All against all, part 5; discussion

OK, herewith Part V of the All Against All matrix-wise attack/defense analysis labeling. Let’s call it that, then.

Where the big move in the matrix is, of course, from the top left half towards the bottom right half. Where there’s a continuation of politics by other means. At a grander scale, the analysis (or is it synthesis..?) turns to:

  • The resurgence of, let’s call it, Digital Arms’ Race Cost Competition / Collapse. Just like the old days, where economic and innovation attrition was attempted by both sides of the Cold War. Including the occasional runaway tit-for-tat innovation races and some flipping as well. Yes, all the mix applies.
  • The analysis that the world (yes, all of it) over the decades and centuries seems to bounce on a scale between a bipolar 2-giant-block stand-off on one hand, and a 1 giant versus multiple/many opponents on the other. Like, Europe has oscillated between such positions over the centuries. And took them global by enlisting their youngest sibling (as Baldr to the rescue), the half-god saving the others from Ragnarök, the USofA – against the hordes from the East as predicted by our dear friend Nostra da Mus (remember? though he had a different view on the ideology involved…) In Da House. Now that the global stand-off has reached the DARC stage, we see multi-opponent scheming and chessplaying once again. USofA, EU still somewhat attached but …, Russia and Friends, China, India, Brasil and friends, a host of semi-independents in the East and Far-East, and in the Middle-East (what’s with the Middle, if centers of power gravity change and disperse so quickly?).
    Edited to add: This Attali post, basically delineating the same.
  • As usual throughout human history, it’s the underlings and meek dependents all throughout the top left three quarters of the matrix that are war zones and battle grounds, too, suffering and being sacrificed as pawns without too much share of the spoils, profits, trophies and laurels. For the skirmishes and all-out war’lets as the 20th century shows.
  • Still somewhat ethics-bound players (e.g., “democratic” (quod non) countries) will also have to fight internally, for legitimacy of their ulterior objectives (externally, internally), strategies, tactics and operational collateral damage. Which in turn binds them down tremendously, when up against less scrupulous players. Don’t wrestle with pigs because you both get dirty and the pigs love that. Unless of course you’re fighting over the trough’s contents for survival. And you have one hand tied behind your back, internally, while fighting for the greater good of all, externally.

So far, so good. Much more could be said on the above, but doesn’t necessarily have to. Because you can think for yourselves and form your own opinions and extensions to the above storylines, can’t you?
Still to come: (probably the 18th) a somewhat more in-depth view on the matrix of part V, going deeper into the defense palette.

And indeed, I’m still not sure this all will lead anywhere other than a vocabulary and classification for Attribution. But I see light; an inkling that actually there may be value and progress through this analysis …

After all of which you deserve:
[Grand hall of the burghers. I.e., the 0,1% …; Brugge again]

IR-L or 0 (BC)

The spectre of BCM has been haunting ‘business’ departments of about any organization for too long. It needs to go away – as spectre, and take its rightful place in ‘Risk’ ‘Management’. The latter, in quotes, since this, this, this, this, and this and this.
Much link, very tire. Hence,
[Opera! Opera! Cala at Vale]

Which actually brings me to the core message: ‘Governance’ [for the quotes, see the last of the above link series again] fails for a fact (past, current, future) if it doesn’t include risk management, and when that doesn’t take this into account:
Turf wars
[Here, highlighted for InfoSec as that’s in my trade portfolio…]

First, a reference to that RM-in-Gov’ce mumbo jumbo: Here. (In Dutch, by way of crypto-defeating measure vis-à-vis TLAs… (?)) Listing among others (diversity, sustainable enterprise, external auditor role) the need to do more about risk management at ‘governance’ levels. Which might of course be true, and how long overdue after COSO has been issued and has been revised over and over again already.

But then, implementation … No strategic plan survives first contact with the enemy (ref here). And then, on turf are the wars that be, in all organisations. Among the great multitude of front lines, the one between Information Risk (management), the Light Brigade [of which the Charge wasn’t stupid! It almost succeeded, but because the commander wasn’t a toff, supporting a brilliant move by such an upstart wasn’t fashionable, so he was blamed – an important life lesson…], being overall generic CIA with letting A slip too easily on the one hand, and the all too often almost Zero Business Continuity (management) on the other, outs the lack of neutral overlordship over these viceroys by wise (sic) understanding of risk management at the highest organizational levels. As in the picture: It’s all RM in one way or another. And (though the pic has an InfoSec focus) it’s not only about ICT, it’s about People as well. As we have duly dissed the ‘Process’ thingy as unworthy hot air in a great many previous posts.

