Starreveld in the Information Age (industry)

@deKokPieter or others (or just one of his interns; grad work?) may have to help me out with yet another crazy (not (?)) idea of mine:
There was (is?) this great theorist of accountancy called Starreveld, with his value cycle typology for, literally, every kind of industry and on close reading, even sub-industry. Given that we live in times of information processing factories, how would they fit the model, or how would we have to read / translate / interpret the model to ‘work’ in today’s day and age?

Since the information processing industry, being almost all of the world’s service industries including (almost) all public sector organisations, works in an extremely devolved form of hyper-mass-single-piece production including storage, how do we translate e.g. stock type and count to ‘information’ and ‘data point’?
If we take this approach, i.e., from both sides, being from the current industry operation side to Starreveld and the other way around, do we have a complete mapping and what do we learn for control and audit ..?

Just putting it out there. This, too:
DSC_0418
[That little theatre of note, I mean Noto]

Program. Check. Not.

Going to present at a conference. You know, to raise one’s reputation that is the single currency in independent-consultancyland, and to gain feedback on one’s private research and professional (industry) development zeal.

So, I was to present at (ISC)2, or rather, not, as notified in an email of May 7th, less than 2 months after proposal submission.
And indeed the program/agenda presented online then (and the weeks before already), didn’t show my name. Bummer. Was granted a slot at a back-up filing (ISACA Copenhagen) but had to decline, due to private circumstances.
Over the course of the last couple of months, I did receive some (Google)anonymous cell calls from the UK. Dismissed, obviously, as this is the fast route to phone bill exploitation by connect-throughs; everyone knows this, right? Those that I could (Google)trace, and those that left voice messages, I reacted to and sometimes responded to. Lesson: Be traceable via your cell number or else.
And then, yesterday this guru peer sent me a message whether I would be in town already — the town being far away, vaguely recalling the above conference of first preference…

So, … checking the conference agenda (PDF here) … my name is there …!
Texted back whether peer might present the rejection email to conference organizers, which he did, causing some more cell calls with some voice mail (08:49h) about a ‘terrible mistake’ and whether I could still present, at 12:10h — considering having to dress up, make a full professional presentation, pack up, get to the bus, get to the train or to the airport, get a suitable ticket, get on (train takes only 8.5 hrs; plane: gate time delay, flight time, offboard delay = ?), transfer to the conference venue, for half an hour talk time … Oh. Or go the next day, in the slot that the replacement speaker got instead, but then I’d still lose all credibility before having even started.

This just in: per tweet, MIS Training EMEA thanks me for my session… Adding to the audience that will be aware that I didn’t deliver.

Now, still awaiting a proposal from their side, how to compensate for the:

  • Reputational damage of being shown as if not delivering, to a crowd of foremost peers and potential clients;
  • Loss of outright marketing opportunity [note: not ‘sales’], to the same;
  • Feedback not received, which could greatly have enhanced both my service offering and the acceptance and acceptability of the same;
  • Loss of (permanent) education I would have got from being at the conference and hearing all the cutting edge developments in the field (that the organizers promise);
  • Expense and leisure of private travel (incl. spouse) that would have shouldered the conference and would have been half deductible on business for income tax.

I’ll stop now and wait. Some time, before switching to legal recourse.
DSC_0945
[Justice will be served.]

PIA is KIA and KYD (?)

Since the whole Privacy thing has gained new traction with both the European Data Privacy Directive regaining (some…) steam and the European Court finally deciding what all with any bits of brain already knew, i.e. that ‘Safe Harbour’ was a sour joke (to put it mildly), I realized, when working on a presentation for a forum centering on/around Identity and Access Management, that any Privacy Impact Analysis work comes down to two things: an objects-side analysis in the form of Know Your Data, and a subject-side analysis by means of Know Your (authorised OR actual) Identities and their Access, with some Privacy By Design thrown in at the solutions end.
Since I just like sentences of the right length, being entities that contain a discrete but complete set of logically coherent and united concepts.

And for those of you in the know; the above contains all there is to Know. Sort of. Maybe add in a bit of this (in Dutch; from the FD newspaper), for implementation. For a lot of implementation…
And, things may change in the somewhat near future with the advent of drones, IoT, robotics (humanoid or abstract), and ANI/AGI/ASI, in the IAM sphere alone. Just read up your huge backlog on this blog, and elsewhere as I cannot really summarise it all here…

I’ll give you some time space for that now. With:
DSC_0305
[At the Ragusa Ibla end but of course you knew]

Vendors pitchin’ — reality’s b… moving elsewhere

Was reminded today that still, a great many vendors in the (Info)Security arena are pitching their worn-out warez to a laggard crowd — or is it just me who sees that, in particular where IAM is concerned, all eyes are still on some vault idea of data storage and systems, behind some mirage of a perimeter of the ‘data center’ (as it is presented ..!).
Luckily, I met this old friend of mine from Zscaler who sees that today’s access and wider security concerns are over Cloud (storage, services) and Users (out there, anywhere). How nice would it be if no more time were wasted on the classical, outdated (sic) model(s) and we’d all move to this new world ..?

This, for your viewing pleasure:
20150911_143510
[Watching the ships go by, Amsterdam]

TLD: Shoo! Shoo!

Awwww was reminded today that the fallacy of Three Lines of “Defence” is a stubborn one. Debunked by a great many, among others on this blog over a year+ ago, but still much too much alive. So let me remind you with the following picture that speaks for itself (or …):
Van plank misslaan naar spijker op de kop v0.3 (From missing the mark to hitting the nail on the head, v0.3)
[No high-class design frenzy, just the blot-down in an angered jolt]

Yes, that’s right, still, and is until y’all ditch the TLD idea on the rubbish heap of history: the lines DO NOT stand between the threats and the vulnerabilities. And Boards et al can bypass the circus at their leisure. The lines of ‘defense’ (which they aren’t) stand only between all that has gone wrong and the regulators, so the latter are placated with three rounds of whitewashing and window dressing.

In the past, everyone I discussed this with, agreed the whole thing’s a joke. A sour, very expensive, delusional one. Everybody reacts, nobody responds… Which will need to change or massive damage will occur.

OK, I’ll stop now before my language over the totalitarian, mind- and ethics-genocidal bureaucracy gets out of hand.

Privacy for drones, *from

Some found it odd that e.g., in Chicago, the ground floor space, the building rising up into the air (no, not that), and the naming rights to that building, are traded separately.
Elsewhere, one’s home comes with an expectation of Privacy, “behind one’s front door”. But not outside; that’s fair game for any photographer (usually, still ..!) when shooting from public space.

But now, back gardens, previously considered safe from prying eyes, are visible from other, 3D public space: the air. Via drones.
Which takes care of the public space part, where the ‘photographer’ (?) still is, without even the need to trespass, ’cause the camera is unconnected to him (sic). [Apart from the argument that just about any official could claim access to the back yard as if it were semi-public space..?] But does it nullify the “shouldn’t have been outside” argument ..? Or is the previously invisible part of the garden also part of the interior..? As it had similar/same protection by having needed illegal means of access, hence the expectation of privacy — which now, by the legality of that access not having been arranged (yet), is still in doubt, and the morons “break in” regardless.

Hence the start with the above distinction: Would the air over one’s house be private property as well (How high ..? At least up to the levels of commercial flight, which are regulated), then possibly, flying a drone into it would be trespassing. But immediately, since camera resolutions increase so quickly, we would need protection against prying eyes from above the streets as well, looking over rooftops. Hm, we would revert to the “expectation of privacy” argument again anyway. And the automatic ownership non-transfer would still prevent shooting them down.

So, hopefully, I’ve made you think. Else, there’s no result … ;-[

Oh well:
20141015_132551
[Beauty exposing herself very publicly… above not under some n.rds? Voorburg]

A quantum leap

Remember that (not) a great many days ago I posted some bits on crypto ..? There’s a new twist to it all, after the venerable Bruce noted that some agency started a new, this time ’round somewhat more fundamental, round on crypto algorithms. And then, some notes on the approach of quantum computing. Well, the latter is still five to ten years off (current estimates; could be three, could be twenty, as such estimates go).
But impacting. So, the following flew by:
CryptographyChart-1-482x745
Which explains a lot, hence I just wanted to pass it on. Bye for now.

BIOS hacked; bury it! ..?

Over the past year (five Internet years), we have seen regular messages about the ‘hacking’ of BIOSes. Because of which all that we can muster for information security is nullified by unknown, unlocked backdoors at this lowest thinkable level.

After a week or so, usually the news value drops and we hear very little. Mainly because this is such a deep, deep into the technology issue; a showcase of a class break — it’s hardly worthwhile to think about solutions. The perpetrators, usually considered to be agencies of powers-that-be of Western, Eastern or anything in between origin, are seen to mainly fight each other, and we can only be mangled in between, can’t we? The one taints the BIOS on the chips that the other installs; the other does the same the other way around. And, how long ago isn’t it that you yourself were tinkering in the BIOS with some assembler or even lower-level code ..?

However, and this is similar to laws against crypto (as e.g., here), those with bad intent may use the backdoors just as the good guys (the above, that work their a’s off for your privacy, right?) might. And don’t we all want to remain at least a little in control ..?

Hence the question: What would be roadblocks against a solution of ‘isolation’ of a possibly tainted BIOS ..? I’m thinking here of some form of inverse, upside-down sandbox. That isolates and screens all messaging from and to the BIOS and filters all malicious, unauthorized stuff out.

This calls for clear and complete rules about what is generally good and normal, and what is naughty. We may solve that with checksums, hashes of extensive lists of functionality we would allow. But who calculates these checksums, and how reliable is the baseline when already off-the-dock OEM stuff may contain malware in the BIOSes; whom can you trust ..? And all that white listing: Isn’t there a huge context dependency regarding superficially trustable but in effect malicious messages? With a sandbox we put the problem at a somewhat higher, more insightful level. Be it also somewhat ‘higher’ in the architecture, which raises the question whether the sandbox is sufficient and isolates completely, all around. And the sandbox has to run on … the chip with (support of the) BIOS…
This creates an arms race where the bad guys (unsafe-BIOS-wanters) will try to make the BIOS circumvent or dig through the sandbox, and where the good guys will have to build repairs, patches and new versions to plug ever new leaks. Looks almost like the information security we all know already.
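To make the checksum/baseline argument above concrete, here is an added example (mine, not code from this post or from any vendor) that models a measured-boot style check: every boot component is hashed and folded into a running register the way a TPM PCR is extended, the final value is compared against a baseline, and the baseline itself is tagged with a key held by whoever is trusted to say what ‘normal’ is. The firmware blobs, the verifier key and the ‘attacker key’ are all constructed stand-ins for illustration; the four scenarios show that the scheme catches an implant only when the baseline was taken from a clean chain, and that a baseline taken from an already-tainted OEM image accepts the implant without complaint — the post’s “who calculates these checksums” point in working form.

```python
"""Measured-boot style verification of a firmware chain against a baseline.

Added example, not code from the blog post. Components, keys and baselines
are constructed in-process; nothing here reads a real BIOS image.
"""
import hashlib
import hmac
from typing import Dict, List

# Constructed stand-ins for boot components (real ones are binary images).
CLEAN_BIOS = b"OEM BIOS build 2015.09 " + bytes(range(64))
# Same image with two bytes patched, standing in for an implanted hook.
TAINTED_BIOS = CLEAN_BIOS[:40] + b"\xeb\xfe" + CLEAN_BIOS[42:]
OPTION_ROM = b"NIC option ROM build 7"
BOOTLOADER = b"bootloader stage 1"

PCR_SIZE = 32  # SHA-256 digest length; the register starts zeroed at reset


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(register: bytes, digest: bytes) -> bytes:
    """PCR-style extend: new = H(old || digest). Order-sensitive and one-way,
    so nothing later in the chain can 'undo' an earlier measurement."""
    return sha256(register + digest)


def measure_boot(chain: List[bytes]) -> bytes:
    """Fold the hash of every component, in boot order, into one register."""
    register = bytes(PCR_SIZE)
    for component in chain:
        register = extend(register, sha256(component))
    return register


def sign_baseline(baseline: bytes, key: bytes) -> bytes:
    """Whoever holds `key` is the party the post asks about: the one whose
    word on 'what is normal' everyone else has to take. (Hypothetical key.)"""
    return hmac.new(key, baseline, hashlib.sha256).digest()


def baseline_is_authentic(baseline: bytes, tag: bytes, key: bytes) -> bool:
    return hmac.compare_digest(sign_baseline(baseline, key), tag)


def chain_matches(chain: List[bytes], baseline: bytes) -> bool:
    return hmac.compare_digest(measure_boot(chain), baseline)


def scenarios() -> Dict[str, bool]:
    """Cases from the post's argument; every value is derived in-process."""
    verifier_key = b"assumed key of the independent verifier"  # constructed
    clean_chain = [CLEAN_BIOS, OPTION_ROM, BOOTLOADER]
    tainted_chain = [TAINTED_BIOS, OPTION_ROM, BOOTLOADER]

    # 1. A baseline taken from a known-clean chain detects the implant.
    golden = measure_boot(clean_chain)
    tag = sign_baseline(golden, verifier_key)

    # 2. If the OEM shipped the tainted image and the baseline was taken from
    #    it, the hash list is internally consistent and the implant passes.
    golden_from_tainted_oem = measure_boot(tainted_chain)

    # 3. An attacker who swaps in a baseline matching the tainted chain but
    #    lacks the verifier's key cannot produce an accepted tag.
    forged_tag = sign_baseline(golden_from_tainted_oem, b"attacker key")

    return {
        "clean_chain_accepted": baseline_is_authentic(golden, tag, verifier_key)
        and chain_matches(clean_chain, golden),
        "implant_detected": not chain_matches(tainted_chain, golden),
        "tainted_baseline_hides_implant": chain_matches(
            tainted_chain, golden_from_tainted_oem),
        "forged_baseline_rejected": not baseline_is_authentic(
            golden_from_tainted_oem, forged_tag, verifier_key),
        "reordered_chain_detected": not chain_matches(
            [OPTION_ROM, CLEAN_BIOS, BOOTLOADER], golden),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The second scenario is the one that matters for the post’s question: hashing gives you consistency with a baseline, never trust in the baseline, and the key that tags the baseline only moves the trust question to whoever holds that key.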

And here, too, the question is: Who can we trust? The sandbox should be made and maintained by utterly independent experts. Do we know these Lone Wolves well enough, how do we establish the sufficiency of their technical expertise, what are their interests, aren’t they secretly (and I’m thinking double secrets here, too) bribed or coerced to let that one agency in despite it all? And, how do we know the patches we receive, would be reliable? If we can’t trust the most mundane of apps or -store, how can we be sure to not download an infected sandbox?

In short, the simple question of the feasibility of a sandbox over the BIOS to keep things safe ushers in a wave of new questions — but those are all questions we already have on other, ‘higher’ levels of security: Are the patches of the applications we have reliable? What about the antimalware software we deploy (yeah, bring in the ‘haha’)? The employees and contractors of our Managed Security Provider (which we chose, NB, as lowest-cost supplier)?

But also for this reason, my question is: What do I miss; are there principled, logical fallacies here or is it a matter of (tons of) effort that we put in, should be prepared to put in?

Dazzles one. Hence, for relaxation:
20150911_155809
[For the people living here, rather Mehhh of course]

Blown over — smart dust or where is it?

In all the news about IoT, where has the (admittedly far-flung) prediction about ‘smart dust’ gone ..? Where has the smart dust gone? Was it a wormhole glimpse into the future, was it some runaway brainstorm on steroids (or other stimulative substance) session’s result ..?
Where still, it looms in the background. Once information is created, will it remain in the universe, existing without a result (as it may or may not have a cause, the rebel against entropy that it is)? (Here I go in similar vein, not stimulated!)

Now, let’s first have actual working quantum computers. Similarly vague at inception and counter-intuitive — for which reason I believe it will turn out to have logical fallacies in its current models so will in the end not be feasible to realise ..! —, let that come first. In itself, already difficult enough to cope with, as a global society.

Afterwards, smart dust will look like a rough cut piece of cake, probably. But maybe the Problems of it will still be Hard (compute-complexity-wise), as here and elsewhere.

And this, for your blue pill:
20150911_143851
[Excellent or mundane archi; but with sublime acoustics — second (to) one in Amsterdam!]

Trivial TLA Things-Tip

If you Thought This Time Things would be easier, as the universality of plug-‘n-play has spread beyond even the wildest early dreams into the realms of the unthought-of non-thinkingness, think again. Drop the again. Think. That was IBM’s motto, and they created Watson. No surprises there.
However… It may come as a surprise to some that now, an actual TLA has some actual tips, to keep you safe(r). As in this. Who would have thought… On second thought, this agency of note might have no need for the access being disabled themselves anymore, as they’ve provided themselves with sufficient other access (methods) by now and just want to hinder the (foreign) others out of their easy access ..?

Oh well, never can do well, right? And this:
DSC_0070
[Another one from the cathedral of dry feet — only after, making sticking fingers in dykes worthwhile; at Lynden, Haarlemmermeer]

Maverisk / Étoiles du Nord