Category: Information Security

Data Classinocation

I was studying this ‘old’ idea of mine of drafting some form of impact-based criteria for data sensitivity when, along with a couple of fundamental logical errors in some of the most formally adopted (incl legal) standards and laws, I suddenly realised:

In these times of easily provable easy de-anonymisation of even the most protective homomorphic encryption multiplied with the ease of de-anonymisation throught data correlation of even the most innocent data points, all even the most innocent data points/elements must (not should) be classified at the highest sensitivity levels so why classifiy data ..!?

This may not be a popular point, but that doesn’t make it less true.
In similar vein, in European context where one is only to process data in the first place if (big if) there is no alternative and one can process for the Original intent and purpose only,

To prevent data from unauthorised disclosure internally or externally, without tight need-to-know/need-to-use IAM implementation, one already does too little; with, enough.

That’s right; ‘internal use only’ is waaay too sloppy hence illegal — it breaks the legal requirement for due (sic) protection, and if the use of data is, ‘by negligence’ not changing a thing here, let possible, the European privacy directive (and its currently active precursors) do not allow you to even have the data. This may be a stretch but is still understandable and valid once you take the effort to think it through a bit.
Maybe also not too popular.

Needless to say that both points will not be understood the least by all the ‘privacy officer’ types that have rote learned the laws and regulations, but have no experience/clue how to actually use those in practice and just wave legal ‘arguments’ (quod non) around as if that their (song and) dance is the end purpose of the organisation but cannot answer even the most simple questions re allowablity of some data/processing with anything that logically or linguistically approaches clarity. [Note the ‘or’ is a logical one, not the sometimes interpreted xor that the too-simpletons (incl ‘privacy officers’) interpret but don’t know exists.]

OK. So far, no good. Plus:
dscn0990
[Not a fortress, nor a real maze once you see the structure; Valencia]

Waves of cyberfud

Not just because #ditchcyber is real. But because only now, the first of the absolute leggards (i.e., gov’t officials) begin to make waves about access to private data, through apparent (sic) complete lack of understanding about the fundamentals of free society. The issue of blanket access to any communications, for whatever purpose, has been settled so shut up for eternity or however much longer it takes ‘you’ to get it or die — whichever comes first, my guess is the latter.

Politics being the only field of work where no education is required; all the cyber-blah being the second, then, apparently ..? And:

dscn1128
[He would have annihilated the little people that clamour for ‘backdoors’, etc., et al.; DC]

Fraud no-angle

There was a lot of work done, mainly from faux legal/ethical corners, on the so-called ‘fraud triangle’. Without pointing only at previous dismissal, there are some fresh insights on why this’all is faux.

One is, as pointed, the presentation that considers the three corners of the triangle (pleonastically not tautologically) to be ‘present’ at one same time. In stead of seeing that there is a (very) definite order of the three. Once started, the march by moral capture / self-blackmail is one-way only. Whether triggered by willful act or casual impulse (i.e., Kahnemann’s System 2 or System 1 ..!); this is just a fact.
Two, the considerations on the triangle, and how to ‘prevent’ ‘it’, are theoretical only. Because they leave out human nature, where Systems 1 and 2 interplay. Where ‘protection’ against that, is not a theoretical exercise somehow (sic) translated into perfect control — as history learns, all totalitarian dehumanising organisations inevitably (sic) fail, and even trivial implementations will fail due to imperfect control everywhere, by definition through its selection by risk vs. budget balancing.

Yes the Faux triangle sometimes appears to be discussed only by those without due experience in practice. That know not of what ‘ethical’ means when it comes to leading and controlling people. That see only a tiny fraction of perverted Bad people (tellingly forgetting about the difference between Bad and Evil, Nietzschian style) that need to be stopped at all cost… Because Ordnung Muss Sein.

We all know how that worked.
Leaving you with:
dscn1377
[Please take a bath…; at Caldelas]

Comedy crashers

No capers, frankly no comedy either, when some of the most respected in the field are concerned about pervasive probing of whole countries in one go. As here.

Probably, the same is pulled off on smaller countries as well; the infra doesn’t distinguish, but the protection budgets probably are much smaller, so a proof of concept might be interesting. Though this may trigger better protection in the larger country/countries, if done ‘right’ the attack(s) may be class break kind of things not so easily protected against in the first place.
And for now, the smaller countries probed, will have even smaller budgets and capabilities to even detect the probing all together / in the first place. Interesting …

But maybe budgets are better spent on all the other actual risks out there, like: ..?
dsc_0789
[Suddenly (of course !!) turned up at the Joinville château; Haut-Marne]

Dronecatcher, now with dronespotter

Ah. Found; yes, probably @DARPA already had theirs, this one’s more (?) private-sector though: A partial solution to the Attack of the Drones thing.

Back some time ago I posted this gem, on a solution against drones, e.g., around objects of ‘vital infrastructure’ — that weren’t, like, so, about a hundred years ago and people may have been happier then.
Once drones were distinguished from birds [the in-the-air kind not the ones you spot on the beach, topless], any kind of mini-Goalkeeper preferably with buck shot (since short-range effectiveness is required only, without any long-range bystander damage risk) might suffice. I’d say Mini- indeed; more like a double-barrel pointed up above e.g., 50° or more to prevent nasty fall-out on hoomans but with some swing capability to cross-fire.