Where’s this going …? I don’t know. Just wanted to say that the IR-to-BC border is shifting, as IR becomes such an overwhelming issue that even the drinks at Davos were spoilt over concerns re this (as clearly, here). But still, BC isn’t taken as the integral part of Be Prepared that any business leader, entrepreneur or ‘executive’ (almost as dismal as ‘manager’) should have in daily (…) training schedules. Apart from the Boy Cried Wolf and overly shrill voices now heard, the groundswell is (to be taken! also) serious: IR will drive much of BC, it’s just that, again, sigh, the B will be too brainless to understand the C concerns. Leaving BC separate and unimplemented (fully XOR not!) next to great ICT Continuity.
Or will they, for once, cooperate and cover the vast no-man’s land ..? Hope to hear your success stories.

Disarming the citizens of the US

Ah, yes, prohibiting any discussion of or even link to possibly cracking-enabling information. Already worded in a veiled way, as in:

this would mean taking away the arms that a great many US citizens are equipped with (and prohibiting gun range training), once against the English (Brits?), now against just any outsider and US citizens themselves? Quite a Second Amendment thing, these days…

As a European, I don’t want to meddle in US domestic affairs. But I tend to the interpretation of constitutions and amendments anywhere, all of them, as principles not absolutes. Absolutes never (sic) work in societal organisation. When quite a number of those concerned [again, I’m not] would gladly see all amendments interpreted to principle not literally except this very dangerous one.

‘nough of that. Now, onto the more recent EU moves towards banning hacker tools … (and the UK push for banning encryption tools, even). I just have questions:

  • What about free speech? Seems to be an issue for discussion as democracies need more absolute protection of that. Amazon wouldn’t be allowed to sell hacker books in selected countries. Banning books, anyone?
  • What percentage of crackers would live in the applicable jurisdictions, to be under the prohibition provisions, and how many are outside those jurisdictions ..? What would happen if one excluded the former from being armed and ready but gave the latter a, most probably, more vulnerable target?
  • The honest researchers in those countries would be jobless; never a good incentive to stay on the right side. The honest researchers elsewhere would have a bonanza as all bugfix trade must move to the outside. Either that XOR through a form of licensing one creates a humongous random hence erratic but totalitarian public/private cartel. In the Home of the Free, in the pursuit of happiness.
  • If through this, the balance is lost, will the US and/or EU start to isolate itself (its ‘Internet’ (quod non as per this)) from the rest of the world ..? If so, how many trillions of $/€ will be lost to others, whereas any related industry (that will be the future, as the mature-industry-little-growth primary, secondary and tertiary industries will be what’s left for the EU/US but serious growth will be in the new industries?) will not get off the ground, hindering greatly any recovery from the intermediate term (slump) before booming, à la this.
  • Will stego boom? The Hiding in Plain Sight can bring an additional benefit of plausible deniability (with some tweaking).

Seems like the above POTUS quote might indicate that he’s not planning any censoring of the spread of direct or indirect vulnerability information but on the contrary would be stepping up efforts to bring the US back on top of the game. E.g., by not focusing solely on physical terrorists but also on outside-in and from-within (sic) cyber attacks. Or was the quote an apology for the NSA being in NK even before the (known to them!) Sony hack ..?

The picture is still murky. Too murky to take sides already, for my take. I’ll leave you with:

[Bergen aan Zee, Autumn dominos]


Suddenly (?), amidst all sorts of ‘backlashes’ to whip the 90%, or 99%, back into sullen compliance and complacency, this ENISA report came out. Issuer → importance. Get it and read…

For the effort:
[Somewhat close to near perfect alignment. But no cigar for the Gemeentemuseum Den Haag …]

HTTP status 418 against unpersonation

Though we’re halfway towards granting legal person rights to animals (as this and this show), and you know a lot of co-workers for whom this presents a nice little bit of progress, I’d say we have also moved great strides in the opposite direction.
Which is far more dangerous.

It all started, throughout the ages over and over again, with the already-responsibility-deprived weasels (a.k.a. ‘mere employees’ and ‘leaders’) wiggling out from under the burden of guilt for, e.g. most recently, the Sony hack, the financial crisis; you name it. With excuses ranging all the way from “I wasn’t important enough to have been able to make any noticeable difference anyway” to “If I hadn’t done it, someone else would have, and at least now it was me, with still some conscience, that did it” – where one’s character speaks through one’s actions …
Which in sum total, through a particularly nefarious twist of aggregation and emergence (read back this little badly unnoticed gem and you’ll get it) leads to … dehumanization of these speakers, and corporations seeking personhood as well.
Which is far more dangerous.

