with a big "Reply-All"

Microsoft’s looking
to increase their wealth
by putting online
your records of health

You’d think that a government
like that of Big Mass.
wouldn’t send out my social
and show their incompetent ass

The experts are puzzled
they say "Storm’s a bot!"
The one thing they’re sure of
is something it’s not.

It’s not easy to corner
it’s causing us fear
for the nextgen of malware
is already here

The Great Firewall of China
Oy!  Vadda mess!
Now it turns out
they block RSS!

The House Committee on Commerce
probes the wiretapping NSA
While the Air Force tried bombs
to make enemies gay?

And finally a comment
on Ex-czar Richard Clarke
whose ideas on security
leave our rights in the dark

We don’t need any more laws
to control what you can’t,
stick to fiction my friend
I’ll take care of the rants

/Hoff

Categories: Jackassery, Poetry Tags:

Poetic Weekly Security Review

September 28th, 2007 2 comments

Another week has come and gone
and still the Internet hums along.
Despite predictions that are quite dour
like taking down our nation’s power.

Government security made the press
vendors, hackers, the DHS.
Google Apps and Cross-Site-Scripting,
through our mail the perps are sifting.

TJX, Canadians found, deployed Wifi
that wasn’t sound.

VMWare’s bugs in DHCP
shows there’s risk virtually

HD Moore’s become quite adroit
at extending the reach of Metasploit
hacking tools found a new home
run ’em on your cool iPhone!

Speaking of iPhone
Apple’s played a trick,
hack your phone
it becomes a brick!

Missile silos for sale, that’s a fact,
but it seems the auctioneer’s been hacked!
Applied to Gap as would-be clerks?
They lost your data, careless jerks!

Microsoft updated computers in stealth
which affected the poor machines’ good health
It seems the risk analysis battle’s won
who needs ISO 2-7-00-1?

Maynor was back in the news,
as his sick days he did abuse.
He claimed to contract Pleurisy,
but was at home with Halo3.

More fun’s in store with M&A
another deal, another day;
Huawei and 3Com getting hitched
who knows if TippingPoint gets ditched?

It’s never boring in InfoSec
Like watching a slow-mo car-crash wreck.
I wish you well my fellow geek
until this time, same place, next week.

/Hoff

Categories: Jackassery Tags:

Amrit: I Love You, Man…But You’re Still Not Getting My Bud Lite

September 26th, 2007 1 comment

I’ve created a monster!

Well, a humble, well-spoken and intelligent monster who — like me — isn’t afraid to admit that sometimes it’s better to let go than grip the bat too tight.  That doesn’t happen often, but when it does, it’s a wonderful thing.

I reckon that despite having opinions, perhaps sometimes it’s better to listen with two holes and talk with one, shrugging off the almost autonomic hardline knee-jerks of defensiveness that come from having to spend years of single minded dedication to cramming good ideas down people’s throats.

It appears Amrit’s been speaking to my wife, or at least they read the same books.

So it is with the utmost humility that I take full credit for nudging along Amrit’s renaissance and spiritual awakening as evidenced in this, his opus magnum of personal growth titled "Embracing Humility – Enlightened Information Security" wherein a dramatic battle of the Ego and Id is played out in daring fashion before the world:


Too often in IT ego drives one to be rigid and stubborn. This results
in a myopic and distorted perspective of technology that can limit one’s
ability to gain an enlightened view of dynamic and highly volatile
environments. This defect is especially true of information security
professionals that tend towards ego driven dispositions that create
obstacles to agility. Agility is one of the key foundational tenets to
achieving an enlightened perspective on information security; humility
enables one to become agile.  Humility, which is far different from
humiliation, is the wisdom to realize one’s own ignorance,
insignificance, and limitations of intellect, without which one cannot
see the truth.

19th century philosopher Herbert Spencer captured this sentiment in
an oft-cited quote “There is a principle which is a bar against all
information, which is proof against all arguments and which cannot fail
to keep a man in everlasting ignorance – that principle is contempt
prior to investigation.”

