Duh.

Who in the world didn’t think this possible ..!? A bug it is. Google says the built-in microphone it never told Nest users about was ‘never supposed to be a secret’.
Of course, Big G claims the mics weren’t on at any point in time; it was just a (free; can you even start to think about the enormity of that claim from them!?) add-on, to be used only later … How trustworthy is that claim …? If you believe that, Santa, Bigfoot, the tooth fairy, etc. etc. are also real. No, no, I mean not only real but they all live in the White House.

Why did nobody take more care ..? Had nobody investigated the technicalities of the equipment ..? Probably Bystander Bugs.
… Not quite. Probably, the more wary already let the sheeple go first. [Disclaimer: I did, explicitly for this very / general security reason.]
You can fool all the people some of the time, and some of the people all the time, but you cannot fool all the people all the time. [Abraham Lincoln? Not P.T. Barnum]
You can fool too many of the people too much of the time. [James Thurber]

Maybe laws are needed, to stop the gullible from their own lack of (prefrontal) brain capacity. Anyone who makes it possible to obtain, or conspires to make it possible to obtain, either actively or by omission, any personal information without consent, shall be fined all income and bonuses and other forms of compensation or remuneration as received over the past five years; in case of non-natural person(s) the fine shall be 10% of global turnover of the organisation and of any organisation that the non-natural person(s) are part of [to thwart jurisdiction shopping by conglomerates], payable in cash, including all Board members being fined as natural persons as above.
Something along these lines.

Oh well. Also:

[Your coffers i.e. emptiness – last survivors have good winds; Porto / Foz do Douro]

Compliance Reading Short List (security, privacy, accountancy)

Just a shortie again, for the weekend when you want to come back to being on top of things, things being the behavioural aspects of compliance.
As too many of us don’t seem to be well-connected enough to the Thinking that goes on in compliance-science circles.

Yes, there is such a thing. Yes, I know you think you’re all working in compliance, the industry, maybe even too much so. But you don’t think you’re effective – as proven by your consistent complaints that the ‘users’ don’t seem to ‘get’ it.

Maybe … you should do the read-up this weekend by means of these four articles plus a short vid [unfortunately, may need a professional re-take but still…].

Leaving you with:

[No fun being at the bottom, carrying the top in the clouds; La Défense a couple of years/decade ago]

Oh yeah … ‘chain.

As a side note: the evidence is mounting that the previous hype is fully over, as more and more of these kinds of stories emerge [it’s not the first, and will certainly not be the last…], and only those who don’t understand the systemic impact of such ‘incidents’, the hype laggards, still cling to the same thing as if something might still happen (it won’t), and just let those who really know the ins and outs work on it, slavishly, for years to come.

Which the latter won’t. They’re not the stupid ones here. The ones you would want have moved on [or will soon]. Since they do see that the Utopia once presented will not work that way. The Ideal of it is infeasible; the decadent-hollow pastiche may work but is in many things just not the Ideal.

When (not if) by now you’re still unsure what I’m talking about … it’s just the Blockchain promise of ultimate security that is shown to be most-probably futile. What a way to tell, eh?

Plus:

[We need more research not on b-chains but on butterfly effects of non-compliance in day-to-day infosec, without this leading to totalitarian dictatorships over ’employees’; but that’s a tricky one, a thin line …; just a peacock butterfly (dagpauwoog) in my back garden through a 300mm]

The A bandwidth of I

Ah, not so long ago, I posted Lament:

Those were the days, when knowledge elicitation specialists had their hard time extracting the rules needed as feed for systems programming (sic; where the rules were turned into data, onto which data was let loose or the other way around — quite the Turing tape…), based on known and half-known, half-understood use cases avant la lettre.
Now are the days of Watson-class [aren’t Navy ships named after the first of the class ..?] total(itarian) big data processing and slurping up the rules into neural net abstract systems somewhere out there in clouds of sorts. Yes, these won out in the end; maybe not in the neuron simulation way but more like the expert system production rules and especially axioms of old. And they take account of everything, from the mundane all the way to the deeply-buried and extremely-outlying exceptions. Everything.
Which wasn’t what experts were able to produce.