The problem being, was, to have an installation small enough to be easily placeable in sufficient number to get good air dome/cylinder coverage but to not be too obtrusive. Yes, probably @DARPA already had theirs but didn’t want to beat the drum too much, to not lure ‘DoS’ swarm attempts or false-negative probing. But at least, for the rest of the World, there now is Elvira, instantly in fixed, flex as well as military versions.
Apparently, their aim is to prevent bird/drone collisions in mid-air (triggers association with this great clip work, and also this one) but I see use for the inverse, too, picking off the flyers/drones before they don’t, up against ‘vital infra’.

But aren’t we then reverting to an arms’ race where the silly, petty, may be stopped but not the countermeasure-escalation pro’s …? Like these:
drone
[But hey, seems to be on a carrier exactly like I have in my back pond for fun and impressing the babes so can’t you have one, too ..?]

ORM will not fly B-4 People are included

[Warning: Longread]

On the ails of the Basel-IV ORM proposals:

1. Unwarranted, certainly unscientific overreliance on ‘models’;

2. Modeling for prospective use in stead of hindsight understanding;

3. Too much top-down, not enough bottom-up;

4. No humans in the picture, hence the wrong and unactionable indicators.

Introduction

About all of the banking industry, and other financials in their wake, have had to deal with loads of regulatory requirements. Justified, some say, for ‘they’ cause(d) so much misery beyond mere most temporary loss of bonuses that the ‘un’ should be (have been long before) detached from bridled. So, Basel II and -III regulations swooped in requiring much more explicit and detailed handling of financial business than ever before. The move from laissez-faire to regulation, to regulation with sanction schemes, to sanctions (possibly interpreted as ‘token’…), was extended with provability and then complete proof-demonstration as minimum requirement.

This all, however, has created a large, and in general even I would say quite overpaid [disclaimer: am profiting too] industry of consultants, quants, ‘risk managers’, reviewers, assessors, auditors, and scores of Toms, Dicks[1] and Harries of the GRC kind. That are all very likeable nice lads and lassies, but maybe not all quite worth their salt, certainly not their bonuses, or even be sure to be worth much lending one’s ear to.
Keep reading!

"This is impossible!"

‘tWas not long ago, when all that knew their way in Infosecland (when the land had not expanded and complexified beyond grasp of mere mortals and AI was not yet needed to have taken over) would point at the stupidity of any claim like “That can’t happen here because our security beats every threat till Kingdom come”.
And the claimants would have it, by sheer power play. When dinosaurs roamed, it was in your interest to move over when they’d want to pass.

Now, the dino’s are on the way out (well, the current stock of them; new ones in the wings), and this of course happens.
Where the complete ignorance of the dino’s is displayed by their response, as if something new happened.
Where we haven’t heard enough calls for claw-backs of even standard salaries for, give or take, a decade or two back due to willful and (should-have-)self-knowing incompetence, especially at C-level and up.
But then, justice is served cold, by history making a fool of the true culprits (the authoritarian dino’s) at best, or forgetting them in old Greeks’ second hell as deserved.

Can we be friends now; you being the entry-level kindergarten ‘students’ and the rest of the world you scoffed, as your nannies …? For that:
20160820_151302
[At least they acted as proper Night Watchmen; at the Rijks, Amsterdam]

New! (RE yesterday's post)

Oh how appropriately timed, this…: A new version of l0phtcrack is here ..!

As I mentioned in the passing in yesterday’s post, defense-wise one would be hard-pressed to find anything that’s up to snuff qua being a step ahead of the Other Side, catching up is however still (if only just) feasible. Good to see that the tools once (we talk, like, ages ago, ages being circa 20) used offensively and having disappeared from view, return in all their sophisticated glory — be it as point solutions in a much evolved world but still.

All rejoice and ‘play around only to get to know it’…!

Remember… you may turn out to be such a toll all the same … And:
20160820_140719
[Once, sufficient and hard to handle, for defense. Now, a model just for show]

Weird infosec science

Who would have thought — that total surveillance would reach into the house, no / hardly any backdoors need to be built in even.
As explained here, and here in closer-to-humanly-readable form.

If such are the Tempest inroads, who needs the newest-of-highest-tech solutions as they all will all succumb to either trivial complexity-induced-unavoidable sloppiness of implementation, or to circumvention in the above way…?

Of course all of it is an atrocity in ethics but … I won’t be utterly negative about humanity’s future so I’ll stop now. With:
20160820_120127
[Art imitating life; Stedelijk Amsterdam]

Clapton: 5 years for shooting sheriff

Singer not guilty of shooting deputy

August 9, 2016 by George Smith

A Clermont County, Ohio judge has sentenced Eric Clapton to five years in jail for shooting the sheriff. The British singer is said to have confessed in some Number 1 hit of 1974.

Clapton’s lawyer thinks the verdict is ridiculous: “They are trying to smear my client all over his home town. OK, he did indeed shoot the sheriff, but I swear it was in self-defense. And all they do is shout that is was a capital offense. Plus, the original was by Bob Marley so what the heck are we talking about??”

In the court hearings, Clapton did not reveal which friends gave him a little help. He did say he felt that five years was forever, man.

Schermafbeelding-2016-08-09-om-12.26.01-670x375

[Original, in Dutch, on the Speld; translated with permission]

Maverisk / Étoiles du Nord