The security blogging community is one manifestation of the
information security profession, based upon which one could argue that
security professionals lack humility and generally propose contempt for
an idea prior to investigation. I will relate my own experience to
highlight this concept.

Humility and the Jericho Forum
I was one of the traditionalists that was vehemently opposed to the
ideas, at least my understanding of the ideas, put forth by the Jericho
forum. In essence all I heard was “de-perimeterization”, “Firewalls are
dead and you do not need them”, and “Perfect security is achieved
through the end-point” – I lacked the humility required to properly
investigate their position and debated against their ideas blinded by
ego and contempt. Reviewing the recent spate of blog postings related
to the Jericho forum I take solace in knowing that I was not alone in
my lack of humility. The reality is that there is a tremendous amount
of wisdom in realizing that the traditional methods of network security
need to be adjusted to account for a growing mobile workforce, coupled
with a dramatic increase in contractors, service providers and non pay
rolled actors, all of which demand access to organizational assets, be
it individuals, information or infrastructure. In the case of the
Jericho forum’s ideas I lacked humility and it limited my ability to
truly understand their position, which limits my ability to broaden my
perspectives on information security.


Good stuff.

It takes a lot of chutzpah to privately consider changing one’s stance on matters; letting go of preconceived notions and embracing a sense of openness and innovation.  It’s quite another thing to do it publicly.   I think that’s very cool.  It’s always been a refreshing study in personal growth when I’ve done it. 

I know it’s still very hard for me to do in certain areas, but my kids — especially my 3 year old — remind me everyday just how fun it can be to be wrong and right within minutes of one another without any sense of shame.

I’m absolutely thrilled if any of my posts on Jericho and the ensuing debate has made Amrit or anyone else consider for a moment that perhaps there are other alternatives worth exploring in the way in which we think, act and take responsibility for what we do in our line of work.

I could stop blogging right now and…

Yeah, right.  Stiennon, batter up!

/Hoff

(P.S. Just to be clear, I said "batter" not "butter"…I’m not that open minded…)

Captains Obvious and Stupendous: G-Men Unite! In Theatres Soon!

September 19th, 2007 No comments

So Rich and Rich, the ex-analytic Dynamic Duo, mount poor (ha!) arguments against my posts on the Jericho Forum.

To quickly recap, it seems that they’re ruffled at Jericho’s suggestion that the way in which we’ve approached securing our assets isn’t working and that instead of focusing on the symptoms by continuing to deploy boxes that don’t ultimately put us in the win column, we should solve the problem instead.

I know, it’s shocking to suggest that we should choose to zig instead of zag.  It should make you uncomfortable.

I’ve picked on Mogull enough today and despite the fact that he’s still stuck on the message marketing instead of the content (despite claiming otherwise,) let’s take a peek at Captain Obvious’ illucidating commentary on the matter:

Let me go on record now. The perimeter is alive and well. It has to
be. It will always be. Not only is the idea that the perimeter is going
away wrong it is not even a desirable direction. The thesis is not even
Utopian, it is dystopian. The Jericho Forum
has attempted to formalize the arguments for de-perimeterization. It is
strange to see a group formed to promulgate a theory. Not a standard,
not a political action campaign, but a theory. Reminds me of the Flat Earth Society.

I’m glad to see that while IDS is dead, that the perimeter is alive and well.  It’s your definition that blows as well as your focus.  As you recall, what I actually said was that the perimeter isn’t going away, it’s multiplying, but the diameter is collapsing.  Now we have hundreds if not thousands of perimeters as we collapse defenses down to the hosts themselves — and with virtualization, down to the VM and beyond.

Threats abound. End points are attacked. Protecting assets is more
and more complicated and more and more expensive. Network security is
hard for the typical end user to understand: all those packets, and
routes, and NAT, and PAT. Much simpler, say the
de-perimeterizationists, to leave the network wide open and protect the
end points, applications, data and users.