But, let’s check the wiki and reassure ourselves we have all that (functionality) covered in “the ‘new’ type of systems”, then mourn over the depth of research that was done in the Golden Years gone by. How much was achieved! How far back do we have to look to see the origins, in post-WWII earliest developments of ‘computers’, to see how much was already achieved with so unimaginably little! (esp. so little computing power and science-so-far)

Yes we do need to ensure many more science museums tell the story of early Lisp and page swapping. Explain the hardships endured by the pioneers, explorers of the unknown, of the Here Be Dragons of science (hard-core), of Mind. Maybe similar to the Dormouse. But certainly, we must lament the glory of past (human) performance.

And also AI into Evolve:

After the generic-AI hype will have slowed, and actual generic AI of the Normal kind gets integrated into society big time / you ain’t seen nothin’ yet time, what ..?

Apart from a huge spread of more ML algos than the mere Bayesian and non-linear regression (e.g., this one that I tested in a thesis already back in 1994 – it worked even with the feeble CPU power of the day),
And apart from the return of Expert Systems, since, when the above starts to be analysed, everyone realises that is what ML does, on a big scale but still,
let me propose:

Evolutionary (genetic) algorithms.

Which is mentioned in this overview, I seem to recall – I’m human, and perfection is boring.
But not enough. Strange, when one considers how effective these are, and how e.g., ‘quantum computing’ actually is only a massively-parallel implementation of this.

Which made me consider even more that we haven’t tackled the core ‘problem’ [That’s engineering-talk. Engineers find something, and solve it, period. Not like those ‘alphas’ that keep on talking forever and then are very satisfied they did – notwithstanding the persistence of the problem; that’s not an issue for them; problems are to talk about, not solve, even when the hurt continues indefinitely: hey, we babbled away, so who cares all are still in pain ..? Etc.].
The core problem being: How to get the I into machines ..!?
Which of course we can only do after we answered some more fundamental questions:

  • What is this ‘intelligence’ thing you keep talking about? I don’t think it means what you think it means … [classic] By which I mean, where is it in the knowledge stack ..? And why do you refer to that, as it is so incredibly incomplete, e.g., it misses the idea of context completely. Whereas in this case, context is king, or emperor. A little knowledge is a dangerous thing [proof: the ‘executives’ that ‘lead’ your organisation; or, if you are one, look around you], but a lot of ‘knowledge’ without context and appropriateness of application of that knowledge is far, far worse [proof: the ‘board room advisors’ that bypass you, the real experts; or, if it’s the other way around, look around you. Or maybe you’re the Head Honcho for a reason (not)].
    Only if this ‘intelligence’ is properly defined can we chase it. And find that the average human doesn’t have it. As we consider ourselves to be of above-average intelligence [Dunning-Kruger-like!], we also consider more than half of humanity to be of less wit than we ourselves – that’s how averages work [no, I know it’s not about averages but about medians, but normalisation-wise they’re close enough together …];
  • Context-awareness it is … How is that built into your ‘intelligent’ system? Or is the machine merely raw processing, with polishing required afterwards? Etc.; a lot of variables here. Sensors? Of what kind? Training data – with or without context data?
  • Depth of intelligence; depth in field / width of field – how ‘much’ knowledge/intelligence is in your system? Also referring, in an intertwined way, back to the context: What is in, what is out?
  • Where on the bandwidth of structured-to-chaos? There are classical algorithms on the one end, and full ANI/AGI/ASI even on the other. In between: Expert systems, Big Data correlations, classifier ML, more-complex ML, basic neural nets, complex neural nets, evolutionary algorithms [or are they a separate, close but parallel track?] … We need to establish a proper scale for this, even when allowing for a 2nd dimension of the above factors to go along with it.

Which is sort-of the purpose of this post. Surely, I’m not the first one to have considered this; would any of you have pointers ..? I’d be delighted to hear / cross-post / Like (well…)

TIA, and:

[In for Skinny Tipping – “what’s that?”: Keep an eye open for next Friday’s post (22nd). This is Resson, France; no, you wouldn’t be going there if you knew it]

Quantum rocks

… Was thinking: How is Quantum Computing not where AI was, around and about 25 years ago ..?

