
Infosec: outside in / inside out

One of those “when they speak, others listen” people has a say on the future of infosec.
Dr. C. Dr.ow at it again.
First, a picture for your viewing delight:
[Private enjoyment for the general (not.)]

Which points at the other of two major approaches to get better information security throughout society. Not by expecting Every Man to do His Duty, or by “Ik val aan, volgt mij” (“I attack, follow me”; the hero here), getting better security piecemeal by (having to) upgrade each and every foot soldier, read Internet user, time and again through laborious exercise.
But by instating societal institutions that govern infosec for us. And then I thought that CD wasn’t a fan of governments…

Nevertheless, interesting. In particular, if some form of transparency could create True Democracy in this field. Which I doubt. But again, nevertheless interesting.

Books by Quote: Zero

[Aeromecanique, Défense]

Yet another ‘Book By Quote’ then (an attempt to subjectively summarise a book by the quotes I found worthwhile to mark, to remember. Be aware that the quotes as such aren’t a real unbiased ‘objective’ summary; most often I heartily advise you to read the book yourself..! [This time, really. As really as the other times.])

So, this time: Charles Seife, Zero, Souvenir Press, 2003, ISBN 9780285635944.

Within zero there is the power to shatter the framework of logic. (p.5)

Nobody knows whether Gog the caveman had used the bone to count the deer he killed, the paintings he drew, or the days he had gone without a bath, … (p. 6)

(We all know how fun it is to convert fractions back and forth!) (p.19)

A lone zero always misbehaves. (p.20)

Worst of all, if you wantonly divide by zero, you can destroy the entire foundation of logic and mathematics. … You can prove that J. Edgar Hoover was a space alien, that William Shakespeare came from Uzbekistan, or even that the sky is polka-dotted. (See appendix A for a proof that Winston Churchill was a carrot.) (p.23)

Rule-based rules rule, babe

First, a picture for your viewing pleasure. You’ll need it.
[OK, noga I mean toga I mean yoga class, Bryant Park]

Soliciting your help in trying to find the lapse of reason in the following:
Rule-based laws, or regulations, or organisational procedures, aren’t always bad. There need not always be a principle-based approach, certainly not since (fact) it deteriorates over time into yet another bucketload of rules, every time again, for clarity [which proves it just is too difficult for the great many to think, to need only the principles and act accordingly…].
There can be simple sets of rules… here and there… IF those rules are the precious few guiding rails needed to keep everyone in reasonable alignment. Brushing off the sharpest edges, and standing ready in the background when something might go haywire.

In organisations throughout. Anything one can dream up may be left to the specialists (if…), who (should) know best and need not be micromanaged.
Who thinks they are better at rule-setting than the ones in the midst of the turmoil in the first place ..? The compliabully, yes, but kick back (Frappez! Frappez toujours!) for freedom. The biggie rulesets, derived from principles or not: they squash your freedom of action, your independence, your autonomy.

Take a look at societal rules. The law books have a few very abstract principles, and a great many very detailed rules… In case of doubt, courts come to the rescue [give or take that even there, one cannot be 100% perfect always]. Normal people using their normal brains, will not overstep the line.
Why can’t subsocieties like industry sectors function the same way? No authorities there to govern the lot? Too many free riders and other scum, maybe; then step in from the outside and wipe it all clean (including the internal cleaners that didn’t perform – claw back their income in full as they didn’t deliver on their promises. Bad luck, such is life throughout the centuries).
Why can’t subsubsocieties like organisations function the same? Same. Would wipe the top half of many an organisation; silly bureaucrat mice walking on the bridge next to the elephant and claiming how much noise you make.

So, would we need oaths per professional association or per industry sector? No. By having been born, one has sworn to uphold the law that includes the lesser rulesets that any halfbrained dunghead could know to have to work within.