All of you that behave this way: You’re not underestimating the dystopian version of the Singularity, but actively bringing it on … by degrading your own independence, freedom (of mind and action!), identity, humanity, and value. By suppressing any questioning of the Überbureaucracy, actively, by frowning or much worse on those that want to remain human and social (i.e., exchange ideas). Etc. To no end.
To the end of letting the force of nature, the beast within, explode out through the most deviant, unthinkably inhumane, behavior, in particular with the ones that were most and first in line with ratio, bureaucratic petty rules, i.e., the ones holding sway over all others including you. With the explosion hitting you, too – and you have no answer either now or then…

Complexity, of the world, of societies, of your immediate environments (Sloterdijk’s spheres, yes), of yourself, is no excuse to shut down. It should be a wake-up call, a call to arms, a sacrifice … not to ritually celebrate past developments, but to progress out of the complexity …!
My favourite option: a healthy dose of status code 418 for all, not always, but every now and then, here and there. Life is too important to always take seriously!

Well, I’m off to some very dense prose, where mere text lines are ever more narrow in their description of the richness of the ideas and constructs to be discussed. Hence will part ways, with:
[Bam! Out explodes the force of nature]

Predictions 2015

So… The End is Nigh. Hence, my predictions for beyond it.

As 2015 is about to kick off, herewith my predictions of what will happen in Internet / IT land, as notable in the global society, being part of my mind frame. Or so.
To not make things too difficult to understand, I’ve assembled a mixed bag of abstract notions and concrete(ly noticeable) stuff that will happen, interlaced with all sorts of fancy graphs and dull pictures – to make you think not applaud sheepishly. Think, think first, deeply, and then still agree with the clairvoyance of:

  1. A first easy start: The development of Appl. [censored] stock as a systemic risk to the (financial and other) world. As the 1 trillion dollar mark approaches, how much would a stock need to corner the market in terms of risk ..? In particular when it will turn out to not be hip anymore somewhere during the next year:
  2. Another of this kind: Docker. As explained before on this site, this underpinning of cloud-to-cloud portability, now backed by all the major brands and a bunch of others as well – those not in, to fall off the bandwagon, hard! –, will surface as a big-time hype catchphrase and will even get implemented quite extensively. Though the latter will remain under the surface for most outcrowd.
  3. Aie oh Tee. Yes, as it rallied to the fore already in 2014, but will now burst out in earnest. After Kurzweil’s agenda, despite Carr’s, and beyond the nerdy early innovators’ adoptions. For the various directions that IoT will develop in, see this here earlier post. These streams will become more distinct next year.
    • At least, the ‘domotics’ / wearables markets will come to full steam, in particular as retrofitting becomes easy and invisible.
    • Security and audit (vendors racing to lead the former, you may thank and reward me in advance for the latter) over IoT of all kinds, will rapidly improve. See below.
    • AI will get integrated. Because reasons. Being:
      [Useful if not when you understand what’s going on here, both (!) story lines]

  4. Disruptions: In particular the unsettling decentralization ones. Like:
    Where grassroots sharing on either the supply side, the demand side, or both, will rule.
    OR the Amazonian style of Big Corp obliterating the defenseless old, may intervene.
  5. AI. A big, very big one in 2015 – whether you like it or not, the Kurzweillian happy go lucky augmented-humanoid buds will come to fuller bloom next year.
    • E.g., the above trolley problem and similar ethical and philosophical questions will be discussed profusely, hopefully delivering some twists and turns that settle parts of the problems. All of them, probably cannot be resolved once and for all; the Gödelian knots in them, are systemic and no re-definition of the problems may prevent that. FACT. But progress is there.
    • And/or, there will be many snap-to-make-sense solutions coming out. Partly or fully automated [visual|speech]-to-[text|interpretation]-to-[information|action] will arrive on any device. Take this article as example of early stages; using spreadsheets – how Old School! but still pervasive ..!
    • And many more applications. Like this. Big G’s X Labs is at full speed. And will come with many breakthroughs…
    • Oh, even before this post aired, this here interesting development…

  6. XYZCoin will continue to develop in the next year. Structures will emerge. Look for development in all the main sectors:
    • Sorting of all the sorts of coins. Zippcoin may flourish. Litecoin, maybe. Others?
    • Wallets (software wallets, and web/mobile wallets);
    • Payment processors (payment service providers, and payment networks);
    • Exchanges (xyzCoin exchanges, spot/forward exchanges, and stock exchanges);
    • Borrowing and lending (peer to peer borrowing and lending, and bank-like borrowing and lending);
    • Hardware and equipment development (for mining and ATMs);
    • Investment vehicles (ETFs, trusts, venture funds);
    • Other (binary options, casinos, microworks sites);
    • Secondary and tertiary systems of cryptographic(‘ally provable’) unicity of IDs. This actually will be the Big One. As Zippcoin delivers a Basic Income in the economists’ sense. As DACs will do all sorts of strange things, hard to understand by most, easy to reel off in dangerous directions similar to quants having been ill-understood (at a deep, fundamental understanding/meaning level) in the financial derivatives world… And as explained here and here in its systems details.
      But then, if you’d claim to understand already, the following would be easypeasy for you to explain, right?