It’s an ironic use of the word "open."  Yes, the network should be "open" to allow for the highest performing, stable, resilient, and reliable plumbing available.  Network intelligence should be provided by service layers and our focus should be on secure operating systems, applications and readily defensible data stores.  You’re damned right we should protect the end points, applications, data and users — that’s the mission of information assurance!

This is what happens when you fling around terms like "risk management" when what you really mean is "mitigating threats and vulnerabilities."  They are NOT the same thing.  Information survivability and assurance are what you mean to say, but what comes out is "buy more kit."

Yeah, well, the reality is that the perimeter is being reinforced
constantly. Dropping those defenses would be like removing the dikes
around Holland. The perimeter is becoming more diverse, yes. When you
start to visualize the perimeter, which must encompass all of an
organization’s assets, one is reminded of the coast of England metaphor.
In taking the measure of that perimeter the length is dependent on the
scale. A view from space predicts a different measurement than a view
from 100 meters or even 1 meter. Coast lines are fractal. So are network perimeters.

"THE perimeter" is not being reinforced, it’s being consolidated as it comes out of firewall refresh cycles, there’s a difference.  You accurately suggest that this is occurring constantly.  The reason for that is because the stuff we have just simply cannot defend our assets appropriately.

Folks like Microsoft understand this — look at Vista and Longhorn.  We’re getting closer to more secure operating systems.

Virtualization is driving the next great equalizer in the security industry and "network security" will become even more irrelevant.

Why don’t the two Richies and the faithful toy-happy squadrons of security lemmings get it instead of desperately struggling to tighten their grasp on the outdated notion of their glorious definition of "THE perimeter."  That was a rhetorical question, by the way.

De-perimeterization (or re-perimeterization) garners panic in those whose gumboots have become mired in the murky swamps of the way things were; they can’t go forward and they can’t go back.  Better to sink in one’s socks than get your feet dirty in the mud by stepping out of your captive clogs, eh?

The threats aren’t the same.  The attackers aren’t the same.  Networks aren’t the same.  The tools, philosophy and techniques we use to secure them can’t afford to be, either.

Finally:

Disclaimer:  I work for a vendor of network perimeter security appliances.
But, keep in mind, I would not be working for a perimeter defense
company if I did not truly believe that the answer lies in protecting
our networks. If I believed otherwise I would work for a
de-perimeterization vendor, if I could find one. 🙂

I can’t even bring myself to address this point.  I’ll let  Dan Weber do it instead.

/Hoff

Categories: Jackassery Tags:

Captain Stupendous — Making the Obvious…Obvious! Jericho Redux…

September 19th, 2007 8 comments

Sometimes you have to hurt the ones you love. 

I’m sorry, Rich.  This hurts me more than it hurts you…honest.

The Mogull decides that rather than contribute meaningful dialog to discuss the meat of the topic at hand, he would rather contribute to the FUD regarding the messaging of the Jericho Forum that I was actually trying to wade through.

…and he tried to be funny.  Sober.  Painful combination.

In a deliciously ironic underscore to his BlogSlog, Rich caps off his post with a brilliant gem of obviousness of his own whilst chiding everyone else to politely "stay on message" even when he leaves the reservation himself:

"I formally
submit “buy secure stuff” as a really good one to keep us busy for a
while."

<phhhhhht> Kettle, come in over, this is Pot. <phhhhhhttt> Kettle, do you read, over? <phhhhhhht>  It’s really dark in here <phhhhhhttt>

So if we hit the rewind button for a second, let’s revisit Captain Stupendous’ illuminating commentary.  Yessir.  Captain Stupendous it is, Rich, since the franchise on Captain Obvious is plainly over-subscribed.

I spent my time in my last post suggesting that the Jericho Forum’s message is NOT that one should toss away their firewall.  I spent my time suggesting that rather than reacting to the oft-quoted and emotionally flammable marketing and messaging, folks should actually read their 10 Commandments as a framework.

I wish Rich would have read them because his post indicates to me that the sensational hyperbole he despises so much is hypocritically emanating from his own VoxHole. <sigh>

Here’s a very high-level generalization that I made which was to take the focus off of "throwing away your firewall":

Your perimeter *is* full of holes so what we need to do is fix the problems, not the symptoms.  That is the message.

