Total priv’stalking

Errrm, would anyone have pointers to literature (of the serious kind, not the NSFW kind you only understand) regarding comparison of real physical-world stalking versus on-line total data collection ..?
No, not as some rant against TLAs but rather against commercial enterprise that not only collects, but actively circles around you, wherever you go. Giving you the creeps.

Because the psychological first response is so similar, can it be that the secondary behavioural response / adaptation is similar, in self-censorship and distortion of actual free movement around … the web and free choice of information ..?

And also, whether current anti-stalking laws of the physical world, would actually work, or need strengthening anyway, and/or would/could work or need translation/extension, to cover liberty of movement and privacy-as-being-the-right-to-be-left-alone i.e., privacy as the right to not be tracked, privacy as the right to anonymity everywhere but the very very select very place- and time(!!)-restricted cases one’s personal info is actually required. Privacy as in: companies might have the right to have their own information but not the right to collect information of or on me (on Being or Behavioural) as that is in the end always information produced by me, through being or behaving. The (European) principle still is that copyright can be granted, transferred, shared out in common parlance by payment for use (or getting paid for transferring the right to collect such payments) i.e., economically, but not legally; the actual ownership of the copyright remains with the author!

See why I excluded the TLAs ..? They may collect all they would want but not use unless on suspicion after normal-legal specific a priori proof; that’s their job. No officially (…) they may not step outside their confined remit box, but they do have a box to work within.
Now, back to the question: Please reply with other than the purely legal mumbo-jumbo that not even peers could truly understand but just babble along with.

In return, in advance:
[Foggy (eyes), since in the olden days, probably never to be seen again; Bélem]

Non-Dunbarian compliance

Just a note that the world is in great need for more on Dunbar’s numbers in antidote to totalitarian-bureaucratic compliance efforts.

[Image: ‘go on’ GIF]
Nah, wanted to, but have more urgent issues to discuss. E.g., tomorrow. See you then!

Partially compliant: as a solution

I was recently informed by a respected colleague in a peer-to-peer discussion (see; they’re useful!) about a development of his in the Compliance arena.
About not having just one single Statement of Compliance that all too often wipes deficiencies under the rug for the sake of agreement everywhere. But having two, one on (first-lines’) management awareness of deficiencies as things to actively manage and actively discuss with second and third lines, and one on abstract, ‘anonymous’ no-blame control effectiveness.

So, when the Three Lines of Defense would actually work (yes I’ve ranted against that on this blog frequently as the simpleton approach inherently can’t work!), first-line management can provide their own list of control deficiencies, and the second and third lines can only confirm and not add much at all. Then, the first line is in control (all is well and/or known-and-WIP), over their own stuff. Hence, awareness ✓ effectiveness X. When the first line doesn’t have much but the 2nd/3rd lines add quite some (other) things, awareness is X and effectiveness is undetermined. Only when the first line doesn’t have much and the second/third lines cannot add quite a few things, will awareness be ✓ and control effectiveness be ✓.

Which sounds like a far better, and in practice far better palatable approach than just one messy jumble-together undetermined opinion. For which I leave you with:
[The bus buck stops here at this chaotic (?) shelter; Aachen. In Control statement: similar]

Sing-Singularity, and/or Shannon

Though we know Shannon for his contributions to ‘computer science’ (Don’t we!? If not, go study. And wash your mouth with green soap or so) – the field would hardly exist without his groundbreaking concepts, on par or lower (sic) than Turing maybe – and we all do remember log2 measurements as minimum to reconstruct a signal don’t we? – I rediscovered this piece and wondered … how well you’d know it, and how fundamental to even the IoT now springing up, and … most importantly, what would the ramifications be for all of the discussions regarding the Singularity, pre-, midst of and post- ..? I mean, the discussions will tilt once the profundity of the Work is taken to heart.
I think. Now will go and study. Hard. And:
[Old analog (log2!) Zuid-As indeed]

