Cryptostego

Just as I had been discussing stego with colleagues last week, I missed this post by Bruce.
Be sure to read the comments, though. A couple are on stacking steganography over cryptography, which is what I would presume would work.

And, again the question: what would you know of actual use ‘out there’; is it common, rare, what are the characteristics of its users ..? Is it the next big thing after (?) APTs …?

Oh, here it is; the pic you expected:
DSCN2526
[Would ‘Riga’ be a hint that there’s more to the picture …!?]

Column on Open Source code Bystanders

Well, the column is out there now… Will be published in the July 2014 ISSA Journal but here’s a preview, in Dutch

And, of course:
DSCN6225
[S’bourg, or Brussels – always mix them up and end up in the wrong place for a meeting]

Who controls the Watsons…?

First, a picture for your viewing delight:
DSCN5189
[Seems chaotic, yet navigable]

Who controls the Watsons in your pocket, once they arrive ..?
Another one triggered by Clive Thompson’s Smarter Than You Think: when (not if) Watson has morphed into a Software Defined Anything small enough to fit on your mobile, just about everyone will use it in cyborg / centaur ways to augment oneself. This will require adaptation of the way one goes around in the world, and …
may create a dependence on the Machine, possibly a big one for those that have gained the most by these new ways.

But

  • Where will the database sit that holds all the info to be brute-force searched, in breadth and depth ..?
    If it is local, then how are the inputs screened; are they, and by whom ..? Who would know anything about the stuff you/they miss out on ..? Homophilia (groupthink/narrow-mindedness) and its grave dangers.
    If it is somewhere remote, the control issues loom even larger. Yes, capacity-wise this may work much better. But the Central Scrutinizer (eternal thanks) may … will be the blue pills all around solution …!
  • Even if primarily stored locally, who will have access to the images stored remotely for ‘backup purposes’ ..? Due to the enormous dependence that the PocketWatsons will create, backups are ‘more essential’ than ever, and by their nature must be kept at some distance. What a TLA wet dream would it be to lay their hands on yours…!

That’s only two questions that popped up already. There will be many more. And the answers …
Who will provide those, who will pick the best ones, who will decide what’s best ..!?

To Be Continued.

Legal honey

DSCN3654
[Life is hard, moose style (i.e., no Tim Horton in sight)]

Hey, has anyone ever investigated the various legal ramifications re honeypots? Because there are two elements at play:

  • Usually, one would put a honeypot in place to gather evidence of a crime under way – not fixing any leak but redirecting it. In some (many?) jurisdictions (where the Internet reaches, i.e., where you are), one would be required to stop any crime one is aware of, when reasonably possible; as a generic citizen’s obligation. Just diverting traffic to a honeypot for evidence gathering, and not destroying the original context to be able to tap evidence, may not be allowed… This doesn’t concern honeypots only, by the way; for insurance purposes one sometimes would have to gather as much evidence as possible also, even when damages tallies run high(er and higher).
  • In many jurisdictions, entrapment is illegal except by officials under very strict control of warrants, etc., if at all. A honeypot is just that; entrapment – where the strict control by/over officials, isn’t. Your court case may crumble due to this illegal obtainment of evidence…

Or …? Your advice, please.

Theme song

To the track of Rawhide, of course…

Cyber’ Cyber’ Cyber’

Keep hackin’, hackin’, hackin’,
Though they’re disapprovin’,
Keep them routers fallin’ Cy-ber!
Don’t try to witherstand ’em,
Just see and spot and track ’em,
Soon we’ll be mining bit and coin.
Boy my heart’s calculatin’
My true mint will be waitin’, be waiting at the end of my block.

CHORUS
MOV ’em on, <head> ’em up,
<head> ’em up, MOV ’em out,
MOV ’em on, <head> ’em out Cy-ber!
GET ’em out, POST ’em in
POST ’em in, GET ’em out,
Cut ’em out, paste ’em in Cy-ber.

Hackin’, hackin’, hackin’
Hackin’, hackin’, hackin’
Hackin’, hackin’, hackin’
Hackin’, hackin’, Hackin’
Cy-ber!

Hackin’, Hackin’, Hackin’
Though the ports are block’ed
Keep them scripties hackin’
Cy-ber!
Chain and bit and torrent
Hell-bent for an exploit
Wishin’ my tool was by my side.
All the things I’m phishin’,
Good backdoors, trove, and dissin’,
Are waiting at the end of my pipe.

MOV ’em on, <head> ’em up,
<head> ’em up, MOV ’em out,
MOV ’em on, <head> ’em out Cy-ber!
GET ’em out, POST ’em in
POST ’em in, GET ’em out,
Cut ’em out, paste ’em in Cy-ber.