And Senor Stupendous suggested:

Of course the perimeter is full of holes; I haven’t met a security
professional who thinks otherwise. Of course our software generally
sucks and we need secure platforms and protocols. But come on guys,
making up new terms and freaking out over firewalls isn’t doing you any
good. Anyone still think the network boundary is all you need? What? No
hands? Just the “special” kid in back? Okay, good, we can move on now.

You’re missing the point — both theirs and mine.  I was restating the argument as a setup to the retort.  But who can resist teasing the mentally challenged for a quick guffaw, eh, Short Bus?

Here is the actual meat of the Jericho Commandments.  I’m thrilled that Rich has this all handled and doesn’t need any guidance.  However, given how I just spent my last two days, I know that these issues are not only relevant, but require an investment of time, energy, and strategic planning to make actionable and remind folks that they need to think as well as do.

I defy you to show me where this says "throw away your firewalls."

Repeat after me: THIS IS A FRAMEWORK and provides guidance and a rational, strategic approach to Enterprise Architecture and how security should be baked in.  Please read this without the FUDtastic taint:

[Two images of the Jericho Forum Commandments]

Rich sums up his opus with this piece of reasonable wisdom, which I wholeheartedly agree with:

You have some big companies on board and could use some serious
pressure to kick those market forces into gear.

…and to warm the cockles of your heart, I submit they do and they are.  Spend a little time with Dr. John Meakin, Andrew Yeomans, Stephen Bonner, Nick Bleech, etc. and stop being so bloody American 😉  These guys practice what they preach and as I found out, have been for some time.

They’ve refined the messaging some time ago.  Unload the baggage and give it a chance.

Look at the real message above and then see how your security program measures up against these topics and how your portfolio and roadmap provides for these capabilities.

Go forth and do stupendous things. <wink>

/Hoff

Security Haiku…Or Is It Alliterative Iambic Pentameter?

September 6th, 2007 13 comments

Uncle Mike suggested that I be tasked with something worthy of my "innovation" title.

I thought that while I let something else percolate around in my little brain, I should flex my creative muscle a little and demonstrate the value I add to the security community.

It’s all about giving back, people.

Had I adequately prepared, I would have had 3-4 coffees prior to writing this, but I’m in Reston, VA and it seems you need a jet car to get anywhere.  I should have chartered that chopper.

So I am stuck here, decaffeinated and trying to get this other idea out of my brain and down on "paper" before my head explodes.

(Read to the cadence of ‘Twas the Night Before Christmas)

Remember when firewalls were firewalls, my friend?
it suggested our security problems would end.
They promised the perimeter breach to abate,
but alas became products we just loved to hate.

The attackers got smarter, and the exploits malicious,
the perimeter’s holes made the threatscape pernicious.
Sadly the breaches were never quite stopped,
whilst we measured our value in per packets dropped!

IDS soon was added, let us know we were sunk
yet we kept buying more costly security junk.
So we took the bit blocking, tuned our IDS mess,
yet again our risk metrics still didn’t trend less

As we patiently waited for our career ascension,
it seems IDS died, but LONG LIVE PREVENTION!
While signatures worked and were certainly handy
NBA as a feature would surely be dandy.

We looked for the good stuff and blocked bad behavior,
but NBA wasn’t our security savior.
But now we blocked traffic all up/down the stack
we were sure to have something to repel an attack.

UTM came along, married IPS to AV,
our security god boxes hummed along merrily.
And finally it came, our salvation arrived
NAC promised to secure us from all the bad guys.

Pre-auth, and post-auth, we had tons of checks,
It still didn’t fix it, we need 802-dot-one-X!
Admission or Access, we must have control,
and deeper we went down the NAC rabbit hole.

So Cisco blew that one, and we all looked confused
should we turn on that feature that nobody used?
But relax, do not worry, we’ll secure that border,
find another new feature, want fries with that order?