My Opia

Not being your topia anywhere or dys here topia or whatever.
Was struck by the surge in posts, columns, articles about security in IoT. Because it appears to indicate a need for a new index. Being on the level of myopia one needs, to understand the hype value (a la this). Or hyperopia (?). Or rather – what’s it called when one’s view is narrow, or broad ..? That was what I was after: With the above-linked Second-biggest G.’s Hype Cycle, one should have a perpendicular index of width/breadth of hype and/or potential impact. So that when one would consider oneself to somewhat suddenly be caught in relatively speaking the in-crowd of, purely e.g., IoT and IoT security/privacy issues that one has steered oneself into, it would come as no surprise that suddenly though with some lag, one sees the posts, columns, articles flying around on the same subject without any real news or rather more (for one!) Been There, Done That type of news reporting. For others, the news may be news…

A second aspect would be: How to position oneself. Doing hardcore research style environment scanning and reporting on that in traditional and SM media, would quickly become impossible as any field of study explodes in width and depth as it gets off the ground, leaving the actual keeping up with all developments to be impossible. Even when your cutting edge development reporting wouldn’t catch on but with a few aficionados at the very most, and when you’d wait until aspects have crystallised to clarity far enough to be understood by your mainstream audience (if any), the subjects have a. watered down beyond being interesting to you, b. watered down beyond recognition still for your audience, c. still not yet reached interest-through-urgency / -news-value for them.

Whatever. Just an idea; any of your help in developing such a sight/scope index is very much appreciated…

In advance:

[Pretty close, no mirage; Segovia]

Better IoT privacy

Oh, I’ve been outdone again, in some ways. Which isn’t a big deal; ’twill happen to you, often, too. This time, it’s about the IAM in IoT that I signalled here and here, here, and here as a generic problem. Correct: Challenge.
Which all was readable. Hopefully. For all dealing with the stuff on a monthly basis (ahum, ‘weekly’ or ‘daily’ wouldn’t make sense; you’d be ahead of me probably…) that is. For a more general explanation, one can now turn to this here piece; much better at generalpublicspeak than I’d produce when diving onto it again.
Oh well. This:
[Somehow, typically Madridean ;-| / Southern European / Latin style]

All against all, part 6; loose ends

OK, herewith the final-for-now Part VI of the All Against All matrix-wise attack/defense analysis labeling. This time, about tactical content of … mostly, the defense matrix of edition IV.

Where I wanted to do a full-scope in-depth analysis of all the cells of Matrix IV. Not the sequel but the actual original defense posture strategy matrix. Because that was put together in a straightforward sloppy way anyway.
But then… I wanted to detail each and every cell according to this here scheme:
[Figure: Anti-F 1]
After further analysis along the lines of this here approach:
[Figure: COSO 2013 / ISO 31000 (English)]
but mixing that quite hard, according to this previous post of mine (certainly the links contained therein, too) and a great many others contra bureaucratic approaches… but also mixing in the guidance of (not stupid compliance with!) the new one that at last, has quite some ‘user’ involvement in it. But still is based on both the top-down and the step-by-step fallacies a bit too much.

But it’s late and I don’t feel like the tons of effort involved. Yet. Maybe in a future enormous series of posts …
And should include references to OSSTMM here, too. Because all of the above, in the super-mix, will have to be checked and sensitized (is that the word for checking that it all makes sense?). Short of the word ‘audit’ where the respective profession (a trade, it is… at most, a role) has let us down so much. If only by the kindergarten zeal about ‘governance’ and ‘value’ – phrases so hollow (or circularly defined) that they’re not worth the ink (light) they’re written with, when used in the auditors’ contexts.
So, OSSTMM may help. By inspection where the rubber meets the road. And fixing whatever needed to be. Duct taping the last few bits, where the beautifully AutoCADded [anyone remember what that was (for)!?] frameworks failed in the machine milling. Or 3D printing, or whatev’, due to design failures due to requirements failures due to failures in common reason at the upper levels…

Now, with all the all against all posts (1 to 6 indeed), would you be able to advise Sony, and the others, how to be better protected ..? You should. Or re-read the whole shazam until you do…

After all of which you deserve:
[Cologne, of the massive kind]

The Pirate Bay to Source Pay à le Lanier

… it may they say [title because reasons]
Well, this just struck me. If the Pirate Bay, back up since a couple of weeks, could innovate, this could be one avenue. Implementing the ideas of Lanier’s You Own The Future to attach original-source coding (not as in a programming language but as location (?) IDs) – and automatic microcopyright payments… – to creative works. Somehow, it would feel right if the PB would implement such a thing.
Voluntarily, to show they’re not Bad Guys. And don’t cave in all the way à la Napster, and innovate beyond Spotify.

