Thursday, May 31, 2012

Entirely too relevant to my life right now....





Revisiting the "first carry gun" question, 5 years or so later

So a few years back, I wrote several different pieces about concealed carry for first timers; both gun newbies, and carry newbies, though surprisingly enough, never in a single post for just the "first carry gun" question precisely.

A few days back, I got a question from a German immigrant to Washington state, who has been asking a lot of "newbie" type questions lately:

"I am planning to get me a concealed carry license. Being from Germany almost everything regarding carrying a gun is new for me, I have read about it though. My question is now: I am a fan of big caliber. In some states you have to do your "training" for the license with an automatic to be allowed to carry both types of actions. Which gun is good for a newbie like me? It should have man-stopping power, so should be more than a .38/9mm.
Thank you"

I figure now is a good time to address the question again; as so many people are starting to carry concealed, since the 2008 elections, and in preparation for the 2012 elections.

The first thing for our questioner, is that in Washington (and most other states) you don't have any qualification restrictions. Once you're licensed, it's for any firearm that is legal to carry.

The rest of the answer is more complicated however... much more complicated.

So, the basic rules for choosing a carry gun...

  1. The first, and most important thing to deal with; you shouldn't carry any gun, until you are completely comfortable with shooting, you are safe and proficient with firearms in general, and you are ABSOLUTELY SURE you are mentally and emotionally prepared and able, to shoot another human being in self defense. Otherwise, you are a danger to yourself and to others.
  2. You should only carry a gun that you are completely comfortable with. You must be completely familiar with your gun's characteristics, manual of arms, and in particular the failure modes and recovery drills for that weapon, before you carry it for self defense.
  3. You should only carry a gun that you have tested extensively, using the ammunition and holster(s) you intend to carry it with; and wearing the clothing you intend to wear while carrying. Things that seem like they will work, often don't. The time to find out is on the range, not when someone is charging at you with a knife. Extensively means hundreds of practice draws from concealment, and hundreds of rounds fired (I personally consider 500 rounds an absolute minimum).
  4. Carry a gun that you can and WILL carry; all day long, every day, no matter the weather or the occasion (this is why most folks serious about self defense with firearms have multiple carry guns... different guns for different conditions and situations).
  5. Carry a gun that you can shoot, and WILL shoot, regularly, with the ammunition you intend to load while carrying it. By regularly I mean at a minimum several magazines' worth or cylinders full, once per month... and preferably more.

Now... as to specifics, that's a little more difficult.

As I said above, you need to carry a gun you are comfortable with, that is reliable, that you can shoot, that you can carry well...

What that is, is very different for everyone. What works for your body, your lifestyle, your work, your choice of clothing... It's unique to you.

My general recommendation, is that you try out a lot of different guns, and see what feels good. Rent them at a range, borrow friends' guns; shoot as many guns as possible, as much as possible.

The "default" recommendation is that you buy a Glock, M&P, or XD; because they are relatively inexpensive, reliable, easy to shoot; all are available in three frame, barrel, and grip sizes, with common ergonomics, controls, and manual of arms; and all are available in the three most common defensive chambering selections in the U.S. (9mm, .40s&w and .45acp) in all three sizes.

In general, I think the "default" recommendation is a good one. I usually own at least one or two of those three types of guns at any given time (if not all three... or even multiples of all three in different sizes and chamberings).

... and I always end up selling them, because I just don't like them all that much. They don't "speak" to me on an emotional level, or interest me esthetically. I appreciate them all mechanically, and as a gunsmith and an instructor, I recommend them to friends, customers, students; and to you, my readers... I just don't like them that much.

My personal preference for double action semiautomatic pistols, are SIGs (in particular, I prefer the SIG P220 carry elite in .45acp, and the P229 elite, in .40, 9mm, or .357sig); but they are considerably more expensive than the big three striker fired options (none of the three "default" guns is a traditional double action. All have some variant of the "safe action" concept, which is functionally similar to double action). I just prefer the ergonomics, feel, natural point, and looks of the SIG.

Also, I generally carry 1911s (in all three common sizes - 5" "government", 4" "commander" and 3" "officers", and in .45acp or 10mm) as my primary sidearms; however, I don't recommend them as carry guns for anyone other than experts, or at least those who will train every week (this applies to single action firearms in general. They have more complicated manuals of arms, and additional failure modes, which beginners shouldn't have to try to worry about under stress).

As to chambering... I really see very little reason for a beginner to choose anything but 9mm or .45acp. Yes, there are plenty of other chamberings to choose from, that are effective for self defense; but for a beginner, it's generally best that you choose a common chambering. 9mm and .45acp are the most common centerfire handgun chamberings in the U.S. and more defensive and practice loadings are factory available (and generally at a lower price) in them, than any other.

As I said above, I personally like 10mm and .357sig (in addition to 9mm and .45), but as with single action handguns, I think both chamberings should only be considered for self defense by experts. Both have quite sharp recoil, muzzle blast, and report; and they are both extreme penetrators.

.40 S&W is also very popular (third in the U.S. behind 9mm and .45acp; and second in law enforcement behind 9mm... in fact by now, it may be more popular for LEOs than 9mm). It is marginally more effective than high pressure defensive loadings of 9mm, and marginally less effective than high pressure defensive loadings of .45acp. You generally gain one or sometimes two rounds capacity over .45 or you lose a round compared to 9mm. In exchange for that, you get sharper recoil and muzzle blast than either, and generally a higher price than either.

My personal opinion... Unless you want to shoot .357sig as well (.357sig is based on the .40s&w cartridge. In general, guns chambered in .40, can be easily converted to .357sig with a barrel and spring change), there is little reason to choose .40 over either .45 or 9mm.

Alternately, a medium frame revolver in .357 magnum can be an excellent carry choice; if you are physically comfortable with carrying a revolver of that size. Some people's bodies work well with concealing revolvers, some don't. In general, you want more than a 2" barrel (because 2" barrels cut the effectiveness of the load greatly) and at most a 4" barrel (because anything longer is difficult to draw from concealment).

Some medium frame revolvers even have 7 round cylinders now. 7 rounds of .357 magnum is going to be just as effective (or possibly more so) as 7 or 8 rounds of .45acp.

Actually, I'd say that in general, 6 or 7 rounds of .357 magnum are just as good for self defense, as 10 or 12 rounds of .45acp, 9mm, or .40... Even 5 or 6 rounds of .357 are pretty strong medicine for discouraging unpleasant people from doing unpleasant things; and frankly, as a non LEO civilian shooter, if you need more than 5 rounds of .357 magnum to address your immediate problems... well, you've got worse problems than a handgun can handle.

I generally don't recommend a large frame revolver (any revolver in .41 magnum or larger is going to be large frame) for concealed carry, because most people can't comfortably carry them concealed (I can just barely do so, and I'm a VERY large man... and it takes a particular choice of holster, cover garments etc...). You are better off with a smaller gun, that you can carry in more situations, with more clothing variations etc...

The absolute best piece of advice I can give you once you've selected a couple options is, BUY GOOD BELTS AND HOLSTERS.

A good belt or two, and several good holsters, can make carrying almost any reasonably sized gun, relatively easy and comfortable. Even slightly mediocre belts or holsters will make carrying any gun, an uncomfortable chore.

For a backup, deep cover, or otherwise "the gun you carry when you can't carry your bigger gun"; the conventional recommendation is a compact .38spl or .357 revolver (like the S&W J frame) or .380 auto (like the KelTec p3at).

We call them pocket guns, because they slip into your pocket; preferably first thing in the morning, every morning, not coming out until you get undressed for bed. That way you always have a gun when you need one.

That's why I have a pocket gun... actually I have several.

As it happens, I own, and recommend, both of the guns above; particularly with the option of adding a laser sight. Although you should train to use your sights as much as possible; there are some situations where sights aren't all that useful... as it happens, those are often the situations you really need your backup gun in. And even if you have a chance to use your sights, on most backup guns the sights are barely there, or at best hard to see, anyway. Laser sights help compensate for all of those factors.

So... confused yet?

Once you actually buy a carry gun (or preferably at least two carry guns) I want you to do two things:

First, shoot them... a lot. As much as you possibly can. Shoot them two handed, strong handed, and weak handed. Shoot them at very close range, as well as at medium range. Shoot them at moving targets. Shoot them while on the move. Shoot them in defensive pistol competition... just shoot them as much as possible.

Second, CARRY THEM. Carry them all day, every day, everywhere you legally can.

CARRY THEM all the time... because you don't need a gun most of the time, but when you need one, you REALLY need one.

Wednesday, May 30, 2012

Open Letter to a Phoenix Starting to Rise

Hi. You don't know me, and you'll probably never know me. I get the feeling that if I were to talk to you directly I'd only make you more uncomfortable.

You're obviously very uncomfortable. I know how you feel.

I'm the woman behind you in the checkout line, the only non-express checkout line in the entire store open at 8:30 on a Wednesday. It's quiet. That's why I'm here right now, keeping housewife hours. That's also why you're here.

You don't have to tell me what's going on. Your life circumstances are written all over you, in your demeanor, your clothes, what you're buying, the way you won't meet my eyes. You're in your early twenties, though most people would guess older. Stress does that to you. You're polite and quiet and you're waiting patiently for the person in front of you to finish so the cashier can ring up your milk, cereal, juice, eggs, and fruit.

I don't even need to see the little paper slips you hand the cashier to know that's how you would pay.

You're wondering why I'm waiting patiently behind you instead of going to one of the express lines. I could, that's true. You might also be wondering why I, a woman in my early thirties with a basket that makes clear I'm not worried about how I'll pay, would be waiting so patiently and smile at you for the second you look at me.

I'm there because I want you to see a friendly face, and because I want to make clear that if you didn't look like you'd break out into a run the moment someone noticed you, I'd talk to you.

Don't let the huge bag of dog food and container of fabric softener fool you. I've been at the exact same spot you are now.

You're either pregnant or have a little one at home. If I had to guess, pregnant. You either have no support or your support is stretched thin due to other circumstances. You've got a roof over your head and access to a washing machine, but not much else.

You could have been a spiritual, mental, and emotional copy of me as I was 8 years ago. Fresh out of a bad marriage with a toddler and a baby, living with my parents and my youngest brother. No money all around, the bills are barely paid, and the entire family laid low by my circumstances and my brother's recent health crisis. 6 people in one three-bedroom house in a small town in Arizona and one of those people could still die at any moment. A freak infection combined with a genetic abnormality killed my brother's kidneys. The medical crisis wiped both him and my parents out of all available cash. Then I came to live with them 2 months later.

Some people look at you and see only the result of bad decisions. I know better. I know shit happens, life gets fucked up, and your entire world can burn to the ground in an instant. Bad decisions often play a part, but are almost never the whole story.

I remember walking into the AZ Department of Economic Security office and applying. I remember being approved for food stamps, cash assistance, and medical coverage. I also remember the nice woman who helped me and how she told me she knew I wouldn't be on assistance for very long.

I didn't understand how she knew. Being a small town I thought maybe she knew my parents (I'd never lived there before) and drew her conclusions from them.

Now, looking at you, I can see what she saw in me. You're clean. Your hair hasn't been cut in a while but it's combed and tied back. Your clothes are showing wear but they're clean and hole free. You're not wearing any makeup and there's not a single show of frivolity on you. You're polite, you know exactly what qualifies for WIC and didn't buy anything else, and you handed the pen back to the cashier after very carefully signing your name. Your coupons are well organized, not balled up or crinkled. Most of all, you're dying of shame every moment you spend standing there while the rest of us wait but you're still there, shopping when you think the fewest people will be there to see you and when you will cause the least amount of waiting for others.

There's not an ounce of entitlement in your body. You're doing this because you must, not because it's a choice.

I know.

I spent exactly one day on cash assistance. Didn't even receive any cash benefits. The day after I applied I received the call that I'd gotten the part-time job I'd applied for and that I was expected to show up for training the next week. I'd work as a clerk at that state park for anywhere from 10 to 40 hours a week for the next 2 years.

My supervisor at the state park used to be like you too. She knew what it was like. She moved heaven and earth to make my schedule work with my court appearances. She told me stories of when she was on assistance and how she'd drive 40 miles to get groceries so no one she knew would see her.

My father holds a membership to that state park now. He goes there every Sunday to walk his dog on the trails. He'll probably support the park for the rest of his life because he knows what the park did for me. He tells me it's all because he likes the trails and tours. I know better.

I used my state medical coverage to treat my chronic health problems. I made sure the kids saw their doctor, got their checkups, got their vaccinations. I hated every second of my dependence on state medical, but I used it.

I drove 1 1/2 hours to Tucson once a week to do blood tests and physicals while I went through kidney donation screening for my brother. Every time I went to Tucson I packed up the big cooler and used up my food stamps at a grocery store there. The food in Tucson was cheaper and better quality than what was available in the small town I lived in. Even though my food options weren't restricted my choices resembled yours. Bread, milk, cheese, pasta, juice. Staples, not convenience foods. I cooked from scratch and maximized my food stamps. I hated the food stamps, but used them anyway.

The only personal items I bought were bought for necessity's sake. The only recreation I had was either free or necessary to my sanity.

That's how I lived, much like how you're living now.

I know you'll get through this. I can tell. It's also written all over you. You're ashamed, you're hating every minute, but your back is straight. You won't look me in the eye, but you're not beaten either. If I had to guess, every bit of energy you're not spending on your child you're spending on surviving and then on making life better. No time for makeup or non-essentials but time to do your laundry and clean yourself up so you can be out applying for work. It's 8:45 on a weekday. You're not sleeping in or at home sulking. You're out being useful.

16 months after I landed in AZ I moved out of my parents' house and into an apartment. I held two jobs, one part-time (still at the state park) and one full time. I'd met my husband a few months before but we weren't together. I no longer qualified for state assistance, nor did I want it. 16 months from despair to independence.

If you'd been able to talk, that's what I would have told you. 16 months is how long it took for me to rise from the ashes of what used to be my life and make myself a new life. Whenever life goes horribly wrong (which it often does) I look back at that accomplishment and know that if my entire life is destroyed again I will rise like a phoenix once more. I did it once, I can do it again.

You can too, and you're already on your way. Brush the ashes off and get to living. Your new life is out there waiting for you.

Mel

Monday, May 28, 2012

Memorial Day


Memorial Day

The finest tribute we can pay
Unto our hero dead to-day,
Is not a rose wreath, white and red,
In memory of the blood they shed;
It is to stand beside each mound,
Each couch of consecrated ground,
And pledge ourselves as warriors true
Unto the work they died to do.

Into God's valleys where they lie
At rest, beneath the open sky,
Triumphant now o'er every foe,
As living tributes let us go.
No wreath of rose or immortelles
Or spoken word or tolling bells
Will do to-day, unless we give
Our pledge that liberty shall live.

Our hearts must be the roses red
We place above our hero dead;
To-day beside their graves we must
Renew allegiance to their trust;
Must bare our heads and humbly say
We hold the Flag as dear as they,
And stand, as once they stood, to die
To keep the Stars and Stripes on high.

The finest tribute we can pay
Unto our hero dead to-day
Is not of speech or roses red,
But living, throbbing hearts instead,
That shall renew the pledge they sealed
With death upon the battlefield:
That freedom's flag shall bear no stain
And free men wear no tyrant's chain.
-- Edgar Guest


Recessional

God of our fathers, known of old,
Lord of our far-flung battle-line,
Beneath whose awful Hand we hold
Dominion over palm and pine
Lord God of Hosts, be with us yet,
Lest we forget lest we forget!

The tumult and the shouting dies;
The Captains and the Kings depart:
Still stands Thine ancient sacrifice,
An humble and a contrite heart.
Lord God of Hosts, be with us yet,
Lest we forget lest we forget!

Far-called, our navies melt away;
On dune and headland sinks the fire:
Lo, all our pomp of yesterday
Is one with Nineveh and Tyre!
Judge of the Nations, spare us yet,
Lest we forget lest we forget!

If, drunk with sight of power, we loose
Wild tongues that have not Thee in awe,
Such boastings as the Gentiles use,
Or lesser breeds without the Law
Lord God of Hosts, be with us yet,
Lest we forget lest we forget!

For heathen heart that puts her trust
In reeking tube and iron shard,
All valiant dust that builds on dust,
And guarding, calls not Thee to guard,
For frantic boast and foolish word
Thy mercy on Thy People, Lord!

-- Rudyard Kipling


To Absent Companions, and Fallen Comrades...

Christopher J. Byrne IV
USAF (Ret.)



Image from: GU Comics

Tuesday, May 22, 2012

The only good thing about a 148.4 mile daily round trip...

Is that it isn't technically a commute.

I'm a contract consultant, with a dedicated primary business location (with its own phone lines, internet service, computer equipment, entrance and exit etc...), completely separate from the living area of my home. My client's site is not in the same metropolitan area as my home.

Even better, I'm working in one state, and paying taxes in my home state, as local income. That makes it VERY clear, that my client's site is not my "primary work or business location".

Also, I'm technically on a less than 1 year contract, both for my client, and for my parent consulting company (yes, I'm technically a small businessman, contracted to the big consulting company, then further contracted out to the small company).

There is really no legal way the IRS can try to claim that I am a direct employee, or that my primary place of business is my client's site.

So, my 148.4 mile per day round trip isn't a commute; it's travel to and from a client's site, and is therefore tax deductible at the standard IRS mileage rate for 2012 of $0.55 per mile.

On Wednesday, it will have been a month since I started work (4/23 to 5/23), with one day taken off (my birthday, April 27th); and this is what my mileage log summary shows for the past month (today, and tomorrow extrapolated from the previous record):


Report 2012/04/23 - 2012/05/23

| Business | Rate | Vehicle | Miles | Mile Deduction | Expenses | Total |
|---|---|---|---|---|---|---|
| Crispin Enterprises | 0.555 | cadillac sts | 2503.8 | $1,389.62 | $0.00 | $1,389.62 |
| | | vstrom | 742.0 | $411.83 | $0.00 | $411.83 |
| Total: | | | 3245.9 | $1,801.45 | $0.00 | $1,801.45 |
| Grand Total: | | | 3245.9 | $1,801.45 | $0.00 | $1,801.45 |

That's for one month.

For the next seven months it's going to be a bit less (since I'm probably going to be working from home one day a week), at more like $327 a week for the remaining 31 weeks of the year, minus three weeks (between vacation and holidays)... That's a total mileage deduction of just about $11,000. Oh and I can also take a deduction for the portion of my loan interest that covers my business usage.

Of course... I am putting 3000 miles a month on my vehicles; and all the maintenance and depreciation cost that incurs (a full year's deduction would come to just about $20,000; and as a small businessman, isn't subject to the 2% limit).

Right now, the depreciation on my STS is something like $3,000 a year base, plus mileage... Call it $6,000 total at current used car pricing. My actual expenses (projecting to a full year's mileage and costs) for fuel are something like $6,000. My actual expenses for maintenance are something like $3,000 (two major maintenance periods a year, plus two additional oil changes, plus a set of tires a year, plus incidentals).

So, I'm coming out a bit ahead on the standard mileage rate with the STS; and well ahead when I'm using the bike (which gets about 1.75x the mileage of the car, and has basically zero depreciation from what I paid).

Between that, the rest of my uncompensated and unreimbursed business expenses, and all my other business, and personal deductions (and of course, being unemployed for the first four months of the year, and the big pay cut I took from my previous job); my taxable income (and therefore my tax burden) for 2012 is going to be... low. VERY low.

In fact, so low, I think I will have covered my expected tax burden for the year before fall (between my unemployment, the taxes my wife has paid, and the last month's taxes paid from the new gig, I've already covered more than 1/4 of it).

So, at least there's that.

How I'm maintaining sanity, with 3 hours a day on the road

Or at least, how I'm maintaining sanity when it isn't raining...



Not the dog (Zoe is peeking through the fence there), the bike.

Specifically, a 2004 Suzuki DL1000 V-Strom.


This particular V-Strom is equipped with the Kappa Suzuki hard luggage system, factory heated grips (installed after delivery), and is powerlet wired for heated vest, and pants; and for dash power.

The original owner also modified the factory throttle bodies (removing the secondaries), put a throttle body remote sync setup in place, installed a K&N air filter, and replaced the factory windscreen with a Windstrom Manta. I also bought it with a nearly new chain, and a nearly new set of Metzeler Tourances on it (they should last me at least a year, maybe more).

He also had the motor and clutch completely rebuilt (I have full maintenance records) and had the motor blueprinted at 30,000 miles.

Honest to god, the bike really is just about perfect, and might as well be brand new.

So.... When exactly did I get a motorcycle? Since I haven't mentioned it until recently and all?

Last year, I got a contract that had me living in San Francisco during the week. The contract looked like it would go for at least six months, maybe a year; and I was extremely tired of being stuck using cabs to get around, and having to rent a car to leave the immediate area around the city.

Bringing a car down to the city was impractical... and frankly, would've been more irritating than cabs and rental cars (SF is VERY car unfriendly); so I decided to buy a bike, as a low cost commute, runaround, and general "get out of town" vehicle.

I found this V-Strom, with extras, being sold by its original owner (an MSF riding instructor, who, with his wife, owned six different motorcycles), at well below market price (I only paid $3,500 for it. Blue book was $4500 plus the accessories); in near perfect condition, excepting the pretty high mileage (39,000 miles. This guy RODE his bikes).

Unfortunately, literally the week after I bought the bike, the contract was cancelled; and I never rode it down to San Francisco. In fact, I was only able to put a few hundred miles on the bike last year, having bought the bike shortly before the cold weather hit.


I have to say, as my first "modern" liter bike (I've had other 1000cc bikes before, but not in more than 10 years; and none made after the early 90s) I was completely unprepared for how powerful the bike is, for such comparatively light weight (about 455lbs dry, or about 520lbs wet, with the luggage).

By today's standards that's no lightweight (some of the 600s are under 410lbs wet, and several 1000s are under 450lbs wet), but I grew up with a CB750 (under 70hp at the crank, and about 560lbs wet), and a V65 Magna (116hp, but over 600lbs wet).

From the factory, the bike has just under 100hp at the crank (and most owners who dyno them report about 80-82hp at the rear wheel). With current mods, it's probably a tiny bit more (the bike is so well maintained, I don't expect any power loss from wear). With nothing but bolt-ons and a good retune, the bike can be set up to produce 112-118 horsepower at the crank, and nearly 100hp at the rear wheel.

The bike is also tuned for low end torque... or rather, low end for a Japanese bike. 60% of the torque and horsepower are available under 4500 RPM (with a 7850 rpm redline), coming to a torque peak of 77ftlbs at 6500 rpm, and 98hp at 7500rpm.

It's got enough power, and torque; that even as big as I am, Mel and I can two-up the bike quite comfortably (though that is technically over the bike's max GVWR)... and the suspension and brakes can handle us without a problem as well.

For night riding, the headlights on this thing are incredible; at least in comparison to what I'm used to. I've got more, and more useful, light throw than in my car or truck.

Oh, and I really like the luggage. You can fit a surprising amount of "stuff" in them... so much that I could easily see camping or touring the bike (with some comfort mods of course).


That isn't to say the bike is perfect. For one thing, it's DAMN tall. I'm 6'2" with a 34" inseam, and when the suspension is set up to allow my wife and me to two-up, I can barely stand flatfooted with my weight fully on the bike; and am on my toes with my weight off the bike.

There's a good reason for that of course. As an adventure bike, it's intended for rough road riding; with additional ground clearance, and suspension travel... But I don't know how average height riders can manage the bike, never mind shorter riders.

For me, both the stock windscreen, and the manta, are WAY too low, too small, and badly shaped. Combined with the shape of the fairing, there is almost no pocket of calm air, and there is some high speed buffet (and a fair bit of wind noise).

Also, I don't care for either the stock gearing, or the stock AFI tune (which is far too lean in most RPM ranges, and too rich in others... most likely for California emissions standards. California bikes also include a catalyst, but use the same fuelmap).

Apparently I'm not the only one, because the three most popular major functional mods for the VStrom are changing the gearing, retuning the bike, and replacing the windshield.

I'm going to need another windshield, no way around it. An extra extra tall and wide one; probably the CeeBaily extra high touring windshield. The Manta just isn't cutting it for me. I may also need to buy a Madstad adjustable windshield mount bracket for it, to fine tune the windshield angle, height, and undershield venting.

The stock gearing is neither fish nor fowl, nor good red meat. With the stock tune, there is an irritating flatspot/dip in the power curve between 3500 and 4000rpm; which, coincidentally, is the exact RPM range the bike will cruise in at common road speeds in every gear. Also, with the stock gearing, sixth gear (overdrive) is damn near useless; cruising at over 80mph at the top of the flatspot, and running below powerband at almost any highway speed.

The stock sprocket combination is 17/41, with a 525 chain (which I consider too light for a 1000cc bike, particularly one with this much power). I've picked up a 16/43 sprocket set on a 530 chain, and a DID gold 530 xring chain to go with them.

That ought to make my drivetrain bulletproof; at the same time moving the sweetspot in the powerband between power and fuel economy, right to the cruise points in all gears at common road and highway speeds (you can check out the differences at http://gearingcommander.com).

The tuning issue is addressed with a Dynojet Power Commander III USB, which can remap the fuel and ignition maps, and eliminate the flatspots (also add something like 6-8hp in stock configuration if remapped well; and up to 16hp when combined with an air filter, and modified or performance exhaust). I ordered one last year, but haven't installed it yet.

I've also snagged but haven't installed a HealTech GI-Pro gear indicator with ATRE (Suzuki does some stupid timing retard tricks to reduce emissions etc... The ATRE remaps the ignition timing to remove those stupid tricks), as the Vstrom only has a neutral indicator; and I like to have a positive indication of what gear I'm in.

I may, or may not, eventually pick up a performance exhaust. I like how quiet the stock exhaust is; but it is certainly ridiculously restrictive. Not only will a replacement produce more power, but it will actually improve the smoothness and power delivery, and with the right tune can even improve fuel economy.

Oh and for a bike that's intended for "adventure touring" I think it's nearly criminal that the bike doesn't include a centerstand (one is available as a factory accessory, or from the aftermarket, both around $250). I ordered one last year, but got it with the wrong bracket without realizing it. Thankfully, even though it's more than six months later, the seller is making good, and sending me the proper bracket and hardware.

On the "incidental" side of things, I've got phone and GPS mounts waiting to be put on, and hardwired (I'm going to install an accessory power block and some switches), some LED driving lights, and a throttle lock (also all waiting to be put on).

I may also pick up a reshaped, refoamed (stiffer foam), and heated, saddle; a set of wider mirrors (or mirror widener brackets) and a set of drop brackets for the pegs. They'll greatly improve my highway comfort... I'm perfectly fine with a two hour ride single up; but when Mel and I are 2 up, or going longer than two hours... Not so much.



Oh and look at the plate...

I swear to you, I didn't request this plate, it wasn't custom/vanity... The lady at the DMV just pulled it out of the pile, and I laughed out loud.


This being Idaho, she wasn't puzzled, she just said "so, you're a shooter then?"

Yeah... you might say that.

Monday, May 21, 2012

Patrol Platform

A friend, reader, and forum reader at the Guncounter forums put forth an idea yesterday that I thought might be interesting to talk about here.

"The Glock has replaced 1911s and other pistols in the hands of the police because a monkey can be trained to operate it and it is reliable even if not properly maintained.

I think the AK might be like the glock of rifles and would serve our police force better than the AR-15s.

In the hands of a trained operator* and when properly maintained the AR is a superior rifle to an AK. The AR is just as reliable, but easier to shoot well, and has a superior control layout. That said, at least 75% of the patrol force out there is incompetent, unmotivated, and downright stupid. Some of them shouldn't be issued anything more than an old 38, and no bullets. They will not undergo the training necessary to achieve proficiency with the operation of an AR, they will not practice with it to benefit from its accuracy, and they will not clean it to ensure its reliability.

The fact of the matter is that our cops are much like the group of people for whom the AK was designed. The reliability is an advantage because they won't maintain them, the lack of accuracy is not an issue since they can't shoot that accurately anyway.

So my argument is that instead of AR-15 rifles, our cops should be issued semi-auto AK-47 pattern rifles. Let the flame-war begin! "


Actually, I almost agree with him here, excepting the (intentionally... this person is a bombthrower by nature) inflammatory description of American patrol officers (there is SOME truth to the concept he's speaking of, but not to the degree he's talking about), and the two major problems that:

1. U.S. Police departments will almost certainly not be politically able to use AK pattern rifles.

I believe this one difficulty is insurmountable. The AK really is thought of around the world, and particularly in the media, as a terrorist gun.

The sight of American cops shooting at American citizens (even if they are criminals) with AK pattern rifles, would be entirely politically unacceptable; even if the rifles were U.S. made, and looked nothing like the AK of the middle eastern terrorist etc...

2. An AK pattern rifle is longer, heavier, bulkier, less maneuverable, and more snagprone in vehicles, and tight quarters, than an AR pattern rifle of equivalent barrel length

Though this can be compensated for somewhat, with the right configuration and accessories; it can't be completely mitigated. Being made almost entirely of stamped or milled steel, the AK pattern rifle will always be heavier than the AR pattern rifle; and the receiver of the AK pattern rifle is considerably longer than the AR pattern rifle, and can't really be shortened.

And a few minor issues like:

3. The 7.62x39 round is louder, has more muzzle blast and recoil (though admittedly, not a hell of a lot), and is more likely than 5.56n to overpenetrate through obstacles (as opposed to people... and experience has shown that cops are far more likely to hit things other than people) while retaining wounding potential.

This of course could be compensated for by simply chambering the rifle in 5.56, or 5.45 (or for that matter, any number of other intermediate chamberings).

4. The AK pattern rifle is generally more difficult to adapt for accessories, adjustable stocks etc...

These accessories are actually very useful to the law enforcement mission and the mission impacting factors, of the patrol carbine. The issue is pretty easily addressed; however, when you do so, the rifle becomes just as expensive as an AR, negating one of the advantages of the AK platform.

Essentially, even excluding the insurmountable political issue; after modifying the AK platform to match the useful aspects of the AR which should be retained for the patrol carbine mission, I don't believe the AK platform presents sufficient advantage... or any advantage really... to warrant adopting it over the AR.

All that aside... I think this is actually a good opportunity to address a more fundamental issue represented by the entire concept of the law enforcement patrol carbine.

In general, I believe that the U.S. law enforcement mission (at least in urban, and suburban environments, for local law enforcement) is better served by the patrol shotgun, than the patrol carbine.

Though I believe the patrol carbine is a useful tool to have, and we should retain it as an option available to officers; the patrol shotgun is more tactically appropriate and more mission appropriate, in most circumstances; and gives the officer more flexibility in response options, than the patrol carbine.

I have nothing against the patrol carbine. It fills a genuine need, while being familiar to many officers from military service and recreational shooting; as well as being understood and accepted by the general public (now anyway, more than 10 years post 9/11. When it was first becoming common in the early to mid 90s, it was a huge political issue).

...I just don't think the patrol carbine meets the urban and suburban law enforcement mission as well as another option might.

Note: I should say, I'm not exactly an original thinker in this. What I'm saying now has been said by hundreds of law enforcement trainers, and thousands of law enforcement officers, for years... But I have rarely seen this discussion in the gunblogger realm, and it's something I thought my readers might be interested in discussing, and in many cases may be able to contribute their firsthand or relevant knowledge and experience to.

The two mission challenges addressed by the patrol carbine (as opposed to the personal sidearm, or patrol shotgun) are:

1. marksmanship and immediate response capabilities at 15-100 yard distances; to be able to rapidly respond to situations in that tactical regime without waiting for a SWAT callout.

2. Effective, immediate, response against lightly barricaded subjects (particularly those barricaded in or behind vehicles), or subjects wearing light to medium body armor; again, to allow an officer to rapidly respond to these situations without waiting for SWAT callout.

A note: I am qualifying myself with "urban and suburban" here, because there are some mission challenges in rural law enforcement, and in highway patrol, that may be better met by rifle caliber weapons. In these environments, an officer may be a very long distance (or long response time) away from backup, support, or enhanced capability response units.

Further, an officer may commonly encounter a need to respond to situations best met by a rifle. Dispatching wildlife, handling longer range engagements (lots of clear space around highways, and in rural areas, for hostile subjects to engage an officer), dealing with subjects that are more heavily barricaded or in deeper cover (or are barricaded at greater distances... particularly in or behind vehicles at greater distance), disabling vehicles; and in extremis, engaging rifle armed subjects (which, because of the time and distance involved, can't wait for a SWAT callout; if the organization even has such resources available).


I would advance the proposition that the tactical challenge the patrol carbine addresses, at least for the urban and suburban patrol officer, may in fact be better addressed with a PDW concept weapon which gives armor penetration capability (such as the P90).

In general I would posit that the patrol officer does not need response capabilities for heavily armored, heavily barricaded, or excess of 100 yard situations; in which rifle caliber weapons would provide a decisive advantage over PDW concept weapons. These situations should be handled by SWAT or tactical response; or other heavy armor, and rifle equipped, response units.

The patrol officer is neither trained, nor equipped to handle this mission (nor should he be under normal circumstances), and should only be responding to these situations in extreme circumstances (except in a supporting role. Establishing and maintaining a perimeter, handling the public, etc...).

The PDW concept offers light weight, ease of maneuverability and handling, good ergonomics, rapid fire capability with little recoil, precision marksmanship within its accuracy envelope (100 yards and under), and armor penetration within its high percentage performance envelope (50 yards and under).

I believe these advantages and performance envelope are better matched to the needs of the urban or suburban patrol officer, than the advantages and performance envelope of the rifle caliber weapon.

As of 2012, there are several PDW concept weapons that have been proven effective in operational use (most notably the P90, but there are others).

I believe the PDW concept may not yet be mature enough to consider for wholesale adoption by American law enforcement (and I remain doubtful as to the general military mission for the class of weapon); however, it may present a better solution in general, to the patrol officer's mission challenges, than the rifle caliber patrol carbine.

Sunday, May 20, 2012

Atmospheric


The original Washington Water Power Company Steam Plant, built in 1907 (on the site of a water power facility built in 1892).

The site is still owned by Washington Water Power Company (founded 1873), which has operated since 1998 as Avista Utilities. Part of the complex still houses some of Avista's offices; with other offices, shops, and food service, in the remaining space.

The main restaurant area is built around the original coal elevator, and some of the original powerplant machinery (and much of the piping, catwalks etc...); which have been preserved, and placed on display for patrons to see. It's a fascinating place to have dinner (and quite a good restaurant, though a bit pricey).

Thursday, May 17, 2012

Overheard in our household... Tell us how you REALLY feel...

Or rather, in our car...

So, the situation:

We're cruising I-90 near the Idaho/Washington border, heading towards route 95 (which hits the 90 at Coeur D'Alene), at plus 7.

We had been by that spot less than two hours before, and noticed a speed trap being worked by multiple Idaho State Police troopers (in their black Dodge Chargers... very cool/evil looking).

All of a sudden, a little black Acura, with smoked out (and blue tinted) headlights, taillights, turn signals, and license plate cover (and this was at twilight... so... yeah, you already know they're a douchebag); passes us at about plus 15.

Idaho troopers are almost always fine with +7, sometimes with +9; but anything +11 or more, and you're definitely going to be getting a ticket; particularly if you're an out of state driver (because they know you aren't likely to contest the ticket).
Chris: "Hmm... wonder if I should warn him about the speed trap up ahead...?" 
Mel: "Nah... he's from Washington" 
Chris: "Oh... well fuck'im then"
I should note, I have nothing against people from Washington state... some of my best friends are from, or live in, Washington.

Washington DRIVERS on the other hand...

I drive in Washington every day (my commute is almost exactly half in Idaho, half in Washington), and let me tell you; it's very apparent soon after you cross the border (basically from Liberty Lake on west), that the quality and skill of the drivers goes down, and the stupidity and homicidal/suicidal tendencies go WAY up.

Idaho drivers are frequently slow drivers (minus 10 is not uncommon); but they're MUCH more polite, more aware, and safer.

A Random Aside from "The Avengers".

A funny coincidence (and very slight spoiler) related to the film "The Avengers".

In the movie, a "BIG BATTLE"™ occurs around Tony Stark's fictional headquarters in midtown Manhattan, the "Stark Tower".

Said fictional "Stark Tower", is sited on the spot of the world famous MetLife building (originally, the world famous Pan-Am building), at 200 Park Avenue; which happens to butt up against Grand Central Station. It's also just across, and a block down Lexington Avenue, from the Chrysler Building (at 42nd and Lexington).

Coincidentally, for a few months on a contract, I happened to work kitty corner across 42nd street from the Chrysler building; at Pfizer world headquarters (42nd, between Lex and 3rd).

During that time, I lived in two different corporate apartments in Manhattan. The first place was on the upper east side, at 86th between 2nd and 3rd (just down the block from Papaya King, and a couple more blocks from the park), that had me taking the subway down from the 86th st. station, to Grand Central, every morning (I even occasionally walked it. 40 blocks isn't a "long" walk in the rural sense, about two miles, but in Manhattan terms it's like hiking from Philly to Pittsburgh). The second apartment was at 39th and 2nd; just five blocks down, and two blocks out, from the notional "Stark Tower".

Suffice it to say, I'm very familiar with the neighborhood.

At one point during the movie, there's a throwaway line I'll paraphrase as "We should get schwarma. I heard there was a pretty good schwarma place a couple blocks from here".

As it happens, I recognized where "Stark Tower" was right away, and of course remembered the neighborhood very well... So when I heard that line, I literally laughed out loud...

... Because there actually is (or was in the mid 2000's anyway) a really great schwarma place about two blocks south, and two blocks east, of the MetLife building... and I know personally how good it was, because I ate lunch there probably three times a week the entire time I was on that contract (more, when it was almost on my walk home).

Anyway... I thought it was funny... but maybe it's just me.

Friday, May 11, 2012

Audioblog test from the road

Audio recording @ Athol, Idaho (low bandwidth stream)



Download link: AnarchAngel AudioBlog 5-11-2012 MP3

As of right now, the text link works, the embed link doesn't. I'll fix that this evening after we get back from watching The Avengers movie.

10 hours at work, 3 hours on the road... long damn day

I spent 9 hours today dealing with distributed botnet scans, floods, and relay attacks.

For those of us who are infosec professionals, and server or network admins; you all know how irritating, frustrating, and nearly futile that can be.

You can mitigate, and remediate, but not resolve.

Blocking subnets is only a partial solution. It doesn't work for very long, because the very nature of a distributed attack is such that it will simply shift to other subnets; and of course the same applies to blocking hosts.

And of course, that doesn't solve the problem of link saturation. You need to get your upstream provider to filter the traffic at their end... and you still have the same problem with shifting attack sources.

Oh and of course, when you blackhole entire netblocks, legitimate things sometimes break.

One lovely trick favored by botnetters is to compromise a host with a content distribution network front end (like Akamai), and use that to spread their attacks even further, hiding them in the legitimate traffic and making it effectively unblockable, unless you're willing to break a quarter of the entire internet's access to your site.

You can really go down a hole chasing this stuff down and trying to flyswat it.

I go fall down now.
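The decay described above can be measured rather than guessed at. The following is an added example, not part of the original post: it builds a /24 blocklist from one hour of traffic by request volume, then scores that list against the next hour, counting both attack requests stopped and legitimate requests dropped. The traffic records, addresses, threshold and function names are all constructed for illustration.

```python
import ipaddress
from collections import Counter


def make_hits(hour, prefix, hosts, per_host, is_attack):
    """Build constructed records: (hour, source IP, ground-truth label)."""
    return [(hour, f"{prefix}.{h}", is_attack)
            for h in hosts for _ in range(per_host)]


# Constructed sample traffic (not real data). The attack label is ground
# truth used only for scoring; the blocklist builder never looks at it.
SAMPLE = (
    # Hour 0: attack from two /24s; some legitimate users share 10.0.2.0/24
    # (standing in for a shared front end), the rest come from 10.9.9.0/24.
    make_hits(0, "10.0.1", range(10, 30), 5, True)
    + make_hits(0, "10.0.2", range(10, 20), 5, True)
    + make_hits(0, "10.0.2", range(200, 204), 2, False)
    + make_hits(0, "10.9.9", range(1, 11), 2, False)
    # Hour 1: 10.0.1.0/24 goes quiet, the attack moves to two new /24s.
    + make_hits(1, "10.0.2", range(10, 20), 5, True)
    + make_hits(1, "10.0.3", range(10, 30), 5, True)
    + make_hits(1, "10.0.4", range(10, 20), 5, True)
    + make_hits(1, "10.0.2", range(200, 204), 2, False)
    + make_hits(1, "10.9.9", range(1, 11), 2, False)
)


def subnet_of(ip, prefix_len=24):
    """Return the enclosing network of `ip` at the given prefix length."""
    return ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)


def build_blocklist(records, hour, threshold, prefix_len=24):
    """Block every subnet whose request count in `hour` reaches `threshold`.

    Volume is the only signal used, which is why legitimate users who
    share a noisy subnet end up inside the block.
    """
    volume = Counter(subnet_of(ip, prefix_len)
                     for h, ip, _ in records if h == hour)
    return {net for net, count in volume.items() if count >= threshold}


def evaluate(records, hour, blocklist, prefix_len=24):
    """Score a blocklist against one hour of labelled traffic."""
    stats = Counter()
    for h, ip, is_attack in records:
        if h != hour:
            continue
        kind = "attack" if is_attack else "legit"
        stats[f"{kind}_total"] += 1
        if subnet_of(ip, prefix_len) in blocklist:
            stats[f"{kind}_blocked"] += 1
    return stats


if __name__ == "__main__":
    blocklist = build_blocklist(SAMPLE, hour=0, threshold=40)
    print("blocked subnets:", sorted(str(n) for n in blocklist))
    for hour in (0, 1):
        s = evaluate(SAMPLE, hour, blocklist)
        print(f"hour {hour}: "
              f"attack stopped {s['attack_blocked']}/{s['attack_total']}, "
              f"legit dropped {s['legit_blocked']}/{s['legit_total']}")
```

On this constructed data the hour-0 list stops all of the hour-0 attack but only a quarter of the hour-1 attack, while dropping the same legitimate users in both hours.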

Tuesday, May 08, 2012

When did I become the "policy" and "process discipline" guy?

When I started in this business (information technology in general, and information security in particular) I was the guy irritated by all the policy and process. The one who just wanted to get things done. The one who thought policy, and process, mostly got in the way.

In many ways I still think that.

All too often, organizations fall back on policy and process rather than thinking, or accomplishing something. People become so captured by the process, that they forget that there is a mission, and a goal, and a task that the process is intended to service; and the process becomes the mission itself.

Then all of a sudden, you're measuring your compliance to the process, and your progress in completing the process; rather than your success in meeting your goals, and furthering the mission; and your organization is failing, but you can't tell why, because your metrics indicate you're extremely successful...

...And you are extremely successful... in following the process.

It is a universal maxim of professional analysis (whether it be business analysis, process analysis, or security analysis) that you will get what you measure.

People will respond to their incentives, and if their incentives depend on meeting a metric, they WILL make sure they meet that metric (if it's possible anyway).

Even if there are no formal incentives, goals, targets etc... When something is being reported on, and someone who matters is looking at those reports, people will make sure those reports look good.

You get what you measure.

So, I have spent a large part of my career warning people, and organizations, against letting the process become the mission; and particularly against managing to metrics.

I believe that entirely.

HOWEVER...

Policy is important.

Process is important.

Process discipline is important.

Controls are important.

Documentation is REALLY important.

The further I get in my career, the more I realize how true this is... While never diminishing what I said earlier about process and metric capture being a problem; I see more and more that without process, and policy, and documentation, and metrics...

You simply have no idea what you are doing, or why.

Maybe being a pilot has something to do with it. Pilots are among the ultimate in process people, and in process discipline. At least good pilots are.

If you intend to survive very long as a pilot, you learn to do the same thing, the same way, first time, every time (at least once the process is set); leaving room only for changes necessary to your environment, or to improve your processes after EXTENSIVE validation, testing, and training on them.

Doctors are the same way.

There are many things in the military that are the same way.

Anything that presents a strong degree of stress, and a major risk that must be controlled, will exhibit the same pattern.

Why?

Because when you are put under stress, you WILL revert to what you have ingrained (or trained, or repeated, or become used to, depending on how formal you are and how much repetition there has been).

So, you better make sure you have something to revert to, or you will be paralyzed.

And you better make sure that something you revert to works, and is kept working.

And that as your situation changes, what you do is updated and you and your people are trained to account for it.

And that it's all documented, and reported on, so you can figure out what the hell you did and why, when the time comes to return to normal.

Those elements, are the core of process management, process analysis, process improvement, and process discipline.

Ok, so.... what does that have to do with my title?

In the information security business, we have two major... let's call them process drivers.

The first is of course, the reason why you have the process in the first place; risk mitigation.

Our job is to manage risk, document it, place controls and mitigation around it, and develop policy, process, and tools for how to respond to a risk.

You need these, so that when that risk becomes a reality, and you experience an incident, or a compromise... or when you have to take immediate action to avoid one; you know what to do, why you're doing it, and what to do if things continue to go wrong.

The second is something that can be an even stronger business motivator, that big scary pair of words: AUDIT, and COMPLIANCE.

Particularly in regulatorily sensitive, privacy sensitive, financially sensitive, or physically security sensitive (or national security, or communications security, or operational security sensitive for that matter) operational regimes.

In my case, I've spent almost all my career working in banking, finance, medical, military, law enforcement, and government.

Every one of those sectors is sensitive to... basically all of those factors.

Now, I'm in a utility company; which is considered a "critical infrastructure" element by Homeland Security. VERY sensitive to all those factors.

In many environments, operational security grew organically, as an element of each of the operational and functional areas. Server operations took care of server security. Network operations took care of network security. Desktop support took care of desktop security. Often, there has never BEEN a telecom security function, or a document and information lifecycle management and security function, or an operational risk analysis function, or any kind of cross domain operational security responsibility.

There IS however a heavy audit and compliance burden placed on the operational security functions served by the organization.

In our organization, for example, we have to deal with federal critical infrastructure regulations, federal trade practice regulations, federal market regulations for our market, DHS (we are a "critical infrastructure element"), Sarbanes Oxley, PCI (we process credit cards, handle huge accounts of various kinds etc...), various other federal regulations (and regulators and auditors, and compliance officers), various interstate compact requirements, state regulations (and regulators, and auditors, and compliance officers) in three states; and of course the general privacy and information protection.

All of which must be AUDITABLE.

Audit and Compliance are cross domain.

Aggressively cross domain.

Audit and Compliance people like things to be EASY.

Like everyone else, they don't want to make any more work for themselves than they have to.

Audit folks really do have fairly simple needs from you. No matter how complex the language surrounding what they do can be, or how politically sensitive it can be; it's all logical underneath (at least if they're any good, and your organization has any sanity).

They want everything well documented. For every identified compliance requirement, identified audit risk, identified structural risk, or identified operational risk; they want to see a corresponding policy, a control for each policy, a process for each control, and a reporting and verification mechanism for each process.

Although it's not always absolutely necessary (frequently it is, but not always)... it's STRONGLY preferred that reporting and verification mechanisms include a persistent tracking function (in fact, it's usually called an audit function), localizing the performance of a task, or for that matter any change to an auditable datum, to a specific accountable individual or group.

Then they want at least documentation, and frequently training to support these policies and processes; ensuring that accountable individuals have signed off on their accountability, and have been given the tools necessary to ensure that they maintain compliance.

When security people talk about something being "auditable", that is what we mean.

In my experience, many organizations tend to view audit and compliance folks as unreasonable, a hindrance, or imposing lots of unnecessary or silly or irritating, or just plain stupid and useless work, or process on them.

And sometimes, there is some truth to that. A lot depends on the attitude and training of the auditor, the culture of your organization; and whether the people in question are audit and compliance professionals, vs. people from other fields, or with other responsibilities, who have audit and compliance dropped on them.

Professional auditors and compliance specialists, are business and technical professionals who have the training, tools, and understanding to know that their job is about loss prevention, risk benefit analysis, and risk mitigation; not risk elimination or perfection, which are impossible.

Funny enough, that's a very large part of my definition of what makes a good information security professional.

For people who just have compliance dropped on them... This is something they didn't want to do in the first place, and now they are PERSONALLY responsible for making sure everyone in the organization follows the policies, and documents them, and doesn't screw up, and doesn't send the organization down in flames and OH MY GOD I CAN BE SUED PERSONALLY FOR THIS!!!!!

No wonder they get paranoid, and protective, and overly anal, and can be unreasonable, and adversarial. To these people, everything you do risks their entire lives and careers; multiplied by every person in your organization who has permissions to effectively hold a gun to their head if they don't do their job ABSOLUTELY PERFECTLY.

Which, of course, is impossible.

In my own personal experience, most PROFESSIONAL audit folks are competent, reasonable people, who are more than willing to work with you, providing you don't try to lie, cheat, get away with something, avoid them, or otherwise make their life, and their mission more difficult.

Don't make it "us vs. them", and they won't; and you can all get your job done more effectively.

Audit and compliance can be your best friend, or your worst enemy. As a security professional, or any person of responsibility (system administrator, manager, application owner, DBA etc...), you should look at audit and compliance as a major tool in your arsenal of justification. When you need to spend money, or make politically difficult changes, audit and compliance can be your strongest ally; because believe me, if your management has any brains whatsoever, they LISTEN to what their audit and compliance people say.

On the other side of things, I can't tell you how often I hear "we'd love to do that, but audit and compliance won't let us".

If you have professional audit and compliance people, and work with them, give them the information they need, understand how they do their job, and how important their job is...

...You may not get what you wanted at first, but if you are flexible and mission oriented rather than fixed on a particular tool or technique...

But it's very rare that your audit people won't work with you to help you find a way to meet the business need you are trying to meet, solve the problem you are trying to solve, or otherwise get the job done.

A good, competent, professional auditor, will recognize that in the real world, there are always exceptions.

As IT professionals we know that... sometimes it seems our entire jobs are nothing but dealing with the exceptions (in fact, if you're doing your job well, and have the tools you need to do so intelligently... it should be); and auditors understand that too...


But exceptions raise the final big issue for audit and compliance...

When it all comes down to it though, the absolute most important thing...

The thing audit and compliance folks want to... in fact need to (because it is the very definition of their job, and they are accountable for it) make sure of...

No matter what exactly you've written down, as your policy, your control, and your process...

What they need to make sure of... Is that what you've written down...

... Is what you ACTUALLY DO...

You might be surprised at how often it isn't... or maybe not.

When there are exceptions to policy, and process, or there are spots where they break, or conflict... These things need to be approved by a person of responsibility, and they need to be documented.

That documentation needs to include an explanation of why the exception is necessary, how long it's necessary for (exceptions should either be temporary, with a definite expiration date, and a person responsible for making sure it's either renewed if necessary... and making sure that "renewed" doesn't become "permanent"... or removed; or they should be written into the core policy), what additional risk may be induced or exacerbated by exception, and how it's going to be managed; and if the primary process needs to be reviewed or changed, you need to include the actions necessary to make sure that will happen, and who is responsible for that.

Which brings me back to what I said way up above...

If you don't have documented policy, and process to support it, you have no idea what you are doing, or why.

Or rather, YOU may know what you are doing, and why... and the people you work directly with might know... But no-one else does.

What happens when, six months later, someone makes a rule in another department that interacts with an exception made in your department, for an application managed by a fourth department, that interacts with a rule in a fifth department, that ends up breaking everything...

And no-one but Alan knows why the second rule is there, but they have to make everything work RIGHT NOW... And Alan is backpacking in Belize for six weeks...

At which point your senior management go insane, because they're losing money, and customers, and there's bad press... and they don't know who can fix anything, but they do know YOU are right in front of them, and it's YOUR fault if you can't fix it.

Then, when the fire is put out, the REAL carnage begins.

Because I guarantee you, whether you have well documented policy and processes or not, your management is going to hold you accountable as if you did; because even if they told you specifically NOT to have policies and processes or to ignore them etc... When things go wrong, you WILL be held accountable for everything you did, or did not do, and why.

...And when he gets back from Belize, Alan, and Alan's boss, and his backup; are all going to be looking for new jobs.

Or, to be more positive about it, take it from the other side.

You are a contractor, brought in from the vendor that supports the computer system that everyone is blaming Alan for screwing up.

Your job is to figure out what went on, and how to fix it; without breaking things that work, or breaking things in ways that won't be obvious until they break something else a few weeks later.

If you don't have a full set of policies and processes, that are validated and updated regularly; and which match what staff actually DO; you won't be able to understand what is wrong, never mind how to fix it. You may even have to rebuild a system entirely... what if you don't know the full process, and it's 4am on a Saturday?

Scoped, managed, documented, and maintained properly; policy and process are your friend.

There is a principle in incident response, disaster recovery, and business continuance; called Continuity of Operations; with the strongly related ideas of Dependency Reduction, and Single Point of Failure Mitigation.

COO is the concept that when things go bad, no matter what, someone will be able to pick up the pieces, and get your organization back and operating at least at some minimum level, within a reasonable period of time.

You maintain continuity of operations, by making sure you have redundant systems, backups, tools, resources, links etc... and the policies, processes, and documentation  necessary; so that any responsible and privileged individual can follow your documented processes, and return to operations from them.

Along with that is dependency reduction. That's just what it sounds like; reducing the number of dependencies in your operations, so that there are fewer things to fail, and fewer things preventing or slowing down recovery in the event of failure.

Single Point of Failure mitigation, or SPOF mitigation; is about finding, understanding, and documenting a particular class of critical dependencies in your operation. The class of dependency which, if a single piece of the operation fails or is missing or unavailable, will crash the whole operation, or cause a major failure, induce a major risk, or prevent a timely recovery.

The point of understanding SPOFs, is to reduce them to as few as possible, then to mitigate the failure modes of the rest which can't be eliminated; usually by providing additional backups and alternates for each function, and a process to cut over to these backups in the event of a failure.

If you don't have good processes, which are properly documented; then you cannot reduce your points of failure. You need to know exactly what you are doing, how, and why; to understand how your operation can fail; and therefore how to mitigate these failure modes.
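To make the SPOF inventory concrete, here is an added example (not part of the original post): the documented operation is modeled as functions that each need several things, where each need can be met by any one of its listed alternates, and every component is then failed in turn to see whether the operation survives. All component names, including the people and the runbook, are constructed for illustration.

```python
# Constructed model: each function lists its requirements; every requirement
# is a set of alternates, any ONE of which satisfies it (an AND of ORs).
OPERATION = {
    "payroll_service": [{"app_server_a", "app_server_b"}, {"database"},
                        {"restore_capability"}],
    "database": [{"db_primary", "db_replica"}, {"storage_array"}],
    "restore_capability": [{"backup_tapes", "offsite_copy"},
                           {"restore_runbook"},
                           {"admin_primary", "admin_backup"}],
}

def available(node, failed, model, _seen=frozenset()):
    """True if node still works given the set of failed leaf components."""
    if node in failed:
        return False
    if node not in model:      # leaf: hardware, a person, a document
        return True
    if node in _seen:          # circular dependency: cannot be brought up
        return False
    seen = _seen | {node}
    return all(any(available(alt, failed, model, seen) for alt in alternates)
               for alternates in model[node])

def leaves(model):
    """Every component that is depended on but has no entry of its own."""
    named = {alt for reqs in model.values() for alts in reqs for alt in alts}
    return sorted(named - set(model))

def single_points_of_failure(target, model):
    """Components whose loss, alone, takes the target down."""
    return [c for c in leaves(model) if not available(target, {c}, model)]

def failing_pairs(target, model):
    """Pairs of non-SPOF components whose joint loss takes the target down."""
    spofs = set(single_points_of_failure(target, model))
    rest = [c for c in leaves(model) if c not in spofs]
    return [(a, b) for i, a in enumerate(rest) for b in rest[i + 1:]
            if not available(target, {a, b}, model)]

if __name__ == "__main__":
    print("SPOFs:", single_points_of_failure("payroll_service", OPERATION))
    print("Redundant pairs to protect:", failing_pairs("payroll_service", OPERATION))
```

The pair list is the other half of the exercise: it shows which backups share a fate, so a single event that takes out both members of a pair is still an outage.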

Unfortunately, all of these things are time consuming; generally the time of skilled employees, many of whom will have no time to complete their normal workstream, never mind deal with extra work around security.

Which is where many people reading this will find themselves right now.

I'm responsible, as the delegate of a person of responsibility; to make sure that our processes all work, and that documentation is created or updated for it; at least those pieces for which we are responsible, and have an audit and compliance requirement for.

So, I find myself being the guy going up to folks, and asking to sit with them to see what they do, and saying "and is there a process for this?" and "is the process documented?" and "who owns the process and the documentation, and can I get access to that?"

I'm THAT irritating guy whining about process discipline, and irritating people, and poking my nose in where I'd really rather not have to.

Good god, when did I get old?

Sunday, May 06, 2012

Okay, that's a new low for me...

I managed to go a full five days without a post... really six actually... when I wasn't on vacation or sick.

That's how busy I was this week. I've been leaving the house around 7:30am each day, coming home around 7:30 or 8, because I haven't been leaving work 'til after 6 most nights.

That won't be a normal thing once I get settled in; I've just got lots I need to do while I'm getting up to speed, and I lose track of time etc...

At least I'm coming home in daylight.

And of course, as usual, I haven't been sleeping enough; averaging about 3 hours a night for the last two weeks. Combined with the 2.5 hours a day in the car.... yeah, I'm not exactly at the top of my game. I've barely even READ blogs this last week, never mind written anything that wasn't work related.

Thankfully, I'm getting some stress relief, and relaxation on the weekends; post about that to follow soon.

Tuesday, May 01, 2012

The new job, one week in


So far, so good.

As has always been my general policy, I won't be specifically identifying my employer, client, or co-workers.

The job is potentially very interesting. The job is also potentially very politically complicated. That's never a good thing, but it's not exactly an uncommon thing either.

On the interesting side, there has never really been a standard security operations practice within the client.

On the difficult side, there has never really been a standard security operations practice within the client.

'Til now, security operations has primarily been concerned with authentication management, change control, and dealing with alerts from virus scan etc...

We're hoping to build up a full and robust security operations group; including risk identification and analysis, operational risk elements in project development and delivery, a full incident response practice including investigations and forensics, tools enhancement... and a hell of a lot of other fairly fundamental security operations functions.

Without rocking too many boats, spending too much money, irritating the wrong people, spending too much money...

Yeah.

At the moment I'm pretty much in current state analysis, and gap analysis mode; and I probably will be for several months.

From a purely personal perspective, yeah, the commute is a pain in the ass. I'm making it in a pretty consistent one hour fifteen +-3min, in mostly light traffic (rarely below the speed limit except through the lights in Coeur D'Alene and the last mile off the highway in Spokane) and averaging just under 26mpg.

So, for a full five day week that's 12.5 hours in the car, 750 miles, for about 30 gallons of gas, or about $120 these days.

Yeah... that sucks.

In a few weeks I'm probably going to go to a 4 days onsite one day at home schedule, which will help. I'm also hoping to be able to commute on the bike at least one day a week, maybe two; and it gets about double the mileage of the car. Maybe cut the total time and mileage down to under 10 hours (I figure I can make a bit better time on the bike... though not much) and 600... and the gas spend down from $120 to around $85.

Meanwhile, I'm going through audiobooks at a prodigious rate.

Call me... cautiously optimistic and conditionally hopeful at this point.