A quick look at 2007

January 2nd, 2008

2007 can be summarized in one word: busy. Thank you to our customers, employees, and partners who helped make this year better than even my high expectations.

The first year of the blog saw just over 100 posts. The second saw just under 25. And given the current forecast, the posts will continue to be a bit light in 2008.


In the Same Boat

October 14th, 2007

I was just catching up on some blogs, and I saw this post from Thomas Ptacek.

We’re still alive… but holy crap are we slammed.

Funny… I was going to submit a similar post this week. Apex is in the same boat.

I like Thomas’ brevity. Though, unlike the Matasano folks, you probably won’t see us resume our normal posting schedule early next week… probably more like middle/late next month! Things are really hot here.


NIAP CCEVS Gates Opening (Slightly)

September 12th, 2007

According to NIAP CCEVS:

Beginning 1 October 2007, for FY08, the NIAP CCEVS office will begin accepting US Government PP compliant (basic, medium or high) and EAL 4 or above products in support of National Security customers. Product submissions meeting the above criteria will be queued and validation resources allocated as they become available. Detailed letters of intent identifying DoD or IC customers will continue to be required.

There is still a bit of discussion and concern around the Fee for Service validation plan, so things will certainly be interesting.

September is a busy month (even by our standards!).


Got Rails?

August 1st, 2007

It’s time for the semi-annual (or so it seems!) posting on the Apex Assurance blog.

We’re looking for a Ruby on Rails developer, either part-time or full-time. If you’re interested or know someone who is, please send an email to careers@apexassurance.com.

I’ll save all the HR/marketing spiel. That’s not my specialty.


Update on FIPS 140-3

July 17th, 2007

NIST is now accepting comments on the latest draft of FIPS 140-3.

From the website:

Electronic comments may also be sent to: FIPS140-3@nist.gov with “Comments on Draft 140-3” in the subject line.

I saw this article a few days ago but didn’t have the time to post a link. Thank you to the good folks at EWA-Canada for the reminder.


NIAP CCEVS - Fee for Service Comment Solicitation

July 10th, 2007

In case you missed it, there is a draft policy for the fee-for-service validation model from NIAP CCEVS. Details can be found at the NIAP CCEVS website.


Breaking the silence… sort of

June 13th, 2007

Has it really been almost two months since the last post? Wow. I’m sure your RSS reader is freaking out… and no, it doesn’t have a bug.

Anyway, things have been extremely busy lately, and I’ve been thinking about the blog. Just not writing. Customers come first, then the company, then the blog. The first two are completely consuming us.

And believe me, there are many interesting things going on, and I’m hoping you’ll see several big announcements soon.


Security at Airline Kiosks

April 20th, 2007

I was traveling this week and had an interesting encounter.

The first leg of my flight was delayed, and I was going to miss my connection. I was rebooked on another airline, and I went to the desk to get my boarding pass. Since the booking was just made, I wasn’t able to self-check-in at the kiosk. The terminals behind the desk were all being used, and an airline representative was kind enough to step out and offer some help.

So get this… she taps three times on the touchscreen near this particular airline’s logo. She is presented with a login prompt, and the kiosk displays a full touchscreen keyboard. She enters a 4-digit number (which wasn’t masked). Then she’s prompted for the password. She types in a 6-character password that was quite easy to “shoulder surf” given the size of the keyboard and the fact that the letters are animated when touched.

And I think I know the name of one of her pets. Or the street she lives on.

Anyway, on the screen, a full-featured GUI is presented. She mentioned that she is able to do all the things that they normally do behind the desk via this interface. Rebookings, upgrades… it was all there. Amazing! Of course, I joked with her about putting me in for an upgrade, but considering it was a 50 minute flight, it really wouldn’t be worth it.

Anyway… very interesting stuff. Who, besides Johnny Long, would have thought?!?


New FIPS 140-2 Lab

April 16th, 2007

There is a new FIPS 140 Testing Laboratory: ACTL: authsec Conformance Testing Laboratory. This brings the total to 14 labs.

With the NIST queue for review standing at about 5 months, I do wish NIST would enlist the help of the labs to assist with the validation component. The increased timeline has been quite frustrating for our customers, and I’m working up a proposal for an operations plan to help NIST with this issue.


Here’s the update

April 10th, 2007

A customer poked fun at me for not updating the blog as often as in the past. Of course, he was just kidding because he knows how busy we’ve been, but I did promise an update. So here goes.

This story requires two inputs:

  1. My two-year-old daughter loves Dr. Seuss’ Hop on Pop, and we read it together about a week ago.
  2. I talk in my sleep. Weird, random, and usually coherent streams of unconsciousness pour out uncontrollably (and usually quite humorously).

This morning my wife asked, “Do you remember what you said last night?” That question is usually followed by the most intense feeling of nervous anticipation you can imagine.

Well, apparently I quoted about 1/4 of Hop on Pop. Really quickly. Then I followed with, “Of course, I’m not reading this. I’m just reciting it.”

So what’s this have to do with security?

Nothing. But it’s pretty darn funny.

Consider the blog updated.