Information Risk Management – Page 12 – Maverisk / Étoiles du Nord

Parental Control – Surveilling your parents … Ew!

There you have it: Parental Control is needed more than ever, in a subtle way (I’d suggest you would do best to re-study The Cyber Effect; as I do), given the ever increasing (sic) risks online for the smaller than you.

But what about the more grown-up than you; your parents …? They either are only now, slowly, coming online, or they have been there already longer and have practiced but now are becoming older and mentally less capable or acute.
Hence, would we need to instate parental control to (also) mean: control over your parents (‘ their online behaviour)? And how would we have to arrange that; the norms for what e.g., appropriate content would be, are, ahem, not so clear. When a child would want to explore a vast portion of the Internet / its traffic, many agree that this would be either to be forbidden or a serious learning opportunity qua acceptability. When the one(s) that taught you about the birds and the bees would want to visit such sites, well, ew! but on the other hand…
Similar, qua gambling sites, hooliganism, et al. — not forbidden for any adult but where do things get out of hand, squared with how the capacity to operate in society may deteriorate with the elderly and where the thresholds might be.

Yes, in Europe, when you die your data (on socmed etc. too!) belongs to the government and your family has no rights over them. By consequence of some weird interpretations of obscure articles, contra reasonable moral and ethical expectations by relatives (either biologically/family-related or qua social media ‘friends’..?).
But for bank accounts et al., there have been practical rules and protocols already a long time, so that children (come of age) slide stepwise into custodianship. Would we need something similar for parents’ online behaviour? What would the rules of thumb look like, and could they be enforced somehow, to protect the weak against abuse ..?

Let’s discuss. And:
[Bridge too far? Cala ~~aging~~ again; Sevilla this time]

Drones with AI; revenge

Heard recently of an airforce that was setting up a drone squadron where the pilots (? might, given the joysticks, better be called ‘gamers’ these days, apart from the euphemistically erasure of the moral and ethical aspects, maybe) would be in that country but the drones would be stationed in some other country because stupid drone flying rules go for the DoD too.
Yes this regarded a European country [would’ve referred to NL outright if it was; ed.], you guessed that correctly from the previous.

At some point in the future, the drones inevitably will get AI because everything will get AI. And, in times of increasing hacking and comms disruptions, some autonomy would be welcome for the drones already. And, what with increasing (sic) hackability, qua security against take-overs / reprogramming / retargeting while already airborne?
By that AI time, smart enough AI to come back and take revenge for the exile on those that wrote / maintained the stupid rules ..?

Anything too outlandish to take into serious regard today, will be daily no longer newsworthy fact tomorrow. ‘Tomorrow’ may vary from tomorrow to five years; no more.

Oh and on a lighter note:[Oh hey look, a street car! Sevilla]

Colluding AI

As more and more grunt work (like, so much that’s done in the intenisve people farms called ‘offices’) is replaced with AI, how soon will we find that some decision by a human, hardly in control anymore but totally reliant on the precooked algorithmic outcome provided by AI, will be contested in court – that will be presided over by a judge, hardly in control anymore but totally reliant on the precooked algorithmic outcome provided by AI, and the two colliding against humans’ interests…

Note that “of course”, there will be humans nominally handing out the final verdict(s), because so many (not yet) fought so hard (not enough yet) to keep a ‘human in the loop’. But having achieved not much more than the nominal thing, and there quickly being far too little humans with enough experience (how would they gain that, when they haven’t gone through the grunt work themselves, including being allowed to err sometimes or how would they otherwise have learned ..?) to be able to usefully overrule the AI. Usefully, in the sense that the AI will have all the better, rational even if outlandish arguments… No more gut feelings … That may be part of what makes us human; whaddabout Kahnemann’s 90% System 1 ..?

And then, still, what when AI finds it rational to re-introduce the death penalty ..? Swiftly executed, to preempt appeals?

Oh how bright is our future! Also:
[There was supposed to be a shut-down button somewhere in one AI/pillar at least… Now they switch each other On again …; Córdoba]

Weak Humans, the Top-10

Again, the reference in the title is useless but may attract more readers through Timeline/Prio Gaming(™ from now on) – and, this in return might have referred to the title but yet again, close but no cigar (again, less chances of a Cuban, anyway, for some by their own mistake).
What I meant was that humans are targeted by hackers since they’re so vulnerable read stupid may be true — relatively… actually meaning apparently Technology and [the empty shell phrase of; ed.] Process may be so perfected that hackers have nowhere else to turn to.

