Non Dad Bots

With all the attention having gone to the not-so-Russian-or-are-they hacks, and some ransomware and CES17 news, over the past couple of months, one could have forgotten that not too long before, there was the wavelet (not like this) of hype over the, then, sudden exponential roll-out of bots in all sorts of customer-interactive sittuwaysjons.
Have these non dad bots, contrary to the MAMILs, disappeared from the streets ..? Or where are they; not like “out there in the cloud” which means a. they’re on someone’s machines, still, geo-bound as physically these are and hence under someone’s (non!)privacy control, b. nobody cares. But in a sense of ‘market share’ by any measure (which?), and who are the big players, what are the typical products/services and what metrics are there to compare these?
[Edited to add after scheduling the first version: this]

Just wanted to know. Surreptitious developments are ominous in their invisibility already. And working worse than ever… — some help may be thinkable, not yet on its way I’m sure, but that’s a long way off what we’d need…
Oh and I didn’t mean the idea of botnets for attack purposes; that’s done deal and yesterday’s weapons technology, right?
And also not robots, as they have a physical presence which enables some form of physical override options, at least in theory, when required and not hindered
Not even the personal at-home quasi-sentient devices limiting your world view ever more whilst plucking you bare for unwanted purchases behind your back.
But did mean the kinda chat bot-ish software working in the background…

Until then, we’re stuck with bad not dad bots not bods … With:
DSCN6171
[Physical protection, if of the obese/obsolete kind; Nancy (sic)]

Fake-fake-fakes

[Edited to add: this, I wrote a month+ ago, and has of course since been ‘repeated’ over and over, e.g., through the poor Swedes not knowing what hit them…]

Not quite like this, but troublesome: The information explosion brought to us by the Internet, has finally come to the brink of its feared state of drowning-till-death the Truth, under Fake. Where nothing, literally nothing, can be believed anymore, nor can anything be refuted as fake once the humans’ limited context view cannot discard everything that seems legit or on the border of it, for lack of irrefutable, foundational truths that would raise the plausibility to sufficient levels.
On the contrary, the logical-positivists’ traps / blind spots would kick in. We get unprovable ‘double secrets’ and ditto ‘double falsehoods’ (“We didn’t hack the elections”) — so finally, we reach Socrates’ ideal ..!!

The Elysion at last, like:
DSC_0026
[Now that’s E Pluribus Unum; Noto oh no it’s reluctantly-unified DunEdin…]

Secret Health

The year hasn’t started in earnest, and already we’re swamped in news about the over-easy hackability in and/or frequent leakage of medical data from the Care sector — haha we aren’t swamped but rather, quite ignore the news because either one cannot do anything about it (but complain) or it’s too embarrassing …
Also, it turns out that people are more reluctant to share medical data (info) with their practitioner(s) when they are less secure about the secrecy of it; the very reason there’s such a thing as medical professional code of secrecy (doctor/patient confidentiality) and now, leading to worse care (quality, cost) then if proper secrecy wouldn’t be in doubt.

So, either you medical/care expert have professional pride to provide the best medical care and hence implement proper infosec measures (from ISMS to crypto-details) and chastise your managerial staaf for not doing it properly — or you try to wing it, don’t secure properly hence don’t provide maximal care, and should be banned.

And:

[A good health figure; Barça]

And … down goes LI

OK, so has a new platform risen yet, where ppl can just have their resumés and contacts and that sort of stuff, beyond the diversion that LinkedIn is on ..?

‘Cause all the talk you read, isn’t about what actual users (not the few that would want and need other, much better tools anyway) have their LinkedIn profile for. So any disruptor can finally get a shot at this. No, Flunkbook and the others with market shares and caps already, have their own niche (sic) and not this one by miles.

So, what’s your guess which one it will be ..? and:
DSCN0263
[Old-school defensive functionality; Ávila]

Going somewhere but where?

Which beats going nowhere. Like, where’s the hardware industry going?
If this is where it’s going, brace yourself, four seasons in one day’s coming.

On the serious side, where’s the hardware industry going? Are we through with yet other categories, from desktop to laptop to iPhony to iPad to notebook to notepad to bent screen mega-TVs to tilt-screen Chromebooks to slightly-larger-but-hardly-so-what’s-the-point-anyway phone screens …? Why can’t I still not assemble (sic) my equipment the way I want it?

And, I forgot Cloud in there, and Raspberry, and mainframe (heh, that one’s just for the joke), and …
Is there such a thing as a framework for discussing how this all fits together? A set of classifiers so one could draw up a matrix of options/feaures ..?

Plus:
DSC_0718
[Well that’s still fresh, but a one-off; Sculpture garden, DC]

Automobiles, (trains,) Planes

What a disaster it would be if all those (self-driving, or augmented-driving as they are today already) cars could be taken over by some madman or unrelatedly hacker … One could remotely steer a car off the road! One could remotely steer a whole bunch of cars within some area / country (?) off the road in a broadcast … With pre-emptively having disabled manual override, of course. [Though, noted before, the ability to do so would on the human side deteriorate very quickly as it wouldn’t be needed to be seriously trained/experienced (anymore).]

Yes, that’s bad. How is this same idea, but applied to current-day planes ..? Where about-all is automated, and users get more and more access hence control (think that one through; qua nothing’s 100% secure) to still but what do you know limited zone(s) of plane networks, e.g., re on-board wifi. The known-to-be-stellar-secure wifi.
Of course, this would be suicide — or airport-proximity (from just outside the fence) runway-DoS …; but not all seem to care about the sacrifice… on the contrary. And don’t come with the argument of having to know systems to break in / run amok. Some had gone through the effort of going through a pilot’s training, right? And here, one can be a passenger and do recce from business class, and/or deliver and C&C from there.