Keep probin’, probin’, probin’
Though they’re disapprovin’
Keep them scripties probin’
Cy-ber!
Don’t try to track&trace ’em
Just probe, show, deface ’em
Soon we’ll be living on the flight.
My cores are calculatin’
My true grep will be waitin’,
Be waitin’ at the end of my Perl.

Cyber!
Cyber!

So now all go out and #ditchcyber (#wegmetcyber) ..!

And, .. of course! A picture for your singing pleasure:
DSCN7014
[Not really Rancho Notorious. Sevilla]

Seriously, what is @google up to ..?

Just a short note. Or question, rather: What the … is Google up to, these days..?
I mean, Glass has turned into a pilot thing, as yet testing the waters only, but spawning a whole eco(?)system of wearables. One of The Other Ones (fubbuck) swallowing up Oculus might tie in to this (pre-emptive, to keep it out of G’s hands ..!?), or not.
And after Hadoop there’s news on WebScaleSQL; I can understand that (but see how this means reaching out to conglomerate with erstwhile fiercest (attention) competitors).
But then there’s AI. Yeah, that might improve Search. But the potential(s) for game changers of unseen kinds are limitless. Is the Big G trying to outflank Watson, and/or will G morph into the Matrix ..? Blue pills…, blue pills everywhere….
Compared to this, the jump to Gmail Banking is just a little one, (will) disrupting only a couple of major industries.

As it all stands; what is Google’s grand master plan, or if there isn’t one, how could one get a good overview of all (sic) the initiatives in the wings, either public or, of which I guess there’s a lot more to know, internally?
I would sign a stack of NDAs to get an insight – if only to be able to decide on a reinventive career switch… Thanks Google if you could reach out to me!

Oh and now to close it off of course encore the usual picture for your viewing delight [sits on ‘Picasa’ somewhere anyway ;-]
DSCN8589
[Appropriate, if you know what/where I mean]

Infosec: outside in / inside out

One of those “When they speak, others listen” has a say on the future of infosec.
Dr. C. Dr.ow at it again.
First, a picture for your viewing delight:
DSCN6592
[Private enjoyment for the general (not.)]

Which points at the other of two major approaches to get better information security throughout society. Not by expecting Every Man to do His Duty, or by “Ik val aan, volgt mij” (the hero here), getting better security in a piecemeal way by (having to) upgrade each and every foot soldier, read Internet user, every time again through laborious exercise.
But by instating societal institutions that govern infosec for us. And then I thought that CD wasn’t a fan of governments…

Nevertheless, interesting. In particular, if some form of transparency could create True Democracy in this field. Which I doubt. But again, nevertheless interesting.

Rule-based rules rule, babe

First, a picture for your viewing pleasure. You’ll need it.
DSCN5208
[OK, noga I mean toga I mean yoga class, Bryant Park]

Soliciting your help in trying to find the lapse of reason in the following:
Rule-based laws, or regulations, or organisational procedures, aren’t always bad. There need not always be a principle-based approach; certainly not since (fact) that deteriorates over time into yet another bucketload of rules, every time again for clarity [which proves it just is too difficult for the great many to think, to only need the principles and act accordingly…].
There can be simple sets of rules… here and there … IF those rules are the precious few guiding rails needed to keep everyone in reasonable alignment. Brushing off the sharpest edges, and standing ready in the background when something might go haywire.

In organisations throughout. Anything one can dream up, may be left to the specialists (if…), who (should) know best and need not be micromanaged.
Who is it that thinks to be better at rule-setting than the ones in the midst of turmoil in the first place ..? The compliabully, yes, but kick back (Frappez! Frappez toujours!) for freedom. The biggie rulesets, derived from principles or not: they squash your freedom of action, your independence, your autonomy.

Take a look at societal rules. The law books have a few very abstract principles, and a great many very detailed rules… In case of doubt, courts come to the rescue [give or take that even there, one cannot be 100% perfect always]. Normal people using their normal brains, will not overstep the line.
Why can’t subsocieties like industry sectors function the same way? No authorities there, to govern the lot? Too many free riders and other scum, maybe; then step in from the outside and wipe it all clean (including the internal cleaners that didn’t perform – claw back their income in full as they didn’t deliver on their promises. Bad luck, such is life throughout the centuries).
Why can’t subsubsocieties like organisations function the same? Same. Would wipe the top half of many an organisation; silly bureaucrat mice walking on the bridge next to the elephant and claiming how much noise you make.

So, would we need oaths per professional association or per industry sector? No. By having been born, one has sworn to uphold the law that includes the lesser rulesets that any halfbrained dunghead could know to have to work within.

Maverisk / Étoiles du Nord