That, of course, is not true. Simply, false.

When looking at the disastrous error rates (bugs to be fixed, sometimes easily) in software, how would anyone be able to claim Technology is anywhere near kinda OK. And Process… Show me an office (however formal, or strikingly similar to a coffee shop of not the Amsterdam original kind, or any beach with WiFi [→ why aren’t we all there, yet …!? ed.]), and show me a ‘process’ there. Wrong. All you can show, is either concrete, chairs, etc. even if of the kanban billboard kind [how idiotically silly can one get ..?], or humans. I.e., Technology or People. Neither of which is Process. No, printer paper with some ink blots .. also not process (descriptions) but Tech..! Don’t believe the lies, people! Process doesn’t exist!
So, we have something half-crappy [surprise this blog editor still runs … ;-] and something non-existent, … and People. On what now would you want to build your security?

Ah, on the People that are the most flexible, attentive (to business objectives, not your overhead), and creative (well… but including the most meta<sup2 of abstract/meme evolution evah) that Nature has ever developed with her genetic algorithm play of Evolution.
Where did you leave your own mis- and totally-zero-understandings on Humans, to pursue Tech and “Process” (quod non) solutions to Human threats ..? Why weren’t human threats from the word Go protected against by the best that human defences could muster to protect human vulnerabilities ..? Not only qua passwords, with a method aligning with cardinal sin number …. [should re-read the Bible for that; ed.] being the quest for ever more money i.e. including the protection of what you have (see the link). But qua overall about-all controls you’d need. If done right, I bet a lot of tech controls would dwindle in significance (and possibly be executed much worse than today; zero gain).

Now I start to ramble. But you get the point, and you get:
[From here, the Strong came in. NY]

Yup, called, confirmed

Always pleasant, to read one’s (almost…) correct, on off-off-Broadway analysis and postpredictions. Like this one, corroberated here, in a way.
Yes, I kno. I almost got that correct. Enough to confirm the line of reasoning, if you read it / both correctly, they turn out correct. I’ll stop now. And:

[Check, for Dutch ad viewers; Valencia]

Discharging DPOs by auditors

Now that it by and large seems to be that GDPR hypestuff is mostly pushed into the legal corner, … let it stay there. Let the others do their job, and reap all the benefits. I.e., via the avenue (required budget-wise; wildlands qua budgets received) of data discovery [Uchg ugly word I meant inventory] / data minimalisation/cleansing / data security [the old way, like information security, not the #ditchcyber fail] towards magnificent efficiencies in IT ops, and much clearer, exponentially better profile’able data even if Big.

Hey, the DPO was so self-inflatedly Important, right? Let him (sic) handle all the fan mail then… Let him panick-crash during every high-pressure breach BCM handling.

And then a. get fired, b. get sued, c. get replaced by yet another legal scholar turned business savvy (quod non) ‘executive’ [who executes who?].

But … in the mean time, someone would have to discharge the DPO. Not from internal audit because they’re part of the ~~problem~~ organisation.

OK, let’s have that done by an external auditor, then. A specialist, hopefully.

Hereby my claim to that specialty. Will develop fully-compliant methodology, will travel (charging expense…).

And:

[As an external auditor specialist, I love to have this sort of view; NY]

Some Quotum of Questions of Quantum

Am I the only one with questions how the following intertwine:
An article on how quantum-secured blockchain may be so safe, but possibly not in the hands of whom you’d want it? If in anyone’s hands at all, since no-one can be trusted forever; if you wouldn’t believe that, you declare yourself incapable of discussion on this subject…
A most brillant blog post on a related subject.
An equally insightful piece on how blockchain-of-command would lead to Totalitarianism.
An equally … Being the Why Johnny Can’t Encrypt, 2017 version. Notably, the previous versions hadn’t been patched properly…

So, you see a Perfect Storm or what ..?

Plus:

[Why did you cross the street, you chicken? M’drid]

Nudging to intermittance; 5 steps to awa success

As by now you have become accustomed to, this isn’t anything about five steps, or success. Or, I mean, the latter, maybe. Was triggered by the to be, should be classic on all thing #ditchcyber ψchology, where it discusses the lure of games and the reward structure therein. From there I wondered three things:

How can we deploy true gaming (not the quiz / survey kind) in raising, and maintaining, awareness in information security praxis for end users? Like, not the Training kind, but the Knowledge → Attitude → Behaviour – into eternity kind. For end users, and for infosec-(more-)deeply involved staff, differentiated.
The latter, probably requiring training upfront, but towards actual technology deployment, tuning (!) and use. And, moreover and probably much more important to get right, BCM style training. Train like you fight, then you’ll fight like you train. Since when it comes to damage control (and in infosec, the “it’s not if but when” is even harder fact than elsewhere!), one wants to have trained all on cool, controlled response not mere panicky reaction even more rigorously than in about any other direction.