I love my old-style car / driving … and:
Photo15
[Warped, but quite safe from hacking… Somewhere upstate WI]

They're Security Scrum!

Yet another trend: The recoil of Agile practices since uncontrollable isn’t what you’d want from your IS infrastructure..?

Where the scrum and other development methods using emblematic sprints by that very idea have to lose all the ballast …
But would you run a marathon-length Chinese Whispers game (Telephone if you’re from the US, inable to go with the rest) …? Because that’s what you get, quality-wise, if you deploy sprinters for the whole 42k195m — no use for miles either — and (wide-sense) security’s one major part of it.

Again, a baby with the bath water thing, here. Moreover, since even with large Waterfall development — which should’ve been V-shaped for the right half of it ..! — security (wide-sens, incl. proper-usability, documentation for maintainability et al.) was too much of an afterthought. When taken seriously, by the way, proven to be much less of a nuisance either during the project or or during implementation/roll-out or during the production phases, than it was taken for.

So, the question is not how fast ‘we’ can dump Security when adopting something agile, nor ow to ‘ split up’ the CISO’s thinking and acting and standards over App Devt and DevOps, but how to get suitable Sec into DevOps-or-whatever. The only road that’s not a dead end, sounds like “Sorry Dave, I can’t let you do that” [I know]. A sort of thick-concrete sandbox — creating tons of overhead in sprints, and when later exposed in the Real World of production. Retrogade.
Your start-up hacktons just don’t cut it in the big boy business..? Better ideas?

Plus:
20160408_133824
[Where all you wanted was one big coat hanger… Beurs van Berlage]

Switching to the Offence Defence wait what?

Lately, the Preventative Doesn’t Work Quick / Well Enough So All Heads Turn To Reactive Security has had its effect. But not the intended effect of doing both, just the latter it seems [yes, I know].

And, where the FLOT hadn’t been up to it before, often by lack of proper budget, the hardly sufficient funds have been shifted. Recipe for …

Indeed, the Reactive part had been neglected much too long, but a shift was not asked or, but a doubling of efforts on both sides (?). Hence, the now ‘new’ SIEM et al., may have had all the attention but that doesn’t mean success (yet!), objectively.

And subjectively, maybe less — ’so what did you do with the money ..?’ — also caused by the shift-not-double of allocations (budget, in Count da Money, time and supremely capable staff).

Not so strange, when you go, at a strategic level, from one point (/) solution to another…

So, the way out ..?

This is 2017. Do it in the mix. As presented here and here. But certainly here.

I.e., find the balance and play chess at Grand Master level on all boards (including B~ see last Thursday’s post below). Starting at the front, your attack surface, by means of Activity-Based Access Control and Integrity of Systems. And all other stuff you did in the past but have to bring back up to snuff and clean out like Augeas’ stables (thinking of your ‘user administration’ here).

And then realise that all this is still asymmetrical to the hilt, so absolutely not enough. Do not throw away what you built over the last year / and a half but extend it… With smart fill into the matrix of this. Which should be much cheaper than (thinking, faintly trying) to tighten your FLOT shut; the thin red line that it is. And with this blended approach also much less hindering the Good ones.

[Oh, edited to add after schedule-time: this. For the balance… But will, I think per Feb 27, return with a high(er)-level view why ‘preventative’ and ‘in control’ are definitely two distinct things…]

Plus:
20140905_201502
[No you st.p.d that’s a blue’ish-and-white’ish line of sorts; Noordwijk]

Ah, security rules — not for Us

When the Last Mile in infosec is convincing the Board to stick to ‘their’ own rules and not think themselves above it, how do we’d want to pull this off ..?
Where, so often, they complain that sticking to the rules is too complex or cumbersome for them — for no extra credit, reflect on their capacities to be in there position to Lead and Show — whilst forgetting their underlings have to deal with it anyway, possibly being more capable yes but not as claimed dealing with less sensitive information …
Where the reaction for themselves is they Have to carry on, counter to sane advice and rules, with unsafe behaviour often in particular when dealing with the most sensitive stuff; either not recognising that as such or hardball playing down the sensitivity and/or their attractiveness as targets — out of some form of cognitive dissonance and often contrary to their lightly-to-grossy inflated self-worth estimates respectively.

Where, also, we see con-zultands playing up their self-importance and -assigned capabilities, as per this. Recognisable, all too recognisable [been there, done that, didn’t even got the T-shirt; ed.].
And realising that this all, seems to work… reminds me of what Thomas Paine can still bring to bear on this, which is not good. Not at all. Though the advisortypes may co-opt and exploit the courtiers’ methods (hey, how hard have you studied these ..?) without being caught in the courtiers’ ‘regulatory capture’ error and maintain a bedrock of sanity until My Precious is had; is that the only viable road?

Or would you have something else? No, not plain forward address that is so sure to fail, to fall flat on your face before it’s out of the starting block; if you don’t see that, you may very well be too inexperienced to have a clue…
But seriously, folks, what have ..?

Oh, and:
20170104_131738_hdr
[When the castle goes down, all go down but the upper class (sic) has (golden) parachutes so why would they care? Bouvigne Breda]

Maverisk / Étoiles du Nord