Stand your watch, remain valiant, stand that post at your station,
for the next frontier’s here…YES!  Virtualization!
Like perimeter viagra, from our security Pfizer,
we’re all solid now, all hail…Hypervisor!

Blue Pills and Red Pills, detection’s a bust,
but protecting our VM’s security’s a must!
What to do, what to do…what next shall I add?
What new valley startup will become the next fad

Is it content, DRM, or perhaps DLP?
Ask Rothman, ask Mogull, just please, don’t ask me.

/Hoff

Categories: Jackassery Tags:

Remotely Exploitable Dead Frog with Embedded Web Server – The “Anatomy” of a Zero-Day Threat Surface

July 25th, 2007 No comments

You think I make this stuff up, don’t you?

Listen, I’m a renaissance man and I look for analogs to the security space anywhere and everywhere I can find them.

I maintain that next to the iPhone, this is the biggest thing to hit the security world since David Maynor found Jesus (in a pool hall, no less.)

I believe InfoSec Sellout already has produced a zero-day for this using real worms.  No Apple products were harmed during the production of this webserver, but I am sad to announce that there is no potential for adding your own apps to the KermitOS…an SDK is available, however.

The frog’s dead.  Suspended in a liquid.  In a Jar.  Connected to the network via an Ethernet cable.  You can connect to the embedded webserver wired into its body parts.  When you do this, you control which one of its legs twitch.  pwned!

You can find the pertinent information here.

A Snort signature will be available shortly.

/Hoff

(Image and text below thanks to Boing Boing)

The Experiments in Galvanism frog floats in mineral oil, a webserver
installed in its guts, with wires into its muscle groups. You can
access the frog over the network and send it galvanic signals that get
it to kick its limbs.

Experiments in Galvanism is the culmination of studio and gallery
experiments in which a miniature computer is implanted into the dead
body of a frog specimen. Akin to Damien Hirst’s bodies in formaldehyde,
the frog is suspended in clear liquid contained in a glass cube, with a
blue ethernet cable leading into its splayed abdomen. The computer
stores a website that enables users to trigger physical movement in the
corpse: the resulting movement can be seen in gallery, and through a
live streaming webcamera.

    – Risa Horowitz

Garnet Hertz has implanted a miniature webserver in the body of a
frog specimen, which is suspended in a clear glass container of mineral
oil, an inert liquid that does not conduct electricity. The frog is
viewable on the Internet, and on the computer monitor across the room,
through a webcam placed on the wall of the gallery. Through an Ethernet
cable connected to the embedded webserver, remote viewers can trigger
movement in either the right or left leg of the frog, thereby updating
Luigi Galvani’s original 1786 experiment causing the legs of a dead
frog to twitch simply by touching muscles and nerves with metal.

Experiments in Galvanism is both a reference to the origins of
electricity, one of the earliest new media, and, through Galvani’s
discovery that bioelectric forces exist within living tissue, a nod to
what many theorists and practitioners consider to be the new new media:
bio(tech) art.

    – Sarah Cook and Steve Dietz

San Francisco is DOWN: The Fragility of Web 2.0 Ecosystem – Common Sense Must Not Have Made the Feature List

July 25th, 2007 8 comments

I was just leaving the office for a client dinner last night when I noticed I couldn’t get to my TypePad blog, but I chalked it up to a "normal" Internet experience.

When I fired up Firefox this morning (too much wine last night to care) I was surprised to say the least.

I am just awestruck by the fact that yesterday’s PG&E  power outage in San Francisco took down some of the most popular social networking and blogging sites on the planet.  Typepad (and associated services,) Craigslist, Technorati, NetFlix etc…all DOWN. (see bottom of post for a most interesting potential cause.)

I’m sure there were some very puzzled, distraught and disconnected people yesterday.  No blogging, no secondlife, no on-line video rentals.  Oh, the humanity!

I am, however, very happy for all of the people who were able to commiserate with one another as they apparently share the same gene that renders them ill-prepared for one of the most common causes of outages on the planet: power outages.

