Whacking risks

Y’all remember this:

And how does that not translate directly to how risk ‘management’ is done in your enterprise ..?
Yes, whack-a-risk it is. One by one. Now that the hype about ‘cyber’ has blown over [Has it? Can we finally retire #ditchcyber ..?? We may need to party!], what will be next?
Hopefully, tackling the secondary risk of using futile methodology in risk management. Like, ‘heat maps’ (per this) or ‘evidence based’ kindergarten-big-data nonsense as is in this vast resource. The latter not dismissing the use of estimates, but putting them into perspective. And you do remember this …?
Let alone switching from 3LoD ridiculousness – as it is done today, all too often, towards actually useful organisational structures to get risks into every nook and cranny of your enterprise … I mean -managed and -resolved. Recalling this giant‘s work on that, in a sense.


[Perfect for lounging outdoors, no moles; Park Grill terrace]

Ah, the infiltration of.

Unfortunately, this is not about coffee, it’s about in-filtration.
And, supposedly, some form of exfiltration or abuse.

All about IoT – still going strong as a term, despite slowly growing out of the trough of disillusionment both qua general deployment and use of the things behind the abbrev, as qua security concerns that resurface unresolved moreover in bigger force.
Now with a side branch of the ugly duckling sibling Security getting its own term: Infiltration of Things. Nice. Certainly in reference to this recent post of ours. [Hoping that pre-publish linking actually works]

But then, we don’t need a new term as much as we need fundamental solutions for pre-existing conditions of weakness… As here, here and here, and many others before that..
Certainly this one, that also hasn’t been resolved at all. And displays only some part’lets of the very core reengineeering we need even with an e too many.

Thus, we haven’t started at all yet. But I’ll leave you with a distraction:

[Happens to be somewhat relevant, that building in the background; La Défense, appropriately]

That’s what you get …

… when you are too scared by anything new, to fully embrace it before it overruns you.
As a pointer that the arms’ race of deployment of AI in security (offense/defense) is almost lost. Depending on which side you are.

That there was such an arms’ race in the brewing, I need not repeat for y’all that paid attention, to the many news items re that in the past couple of quarters. From fundamental, policy-level discussions and debate all the way to operational stuff, the subject has been on the radar for many on many aspects.
Not that much on arms’ flipping, by the way, that is happening now in a sort of collateral-damage way. Adding to the loss of other methods there.
And now then, also here and here, in the twist one sees the example of the attack side getting smarter than your defense, though that was possible.

Wasn’t it that AI was possibly deployed by both the offense and the defense, and that the first serious entrant would win, winner takes all style?
Well, the conclusion seems obvious, qua who’s first out of the gate here. It’s over; get over it.

[ Some may suggest that maybe some agencies have defensive AI stuff that they keep secret so as not to be outdone by AI yet. No need to remind you that security by obscurity has never worked, and may be turned against the defender, unless the methodology has been leaked to all the public long before suitable use, so that secret counter-attacks on the shelf may be prevented. ]

For the moment then, as long as we last:

[Back to analog surfing / sailing, then; NYNY]

The blog of blogs

Blanding down a message to be comforting to all potential readers isn’t my thing. Posts here are meant to tease from slumber, to opine for discussion and to stimulate thinking. This means the language has a distinct style, being direct, and neither apologetic nor understated, also elliptical and/or long-winded, stopping short of using the correct ‘prolix’ since not many readers may understand the QED in this – not for simpleton readers.
Oh and pics are almost all my own – almost all unedited if you didn’t notice… – and selected to be at least slightly relevant to the post concerned. Maybe.
And, let’s not forget my seriousness: “Let silence be your general rule; say only what is necessary and in few words” (one of my heroes, Epictetus). Yes, isn’t it ironic, don’t you think?
Have fun!

Attack Thee

A major, huge, missing thing in ‘attack trees’ [aren’t they related to access path analysis?] is that they only depict the ‘opportunity’ part of perpetration, and have nothing on the Motivation or Rationalisation parts (as in this easy explanation). And hey, the latter points at insiders, too, that are so often not to be found in attack trees. Why?
That’s two things that broaden the context to anything realistic. So that, e.g., the following can be applied better:

Which goes way back to the physical realm. Allowing for controls to be seen not only as lines of defence [indeed, not the outright stupid kind], but also as being of various categories, for differing purposes. To enrich your protection beyond mere data-oriented classical (info)sec, which is but an operational subset of what one wants, qua information security in its broader scope for the enterprise; figuratively and literally, when combined with this masterpiece method, as rightfully and correctly promoted by this peer.

So, attack trees yes, but why only now, and weren’t you using them already for a long time, implicitly? If not, how can you ever have given any serious opinion about the Design of the control system (being the opinion on its potential Operating Effectiveness!), let alone its Actual Operating Effectiveness, which is a mere afterthought when the Design and Implementation are A-OK. If either of the latter isn’t tip-top, actual operating effectiveness is theoretically impossible.
Also, include the various costs of control figures [introducing reasons you can’t achieve perfection by this reason of needing infinite budgets for achieving that, throwing out the baby with the bandwidth bathwater], and Time, as in trend analysis and second-order errors in that.
The more detailed your model, the more rigid it will be. The more comprehensive, the more … it may be inexact, but that’s the price of ‘de-modelling’, i.e. making something applicable in reality. Either your model is perfect [into analysis paralysis] OR it makes sense [better be roughly right than a rabbit in the headlights].

Well, leaving you with:

[Awww, isn’t it beautiful, even from a late-80s analog pic? Pierre Blanche near Courchevel 1850 (most recommended)]

Is progress still Solid ..?

Yes another aside: How’s things with Solid, and why aren’t you onto that yet ..?
Since, it’s ever more clearly needed, and wanted (?), and a seriously viable product. Though the (‘net)powers that be, may not necessarily want it.

Oh well, there’s always:

[Currently live, usage unknown. Not sure this is an improvement in dough though; Albert Heyn Amstelveen]

You do NOT want AI

As was in some recent waste of power/time by marketing apparently-dunces, “… like Neural Networks, Polymorhic [sic] Sensors, Machine Awareness and Automated Data Monitoring. These techniques all use AI.”
OK. If you believe that, you’ll believe anything. Like, elected presidents are better than monarchies – have a look around the world and weep.

The point being,
a. ‘AI’ is what is still outside any machine’s abilities however complex, by definition. All that machines do, is ML. Yes, even ‘Watson’ (which is …!?) beating humans at Jeopardy is but a flimsy, pathetically failed attempt at a Turing test. [I don’t mean this one.] The missing part is not even that training is on past data (sic) and the future is by sheer logic different from that, but the also missing part, huge, is Random Context. ‘AI’ is still trained in closed environments, including supervision over Right and Wrong outcomes even if through automated learning from feedback loops. Indeed, not Good and Evil even ..! But then, you haven’t understood Nietzsche did you? And remember these quotes, relevant when you see it. Returning to the subject, context is still King [heh], and differentiates the Artificial, the Machine Learning, from the I of Intelligence. The latter ai’s have it. All, and yes I mean ALL, current-day software is insufficiently context-aware or, if approaching context awareness [much like we on Earth approach Proxima Centauri – yeah, not much effect, eh?] like in ‘autos‘ still much too little so (follow the link and weep).
b. … the latter also points to the second part of the point that is being: Intelligence seems to need morals and ethics, that we humans (and your political opponents that I shall not consider under this header) seem to have naturally. Right? Not right as a system choice?
c. Don’t know / not applicable / no opinion.

Hence, do you really want AI, or will you be satisfied with ML that takes over all the mundane tasks that bore humans to death? Not like this Boring Company but like accountancy where Intelligence may be reserved for the human overlords after all. Yes, you may snicker. But the truth is: Your job will be disrupted once it’s rid of the mundane stuff and hopefully you have developed some superiority over the remains. Which is inherently uncertain.
Hence, you may not want this. QED i.e. I rest my case as in:

[Better align with what goes on here; Startup Village Amsterdam]

Done, with the droning thing.

Well, that escalated quickly.
Only recently, I posted this here thingy that had been lingering for a long time in the back of my mind. And in repeated discussions with various peers. About how things, as in state of the art AI things, converge to bring smart systems to the vineyard.

The post had an open end, how all things put together would not exist yet in full.
Negative time. As per this: the solution, deployment-ready. Sans the microlocal antidote delivery, that is. But we can consider the viability a closed issue.

Yeah! There goes my idea of being in the vanguard. But happy that a. I wasn’t a fool, if anyone had noticed .. my posts, b. this may finally get off the ground, and be true innovation helping eco-friendly(er) viticulture.

The happy GDPR party commissar

Heard a question about the positioning of the Data Protection Officer. The answer (from a room) was roughly: In the 2nd line – you know, as in the 3LoD rubbish (1st paragraph of this, and this). Because, in the terms of ‘the’ room, the DPO is a tool of management to answer customer questions and suchlike, and nothing more than that.

Rrrright. For those who were too chicken to just read the GDPR themselves. And any supplementary case law. Any idea what the concept of Independence entails, what Supervision entails ..? What it entails that (not whether) directors can be called to account when, from their direct or indirect (!) duties, they make themselves personally liable for privacy missteps in the organisation. Yes, also because of the indirect decisions they sit rather close to the chopping block. With the rewards come the risks.

Which makes the age-old perspective of a country somewhat to the East interesting, as a mirror. Think back to how it used to be; the commissar of the (hence: communist) party who was placed as supervisor over all employees of traktor factory number 43 staying on the right path of the privacy-utopian doctrine. With sanction options effectuated from outside.
The only difference with utopian privacy is that the sanction options might nowadays be somewhat weak, cost of doing business. And the only difference is that the traktor factories [yes of course with a k and not with a c! we keep it historikally korrekt, yes!] may choose their own party commissar, and budget and reward them, and may trade them in. But that’s marginal.
Not marginal is that the Law has such a deep grip on such a petty little point. Everything and everyone is guilty until the contrary has been demonstrated, no, proven, with metres of privacy dossier.

Whoever handles it in a more balanced way has understood it somewhat better. But whoever does not know the underlying principles and/or pushes them aside will be dealing with the most hilarious caricature of the Party. How are things, actually, with the management of the AP; have competent successors already been appointed for the competent directors who left …?

Oh well. And:

[Proper protection is the point; Segovia]

Maverisk / Étoiles du Nord