Connections, tangled

LinkedIn inmap

Yes, that’s my InMap (http://inmaps.linkedinlabs.com). Quite a messy thing. Large clouds of KPMG [blue], ABN AMRO (various subsets) [orange, green], Noordbeek [light orange], Achmea [purple], NOREA [lilac] in it, too, Maverisk/ISSA [light blue] etc.; aiming for connectedness is nice but I think I’ve wiped enough into one tangle. The top grey Private, #Tuacc et al., ICC and Miscellaneous, is obviously less of a mess.

Oh well.

Postquote

Just a rip from Seth Godin’s blog:

Entropy, bureaucracy and the fight for great

Here are some laws rarely broken:

As an organization succeeds, it gets bigger.

As it gets bigger, the average amount of passion and initiative of the organization goes down (more people gets you closer to average, which is another word for mediocre).

More people requires more formal communication, simple instructions to ensure consistent execution. It gets more and more difficult to say, “use your best judgment” and be able to count on the outcome.

Larger still means more bureaucracy, more people who manage and push for conformity, as opposed to do something new.

Success brings with it the fear of blowing it. With more to lose, there’s more pressure not to lose it.

Mix all these things together and you discover that going forward, each decision pushes the organization toward do-ability, reliability, risk-proofing and safety.

And, worst of all, like a game of telephone, there will be transcription errors, mistakes in interpreting instructions and general random noise. And most of the time, these mutations don’t make things wonderful, they lead to breakage.

Even really good people, really well-intentioned people, then, end up in organizations that plod toward mediocre, interrupted by random errors and dropped balls.

This can be fixed. It can be addressed, but only by a never-ending fight for greatness.

Greatness can’t be a policy, and it’s hard to delegate to bureaucrats. But yes, greatness is something that people can work for, create an insurgency around and once in a while, actually achieve. It’s a commitment, not an event.

It’s not easy, which is why it’s rare, but it’s worth it.

And a picture for your viewing delight (?)
[The epitome, unfortunately]

Continuously intermittent

Why processes don’t work, at all: the blocks. The activities scheduled, often only once throughout the year, in sequence. As if… Reality will throw all activities at you every day, as reactions to incidents and panics.
Along the lines of “Can’t have a massive data breach today, because this first quarter we’re only supposed to do risk analysis by the book – unsure if by Summer we’ll have finished this, as everyone is learning the first baby steps of it in turns. Come back per September and we’ll have a result that none of us recognises, or anyone else for that matter, as anything approaching a serious result, and no-one will know what to do next or have budget for it.” (Remember the 15.5 risk ..?)

Practice may sober you up. Then, auditors come around. “Check. We did ask about this. Uncheck. You failed to do the irrelevant. It’s nothing personal, but your head will roll.”

Oh well, Mintzberg had it right already.

Check; need to write this up in some white-paperish long-form post. Closing off now, with a picture for your viewing delight:
[Ah, what a monument, what a museum!(piece) to cherish, to search for]

Selecti(n)on

[No room for downstairs personnel]

Where are the leaders?
I don’t mean the hopeless hapless clueless bureaucrats that label themselves such.

I mean the kind that opposes the following:
Time and again, when something goes horribly wrong in society, it turns out there are few to blame, if any, after careful search and much (self- and friends-)exculpation. It appears as if (read: when) all societal structures, regulatory and oversight structures in particular, are just set up to spread accountability. So that when all are accountable, none are accountable.

Quod non! However, the meek shall be eternally butchered in hell for their inaction against Evil (i.e., bureaucracy and its drone executioners), their complacency and their numbness. Is the latter a definition of blindness to the real world?