Your comments, please. In return for:
[Maybe not Great but still quite passable, worth(while); sorry 416]

All against all, part 5; discussion

OK, herewith Part V of the All Against All matrix-wise attack/defense analysis labeling. Let’s call it that, then.

Where the big move in the matrix is, of course, from the top left half towards the bottom right half. Where there’s a continuation of politics by other means. At a grander scale, the analysis (or is it synthesis..?) turns to:

  • The resurgence of, let’s call it, Digital Arms’ Race Cost Competition / Collapse. Just like the old days, where economic and innovation attrition was attempted by both sides of the Cold War. Including the occasional runaway tit-for-tat innovation races and some flipping as well. Yes, all the mix applies.
  • The analysis that the world (yes, all of it) over the decades and centuries seems to bounce on a scale between a bipolar 2-giant-block stand-off on one hand, and a 1 giant versus multiple/many opponents on the other. Like, Europe has oscillated between such positions over the centuries. And took them global by enlisting their youngest sibling (as Baldr to the rescue), the half-god saving the others from Ragnarök, the USofA – against the hordes from the East as predicted by our dear friend Nostra da Mus (remember? though he had a different view on the ideology involved…) In Da House. Now that the global stand-off had reached the DARC stage, we see a multi-opponent scheming and chessplaying once again. USofA, EU still somewhat attached but …, Russia and Friends, China, India, Brasil and friends, a host of semi-independents in the East and Far-East, and in the Middle-East (what’s with the Middle, if centers of power gravity change and disperse so quickly?).
    Edited to add: This Attali post, basically delineating the same.
  • As usual throughout human history, it’s the underlings and meek dependents all throughout the top left three quarters of the matrix that are war zones and battle grounds, too, suffering and being sacrificed as pawns without too much share of the spoils, profits, trophies and laurels. For the skirmishes and all-out war’lets as the 20th century shows.
  • Still somewhat ethics-bound players (e.g., “democratic” (quod non) countries) will also have to fight internally, for legitimacy of their ulterior objectives (externally, internally), strategies, tactics and operational collateral damage. Which in turn binds them down tremendously, when up against less scrupulous players. Don’t wrestle with pigs because you both get dirty and the pigs love that. Unless of course you’re fighting over the trough’s contents for survival. And you have one hand tied behind your back, internally, while fighting for the greater good of all, externally.

So far, so good. Much more could be said on the above, but doesn’t necessarily have to. Because you can think for yourselves and form your own opinions and extensions to the above storylines, don’t you?
Still to come: (probably the 18th) a somewhat more in-depth view on the matrix of part V, going deeper into the defense palette.

And indeed, I’m still not sure this all will lead anywhere other than a vocabulary and classification for Attribution. But I see light; an inkling that actually there may be value and progress through this analysis …

After all of which you deserve:
[Grand hall of the burghers. I.e., the 0,1% …; Brugge again]

All against all, part 4

OK, herewith Part IV of:

Tinkering with some research that came out recently, and sometime(s) earlier, I had the idea that qua fraud, or rather ‘Cyber’threat analysis (#ditchcyber!), some development of models was warranted, as the discourse is dispersing into desperately disparate ways.

The usual picture suspect:
[Mock defense, open for business at Brugge]

Second up, as said: The same matrix of actor threats, (actor) defenders, but this time not with the success chances or typifications or (read horizontally) the motivations, or typical strategy-level attack vectors, but basic, strategy-level defense modes. Not too much detail, no, but that would not be possible or the matrix would get clogged with all the great many tactical approaches. Those, laterrrrr…

[Figure: Fraud matrix, part 4]

Next up (probably the 16th) will be a discussion of movements through the matrix, matrices (by taking both the blue and the red pill; who didn’t see that option ..?), for state actor levels. And (probably the 18th) a somewhat more in-depth view on the above matrix.

Hmmm, still not sure this all will lead anywhere other than a vocabulary and classification for Attribution (as in this piece). But I see light; an inkling that actually there may be value and progress through this analysis …

Maverisk / Étoiles du Nord