Learn you will… Recover, you might.

When your country’s largest retailer (primarily F&B, but non-F only recently growing as well) has finally heard about something-something-smart-fridge. And wants to do it Right and starts off with a pilot. Of, drumroll, a smart fridge magnet with a mic and barcode scanner for adding stuff to your on-line grocery list (on-site self-service pick / pick-up, or delivery to follow separately). Didn’t know that existed already.
Nice idea, to include not (only) a barcode deliberate-scanner (no creepy auto-scans) but also a mic when you don’t have the product at hand (and fresh veggies wouldn’t make it; for a long time already not stickered but weighed at the (vast majority) non-self-scanned check-out).

But what security ..? For fun, e.g., putting reams of alcohol stuff on the to-pickup lists of unsuspecting meek middle-classmen that won’t understand but come home with some explaining to do (bonus for taking the stuff off the list once procured so ‘no’ trace on the shopping list). For less fun, snooping off people’s shopping habits to get rich (by ultra-focused ads or selling off the data, or by extortion-light once you get the Embarrassing Items in view). For even less fun but lulz (grow a pair) when changing the list to violate some family member’s med-dietary choices into harmful variants. And don’t forget the option to (literally) listen in on very much that is said in the vicinity of the fridge. Could be anything, but probably privacy-sensitive.
But what security? The press release points to other countries’ supermarkets already offering the Hiku sensors. Nothing is unhackable. Exploit searches must be under way. People never learn. Reputational (corp) and personal-integrity (clients) damages may or may not be recoverable, at huge expense.

I’m not in, on this one. No need. Plus:
[Where you can learn; Zuid-As Ams]

Full cite of important stuff

This being a complete citation of important stuff, on various subjects in one – meaning, that the brilliantly brief once more applies to various trades and aspects, for your information:
With the sound off or on?
If you watch a well-directed film with the sound turned off, you’ll get a lot out of it. On the other hand, it takes practice to read a screenplay and truly understand it.
It’s worth remembering that we lived in tribes for millennia, long before we learned how to speak. Emotional connection is our default. We only added words and symbolic logic much later.
There are a few places where all that matters is the words. Where the force of logic is sufficient to change the moment.
The rest of the time, which is almost all the time, the real issues are trust, status, culture, pheromones, peer pressure, urgency and the energy in the room.
It probably pays to know which kind of discussion you’re having.

By Seth Godin, as you may have derived from the style and profundity. (As per here, which is literally the same text – told you so – but also add the Head to your daily reading list! [Noticed that Head thing, intended to refer to a List structure, is a pun when you see the image to click on his blog…].)

Which all relates to a. Privacy [yes it does, just think it through] and b. your IAM ideas, ever in renewal since … decades; plus c. the ‘GRC’ eager beavers — that at last are pushed back, softly and hardly noticeably, by counterforces-undetermined that want their space to innovate back. And d. <fill in yourself and colour the pictures>.

Oh, and:
[Marketing -, or was it Design, Department at some Toronto institute]

Right. Without -s

So, we’re into this era of giving up control over our lives. Where we’re either dumb pay-uppers, or (also) victims. Which in turn leads to questions regarding who will have any income at all, to pay for the service of being allowed to sit as stool pigeon until shot anyway.
Because the latter is what follows from this here nifty piece; Tesla not giving your data unless they can sue you. The EU push for human-in-the-loop may need to be extended considerably, but should, must. Possibly similar to the path of the Original cookie directive, from weak opt out to strong double opt in plus all privacy requirements (purpose / functional necessity, minimalisation, etc.etc.).

Do we recognise here again the idea that though your existence creates it and would be different for every human on earth (plus orbit), your data isn’t yours ..? Quod non! When someone takes what you produced (however indirectly! – inferred and metadata and all) without payment, that is theft or worse in any legal environment.
Is there anywhere a platform where the consequences of this global delineation are more clearly discussed, between Your Data Isn’t Yours Because We Process It, versus My Data’s Mine Wherever ..?

I’d like to know. And:
[Your fragile fortress…; Barça]

Crippling ‘synergy’

As of late, we haven’t seen too much news about failed mergers, have we or was it buried under seemingly more interesting industries’ development news ..? Like, the latter-day’s Seven Sisters on the ‘Net driving all M&A activity by grazing the startup pastures bare?
Actually, there are a couple of interdependent developments, it seems:

  • Classic mergers and take-overs (and divestments) seem to become more rare, as the importance of classical industry (primary-to-tertiary, maybe -quaternary) has diminished, in favour of, let’s say, quintary pure-information based industry/industries. I.e., beyond mere ‘service sector’ services but data-oriented everything. Hence, it’s IPOs to behemoths taking over microcompanies, not mergers of (relatively) equals.
  • Classic mergers failed so pervasively in resulting net positive ROIs that no-one wants to deal with them anymore. Including a development like this.
  • [Not all lessons learned, apparently; otherwise, these would be shared quickly and the M&A business would rebound — see (among) the following: ]
  • The new take-overs are of the obliterate-or-fleece kind; the heap of gold just being too big to resist after which the target is plucked bare for the few nuggets of worth in there, if any, then made disappear as technology integration overrides anything qua ideas that was of any value.
  • This pointing to where previous industries’ M&As failed, every time again [at least, often also for other factors of incidental and less interesting character]: Not accounting for IT. Would love to see the research that proves that the upswing of IT in business life negatively highly-correlates with merger failures.
  • Because the focus has been so much, longer-term, on ‘synergy’ — that always was in support functions that had to be shrunk, one plus one makes one plus less than half, or so. But this never worked, as the ‘keep as of old until integrated’ was executed so lacklusterly, always leaving too many traces of old even when clean-slate renewal was attempted multiple times.
  • This in turn, because IT grew so much in prominence in business execution and administration — but wasn’t recognised as such; always relegated to the lowest of basement departments, that in the end the ‘integration’ [hardly ever to any measure of success off zero, almost always not associable with the term ‘success’ rather] of separate IT systems cost tons and resulted in … more costs, permanently, for not only the near term but -ever.
  • And, as above, this lesson hasn’t been learned. As shown in this: Brexit woes

From which the questions arise:

  • Why haven’t we all (in particular, auditors of all shades that should have been the ones to have learned and warned) learned and warned that IT integration was so crucial, both in due diligence / cost estimations and in failure rates?
  • What is the content of the learned [not]; how to get good IT integration cost estimates, and what are successful methodologies for IT quality assessments ex ante and ex post?
  • Do we only learn from history that we don’t learn from history? This because two bullets don’t look right but three do.

OK, enough to consider and ponder; I want your pointers to definitive solutions in return for:
[Now there’s the resulting Simple view; Baltimore]

Behaviour is key to security — but what if it’s perfect?

When the latest news on information security points in the direction, away from reliance on technical stuff, of the humans that you still can’t get rid of (yet!), all are aboard the ‘Awareness is just the first step, you’ll need to change the actual behaviour of users‘ train. Or should be, should have been, already for a number of years.
In Case You Missed It, the Technology side of information security has so far always gobbled up the majority of your respective budgets, with all of the secondary costs to that, buried in General Expenses. And the effectiveness of the spend … has been great! Not that your organisation is anywhere near as secure as it could reasonably have been, but at least the majority of attackers rightly focus not on technology (anymore – though still a major headache) but on the fickle user discipline. Oh how dumb and incompetent these users are; there will always be some d.face that falls for some social engineering scam. Sometimes an extremely clever one, when focusing at generic end users deep down in your organisation, sometimes a ridiculously simple and straightforward one when targeting your upper management – zero sophistication needed, there.

The point is, there will always be some d.face that makes an honest mistake. If you don’t want that, you’ll have to get rid of all humans and then end up overlording robots (in the AI sense, not their superfluous physical representation) that will fail because those underling users of old held all the flexibility of your organisation to external pressures and innovation challenges.
Which means you’re stuck with those no-good [i.e., good for each and every penny of your atrocious bonus payments] humans for a while.

Better train them to never ever deviate from standard procedures, right?
Wrong.
Since this: Though the title may look skewed and it is, there’s much value in the easy step underpinning the argument; indeed repetitive work makes users’ innate flexibility explode in uncontrolled directions.
So, the more you coax users into compliance, the worse the deviations will get. As elucidated, e.g., here [if you care to study after the pic; study you’ll need to make something of the dense prose; ed.].

So, here too your information security efforts may go only so far; you must train your users forever, but not too much or they’ll just noncomply in possibly worse directions.

Oh well:
[Yeah, Amsterdam; you know where exactly this depicts your efforts – don’t complain about pic quality when it was taken through a tram’s window…]

Pwds, again. And again and again. They’re 2FA-capable ..!

Why are we still so spastic re password ‘strength’ rules ..?

They have been debunked as being counterproductive outright, right? Since they are too cumbersome to deal with, and are just a gargleblaster element in some petty arms race with such enormous collateral damage and ineffectiveness.

And come on, pipl! The solution has been there all along, though having been forbidden just as long …:
Write down your passphrases! The loss of control by having some paper out there, e.g., on your (Huh? Shared workspace, BYOD anyone?) monitor (Why!? Why not have the piece of paper in your wallet; most users will care for their money and those that don’t, miss some cells due to the same you wouldn’t want them at your workplace anyway) is minute, certainly compared to the immense increase in entropy gains i.e., straight-out security gains.
And … when you keep your written-down pwd to yourself (e.g., against this sort of thing), it becomes the same thing any physical token is and you created your own Two Factor Authentication without any investment other than the mere org-wide system policy setting change of requiring pwds of at least, say, 25 characters. (And promulgating this but that shouldn’t be too hard; opportunity to show to make life easier for end users, for once, and great opportunity for collateral instructions on (behavioural) infosec in general…)
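To make the length-over-complexity argument concrete, the following is an added example (not code from the post or from any product it mentions) that compares a classic composition rule with the proposed length-only rule of 25 characters, and estimates entropy two ways: as if every character were random (the flattering number) and as if the passphrase were words drawn from a Diceware-sized list of 7776 words (the honest number for a word-based passphrase). The sample passwords, the 94-symbol printable set and the 7776-word list size are assumptions of the example, not figures from the post.

```python
import math
import re

# Sample passwords, constructed here for illustration (not taken from the post).
SAMPLES = {
    "Tr0ub4dor&3": "classic 'complex' password, 11 chars",
    "P@ssw0rd1!": "satisfies every composition rule, trivially guessable",
    "correct horse battery staple": "4 random words, 28 chars",
    "lantern pebble quartz velvet orbit": "5 random words, 34 chars",
}


def old_policy_ok(pw, min_len=8):
    """Composition rule of the kind the post calls counterproductive:
    at least min_len characters and three of four character classes."""
    classes = [
        re.search(r"[a-z]", pw),
        re.search(r"[A-Z]", pw),
        re.search(r"[0-9]", pw),
        re.search(r"[^A-Za-z0-9]", pw),
    ]
    return len(pw) >= min_len and sum(1 for c in classes if c) >= 3


def new_policy_ok(pw, min_len=25):
    """Length-only policy as the post proposes: 25+ characters, no class rules."""
    return len(pw) >= min_len


def entropy_random_chars(pw, alphabet_size=94):
    """Upper bound: every character chosen uniformly from the 94 printable
    ASCII symbols. Real human-chosen passwords are far below this."""
    return len(pw) * math.log2(alphabet_size)


def entropy_random_words(pw, wordlist_size=7776):
    """Estimate for a word passphrase: each space-separated word drawn
    uniformly from a Diceware-size list (assumed 7776 words, ~12.9 bits each)."""
    return len(pw.split()) * math.log2(wordlist_size)


def assess(pw):
    """Policy verdicts and both entropy estimates for one password."""
    return {
        "old_policy": old_policy_ok(pw),
        "new_policy": new_policy_ok(pw),
        "bits_if_random_chars": round(entropy_random_chars(pw), 1),
        "bits_as_word_list": round(entropy_random_words(pw), 1),
    }


if __name__ == "__main__":
    for pw, note in SAMPLES.items():
        print(f"{pw!r:38} {note}")
        print("   ", assess(pw))
```

Note that four Diceware words (about 51.7 bits) sit just below an 11-character string that is genuinely random over 94 symbols (72.1 bits), but such strings are not what users produce when forced to; a 25-character minimum lands at roughly five words (about 64.6 bits) of something they can write on a slip of paper and keep in their wallet, which is the post’s point.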

What bugs me is that already a great string of generations have been led astray while all along the signs were on the wall – not the passwords on them, but the eventual inevitable collapse of the system, by users that demonstrated this security measure was too impractical to stick to par excellence as evidenced in the still-strong and practiced practice of writing down pwds. If people do some specific thing despite decades of instruction … might we consider the instruction to not fit the humans’ daily operations ..? so the ones seeking to Control [what pitiful failures, those ones …; ed.] will have to rescind?

So, written-down passphrases it is. Plus:
[Easy sailing to new lands, beats being stuck on Ellis; NY]

Take me out of the loop, (as I) please

Considering that there is this thing with privacy — where people are getting more and more aware that yes, they do have a legal right to not opt in to any scam’ish spam and Shallows-ing of their filter bubble [where the latter sounds soft and pleasant, pink, instead of crushingly dusty and petrifying your mind, the one thing that so far keeps you human].
Considering, too, that there is a push to have at least a human in the loop of math destruction. Which will fail if it’s a click-yes-or-be-fired job. Which it will, in the current setting and developments, be. Unless the human, and all of hes [her/his; LGBTQ-neutral] superiors all the way up to and including in particular the Board members, individually fully accountable, remain accountable for all that the click-yes leads to. They should be, or else they have no legal title to any income of any kind. But since the legal side is all set but the 0.1% is above the law, this isn’t happening.

At least then, we should aim for something similar to the cookie directive [so villified because it was such a glorious and simple idea it could work. could have.]; I propose:
The right to be left out of (statistical or other) profiling. Since the profiling follows from matching patterns that are different things from the data I provided, most probably to some party other than the one doing the profile extraction out of statistical masses – fitting me to the profile is a direct form of de-anonymisation to identification to which you have no legal right and a legal duty not to. Check your brain to see whether it is capable of the most basic functioning, which is sufficient to understand articles 11 and 12 of the Universal Declaration of Human Rights. Name one set of principles that applies more widely, globally, than that. Doing away not only with the nuisance but also with the filter bubble et al. including the atrocious downsides of false positives as per the link above.

Maybe the online ad markets would crash. Report has it that they already do; imploding under their own emptiness. There is no inherent reason any market should exist per se. The world would a. continue to prosper, so infinitely more so than before when ad markets would crumble; b. be a better place and who could be against that?

So after this bombshell of an idea, I leave you with:
[Peace of mind; at a borgho just North of Siena]

Leaking profiles

Got an attention raiser during an off-the-cuff discussion on data leakage. Qua, like, not getting the first thing about what privacy has been since Warren&Brandeis’ eloquent definition, and subsequent codification in pretty hard-core, straightforward laws.
The problem being, that no theory of firm (incl public) allows subsumption of employees into slavery, of mind or otherwise. Think Universal Declaration of Human Rights, article 12. Hence, tracking and tracing every keystroke of employees, i.e., treating them as suspect of e.g., data leakage before one has any a priori clue about everyone individually actually doing anything wrong, not having been granted any rights of surveillance in this jurisdiction, is a crime in itself.
And no, the comparison with street cameras that bother no-one and make everyone safer, is a lie on two counts. And, in many countries (the civilised ones; a criterion in reverse), such (total or partial) surveillance isn’t outlawed without reason.
So, your data leakage prevention by tracing everyone is an illegal act. Don’t.

No, your security concerns are not valid. Not the slightest, compared to the means you want to deploy. Stego to files of all kinds, when all are aware of its implementation, may help much better. And supplies you with the trace you want; not to your employee that you (but no-one else) suggest is rogue – (s)he knows about the traceability so will be self-censored (ugch) into compliance – but to the third party that spilled the beans. Since stego-cleansing tools may exist, your mileage may vary. Encryption then, the destruction of content accessibility for those not authorised (through holding a password/token/~), will fail when anything you send out might have to be read off a screen; the PrtScn disabling being undone by good ol’ cameras as present in your good ol’ S8 or P900 (though this at 0:50+ is probably the typical TLA stakeout vid/result).
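The per-recipient stego mark the paragraph describes, and the cleansing that defeats it, as an added example (not the post’s own code or any product mentioned): each copy of a text document carries a 16-bit recipient id encoded as zero-width characters after successive words, which is invisible on screen, survives copy-paste of the file, and tells you which recipient’s copy was leaked. The sample document, the 16-bit id width and the choice of U+200B/U+200C as carrier characters are assumptions of the example; retyping the text or running it through a strip-non-printing-characters step (the `cleanse` function here) removes the mark, which is the “your mileage may vary” caveat in the text.

```python
# Zero-width space and zero-width non-joiner stand in for the bits 0 and 1.
ZW0, ZW1 = "\u200b", "\u200c"
ID_BITS = 16  # assumed width of the recipient id

# Constructed sample document (28 words; needs at least ID_BITS words).
SAMPLE_DOC = (
    "Quarterly figures for the pilot are attached; please treat this document "
    "as confidential and do not forward it outside the project team without "
    "approval from the programme office."
)


def embed_recipient_id(text, recipient_id, bits=ID_BITS):
    """Return a copy of `text` with `recipient_id` hidden as zero-width
    characters appended to the first `bits` words. Raises if the text is
    too short to carry the whole id."""
    if not 0 <= recipient_id < (1 << bits):
        raise ValueError("recipient id does not fit in the configured width")
    words = text.split(" ")
    if len(words) < bits:
        raise ValueError("document too short to carry the mark")
    payload = format(recipient_id, f"0{bits}b")
    marked = [
        w + (ZW1 if payload[i] == "1" else ZW0) if i < bits else w
        for i, w in enumerate(words)
    ]
    return " ".join(marked)


def extract_recipient_id(text, bits=ID_BITS):
    """Recover the id from a (possibly leaked) copy. Returns None when the
    mark is missing or damaged, e.g. after retyping or cleansing."""
    carriers = [c for c in text if c in (ZW0, ZW1)]
    if len(carriers) != bits:
        return None
    return int("".join("1" if c == ZW1 else "0" for c in carriers), 2)


def cleanse(text):
    """What a stego-cleansing step does: strip the carrier characters.
    The visible text is unchanged, the trace is gone."""
    return text.replace(ZW0, "").replace(ZW1, "")


if __name__ == "__main__":
    copy_for_vendor = embed_recipient_id(SAMPLE_DOC, 0xBEEF)
    print("looks identical on screen:", cleanse(copy_for_vendor) == SAMPLE_DOC)
    print("id read from leaked copy  :", hex(extract_recipient_id(copy_for_vendor)))
    print("id after cleansing        :", extract_recipient_id(cleanse(copy_for_vendor)))
```

Two design notes: the mark is tied to the recipient, not to the employee who handled the file, which is exactly the shift in accountability the paragraph argues for; and because recovery needs all sixteen carrier characters, any partial damage yields `None` rather than a wrong id pointing at an innocent party.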

Conclusion: Excepting very, very rare occasions, your data leakage prevention by employee surveillance will land you in prison. Other methods, might be legal but fail. Your thoughts now on outbound traffic keyword monitoring. [Extra credit when including European ‘human in the loop’ initiatives.]

And:
[No privacy in your prayers, or ..?? Baltimore Cathedral]

Ninety percent

Not in any economic sense you may have thought, given the attention oft given to, e.g., the 1% or 99% (We Are-; Occupy-style) where now the 90% might be the disappeared middle class in the US that extended from the bottom 10% – that was around even in the best of times – all the way to the top — excepting the 0.01% that was in charge all the time …
Here, it’s about a quote slash truism:

90% of everything is crap

Have ever truer things been said. This, of course you knew since prep school, being Sturgeon’s Law.

Just putting it there. See the link for a ‘proof’. Or look around you; physically (co-workers), mentally (in your head, and feel free to assume the others’ heads are not necessarily better…), qua your pay check, your significant other [hey here I can testify I’m lucky with a not-90% specimen par excellence; no she’s not reading this], etc.

Leaving you with:
[In the 10%, definitely. Even when it rains, this one. Baltimore]

Summer’s approaching

Sixteen steps to build a campfire [Because there’s not enough attention, or contention, to make it to the List of Lists you’d want to be on]:

  1. Split dead limb into fragments and shave one fragment into slivers;
  2. Bandage left thumb;
  3. Chop other fragments into smaller fragments;
  4. Bandage left foot;
  5. Make structure of slivers (include those embedded in hand);
  6. Light match;
  7. Light match;
  8. Repeat “a Scout is cheerful” and light match;
  9. Apply match to slivers, add wood fragments, and blow gently into base of fire;
  10. Apply burn ointment to nose;
  11. When fire is burning, collect more wood;
  12. Upon discovering that fire has gone out while out searching for more wood, soak wood from can labeled “kerosene”;
  13. Treat face and arms for second-degree burns;
  14. Re-label can to read “gasoline”;
  15. When fire is burning well, add all remaining firewood;
  16. When thunder storm has passed, repeat steps 1 – 15
  17. Oh, and:
    [Feels like a slide; to follow the above link, please do; NY/NY]

Maverisk / Étoiles du Nord