C’est arrivé près de chez vous; LoRaWAN

Yet another major building block of the Future … in place. [And, not a ref to some City of Light atrocities]
Where are the Privacy and (OR) Security experts …? For certainly, though almost out of public view, the undercurrents develop fast, into a maelstrom — I’d like it even more in this form — of possibilities; to be abused before being controlled, as has always been the case throughout history.

Oh well, can’t stop Progress, certainly not of the Technology kind… But one can hope we (sic or huh?) the Concerned will be in sufficient numbers to be able to and to be allowed to insert the appropriate controls into the whole shazam.
Like, you know,
[Or is this a Tocqueville’ian opposite ..?]

The Internot Diploma

In an attempt to pre-empt all 2016 April fool’s jokes by a mile (in time and ridicule value) some Dutch Board on Cyber Security (notice the joke starts there, with ‘cyber’ since #ditchcyber) proposed to ensure all kids would get some ‘Safe Internet use diploma’.
When you know the kids regularly fail (very, very!) basic math skill tests, can hardly write comprehensible sentences over … [fill in some number comfortably below ten] words let alone know anything about bits and bytes (but do know about birds and bees far ahead of practicing any of that — we hope) or even the most basic things about what programming is, hence are at levels of education about four or five years below their age, you can see the enormity of what’s proposed.

So, to be on such a Board, one shouldn’t know the very first thing about the subject one babbles about or one would be overqualified ..!? What an insult to all the professionals out there that try hardest.

All this stupidity tires me enormously. I’ll stop now. And:
[Continuous renewal — at least that’s something ..!]

Biased news

Demonstrating that … when it comes to InfoSec news … the general press may be biased… Otherwise, why wouldn’t this news have been spread much, much more ..? Since it may look unserious on the surface, but definitely is True.

Just sayin’. And just showin’:
[Similar to Ottawa, but qua size, compensated by the loudest barrels all around; DC]

NFChipknip

Long live innovation! Of the in some respects backward kind.
Yes, we did have the chipknip, a stored-value debit card system for small amounts (e.g., parking in Amsterdam, though that hardly counts as ‘small’). And yes, of course it was abolished because nobody wanted it. For one, because the stored value had to be loaded onto the card, at ever (sic) less available separate ATM-like holes in the wall. For a second, because losing the card meant losing the stored value.

For a third, because given this functionality, people much preferred to stick to cash money that was easier to get, much more widely usable (think C2C payments…), quite similar if not the same in risk, and anonymous, obviously, vis-a-vis anonymity promised by, hold it, banks, of all the crooks one could imagine. If you don’t see the latter, consider whom Jesus threw out of the temple as prime example of choice of all that was rotten in society back then already, and banks have ‘developed’ ever since.
This to the chagrin of banks that, as usual, packed their most devious of actions in the thinnest of transparent films of customer-servicing arguments and licked their, expensive is an understatement, wounds.

But now we have the triumphant return of the idea in the form of NFC payments off one’s debit card. Which comes with one improvement (not having to preload) but with all the other risks aggravated:
The ‘preload’ is, relatively, limitless or to one’s credit (sic) limit. Compared to the user-controllable stored value of yesterday.
Skimming doesn’t even require the card to be physically put into a physical reader anymore. The still physical NFC reader devices are just as susceptible to plants of skimming devices as before. Maybe the customer can check the debitable amount but the displayed amount can be spoofed easily, obviously [or you are foolishly considering yourself competent when not seeing that risk]. But passers-by can skim just as easily (and ‘approve’ without your noticing any of it).

Yes, even with small-amount payments, every now and then one will be required to enter one’s PIN as verification of holdership. But that hinders, and was a measure previously implementable easily so why not then already? And for larger amounts the PIN is required always, turning the actions into a simple debit card payment as we (in the developed world so maybe excluding North America) have grown accustomed to for decades already, but now need not enter the card into the chip reading slot anymore. Wow, the improvement! And all this while maintaining the latter debit card systems.

So, we have to trade security for convenience. While banks trade simplicity for … complexity. And savings, nowhere near. How to prevent some to consider banks to be full of i… ..?

Anyway…:
[The back side of subsequent developments may be pretty or not; Dunedin]

Oh, of course: DACcountantcy

Was reminded by this seer peer (no typos) in a casual remark that DAOs (DACs) may change quite a bit about the world as we know it. “DAOs are a game changing invention enabling a new model for human collaboration. #blockchain #C4ACC” (© him) — but apart from human collaboration (note the pejorative weight of the early ’40s this still carries with it even today, in continental Europe), also the value of Trust in singular persons may shift.
DAOs then being of course, of course, the element I forgot to mention in my roboccountant post.

So, with this one linked in, now all the elements of that post make sense. In which the ensemble may have surpassed me. Or:
[Materially a circle, to any human accountant and dress codes displayed, are of the apparent relaxed Big4 dc’s of today; DC]

Privvezy Protrection

An off-the-cuff — where’s gentlemen’s style, these days? — remark hit a nerve. When an interesting company had some very interesting speakers and me. On IAM, data leakage and … well, what was it, data protection XOR privacy …?

Because the little collateral remark was about Privacy being the ethical imperative that, to be implementable straight away, would need translation to operational Data Protection.

Yes, where the core of legislation is about the latter, in an attempt to achieve the former… to the degree feasible, achievable, and wanted.
Demonstrating that all legalese, even of the EU kind, is just about whitewashing whatever you’d want to get away with.

A sore reminder that when one would want (hypothetically, for the sake of the argument that such would be theoretically possible) Privacy, one’s still on one’s own. Against all that is formally formed or not as Institutions, against the windmills that all want you to believe don’t exist or have power over you…

But hey, I’m a happy bunny so I’ll leave you with:
[When Penzance would be at Bergen On The Beach]

Define ‘Risk’…

This should be an easy one, by pointing at ISO 31000 and its definition: the effect of uncertainty on objectives. But that same easy def also raises more questions than it answers, e.g.,

  • How to define [ hence | and ] classify effects,
  • How to define [ hence | and ] classify uncertainty (a biggy …!),
  • How to define [ hence | and ] classify objectives,
  • How to establish measurement of effects,
  • How to establish measurement of uncertainty,
  • How to establish measurement of objectives

that all have an impact on, and are impacted by, the definition. Hopefully, I don’t have to elucidate ‘define hence classify’, ‘define and classify’ or ‘establish measurement’ regarding effects, uncertainties or objectives. I’ve been at the subject before (here and many posts since) so much that it hurts, me too. But still, many won’t listen and remain stuck in their proven (sic) mistaken belief that the World we’re dealing with, can be caught in models to ‘predict’ the future and/or at the same time remain stuck in, by now approaching hilarious, classifications like Basel II-IV’s… or the slow but steady outdating of the classical information security mantra of CIA — those three classes of objectives don’t cut it anymore.

For the more advanced reader (approx. 90% by now — hopefully), the question remains: How to define and classify uncertainty, effect(s!) and objectives ..? Standard classifications all had their stab at it, but failed for the fuzzy nature of those phenomena. Some leaned to the Uncertainty side, trying foremost to classify threats. Some, to the effects side with their vulnerabilities-first approach — via the Impacts classification. Some even had Objectives in mind when pondering the downside potentials of loss-of-upside potential, including scour-for-opportunities to any (0-100%) degree. And then, there’s the abovementioned surefire laugh over ‘Event’ driven analysis… yes consistency, completeness and orthogonality remain essential.
But above all, none captured the time-fluctuation confluence of causes, effects, impacts, … [what have we] that all have such unanalysable structure. Due to their continuous nature; contrasted to the discrete nature often but cannot-be-more-false’ly assumed. [If you don’t get the fundamental difference between discrete and continuous phenomena, go study core math in depth, length and breadth. Which is helpful against so very many ills of mind…] And due to the enormously-over-three body problem of interactions [link is about grand business not the petty risk analysis kind but the link therein is valid for the above, too].
Modeling in order to understand may work, but only to understand the exaggeratedly dumbed-down model, the conclusions of which if normative are (in this case, there is such a thing as absolute) certain not to apply or work so why bother. Oh, maybe you may bother, to get a feel of your inadequacy. [Note: I don’t feign to be above that. But I don’t allow you to assume you are as that is both a theoretical and practical logical error.]

Yes, yes, I know; there very probably is no One Classification Fits All, then. But we may dream, and strive for it, don’t we ..? And at least be very, very clear about it — it being the approach we do take, and what it might potentially (with the probability being above zero but certainly being far off 100%) achieve. Aren’t GUTs, like the Standard Model or the hyperdimensional string theories, the dreams that stuff are made of, too ..?
As always, your suggestions, please. And:
[Just wait till Etna Says Boom. Or don’t.]

Proud to Produce

Ah, the information age! Where we have lost the pride of our production. For several reasons.
First, no more physical products come from or through our hands, it’s just bits — they say ..! — somewhere around the world; not necessarily even at the office building we’re at, neatly stacked as intensive farm livestock. What do we have to show for our work?
Also, there’s the lack of hand work. Typing and yakking is not work, it’s just what it is; fingertip exercise at most. Let alone real physical work.
Then, there’s the mirage of production. Ours (isn’t but also) has no weight; and is gone in nanoseconds. Without a trace unless one is carefully crafted into the ‘process’ (Newspeak alert!).
Finally, there’s the loss of meaning of what we produce. Nothing to show for, all the toils are mental, and come down to biting the bullet through time, of loss of freedom, independence, crushed under the overhead of ‘TLD’ and similar ploys, some (needn’t repeat) bordering on any side of the psychologically if not also ethically criminal.

Yes, massive daycare industries we have. Hardly anything more. Are we on the Blue Pill all, has The System already taken over ..? Is this the rosy picture of the Singularity?

Before I ramble on on the negative…:
[Healing colours, VUmc]

The Bureau of Chaos, by Theory

As a side note to, e.g. this here masterpiece…:
The tendency of bureaucracies to ever further detail their rulesets, that quickly become so burdensome [apart from other ills, ethically much graver], that is evident wherever (top-down) principles are translated in quasi- (not even semi-) mathematical ways, algorithmically almost, to the level of pervasive implementation, stems from the ultimate control approach to life clashing with the ultimate finest-grain detailed descriptions of the universe. Intentional, and definitely normative, description (in order to control! Man over Nature!) banging heads with extensional description.
Which will petrify, then fail because it creates its own Chaos structure, as described here. Where ‘repairs’ to the System are attempted over and over again since the initial values were not infinitely exactly known, can never be. So, one builds rulesets that behave like fractals (zoomed into), in particular when studied to understand and maybe subsequently fight.

Still, the Why of latter-day Bureaucracies (for once, I tried to avoid the overly negative, accurate and pejorative ethical (and esthetical) qualifications I commonly give to these totalitarian, inhumane structures — the latter qualification because of the Will to un-humanize it all) remains in doubt, as the Man over Nature thing (setting rules, hence achieving predictability) is somewhat less valid than otherwise; a bleak reflection of what we feel is a better description of motive.
[Intermission: Be aware as you were, that the b rulesets might be the spelled-out kind but the unwritten rules- social group kinds are also included.]
Ah, back to Maslow, maybe? Yes, yes, was dissed over the past couple of years; attempted to — and failed, probably due to unawareness of its deep values and not only superficial Meaning. Exceptions, the uncontrolled (by definition, and as the Outside is by definition, too), are threats to the achieved in that pyramid. ..? Though the higher up one is, the better one can handle ambiguity, uncertainty, the unexpected, black swans and Extremistan.

Just wanted to put it down for you. And at last a somewhat positive turn, I’ll leave you with:
[Royal waiting (room) for Godot (i.e., National Railways everywhere), Amsterdam — notice the almost perfect horizon .. little less perfect but hanging in there … whoops! of the horizontal orientation]

Comparatively innovative (Beetleroot)

There was this quite simple hack; in (very) pseudo-code: If 2-wheels Then { Rollerbank; dish up some fancy figures; }
Which calls to mind the Problem of BIOS hacking / backdoor/malware pre-installing, as explained here.

On the one hand, a solution is available: At a sublimated information level, encode, as here. In the physical, car, scenario this would be readily implementable as: Just test the emissions, do not rely on data produced by the system itself. Prepared By Client is used pervasively in accounting (financial auditing part) as well so consider yourselves warned…
On the other hand [there always is another hand it seems, possibly because this is real life], in the VW scenario there will probably also be a call for source code reviews. Or at least, from the software development corners, there will be. But then one ends up in the same situation as spelled out in the Bury post: How to verify the verification and not be double-crossed? A source code review would be one part, but how to compare a clean (pun not intended at time of typing) compile / image to what is actually installed (continued, without change-upon-install-to-dirty-version or change-at-service) throughout in the field?
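
The clean-image-versus-installed-image comparison asked for above, as an added sketch (not from the original post): it hashes a reference build and a field read-out block by block, and sets the unit's own claimed digest next to that independent measurement. Assumed here: the read-out is taken by the verifier over a path the software under test does not mediate; the names, the block size and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 4096  # comparison granularity in bytes (assumption)

def block_digests(image: bytes, block: int = BLOCK) -> list[str]:
    """SHA-256 of every fixed-size block, so a mismatch can be localised."""
    return [hashlib.sha256(image[i:i + block]).hexdigest()
            for i in range(0, len(image), block)]

def compare_images(reference: bytes, readout: bytes, block: int = BLOCK) -> dict:
    """Compare a clean-build image with bytes the verifier read out itself."""
    ref, got = block_digests(reference, block), block_digests(readout, block)
    differing = [i * block for i, (a, b) in enumerate(zip(ref, got)) if a != b]
    # Blocks present on only one side count as differences too.
    shorter, longer = sorted((len(ref), len(got)))
    differing += [i * block for i in range(shorter, longer)]
    return {
        "match": not differing and len(reference) == len(readout),
        "differing_offsets": differing,
        "reference_sha256": hashlib.sha256(reference).hexdigest(),
        "readout_sha256": hashlib.sha256(readout).hexdigest(),
    }

def audit(reference: bytes, readout: bytes, self_reported_sha256: str) -> dict:
    """Contrast the unit's own claim with the independent measurement."""
    result = compare_images(reference, readout)
    result["self_report_matches_reference"] = hmac.compare_digest(
        self_reported_sha256, result["reference_sha256"])
    # A unit that claims the clean digest while its read-out differs is the
    # 'Prepared By Client' failure: the claim was never evidence.
    result["self_report_contradicted"] = (
        result["self_report_matches_reference"] and not result["match"])
    return result

# Constructed sample data: a 3-block "clean" image and a field read-out
# with four bytes changed inside the second block.
CLEAN = bytes(range(256)) * 48            # 12288 bytes
_field = bytearray(CLEAN)
_field[5000:5004] = b"\xde\xad\xbe\xef"
FIELD = bytes(_field)
CLAIMED = hashlib.sha256(CLEAN).hexdigest()  # what the unit says about itself

if __name__ == "__main__":
    print(audit(CLEAN, FIELD, CLAIMED))
```

This only moves the trust to the read-out path and the reference build; whoever controls either can still double-cross the check, which is the regress the paragraph describes.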

Another issue from this: How to overrule self-driving (or what was it; fully-autonomous) cars ..? The BIOS-hack and Car examples show some intricacies when (not if) one would have a need to overrule near-future “Sorry Dave, I can’t Do That” situations. Once no physical controls are left to take over manually, … Arrmagerrdon. Yes, that 2001 was a rosy, romantic, not horror scenario. And demonstrating that at a comprehensive abstraction level, Prevention still trumps Detection/Correction. But not by much, and the advantage will slip by careless negligence and deliberate deterioration efforts.

Oh well. We all knew that All Is Lost anyway. And then, this:
[(digi)10mm wasn’t wide enough to capture the immersion in this… Noto again]

Maverisk / Étoiles du Nord