Here’s what the TypePad status update said this morning:

Update: commenting is again available on TypePad blogs; thank you for your patience.  We are continuing to monitor the service closely.

TypePad blogs experienced some downtime this afternoon due to a
power outage in San Francisco, and we wanted to provide you with the
basic information we have so far:

  • The outage began around 1:50 pm Pacific Daylight Time
  • TypePad blogs and the TypePad application were affected, as well as LiveJournal, Vox and other Six Apart-hosted services
  • No data has been lost from blogs.  We have restored access to blogs as well as access to the TypePad application. There
    may be some remaining issues for readers leaving comments on blogs; we
    are aware of this and are working as quickly as possible to resolve the
    issue. (See update above.)
  • TypePad members with appropriate opt-in settings should have
    received an email from us this afternoon about the outage.  We will
    send another email to members when the service has been fully restored.
  • We will also be posting more details about today’s outage to Everything TypePad.

We are truly sorry for the frustration and inconvenience that
you’ve experienced, and will provide as much additional information as
possible as soon as we have it. We also appreciate the commiseration
from the teams at many of the other sites that were affected, such as
Craigslist, Technorati, Yelp, hi5 and several others.

I don’t understand how the folks responsible for service delivery of these sites, given the availability and affordability of technology and hosting capability on-demand, don’t have BCP/DR sites or load-balanced distributed data centers to absorb a hit like this.   The management team of Sixapart has experience in companies that understand that the network and connectivity represent the lifeblood of their existence; what the hell happened here in that there’s no contingency for power outages?

Surely I’m missing something here.

Craigslist and Technorati are services I don’t pay for, so one might suggest taking the service disruption with a grain of SLA salt (or not, because it still doesn’t excuse not preparing for issues like this with contingencies)  but TypePad is something I *pay* for.  Even my little hosting company that houses my personal email and website has a clue.  I’m glad I’m not a Netflix customer, either.  At least I can walk down to Blockbuster…

Yes, I’m being harsh, but there’s no excuse for this sort of thing in today’s Internet-based economy.  It affects too many people and services but really does show the absolute fragility of our Internet-tethered society.

Common sense obviously didn’t make the feature list on the latest production roll.  Somebody other than me ought to be pissed off about this.  Maybe when Data Center 3.0 is ready to roll, we won’t have to worry about this any longer 😉

/Hoff

Interestingly, one of the other stories of affected sites relayed the woes of 365 Main, a colocation company, whose generators failed to start when the outage occurred.  I met the CEO of 365 Main when he presented at the InterOp data center summit on the topic of flywheel UPS systems which are designed to absorb the gap between failure detection and GenStart.  This didn’t seem to work as planned, either.

You can read all about this interesting story here.  This was problematic because the company had just issued a press release about a customer’s 2-year uninterrupted service the same day 😉

Valleywag reported that the cause of the failure @ 365 Main was due to a drunk employee who went berserk! This seemed a little odd when I read it, but check out how the reporter from Valleywag is now eating some very nasty Crow … his source was completely bogus!

Freaky Friday Post: How to Enforce Security in the Penitentiary…Filipino Style

July 20th, 2007 2 comments

Many nation states find innovative ways of enforcing security in their stockades and jails.  We’ve got that crazy sheriff in Arizona who enables the prisoner’s fashion sense by outfitting them with pink jumpsuit couture and then there’s Gitmo.

Honestly, in the U.S. jails have become an effective method of obtaining 3 squares and a warm bed (albeit sometimes with somebody else in it) and quite honestly provide little in the way of taxpayer payback.

I say enough!  Let’s look abroad for inspiration.  Let’s see…the Taliban’s a little extreme, Brazil…that whole waxing thing is over the top…ummmm…

Aha! The Philippines have solved this problem.  It seems they have made an investment that truly demonstrates ROI in the security space.  It allows for both freedom of expression and entertainment whilst repaying the monarchy in a tribute to the King Of Pop.

Ladies and germs, I present you the ensemble cast of inmates from the Cebu Provincial Detention and Rehabilitation Center, Cebu, Philippines.  Hey, you slackers at Pelican Bay, nut up!