E.g., in the world of temp staffing, in particular re freelancers, contractors, external consultants. Some department has a need, however inexact the requirements for the solution. The in-charge must deal with HR, and Procurement (in all their shades and colourings, and many other departments probably too), to get a slot filled. HR and Procurement have NO clue whatsoever, and are only marginally capable of posting a check box list from some outdated, never-have-been-valid longlist of randomly assembled requirements.
Candidates apply. The ones that check all the boxes (currently, often automatedly, shutting out even more interpretation) get the job. The ones that fulfill the original need don’t. All must now be satisfied, for procedure was followed – to death. The problem owner isn’t, since (s)he gets only the dull, the procedure-fitting, not the original, the fresh, the new, that could actually create (new, innovative) solutions to the ill-defined problem. The true candidate isn’t, because (s)he’ll never be able to deliver the real solutions.
How can you comment when HR and Procurement just did their jobs ..? When in fact, they didn’t. But theirs were not lofty goals or objectives, theirs were just the mincemeat targetlets. Operation successful; patient died.

And don’t start on the financial sector… And every business failure in between.

Or do we first need to revert to common sense in principle-level target setting, over just the quarterly figurelets..? This may not catch on quick enough to prevent the mob from raiding the regents’ houses… (as here (Dutch)).

So, where are the leaders that call this crap for what it is, fire all those that refused to think, and instate and require direct comms wherever possible …?

No me auto

On the quest to maintain autonomy as Freedom, as the driver for privacy.

First, a picture:
[Oh look, a fig leaf of green, so this isn’t Metropolis at all (…?)]

Yes, indeed. I was triggered by the ‘blessings’ that Big Data may deliver in e.g., health care, where Watson-like doctors may deliver more accurate diagnoses than humans might. IF, big if, they’re fed with the right information. Restraint will not be in the system.
But, moreover, it is not the emotionless (?) machine we fear; it’s the loss of control. A human would interact; a machine, well, wouldn’t have need for that as it’s ‘always’ better than a human, and shouldn’t be second-guessed. A human doctor we can still distrust, even one posing as an authority.

In there is our fear: The loss of control. The loss of autonomy.

Prisoners don’t fear guards as long as the latter just act normal. Because then, the latter are drones that actuate the System, the bureaucracy that is the Power That Be. Abusive guards, overstepping their (‘minimal’) power, lose that authority and are just Evil.

Humans fight bureaucracies because of the loss of autonomy that these bring.
Ever since Man (F/M) became aware of his autonomy in the dangerous environment, she has strived for control over that uncontrollable Nature beast. Most of all, by growing a pair, of brain halves, to a size so huge that pattern recognition leading to predictive analysis was bound to spring up. If only one could predict Nature, then one would have power over it because nothing surprising would happen. And then, one could do less fleeing, a bit more fighting and feeding, and much more of the Four F’s ‘F-for-reproducing’.
Ever since Man (M/F) started to cooperate in groups, there was a balance of sacrifice of autonomy, independence and efforts as inputs versus gains from cooperation.

And now, with the übercomplexity of society having passed a threshold somewhere in the mid-19th century, there is no room, no dream, for escape anymore. Until then, there were sufficiently vast terrae incognitae, (near-)unoccupied inhabitable lands, so that there was always the alternative, however distant in achievability, of quitting the Contrat Social. Or, as before, when societies weren’t overly complicated (for: ), one could start a revolution, or so. To get the non-autonomous together and, with their combined muscle- and brain-force, get all to be free again. Until then, there was no notion of privacy, but it did result quite quickly (well, in line with the speed of societal development that then was also seen as being high…).

Which also ties in with the overwhelming Big Corp (Google, the Second Tier, and the rest) dominance over governments that is steering our societies as these integrate. These uncontrollable beasts go far beyond what ‘democratic’ geography-tied national authorities pull off. Pulling both the TLA-agency snooping (automated trawling for patterns; no humans involved! but that’s exactly where the (above) fear comes in: uncontrollability, as it’s too much, too fast, too abstract to be tractable for humans…!) and the loss of copyright over one’s own data (production) into the picture. The latter, as in this most recommendable book.

[Bell for a relevant intermission]
Or … this; from around 0:37, but the whole thing isn’t too long and is needed for full understanding – yes indeed, if that was The Message, then it is, still, for all.
[We’ll continue the show]

Maverisk / Étoiles du Nord