The first wave having passed, then, of neuron-simulation you know, like 25 years before that. ‘Expert Systems’ having had some fifteen months/years (?) of fame in between, and then, suddenly, ‘neural networks’ were all the rage. In the news, and for academia. With some PoCs but not much.
Currently, neural nets AI-by-way-of-mere-ML has had yet another wave. Not the Big Kahuna of course, but again the groundswell has risen a serious level and continues to implement all sorts of – what we would now immediately consider mundane – implementations.

On the heels, ‘quantum computing’ is hailed as the Next Big Thing, along with other Next Big Things [probably much Bigger than Big things] like biotech, global cooling [yes that’s what we would need, not the problem we have already but the solution is the Thing], You Name It. QC seeing some qubits implemented here and there, and not much means, knowledge or Understanding what to do with it, how to program it, how to read the results
[when, not if, these don’t crumble under Heisenberg’s – or will entanglement at some future stage be shown to defeat his – and then again, we’ll have gained nothing as we’ll have zero proof that the entangled particle we picked out actually is the one out of an infinite number that we wanted to ‘read off’; how can we be sure some alpha particle is the one to read off when it might have encountered an anti-alpha particle somewhere along the way? The way being any time frame, even approaching infinity, since linear time is only valid in a singularity spot [by which I mean beyond-infinitesimally small, not 1- but approaching 0-dimensionality or worse]. Ah, time; yes, how do we know we measure the ‘immediate’ change to some entangled particle when time is so extremely variant? Does time exist? Note that it needs to, since immediacy is required in the theories re quantum entanglement, so if time doesn’t exist, QE doesn’t either. But it should be clear that there is a strong bond between entanglement and quantum computing. Or at least some bond, theoretically. Kant’s view of inner-time-only may apply.]
.. hey did I digress or what?

Whatever, QC is a hype in a precious handful of labs now. Even when the Majorana particle is being pulled into it (Delft [other links apply], but of course; almost fittingly), not much has been deployed into, e.g., call centers.
Which places the whole shazam [are you listening?] exactly where AI was 25 years ago.
QED. Well, which was my thesis.

Now, out with other things that rock, but these stood the test of time:

[You recognize D21 immediately, with sweet D22 next to it just outside of view; Drenthe – even if you’re a Rovelli follower: memento mori]

Jargon watch: Stochastic Terrorism

A note, ICYMI, on the insidious effects of free speech … that gives room to Stochastic Terrorism.
Say something vague but suggestive to disassociated loonies to take illegal action, and then deny you suggested the specific action(s)… [i.e. politicianspeak]
Say something vague but claim it is a hard promise, and then disclaim that claim by wiggling your way out in the fat margin of vagueness [i.e. politicianspeak] then be called a big fat liar.

Both are two sides of the same coin, denying the flip side: accountability for any speech act. If you didn’t intend the consequences, don’t use vague speech. Be clear, in both meanings. Or justice will prevail; maybe not immediately but in history – you will be vilified or at best utterly forgotten; useless, wasted life. For the latter, you may be mocked by your own family.

So, what will be your course of action ..?

And:

[Your defences will be outdated before you know it; Château du Haut-Kœnigsbourg (my pic, unedited)]

#Ditchcyber rrr…insurance (told you)

How can it be a surprise this happened ..?
This, being the position that because ‘cyber’insurance is a scam, someone claimed and found out. Yes, an insured company tried to get some money as a far proxy of damage repair, after being hit on a (inherently; more on that later [1]) slight little flaw in information security (that’s what it is, however moronic you keep on cybering). And the insurance co panicked (why; they could have claimed the hurt party just hadn’t done the right thing completely enough, apparently [2]). And threw in the only blanket, fail-safe claim denier: Cyberwar! Arrrgghhhhh!

In the vacuum of definitions (let alone the official recognition of those by relevant international bodies e.g., the UN – not We The People that doesn’t count as a party that has any serious say in this, anymore), they’re not even false advertising. But … as they should know, the legal principle still is he who posits, proves and that might be a challenge… Until further notice, no state party shall be considered guilty, so no cyberwar is or was to be found. Maybe at that one planet near Alpha Centauri but we have only circumstantial evidence of that.

And you think that insurers know more, better, than company employees that are in the firing lines ..? Who are fired upon, and then fired anyway, rather than firing back or being covered by the reference to ‘war’ (quod non). So, they take your money and don’t know what for. Hence the dismissal on grounds of last resort. You should’ve known, again. And [2], again.

