Ever start a simple project – or perhaps ask for something simple to be done on your behalf – and get far more than you bargained for? Sometimes the seemingly simple things reach up and bite you. I was thinking about this two weeks ago, in the middle of some weekend gardening, expecting to tackle a small irrigation leak that popped up during the winter.

I went out to the yard with the handful of tools I would need and started scouting around the pool of standing water to locate the source of the leak, and I found it – more or less. It was buried under some mud, so before I could fix the leak I needed to remove the mud around the irrigation line. Before I could remove the mud I needed to remove the giant rat’s nest on top of the mud – stuffed full of Cholla. Literally. It apperas a rat ate the irrigation line and then used it as a private port-o-let. But in order to remove the rat’s nest I needed to remove the 45 lbs of prickly pear cactus that formed the roof of the rat’s nest. Before I could remove that cactus, I needed to remove the 75 lb Agave that arched over the prickly pear. Before I could get to the agave I needed to remove a dead vine. Before I could cut out the vine I need to remove some tree branches. Each step required a new trip to the garage to collect another tool. And so it went for the next three hours, until I finally found the line and fixed the leak.

When I finally finished that sequence I was rewarded with 30 minutes tweezing prickly pear micro-thorns from my fingers. What should have taken minutes took the entire morning, and left painful reminders. Which brings me to IT: those who provision data centers and migrate backbone business applications know exactly what this feels like – as I was reminded when I told a couple friends about my experience, and they laughed at me. That described their life. They deal with layers of operational, security, regulatory, and budgetary hurdles – mixed liberally with rat droppings – all the time. Someone asks for a small server to host a small web portal and before you know it someone is asking how PCI compliance will be addressed. Say what you will about cost savings being a driver for cloud services – simplicity (or at least avoidance of complexity) is a major driver too. Sometime it’s just better to have a third party do it on your behalf – and that comes (anonymously of course) from some IT professionals.

On to the Summary:

Favorite Securosis Posts

Other Securosis Posts

Favorite Outside Posts

Project Quant Posts

Top News and Posts

Blog Comment of the Week

This week’s best comment goes to HD Moore, in response to Should the Red (Team) be dead?

It isn’t clear why Gene believes that CTF contests have any correlation to professional red teams. A similar comparison would be hackathons to software engineering. In both cases you approach the problem differently and the participants learn a different set of skills. CTFs are not how real red teams operate or vice-versa.

On the demand for security engineers and forensics professionals – we absolutely need more of them, but these folks need to be familiar with what actual attacks look like and how they are carried out. In a perfect world, every security professional would have a background that included both attack and defense.