  7. Security. Finally, something closer to home. Here, a natural modesty may cloud the actual vast progress. Like in:
    • The spread of OSSTMM. More a gaining of ground. But from there, anything goes. ISO27k1:2013 may still go around, and will indeed have a major impact on the efficacy of InfoSec implementations – now, hopefully, where applied correctly (one fears in a precious few places only; the rest performing dismally), optimizing visibly and efficiently for maximum effect. But still, it will have to be augmented with OSSTMM(-style) concrete InfoSec business. Even when the compliance/certification Totalitarian-Bureaucrat mumbo-jumbo will continue.
    • IoT security. Vendors are onto this now, mainly in the B-Internal and B2B markets (explained in these posts).
    • Encryption of data by default, throughout. Quite an example of InfoSec basics spreading under the radar. Even socmed tools will incorporate this. Effectiveness (security levels achieved) may vary widely, but the attention is good. Very good.

OK. So far, so good. First, let’s celebrate the end of the year commemorative days, in a solemn and thankful, humble way. Then, party like it’s 2015 all the way. And, I’ll leave you with:
[Not oft seen, at Viana do Castelo]

[Edited to add: I’ve upgraded the predictions a bit, and turned them into a PPT. Yeah, I can do More Slick but this: ISACA Zuid 2015 01 21 (in Dutch but you get it) is how it is…:]

Spam (out) of control

How is it that for decades, we had been used to managerial spans of control being in the 5-to-10, optimal (sic) 8 range, whereas what we had in the past couple of decades is spans of control in the 2-3 range mostly ..? [Duh, exceptions and successful organisations aside…]

Because I came across some post on a well-known business site where there’s an early simple statement that a span of control of 10 would not only be normal, but outdated as well, as the span could be at 30.
Well, I doubt the latter, as this would conflict with a lower ‘Dunbar’ number which indeed is about 8, with ramifications for informal control as outlined in this Bruce masterpiece. Oh yes now it springs to mind the 8 figure was taken by the military, the ultimate built-for-survival organization, to be the optimal span of control, and taken over to business for its apparently attractive all-business-is-war metaphor – where the attraction is there only for those not really exposed to the gore of war, I guess.

But whether it’s 8, 10 or 30, the optimal span of control clearly is larger than today’s common practice.
Which has implications:

  • Too low a number will inevitably lead managers to seek to have something to do. Busywork, in their role leading to excessive micromanagement (yes pleonasm but on purpose) and/or excessive meeting behavior, in particular with their underlings and/or likewise trapped colleagues, like an AA group. Thus burdening the underlings with time taken away from actual content work and the need for Action item lists and reporting blub. Thus burdening colleagues with all sorts of time lost on, what actually is, whining.
  • Too low a number and the micromanagement leads to extreme (far overextended) controls burdens on the ones who’d actually produce anything of value instead of producing negative value with all their externalities like managers may commonly do. This burdening then leads to ‘process’, ‘procedures’ etc., to ‘standardise’ (otherwise, understanding of actual content would be required; the horror to managers!), hollowing out even further the value of any work done. As in the abovementioned / linked Forbes article; the Peter principle will reign.
  • Too low a number and the standardisation will drive out the creativity (in process and in product/service design/production/delivery) that is required ever more than before to counter the ever more changing environment. As I typed this, this article arrived…

So yes, we all need to focus on upping the number. To counter stalemates. To counter bureaucracy heavens. To regain flexibility.
But still, still, this could only work IF, very very big IF, ‘managers’ (not to address actual managers, that I value enormously!) can loosen their frantic, fear-of-death-like Totalitarian Control attitude.
Which I doubt. But then, organisations relying on these (whether already or after they will have crowded-out the actual managers via the Peter principle and acolyte behavior) will lose out to the upstarts that do keep the mold out.

And, finally, of course:
[Was safe, now the highway passes by somewhere down below, leaving the ‘secured’ stranded upon high; Carmona]

Maverisk / Étoiles du Nord