Plus:

[Never worked. This one, fake on purpose …(note the Delft blue tiles); Barça]

[1] Remember, there’s no such thing as perfect security, and very-good security is way too expensive, not worth the risk … Ah, risk, the thing that is inherent in life. And which one can ‘manage’ but hey, one better also study this incl. comments … (risks can be displaced but not reduced). When costs come into play, there’s only so much you can afford – and the rest, one insures …??
[2] If you have a fire insurance that requires you to take all possible (beyond reasonable…), thinkable precautions and preventative measures, and still your house burnt down, it shows you haven’t done what was required i.e. prevent a fire. Anyone can claim with hindsight that you’re risk analysis was flawed, in this way. And the spelling was without purpose but intentional. Plus, “So examples are the go-cart of judgement, which he who lacks the natural talent for it can never do without.” (Kant, CPR 187 A 134, B 173-4)

Flip sides; transparency and auditability

How the lack of transparency of the information flow architecture leads to an inability to qualify the quality of the information flows – the latter being the core business of system-oriented (financial) auditing …
The lack of transparency in architecture comes from the explosion of complexity of the information flows, through the exploded complexity of systems/interfaces. The latter is nearing Chaos status, the threshold where modelling (complexity reduction to get an understanding, including the understanding that one has simplified, and acknowledging the analysis cannot be used for normative stuff, just for some understanding) will be either too little reductive to get any understanding, driven by the requirement to still capture all relevant stuff, or too much reduction leading to (some) understanding, but the understanding may be wrong due to oversimplification.

Symptoms of Failure

Or, how your average compliance isn’t any good.

Y’all understand that compliance has a purpose. IAOI (this, not this) you comply with Principles. Anything you need as guidance nay hard requirements in detail ‘below’ that, means you have no clue about the principles, and hence cannot comply with them [consciously; but otherwise it’s an unnoticed accidental accordance, happenstance gotten, easily lost]. IAOI you can discourse at the principles’ level of moral reasoning, in your explanations too, do you have a chance of doing it right.

Otherwise, the very penny-wise and pound-foolish compliance with trivial rule’lets will deliver any effort to /dev/null. Sigh; if you need this explanation you’re doomed, squared.
And, if you’re in Compliance (i.e., in Audit – NO, if you live in this world, that is not different!) and push for the penny-wise, you are not only part of the problem, but also fighting symptoms, not (root) causes — the latter being the malformed morality. Like here – hint/spoiler: it’s about money.

Just read nay study Musil, and Aristotle, plus Power and so many others, and you might just Get It. Oh, [Edited to add post-schedule–pre-post], this story. Worth the somewhat-longread ..!
For the time being, …:

[At the Zuid-As, you’ll fit right in – the picture isn’t edited even, it’s no collage but the original ..!]

Venn for People – Process – Technology

Hey yeah you know, it’s still a quite (too) popular thing to talk about People – Process – Technology when it comes to control(s) types in the IS risk management / audit corner of the universe.
If you think about it … keep in mind that these factors are almost always presented as nearly disjunct things. With maybe an overlap, but not too much. In terms of Venn diagrams, almost three separate circles. Sometimes three completely, and deliberately, separate circles; joined by many-point wide edges with borders, like pipes.

Because pipe dreams. Of the legal kind now, in Canada. Keeping the three corner spheres with P-P-T text on them, separate. Think PPT indeed – boring outdated graphics and useful content, not so much.

But then, when sober, one realises that in fact such pictures don’t say much, since the overlap is huge, near-complete. If one thinks of controls, almost always all three factors apply in one way or another. …

Hey, I don’t assume everyone has forgotten about Siva [see Annex], right ..? Since you can easily see how this method leads to ‘integrated scope and purpose’ controls/~requirements, that conceptually satisfy my idea of ‘integration’ of the above three elements. Overlap as default, exceptions may apply.

So, only when controls towards certain control objectives cover all three aspects of P-P-T, can, even theoretically, eventual effectiveness be achieved.
Edited to add: Seek to mitigate weaknesses in one aspect of any control, with controls that are stronger in others. Otherwise, Swiss cheese model [however critiquable that has become… more on that later.]

Leaving the circles idea to:

Maverisk / Étoiles du Nord