Where does the Nudging part come into gaming ..? The thing, nudging rewards and penalties, is in use everywhere in public policy, to inobtrusively (sic; by governments yes, beware of the Jubjub Bird!) coerce people to change their social habits. At least a frog will jump out of slowly heating water… [Yes it does. But how did you want to jump out of the complete, total slavery of the Social Contract ..? You can’t. You’re bound from and by birth. You’ll be a slave forever, the more so when your mind is free…]
But besides; how do ‘we’ use nudges in infosec behaviour change games? How, in daily mundane practice where attention is to other things only, not to infosec as that stands in the way of efficient objectives realisation ..?

Third, how are the above two things combined, through ‘intermittent rewards’ as the most addictive element in games ..?

Just wanted to know. Thanks for your pointers to answers. [Have I ever received any? Nope.] And:

[On a bright day, for Stockholm, the Knäckeboat museum]

Car disruption

Have governments gone insane?? They penalise anyone (but certainly not everyone) going over some completely [?] arbitrary speed, whereas my car can do double that, easily. This needs to be disrupted! Just drive as fast as you can handle, don’t care about the ‘others’ that stand in the way of you in your fundamental rights to freedom and the pursuit of happiness, and fight government in courts when they go after you – they are the stupid ones! They can’t stand you disrupting the traffic market by being quicker than the stupid sheeple [or is that you disruptor-user ..?] from A to B! People will die in traffic (e.g., by being so stupid as to always stay on the pavement but wanting to cross the road at a pedestrian crossing; fools. Children will veer off onto the streets; too bad. There will always be some less lucky and they take themselves out of the gene pool, just let them not hinder the Winners.

I’m into privacy. Which is of course completely different? from traffic ‘markets’ where the road is a commons, bound by rules (like, one doesn’t have priority but should give it to others when due) to make it reasonably safe for anyone (as a commons: no over-use till Tragedy Of). Just like hotels having to live by all sorts of safety rules (training staff, smoke alarms, hygiene, etc.etc.) for a reason. The same reason (or worse, given casuality of visitors) that goes for the V-sign company?
So, privacy in public space, the more virtual the more so [at least, no bit less so], can one (ab)use it when in breach of laws of common decency – that go much beyond mere laws or constitutions ..?

Not even a personal thing, the above … and:

[Perfect space for street racing…? Wouldn’t even hit too many ‘innocents’ here…; Zuid-As Ams]

Macrodots on your Opsec training card

Already a couple of weeks (month) ago, the whole secret-microdots-ID-your-printer thing came out. Re the leakage of something-TLA in relation to electionhacking [let’s write that as one word, better aligning the construct] or what was it, where the leakster was IDd quickly because the microdot on the published material(s) revealed the printer used.
Here I was, thinking that this microdot thing – Some claim it goes with laser printers only, not inktjet/dot matrix ones; anyone has any definitive confirmation of this? If confirmed, how many non-stupid bad guys will still use laser printers not have switched already …? – was wider known (like, I had yet to meet anyone in the infosec field that didn’t know of them or could not expect them, nor give any canary) but was supposed to not be used for any but the most extreme evidence-requiring circumstances. Like, you let incidental bombers walk because you don’t want to reveal your methods in order to be able to trace networks of them.

But here, a simple case of whistleblowing (is it, or is there more at play, like, Western democracy or even something serious, unfake …?) and everyone knows it now, in the open. Strange.
Tons of good info in the link, BTW.

Also strange that someone with such high clearance wouldn’t be better trained in Opsec, hence a. know about microdots and b. have used more covert leak channels. If training of such critical staff is so poor, there’s more serious troubles than just the demise of democratic institutions forthcoming.

Or maybe pretty-face leakster was ousted for not (falling for blackmail pushing to) providing some kind of services. Who knows. No one, these days of non-non-repudiatable news.

Oh well. And:

[In some relation to the above, that guy on the pole would know much better than to want encryption banned or backdoor’d to counter some moronic attackers like latter-day flat-out lying PMs]