$499 US Government Web Sites Worth Every Penny

Kotzkopf arrived nearly an hour early for his consultation yesterday, and I knew exactly why, too.  It was so he could hang around my comfortably furnished reception area, splitting his time between playing Angry Birds in HD on an iPad and ogling Gretchen.  I’d bet that those diversions did quite a bit to cheer him up, and furthermore, that he probably needed it, too.  Because Kotzkopf heads up one of several cyber security groups in the Office of the Federal Chief Information Officer and, as he told me when our consultation began, the OFCIO currently has a mighty big security problem.
“You’ve heard about the announcement on www.Imperva.com, I assume,” he sighed as he seated himself in the chair just to the right of my desk.
“That some crazy hacker is offering to sell system administrator access to US government Web sites for what amounts to the price of a decent dinner in downtown Washington?”
“Well,” Kotzkopf mused, “I guess you could put it that way.  Depending on the site, he’s asking between thirty-three and four hundred ninety-nine dollars, and yeah, that’s the price of a restaurant dinner around here, depending on where you decide to eat.”
“And what you decide to drink with it,” I added.
“True,” Kotzkopf concurred.  “The only place you can get a decent dinner in this town for less than thirty-three bucks is Ben’s Chili Bowl.”
“West of Georgia Avenue, anyway,” I qualified.
“Also true,” Kotzkopf grumbled morosely.  “So, anyway, it’s been pretty rough for us the last week or so, you know.  Thursday, we got a visit from… over there,” he snapped, pointing with somewhat exaggerated emphasis through the picture window behind the couch to the White House.  “They sent over this… ah, rhymes with ‘witch,’ you know, Tom?  And she ripped us all new ones for about two hours.  She called us ‘ignorant lard-butted Civil Service dead wood with ape [expletive] for brains,’ Tom!  Now, I ask you, is that any way to talk to a room full of GS-15s?”
“Well,” I carefully responded, “it’s certainly not very polite.  Do you suppose she kisses her mother with that mouth?”
“Her mother,” Kotzkopf fumed, “is a Sodomite, unwed, and a pedophile!  And she’s a Socialist, a traitor and a cannibal!”
“Come, come,” I tactfully chided, “just because this woman is undoubtedly an Obama Democrat, that doesn’t mean anything you make up about her is automatically true, now does it?”
“Hmph,” Kotzkopf snorted derisively.  “I don’t see why not.  It works for Glenn Beck.”
“You shouldn’t take it personally,” I recommended.  “That woman’s probably under a lot of stress herself.  After all, she has to go back to the White House and explain why, after devoting literally millions of labor hours to computer system and network security, the US government still can’t seem to construct a Web site that’s capable of keeping naughty twelve year old kids from hacking it.”
“Okay, yeah, maybe so,” Kotzkopf admitted, “it’s certainly no picnic when somebody who probably wears braces and reads Harry Potter breaks into a federal government Web site we spent a frigging fortune on.”  Kotzkopf paused, knitting his brow and considering his utterance carefully, first gazing thoughtfully up at the ceiling, then turning to confront me.  “And how come that keeps on happening all the time, Tom, no matter what we do?  Look at the Web sites I’m responsible for – they get compromised an average of once every two and one-half weeks!  Christ Almighty, Tom, we let the prime contract for them to one of the best blue-chip accounting firms!  They have an award-winning IT practice!  They put together a top-notch team, too – all of them Ivy League graduates and not a single one over twenty-seven years old!  And the quals, Tom, they had quals up the wazoo, I tell you – MSCE, MCA, MCS, MCTS, MCITP, MCPD, MCSA…”
“That’s your problem right there,” I politely interrupted.
“What problem?” Kotzkopf demanded, verging on indignant.  “Not enough quals?  You didn’t even let me finish the list!”
“There’s no need to finish it,” I told him.  “Those are all Microsoft certifications, which means your Web sites are built using Microsoft technology.”
“Of course they are,” he replied in a slightly testy tone.  “Microsoft technology is the most popular, most advanced and most cost-effective solution suite in the entire IT industry.  I know, because that’s what all their sales representatives told me!”
“And you don’t,” I quietly asked, “possibly, own any Microsoft stock?”
Kotzkopf blushed red as a beet.  “That’s permitted,” he huffed, “and I’m certainly not the only IT manager in the US government who does.  There’s nothing that isn’t kosher about it.”
“It’s kosher as long as you don’t buy enough shares to exert a materially significant influence on the company…” I began.
“No need to worry about that,” he grunted sarcastically, “with the lousy one hundred fifty-five thousand I get every year.”
“…or,” I continued, “use your position in the federal government to influence the preferential choice of Microsoft products.”
“Nobody,” Kotzkopf shot back, clearly irked, “can prove I did that!”
“Of course not,” I concluded.  “But if the federal government continues to promulgate requirements that are nothing but thinly-veiled ‘bearded, red haired, brown-eyed, left-handed man who speaks Dutch’ descriptions of Microsoft products, thus making it effectively impossible for other solutions to qualify…”
“What the hell,” Kotzkopf interjected, “have you got against beards, brown eyes, red hair, southpaws and the Dutch?”
“Nothing,” I assured him.  “If, however, ‘the convenience of the government’ continues to be used in sole-source justifications as a transparent excuse to grant Microsoft and its business partners government contracts…”
“You have no idea, Tom,” Kotzkopf countered, “how convenient it is not to have to read half a dozen proposals before we give the work to Microsoft Federal Systems, just like we were going to do in the first place, anyway.”
“And because of that,” I firmly maintained, “your Web sites are constructed using components with security so lame, script kiddies can crack it wide open any time they want.  Face it, the security vulnerabilities of Microsoft products are practically legendary.  The list of monumental Microsoft security failures is nothing less than astounding to contemplate – the Component Object Model, Active X, Internet Explorer, the dot-NET Framework, FrontPage Server Extensions, MS Hotmail, Windows 7 User Account Controls…”
“Bing!  Bing!  Bing!” Kotzkopf shouted as he rocked back and forth, his eyes clamped shut, his hands covering his ears.  “Bing!  Bing!  Bing!  I can’t hear you!  Bing!  Bing!  Bing!  I can’t hear you…”
I had seen him like that before, and so knew what to do.  I made us some chocolate raspberry cappuccinos with steamed organic half-and-half from grass-fed cows, wild harvested Peruvian Amazon cocoa syrup, my best espresso and a shot of Chambord.  One whiff of the finished product was enough to bring him out of it.
“As it happens,” I remarked as I attempted to resume our conversation on a different tack, “if we just consider the incident Imperva reported – that was perpetrated via SQL injection, which is a ubiquitous security vulnerability across a wide range of database products.”
“Ah yes,” Kotzkopf nodded sagely, “SQL injection.  That’s when, er, some…. SQL… gets…. injected, um… into…” he looked at me expectantly.
“SQL,” I declared, “as we both know, is Structured Query Language, an interactive fourth generation non-procedural language designed for management of relational databases.”
“Yeah, sure,” Kotzkopf nodded, sipping his cappuccino, “of course.  Fourth interactive… generational… non-procedural relational management.  Basic stuff.”
“Quite,” I agreed.  “And SQL injection is a malicious exploit in which the attacker bypasses an Internet application’s firewall by taking advantage of erroneously filtered escape characters and/or insufficiently strong variable type casting to cause the relational database management system’s SQL engine to execute one or more stored dynamic query strings in an unexpected manner.”
“Right,” Kotzkopf proclaimed with an air of authority.  “And that’s our challenge then, isn’t it?  How do we fix all those unfiltered character types and, um, make the variables’ casts stronger so they can’t escape?  Those are the questions that seem to be key here.”
“Essentially,” I humored.
“In the final analysis,” Kotzkopf pedantically intoned, “at the end of the day, in substance.”
“Fundamentally,” I offered.
“Without,” he went on, “getting overly technical about it, naturally.  No need for that. Not at our level.”
“No need at all,” I dryly responded.
“Okay then, in that case,” Kotzkopf inquired, “what’s the solution?”
“In order to remove a Web site’s vulnerabilities to SQL injection,” I explained, “it will be necessary to review all of the dynamic queries which accept and process user input.  For each subject SQL query so examined and found to be vulnerable, it will then be necessary to determine and execute a strategy to redesign it, using an appropriate combination of parameterization, stored procedure calls and escape character filtering.  In addition, it will be necessary to assess, and in many cases, reconfigure the current user privilege structure and/or restrict access to database search and query inputs based on a modified user authentication regime.”
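The remediation the consultant describes, a dynamic query rewritten with parameters plus a restricted privilege path for the lookup, as an added illustration that is not part of the original post. It uses Python’s sqlite3 module with constructed sample rows, and a SQLite authorizer stands in for the database-side privilege restriction he mentions.

```python
import sqlite3

# Constructed sample data for this demonstration (not from the incident).
SITES = [("Agency A", "a.example.gov", "public"),
         ("Agency B", "b.example.gov", "internal")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sites (agency TEXT, host TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO sites VALUES (?, ?, ?)", SITES)
    conn.commit()
    return conn

def public_sites_dynamic(conn, agency):
    # Vulnerable pattern: user input is spliced into the SQL text, so any
    # quote character in `agency` changes the structure of the statement
    # (a legitimate name such as O'Hare already breaks it; crafted input
    # can redirect it).
    sql = ("SELECT host FROM sites WHERE agency = '%s' "
           "AND visibility = 'public'" % agency)
    return [r[0] for r in conn.execute(sql)]

def public_sites_parameterized(conn, agency):
    # Hardened pattern: the value travels to the engine separately from the
    # SQL text, so it is only ever compared as a string and can never be
    # interpreted as part of the query.
    sql = "SELECT host FROM sites WHERE agency = ? AND visibility = 'public'"
    return [r[0] for r in conn.execute(sql, (agency,))]

def readonly_authorizer(action, arg1, arg2, dbname, source):
    # Least privilege for a read-only lookup path: permit SELECT and column
    # reads, deny every other statement type at prepare time.
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ):
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY

def restrict_to_reads(conn):
    conn.set_authorizer(readonly_authorizer)
    return conn

def try_write(conn, sql):
    # True if the statement ran, False if the authorizer refused it.
    try:
        conn.execute(sql)
        return True
    except sqlite3.DatabaseError:
        return False
```

With the authorizer in place a write attempt through the lookup connection fails with "not authorized" before it executes, which is the containment the privilege review is meant to buy even where a dynamic query slips through.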
“So,” he presumed between sips, “you’ll write up some… instructions… or whatever… for my staff?”
“My pleasure,” I confirmed.
“And, if they need any… support, um… interpreting those instructions,” he fretted, “I’m sure they can contact you for issue resolution?”
“I’d be glad to,” I truthfully vouched with a sincere smile, thinking of all the billable hours I would log during numerous lengthy hand-holding sessions with Kotzkopf’s minions.
This was all well and good so far, but it occurred to me that I had no particular wish to put in a lot of effort and then either get stiffed or have to sue in order to be paid.  Consequently, I sought to confirm that Kotzkopf does indeed have the resources necessary for an effort of this magnitude – a magnitude of which, if my previous experience with him is any guide, Kotzkopf had little, if any, real concept.  “But,” I therefore wondered aloud, “given the problematic economic situation at the moment, with its obvious implications for tight federal funding constraints, are you sure you can find the money – not only to pay me, but to pay for the huge amount of labor that will be needed to go back and rework all the dynamic SQL in all your Web sites?”
“No problem,” Kotzkopf shrugged as he drained his cup.  “We’ll just get rid of the contractors who do configuration management, quality control and testing.  That should give us a pretty sizable bundle to work with.  And oh, yeah, who needs those contractor project managers anyhow?  We can get rid of them, too.  I’ll just appoint some GS-9s to take over all that project management stuff.”
For a moment, I could not believe that Kotzkopf would be allowed to do anything as egregiously stupid as the actions he was contemplating, but then, suddenly, I realized that this is, after all, the United States government I’m dealing with, and yes, they very well might let him go right ahead.  Nevertheless, I did seek to hold his feet to the fire for a moment.  “Won’t getting rid of the people who manage your software’s development, maintain its configuration, inspect it for quality and test it for proper function have some, shall we say… negative impacts… on when users receive the mission critical tools they need to perform their duties, how well those tools function, and whether or not those tools are actually useful?”
“Nah,” Kotzkopf sneered dismissively as he put down his empty cup and rose to leave.  “Everybody in government IT knows that all you really need is a bunch of geeks who will code whatever you tell them.”