This truly is the "Thriller in Manilla!"

Wow.

Blue Man Group is teh pwned!

/Hoff

Categories: Jackassery Tags:

Holed up in Milan, Italy on SpecOps Assignment…Advanced Bug Hunting

June 28th, 2007 5 comments

The location is far from classified; the Grand Visconti Palace in Milan, Italy.  It’s a dirty job, but someone’s got to do it.  This is the nasty stuff though…the wet work.

This is the stuff nobody else wants to do.  Even talking about it is painful.  Talking about it is what we’re trained NOT to do.  But I’m alone.  There’s no one coming for me.  This could be it.

I’m holed up in my hotel room on this assignment, awaiting extraction.  I’m fifty clicks from the LZ, the transpo isn’t due for another 6 hours.  Radio silence.

I knew that when I took the job that it meant lonely, dangerous work.  It’s 01:18am here now.  I’m delirious after an aggravating lack of sleep. 

My mission grinds on against the backdrop of reveling Italian supermodels drunk in the streets below, the enticing aromas of tagliatelle that permeate the very fabric of this country, and what can only be described as the Roman Jerry Spring(ieri) show bellowing through the thin walls of my room from the reveling assclowns next door.

I can’t sleep.  I mustn’t.  I want to, and I strain against the overbearing slabs of concrete that my eyelids have become.  Must.  Hang.  On.

It’s not because of the supermodels, the pasta or the Jerry special on midget tossing.  No, I can’t sleep because I am subject to the relentless onslaught of an attack as a direct counter-response to my bug hunting activities.   

This is where all the training pays off.  This is where intuition takes over.  Fear has no place in my world.  I will shed blood.  Some of it mine.  But I shall hold fast and like those from Rome and Sparta before me, I will emerge triumphant.

I am wounded.  I want to scrape away the pain but the more that I do, the worse it becomes.  My very soul itches.

The heat is unbearable.  The sweat drips into my eyes. I must focus.  I practice Tai Chi to center myself and prepare for what is assuredly coming.

My foe is an intelligent adversary.  In light and dark, he appears from stealth taking quick swaths at me; feeling me out for just how far I will go to defend against attack; my reach, my skill, my will.  He is lightning quick.  No warning until it is too late. 

The attack comes.  That sound that drills into my psyche.  It taunts me.  It mocks me.  The inevitable pain delivered again. Can’t.  See.

I must take action.  My body takes over.  The will to defend is overwhelming.  I stab the air.  Kicking, screaming, smacking. 

Slapping. 

Myself. 

I’ve poked myself in the eye with my thumb and backhanded my skull as I valiantly deflect the attack.  I try to hide under the cover of whatever I can shield myself with.  Furniture.  Bedding.  Pellegrino bottles.  I take evasive maneuvers.  Why won’t he stop!?  The pain of anticipation is worse than the wounds themselves.

I flashback to training.  Fight stealth with stealth.  I’ll wait for his recon; look for the flash and strike.  Must.  Seek.  Cover.

Should I wait it out in the closet — maybe the bathroom?

He’s coming again.  Relentless.  He appears, cloaked in deception and disdain.  Then, like that, he disappears.  I scratch at phantom wounds that aren’t there.  That sound!  Make it stop!

Ripping through the air; wildly grasping for swaths of atmosphere…hoping to grab hold of…something in the dark.  And squash it.  Die!

I want to deliver death swiftly.  Mercilessly.  Over and over again.  Uncaring, nasty, excruciating death.  Now.  This has gone on for hours.  I need to sleep.

But it is not to be.  I will be tormented all night until I can leave this hellhole and find solace in the airport awaiting the ride home.

I am now lying in my bathtub where it is safe.  The fan is on, Macbook Pro on my lap, wirelessly connected.  My only lifeline to the world.  To you.

My enemy cannot reach me here.  Perhaps he will retreat and try to strike again later.

F’ing Mosquitoes!

/Hoff

Categories: Jackassery Tags: