Double shhh

[On a rooftop ..! ‘t Spant, Bussum]

Yeah, it’s a post on double secrets again. Not just because I haven’t seen any conclusive research on what to do with it; how to handle oversight (what is warranted, , etc.), what limits to justifications there would be, how to close the recursive secrecy gap, etc.
Not even because of stuff like this.

But because another issue was pointed out yesterday/today in a post at Bruce Schneier’s blog: Where double secrets may exist, trust is lost, and (theoretically and practically) impossible to regain.

Which is a problem not only for ‘current’ (big) companies relying on the trust of ‘consumers’ (who are in fact drone suppliers of almost completely free raw materials) and other business partners on the receiving end, as their business model will crumble to nothing when (not if) those cheapoo supplier leave in massive numbers.
It also spells trouble for the not-yet-big, almost-not-yet-companies. As defined in this slide deck, those new companies rely on distributed power, which is based on trust. The said (not sad) companies can grow only to the point where the base of trusting counterparts in exchanges (~facilitated) still grows. If at one end, trustors still flow into the system, but trustors on the other end flow out at a faster pace, the base will be ever narrower; the house of cards becomes more fragile and will collapse as some business wind (if only draft) comes along.

So, in order to really ‘disrupt’ as if that would be a lofty goal of any business [I am very much opposed to such thinking! ‘Disruption’ invariably leads to massive job losses and ever so many more family members’ life dreams ruined. No, the new industry will be of (relatively) jobless growth and yes, at some scale one has to take the macro effects into account], one would need to have a pre-emptive way to deal with double secrets, so the trustor trust base may grow in breath and depth.

My feeling is now that this sort of issue may also be the foundation of the inevitable-collapse-of-any-democracy issue. As predicted toungue in cheek, and shown practically throughout history. Are we at the verge of such a (Schumpeterian?) collapse, dinosaur extinction phase, in the way societies manage themselves? Utopian or distopian visions of what’s next for the coming era (remember the ‘Mayan calendar’ prediction of such a ‘new era’ ..?) may both be overblown, or … does reality always play out a bleak version of what could have been?

All in all, it seems rather important than someone [preferably someone more intelligent than me – regarding these issues, that is] would have a look at this all…
Is there really nothing out there in the intersection of sociology-, trust-, legal-, and economics- research that has pointers on how to resolve this issue ..? If the NSA or other TLA(s) are listening in and would have some Confi stuff, that’s good, too …!

Domo tics

[Voorburg, Herenstraat; Mú by Ming Hu Chen]

With the Internet of Things coming at us with lightning speed, why haven’t we seen a surge in easily appliable domotics ..? Sure, there have been small little, often not too well-designed and plasticky appliances out there for a while, but they often were in the bargain bins before a full‑scale deployment could take place. And we see trials here and there in offices (cheesily, in Dutch, and video) with bits and parts of true ambient intelligence style domotics. But still, not the real stuff.

If you now say that within our homes, domotics don’t (doesn’t?) take off because of lack of network effects (What are the benefits? [How to size them up and compare/add them?] Where‘s the tipping point?) within the confines of our houses individually, and the prices still being too high (among others, due to the lack of turnover and initial investment recoup), and installation being too cumbersome (all devices need placement and connection, probably to power supplies other than oft- and quickly failing batteries, and either connect cabled (old-fashioned) needing breaking into walls, or wireless, requiring ugly visibility) – I would reply that these are issues to overcome with smarter solutions.

But then, what is the date of construction of Bill Gates’ Xanadu2.0 home [If you’re listening: I would like a tour yes indeed thank you!] that has all the follow-me temperature, lighting and ambient music ..? Over a decade ago; does M$ deliver a full copy solution to every home yet? Domotics Explorer 2.0 doesn’t give too many Bing search hits…

A thing that may need to be settled first, is the general architecture of it all. Sensors and actuators need to be put in place, but how and where; what secondary elements do we need (control centers; where and how many (networked, carry-on or stationary?), signals-generating actuators; separate devices (hi keycard/pin) or built into other things, or programmed into other things (hi smartphone, à la NFC payments, now not so N)). What human control, using monitoring dashboards and some form of input (fingerclicks and voice work well in sitcoms; phone screen swipes, maybe?), can we have, can we allow? Are any ethics involved (haves/have nots; control over one’s environment vs. experiencing new things, conflicts, the commons) ..?

And there’s the question of business models for device suppliers and servicers. Subscriptions with updates of software, and hardware, or plain purchase? What about interconnectivity and multiple standards?

Just check the wikipedia page; so much more to discuss. E.g., re the integration or not, I definitely prefer not, of domotics with “‘smart’ grid” ideas of outside monitoring of our home internals – but connection to the outside may help your fridge to order short stock/supplies. Or what to do when conflicting demands are made within the same room (try sharing music tastes with your kids; they just don’t seem to get Purple, Floyd, or the Maiden or even Zappa).
But the question remains: How to overcome the not-yet-existing network effects requirement ..?

Stats and news

[Van Gogh’s ear]

The news is still filled these days with all sorts of incidents with (new) media, information leaks, etc. etc.
How long will it take us to realise that this is just the noise to the signal of health? It’s not that traditional media, and new media, are filled, it is that their space is too limited. If they would have sufficient space to cover all that goes well, no-one would notice the mishaps. Risk-based controls, anyone ..? Because, if you would do that seriously, you probably wouldn’t control anything!

Your comments, please.

Predictions 2014 the InfoSec edition

[DUO Groningen (couple of years ago), where a leak led to many a student’s funds were defrauded. Looks original, is just chasing outer effects]

So, some of you have seen my Predictions 2014 including the update or two, and other posts on developments in the Information world at large.
But what you desparately needed, awaited before even starting on the Christmas decorations (for those in the West), and held out any shopping for food or beverage for, I know, I know [Heh, that’s the opposite of Unk Unk’s ;-], is my completely and utterly unpretentious predictions for the Information Security arena of 2014.

Well, here we go then:

Advanced Persistent Threats will blossom like weeds (not wiet!) in 2014. APTs being the ultimate blended threats to confidentiality of information. There may be cases of government-on-government espionage, that highlight the ‘modern’ squared or cubed variant of traditional intrusion & spying (information exfiltration) work. But moreover, there will be incidents much publicised where business-on-business espionage, possibly helped by shady government agencies, is outed as more than a theoretical possibility. Of course, you all know that this is nothing new, but the general public will demand an answer from some Board members and State secretaries here and there (literally) of victims and perpetrators (denial becoming less if at all plausible). These answers will be the definition of lame. The infosec industry will rush to develop (maybe not yet fully utilise) the market; contra but hush-hush, also pro…

Certificate vulnerabilities will be shown to be a factor of import. Yesterday’s unprotected printer WiFi, will be the current certificates being stolen or manipulated. Bot victimisation of clients will be less by trojan planting and more by means of hijacking certificates (‘Certjacking’? You read it here, first! [Update to add: well, in this spelling …]) to do … sort of low-level ID / trust theft. This will not be explained nearly well enough to the general public to get them concerned, but with tech-savvy CIOs and IT managers, this will give a stir. And major sweeps through the own infra. And not much by means of future better cert management.

Crypto-failures. Cryptography, as far as actually implemented at all (some ‘implementations’ may embarassingly be found out to be done on paper only!), will show to have failures in at least two ways: procedural errors will lead to (much publicly visible) non-availability of information, e.g., when asymmetry isn’t implemented well due to lack of understanding of bureaucrat procedures writing committees mumbling and fumbling about; and by public demonstration of bad technical implementation, the coding being so shoddy that the strength of crypto will drop to n-day crackability (with 0 < n < 2 I guess).

Quantum computing, on the plus side, for crypto, will see its first practical proofs of concept. Where the PoCs are used to protect the most secret of some government’s information, but with that information having to be used by the most bumbling-about officials hence the overall end user -to- end user effectiveness being close to zero and helping any and all attackers (rogues, organised or not; state(-sponsored) organisations, etc.) to learn about tentative, among them maybe class-hack, attack vectors.

Methodological innovation in information security. As already discussed earlier, and here, and here, and with OSSTMM, and before that in quite some other posts as well. Now, also Docco joined the fray, advising SMEs from the accountancy side … Which shows this prediction for 2014 is already hatching.
On this item, we will see much improvement. E.g., combining the OSSTMM framework with SABSA. Combining the rebooted CIA with the fresh install of the (alternative to the) ‘15.5 risk’ management approach via the OSSTMM framework. And so on. Interesting! Want to contribute!

I’ll leave these here for you to follow up. When (not if) I’m right on any of the above: Yeah, see? Told you so! And if (not when) not all five are square-on: Hey, they’re only predictions! Don’t shoot the messenger that only conveyed the message of the Great Engineer Behind The Scene.
Though I would like to receive a bottle of good (I mean, really good) red Bourgogne for each prediction that shows to be somewhat right; at the good side of 50-50. Any takers?
The opposite, I can unfortunately not do as it would have way too many takers…

sCrummy development. Standards ..?

[Just a great place]

A peer leader asked around for guidance re assessing scrum development contract bids.
And I browsed around. And found nothing really.
Oh yeah, the usual suspects of IT-contracts / IT-development contracts, but even those are thinnish, insignificant as help. Somehow, it appears to be too fluid a field to be captured in bureaucratic-behemoth totalitarian all-detail governance, management, planning and execution procedures. In which actual deliverables and content requirements are always but with very few exceptions pushed to some annex or ‘later to be detailed’ never-will-exist auxiliary and unassessed documentation with not much concrete information or even anything understandable for the white raven well-informed assessor / professional.

Hey, there is better information out there for this, right ..?

The Ethics of Full-Autos

[EU whale washed up in Strassbourg]

Via Ross Dawson, again, I found a piece on the ethics of self-driving cars which is fascinating in its ethics discussions. Or, pointers to, as the discussions are of course not definitively settled once and for all as is the nature of such discussions. In particular when various ethics backgrounds from around the world collide, as they will! (No autopilot there, heh.)
But the discussion should reach further. ‘We’ now focus on cars, but if we can tackle that issue of autonomous, self-driving cars (wasn’t the term ‘automobile’ not already coined to include that glimpse of a possible future (apart from the engine part) ..? And weren’t horses self-driving to a degree ..?), there are so many more self-operating things out there that would require simpler environmental awareness. If cars can drive full-auto, so many more machines can – how much human operators would we need; how many (how few) managers, etc, when organisations are self-driving ..?How do we train and gain experience necessary for the inevitably required human overrides ..?

But more importantly, how would we settle the ethics arguments like the ones indicated in the above example ..? Because there will be many, of a great variety. And certainly not all (end) stakeholders may be present at/for the discussions, or may not be capable to represent themselves (incurring agency issues, already the downfall of all democracy), or may vary in their quality of discussion process execution, and may not reach a final equitable conclusion shared by all; then what ..? [‘One should not count arguments, but weigh them’ (Cicero); very, very true]

Will we have time to develop a societal framework for ethical discussions, or will we have to take them one by one as they come along, badly reinventing the wheel every time, and getting overwhelmed by the sheer number of must-settle ethical discussions that will come at us ..? Because settle we must; letting it rest and letting marketplace/economy forces run their course, will result in unethical results. Mammon shouldn’t rule.

But anyway, let’s get engaged. Because similar problems are already all around us – healthcare costs mushrooming, global environmental destruction, etc.; all problems at the societal scale or above, all still in much need of ethical discussions and course setting.
And because we must.

The IS Audit Worker of 2019

[Your prospect of Elysean fields]

2019 is only five years away… But predictions require a suitably close horizon to be able to see how today’s trends and Early Indicators might play out, and still be sufficiently distant to allow flexibility and variance off the predictions – otherwise the predictions are dull.

Hence, apart from my predictions for 2014 (and update) below, some more ‘mega’trends, in particular for the management of information risks – I still maintain that anything managed, isn’t a risk ‘anymore’! – professional or more specifically, the ‘information systems auditor’. Note the ‘’ as this post will show how the role and content will change enough to warrant a new job title.

Now then. As a starting point, I took the insightful graph of the always even more insightful Ross Dawson off, noting the CC-BY-SA 2.5 license:

Which is a depiction of trends that impact the IS auditor as professional, rather than touching (too much) on the content of her/his work… Indeed, but I’ll demonstrate where the content is touched, too, by the trends depicted. Let’s just run them down one by one:

1. Connectivity will mean the necessary re-think of the traditional CIA to be able to guide, control and audit the information security stance of clients. The Information availability explosion, the globalised (i.e., de-geography-bound is de-accidental-physical-location-bound) access hence globalised use, and mobile work to even loose the ties of the Last Mile (in a way), require this. And enable the IS auditor to do the same. Already, this is being piloted, and in my view, we’ll see much more of this kind of work for the IS auditor in the very near future; this enables not only the auditor to not have to come to the clients’ offices too much – albeit that initially, some F2F contact may still be required but the need may diminish quickly when clients gain experience –, it also enables her/him to engage with clients much further afield, remotely. As far as (by today’s standards) superb connections reach, that is. See items 5, 9, 10, 13, and 15 below.

2. Machine capabilities will lead to work being taken from our hands. Through raw processing power explosions (not only due to Moore, but also due to the explosion of the sheer number of devices out there), Spatial recognition giving machines even more data to deal with, and large-scale Artificial Intelligence deployment not the petty trials of today, will enable the off-loading of much manual mental work (human- / person-bound work) to machines ‘out there’. The user will not even need to know where the ‘there’ is. Or should (s)he ..? We’ll see a redesign of philosophy, thought, methodology and tools on privacy surface. Quite some areas where IS auditors might (sic) lead the way, in thinking, acting, controlling and auditing.
And robotics … If that takes off, it’ll be piecemeal on the one hand (I too want my Roomba) but massive on the other (so many disjoint markets blooming). If only Asimov’s Three Laws can be reinstated, and reenforced or we’ll end up either in a mess or dead… It’ll start with Worker replacement anyway … (see below).

3. Demographics are something that we have somewhat less to deal with in the management of information risks. Apart from Migration leading to professionals’ markets impoverishing to markets of lemons, if unprotected (the dams will only hold back only so much inflow for only so shortly), and Country divergence maybe hitting us when our geographic region forces us to move elsewhere, as in item 1 above.

4. Social expectations Not much, either, apart from the Flexibility that will created Theory of Firm 2.0 type organisations, on which the IS auditor and others can no longer impose totalitarian bureaucracy. What then ..!? I don’t know. Your bad, if you can’t adapt… From the true ethics of your trade, you should have already adapted long ago…

5. Modularisation may impact us in ways similar to what we have already seen in the past; just labour specialisation, if any. Not too much to do about not too much. Though the general trend by which broad experience by and large caters for broad, balanced widening of one’s professional content in the stages after specialisation, may turn or have been turned already, the direction is unclear, either repeating constantly all directions, or awaiting a major redirection.

6. Globalisation I already characterised as a possible major impact through the Connectivity angle. In Products, I consider it to will come to completion in the near future. Service… To the degree that any service has no physical-presence component; (medical) care, for one, would be hard to do remotely, and also some other personal services e.g., IT tech support, may not ever work to a satisfactory degree without being able to communicate by nonverbal / sensory signals. So, not all the promises of item 1 above may not be realised all too soon.

7. Productivity will be driven by the Machine capabilities, mostly. Together with Connectivity, theese will determine Factor shifts or rather, define and refine factors of worth. Manual labour will re-flourish! And so will brain work, but only the non-standardised stuff, the work requiring creativity, true intelligence and empathy. Where many IS auditors etal. Think they are, but they aren’t. You know my rants against ‘peers’ just checking boxes. That is not what auditing is about. That is administration. Auditing, and other management of risk roles (sic), is about interpretations, judgement, close calls, gut feeling, and guts. Balls. (F/M), you must have them or be replaced by drones. Do not count on being (just) on the right side of the dividing line! Count on being on the wrong side, the down side, the cast out side. Or join progress.

8. Value polarisation again one where the machine capabilities, Connectivity, and Globalisation will work to quickly create new classes of haves and have-nots. The 1% of today, may be another 1% in other fields tomorrow or the day after. Try to be part of that, or you’re no longer suitable as part of life. Seek out your own 1%. But one thing would clearly be wrong: Remain as you are, meek, sheepish, not daring to be a Man (M/F) … So, most IS auditors et al. will have to change dramatically, if one can change one’s character…

9. Remote work I already described above. Telepresence, (remote!) Collaboration, and (local) Machine operation – 3D rinting, maybe ..? – will work as above (item 1 again). Virtual worlds may provide diversion from the destroyed natural habitat we still have to live in. The tropical island scenario still is somewhat too far away from us.

10. Work marketplaces are the mechanism through which the market for lemons may play out, or not. The barriers to Participation should be watched – some arguments for, some against –, Availability may not be an issue anymore (oh, but availability of suitable, sustainable markets may be), Pay pressure defines the lemons aspect, as does Access to expertise. Don’t sit still, as through Globalisation, access to expertise and availability, and participation will lead to pay pressure. I.e., pressure on your economic sustainability. Do not think you’re protected in your behemoth Organisation; any organisation is not too big to fail ..! So, even Big4 IS auditors should be aware. The bigger, the … no, size doesn’t delay a crash landing into a gentle glide, you’ll not be able to sit it out. The only sliver of new work would be to assess the work marketplaces against some standard but even that may be outsourced to … why assume a certified auditor should do that; why not instead (sic) by a reliable professional …

11. Crowdsourcing will impact IS auditors, too. But it may be a threat, or a blessing. No more dumb production of checked boxes…!? On the one hand, drafting those dull IS adit work programs from PDFs and too lengthy texts, may be outsourced to Labor pools – lucky if you can stay out of them, otherwise, you’re done. Will you be the one overlooking Managed crowds, or in it? By the munbers, and by today’s mentality, the vast majority of IS auditors will in fact be in the masses. Enhanced mechanisms will enable evenmore IS audit work (aspects) to be crowdsourced, changing the value proposition in the audit / advisory projects hence threatening livelihood. Open innovation’s also an In or Out aspect, for IS audit work. Though there may be a splinter of secondary audit work to be done on the deliverables of crowd sourcing and on the crowd markets… Fuzzy why that should be by certified auditors.

12. Worker replacement. Oh yes, if you’re a worker. Which is what a lot of IS auditors are. Not doingthe hard to replace physical work (taken over by Robotics, see 2, for the standard stuff but) since this requiresproximity and flexibility. Plumbers will be OK, IS auditors, not; will suffer from (enormous progress in) Automation, Robots, though Service may be slower to migrate (medical care robots may be proficient in many other areas, too, though), and Judgement may be the last to go over, to AI. So, as above, anything requiring judgement may for the foreseeable future not be taken away from us. But again, so many IS auditors et al. don’t judge, but administer. Where would you want to go, if (not when!) you would be able to (quod non)..?

13. Economy of individuals I consider to regard our profession in particular. Are you one of those few ones above that actively seeks out one’s own future? Then you’re in luck; your Independence and Entrepeneurship may lead to work being available, in Collaboration of the Theory of Firm 2.0 based on your Reputation. All these factors will be currencies of the future, so work on hoarding them! Not ‘the’ currencies, as Bitcoin and the like may kick in on a large scale within five years.

14. Polarisation of work With the Pay and Opportunity being so unevenly distributed, one may not rely on Affiliation with an organisation of old any longer. The dinosaurs are dying. New affiliations will need to be sought out. IS auditors, be aware, be active or be left out.

15. High-performance organisations or as I indicated above, Theory of Firm 2.0 organisations, may rise quite quickly. Google, Facebook and the like have risen to their 1.5 (sic) status and size in (qua order of magnitude) five years. Others may be in their inception phase today, and be the biggies, the most wanted (virtual) workplaces literally tomorrow. Again, be aware. Internal markets, Ad-hoc networks, Social technologies and Distributed value creation may all be part of the landscape of small and middle-sized temporary organisations that will flourish, already from, literally, today and tomorrow on. All these factors point at project-oriented get-togethers of professionals all with their own needs (for fair value to contribution distribution) and wants (work only where, when and for whom you like, do only what you like; if one factor starts to fail, move elsewhere) banding together just for the common interest and then all going their own ways again, maybe meeting again in the future, maybe not. Temporary Affiliation only..? Or looser ties? Double o, though many an IS auditor may have a single o as they haven’t innovated and are left behind as deadwood.

16. Education is key, to many of society’s desirable developments. Available, Open, Continuous is must be, and focused on Peer learning. All things where IS auditors could play a role, as auditors and advisors, and partaking out of necessity to keep abreast of latest developments.

Because the italics weren’t there for nothing. IS auditors, and others, just play a role and not an important one at that! Do not fool yourselves; auditors are only, and no more than, an afterthought of business and other organisations. Be happy that you have some specialised knowledge that you apply in whatever role, one accidentally being audit. When now both the unimportance of the audit role comes to the fore, in particular through Ross Dawson’s megatrends and technology developments, and your knowledge and experience that you apply in the role, are ever quicker to expire, you’ll have to keep abreast of all new knowledge ever more certainly, ever more widely and completely, and ever faster, and you’ll have to constantly seek out new roles to apply your greatness. Dropping audit as an expired old skin…

The central message is clear. IS auditors et al.: Innovate! That takes trial and error, and ‘learning experiences’ also for one’s deeper insights and even character, it takes risk taking and damage to one’s personal quest(s), but with the right virtues (Aristoteles-like), one will prevail. Innovate, along the lines of the work future and towards developments as described elsewhere and more.

[More will follow on this subject…]

The State of Crowdsourcing

[Kopenhagen. Denmark]

It has been a while since Wikinomics et al. brought the idea of Crowdsourcing to the fore.
Where are we now, with that ..? Would anyone have good pointers as to the current state of affairs with the handful

of initially successful crowdsourcing ideas, sites, etc..?

My guess is that in the end, crowdsourcing times global reach equals a market for lemons. How to fix that ..?

With market rules, but how to keep those neat and tidy, and above all principle-based, and still enforce compliance

The latter part is maybe the most difficult part. The hordes will overrun any (necessarily human-monitored)

decent-behaviour rules slash subscription/abuse system.

With no rules, accepting the race to the bottom, in quality but in price, in return, too.

With club memberships. Maybe. These will go up and down the effectiveness scale. And may arrive at some Pareto

optimum that’s just no use – no use for elicitating the strengths of crowdsourcing as a problem resolution


Where would moderation be


Anticipating nothingness

[Your guess.]

Just read a post on Anticipatory Computing. Like it, though maybe not a full Belieber:
For one thing, the picture contains the limitations of the idea: It has this block Understanding the World, and within that Understanding the Human.

But let’s not get ahead of ourselves. The idea presented, on the surface looks rather appealing. And scary at the same time. If a System around you would implement Ambient Intelligence, it certainly should include Anticipatory Computing. As noted in a post below, Data crunching or even Information or Knowledge, is a basis for Intelligence but no more than that… And notice the underpinning ‘Predictive Analysis’ idea.

But it’s scary, too, for its Privacy implications. Think Minority Report. Even the complacents may not want to live such a life.
Moreover, who will control the System ..? There is no safeguard that it won’t get abused; it will as even any democracy will succumb to totalitairan control. [Famous who was it that said this?] Or will not any human be in control anymore (no need) but will (s)he fall to the ÜberSystem as well? Singularity.

And don’t now complain that Anticipatory Computing will not go so far. Any development will go as far as it can, and further, with scope creep at a societal scale always winning out over moral counterforces.
Let’s just be happy that its fundamental flaws have already been built in. Apart from the practical aspects (some here); but we shouldn’t overstimate these, these days: A model of the World – Universe ..? As that determines 😉 the quantum collapse of probability functions that ‘determine’ us Humans since Understanding the Human requires encapsulation of all its erratic neuron firing – would have to include the model itself as well, leading to infinite recursion, silicon-based life’s idea of infinity.

Nevertheless, let’s see how things develop, shall we ..?