Category: Information Security

Visual on socmed shallowness

When considering the senses, is it not that Visual (having come to ther play rather late in evolution or has it but that’s beside the point, is it?) has been tuned to ultrahigh-speed 2D/3D input processing ..? Like, light waves particles who are you fooling? happen to be the fastest thing around, qua practical human-scale environmental signals – so far, yeah, yeah… – and have been specialised to be used for detection of danger all around, even qua motion at really high pace (despite the 24-fps frame blinking).
Thus the question arises: What sense would you select, when focusing on shallow processing of the high-speed response type? Visual, indeed. Biologically making it less useful for deep thought and connection, etc.

Now that the world has turned so Visual (socmed with its intelligence-squashing filters, etc.; AR/VR going in the same direction of course), how could we expect anything else that the Shallows ..? Will we not destroy by negative, non-re inforcement, human intelligence and have only consumers left at the will of ANI/ASI ..?

Not that I have the antidote… Or it would be to Read, and Study (with sparse use of visual, like not needing sound bite sentences but some more structured texts), and do deep, very deep thinking without external inference.
But still… Plus:

[An ecosystem that lives off nanosecond trading – no need for human involvement so they’re cut out brutally; NY]

When ABC– will use AI, success

So it turns out that the company formerly known as Google, may very well enter the job market. Qua brokerage.
In which it may succeed (it already caused to-be competitors’ stocks to nosedive, a little at least), when deploying smart AI solutions.

Let’s hope, then, that Alphabet Jobs [as it might be called in a stab’let at $AAPL ..?] will use the AI to bypass the most ridiculous aspects, that are many, of the current process. E.g., obliterating the tick box atrocity – as certainly, its own search capability will burn the fuses when trying to find anyone on this planet that fits the requirements for just any job description as billed by ‘recruiters’. Dropping the similar requirements also of ‘having ten years of experience with this totally unknown system that only three current sysadmins can handle and had been implemented only two years ago’, or the infamous but near-certain to surface ‘millennial with thirty years of industry experience, will work for barely entry-level / intern salary’. Don’t say these requirements aren’t realistic like being real over and over again. They are! They’re there, everywhere!

And what does it tell you that ‘we’ may need AI to overcome this stupidity ..?
That Disruption with a capital is desperately called for.

We can hope, can’t we?

And:

[Tomb of the Unknown Candidate. No don’t wry-smile, pay some respect…!; Paris]

Not there yet; an OK Signal but …

But the mere fact that Congress will use strong crypto Signal, can mean many things. Like, “we” won the crypto wars, as Bruce indicated, or the many comments to that post are correct and it’s for them only and will be prohibited for the rest (us), or … nobody cares anymore who uses Signal, it’s broken and those that balked in the past, now have some backdoors or other coercive ways to gain access anyway. [Filed under: Double Secrets]

But hey, at least it’s something, compared to nitwittery elsewhere… And:

[Ode to careless joy; NY]

Having fun with voice synth

In particular, having fun the wrong way.
Remember, we wrote about how voice synth improvements, lately, will destroy non-repudiation? There’s another twist. Not only as noted, contra voice authentication for mere authentication (banks, of all, would they really have been in the lead, here, without back-up-double auth?), but in particular now that your voice has also become much more important again [after voice had dwindled in use for any sorts of comms, giving way to socmed typed even when with pixels posts of ephemeral or persistent kinds; who actually calls anyone anymore ..?], we see all sorts of Problems surfacing.

Like, mail order fraud. When hardly anyone still goes on a shopping spree through dozens of stores before buying something in store but rather orders online, of course Alexa / Home/Assistant / Siri / Echo / Cortana are all the rage. For a while; for a short while as people will find out that there was something more to shopping than getting something — but recognising the equilibrium that’ll turn out, may be in favour of on-line business, with physical delivery either at home, or at the mall.
The big ‘breakthrough’ currently being of course some half-way threshold / innovation speed bump overcome, with the home assistant gadgets that were intended to be much more butler first, (even-more-) mall destructor second. But that second … How about some fun and pranking, by catuyrig just some voice snippets from your target, even when just in line behind ’em at Wallmart, and then synthesizing just about any text? When a break-in on the backside of your home assistant (very doable; the intelligence is too complex and voluminous to sit in the front-end device anyway [Is it …!? Haven’t seen anything on this!] so at least there’s some half-way intelligent link at the back) may be feasible per principle but doing a MiM on the comms to some back-end server would be much more easy even, and much easier to obfuscate (certainly qua location, attribution), a ‘re’play of just any message is feasible.

Like, a ‘re’play of ordering substances that would still be suspicious even when for ‘medicinal purposes’. Or only embarassing, like ordering tools from the sort of fun-tools shop you wouldn’t want to see your parents order from. Of course, the joke is at delivery time [be that couriers, DEA/cops, or just non-plain packages] — oh wait we could just have the goods delivered to / picked up at, any address of our liking and have the felons/embarressed only feel that part plus non-repudiability.

This may be a C-rated-movie plot scenario, hence it will happen somewhere, a couple of times at least. Or become an epidemic. And:
[No mall, but a fun place to shop anyway; Gran Vía Madrid]

No surprises here; qua attribution

Is anyone surprised that apparently, “there’s traces of North-Korean involvement” in the WannaCry hiccup ..?
As yesterday’s post (below) already noted; no-one cares about WannaCry1.0 anymore hence ‘hiccup’. Has 2.0 come ’round already?
But how much repudiation by the North-Koreans would reach our general news …? So, how easy it is to blame the NKs for anything that goes wrong ..? Like,

Whereas, … Russia did claim it was also ‘hit’ by WC1.0 [oh the abbrev], but no damage ensued because they were able to stop it at the front door. Right. By lack of actual true snippets from 1600 Penn Ave, we now consider anything that comes out of Russia to be tru-er than what comes from DC, just like that ..? Because that would indeed leave ‘North Korea’ the only reasonably believable/unsurprising culprit.
On the other hand, the embedded tweet indicates Russia actually stole something. Until now, wasn’t it that the exploitable was leaked? Quite different … What is Russia’s involvement now, that those that have info of leakage only, don’t have intel on ..?

[Edited pre-press to add: there… ]

Oh, I’ll just leave it for you to ponder. And weep. And:

[Yes from that ridge, Gettysburg…]

Notnews

Remember it’s a two weeks flashback already
Monday morning’s watercooler discussion: Did you hear about this WannaCry attacks all around the world? The sky is falling! And what a hypecycle the ‘solutions’ vendors piled onto it immediately and oh hey look cat pics how cute oh now it’s Friday again how time flies CU on Monday for more cat pics.

So true it’s sobering; appropriately. And:
[Will never learn. NY]

Having a Coboll

Just when you thought that some problems had come and gone to be never heard from again, it turns out that it’s not that easy but big-time help is here.
Got tipped by a peer that flagged one particular company for help. No endorsement outright, no financial or other interest whatsoever [maybe I should, for the odds are with them], just plain ol’Hey Look That’s Interesting.

Because you didn’t get it; they help converting COBOL (and other mummyfied LoC) to New stuff.

On that note, I leave you with
[Images of volcanic activity keep blubbering out of your new systems infra, too; Zuid-As Ams]

Golden Oldie Pic of the Day

Yet again …:

[Yes I, this refers to your infosec arrangements – wouldn’t deride the terms ‘management system’ or ‘practices’ by attaching them to what you do…]
[Yes II I did not include a dropcap style in his post on purpose. Thanks you noticed.]

Note to self: GDPR scrum with or without the r

Just to remind myself, and you for your contributions, that it’s seriously time to write up a post on Agile development methods [OK, okay, I mean Scrum, as the majority side of the house]; how one is supposed to integrate GDPR requirements into that.
Like, we’re approaching the stage where the Waterfall model      of security implementation, will be Done for most organisations. Not Well Done, rather Rare or Pittsburg Rare, at your firm [not Firm …]. But then, we’ll have to make the wholesale change to Maintenance, short-term and long-term. And meanwhile, waterfall has been ditched for a long time already in core development work, hence we have a backlog (huh; the real kind) qua security integration (sic; the bolt-on kind doesn’t work anyway) into all these Agile Development methods of which word has it everyone and their m/br-other seems to make use these latter days.

But then, the world has managed to slip security into that. Which is praiseworthy, and needs more Spread The Word.

And then, there’s the GDPR. May we suggest to include it in ‘security’ as requirements flow into the agile development processes ..?
As said, I’ll expand on this l8r.
If only later, since we need to find a way to keep the DPOs out of this; the vast majority (sic) of them, with all due [which hence may be severely limited] respect, will not understand to a profound level they’ll try to derail your development even without the most basic capability to self-assess they do it, in ways that are excruciatingly hard to pinpoint, lay your finger on.

But as written, that’s for another time. In the meantime, I’d love to see your contributions (if/when serious) overflowing my mailbox… Plus:
[Lawyers lurking next door…; Zuid-As Ams]

The privacy-nightmare not your pseudo-dreams

Again, some serious flaw in the GDPR: Its reliance on, sponsorship for, pseudonymisation.
Which is worthless, already against break-ins.
And is worse, much worse, when you consider all the exemptions for ‘statistical use’ that are a cover for all the blatant abuse of personal data that the GDPR was originally intended to counter. And is worse, because six publicly available data points are all that is needed to identify anyone of the general public. De-anonymisation may be an art of sorts, but not a difficult one; easily demonstrated by any half-ass capable “hacker” consultant involved. [Of the Real kind]

Outside the controllers/processors conglomerates, such six points may have to be searched for – holdit; done. – but when anyone were to be able to infiltrate (why haven’t we heard of APTs for so long now? Because it was the TLAs, or is the overall picture waaayyy too scary to consider?), those six points are often found winthin one data set, if not with the IDs in some hardly-remote table.

And don’t come with the solution of homomorphic encryption, so usable for the statistical stuff. Also cracked, ever more systemically.

As if in today’s 21st century age, anyone would come forward with ‘these new developments, of motorised aeroplanes, with a “propellor” and all; they hold a promise for possible trans-atlantic flight!’ — Yet the GDPR isn’t different…

And:
[The background has much more circus than the tent before it, ifyaknowaddImean; Zuid-As Ams]

Maverisk / Étoiles du Nord