No more cat, up P ..?

OK, we’re now something like a month after the launch of Meerkat. Do we still remember it, or even use it, or was it wiped off the MAU market by Periscope ..?
How fast some things go. Having to be vigilant on a 24/7 basis. Maybe DACs might best take over in the end, indeed, so we can get some sleep. Or, no, … in what way would that work? Users consumers sheeple may be needed to generate content that has more than machine interest otherwise ads won’t work.

But do DACs even innovate ..? Or just develop, possibly prosper (go beyond hockey stick investment recovery), and wither ..?

More importantly, how do the two not point out the futility to move innovation into its limits in just this one direction ..? B/c it doesn’t really contribute to the diversity of communicative expression, does it ..? It’s just Me, Me, Me I Am Totally Awesome Posting This Clip Ermagerd all over again.

Let’s not get too negative. Sometimes, true Innovation goes by little steps. As, here, microsteps. And not really helping humanity in any useful way. Hence, I’ll leave you with:
DSCN2198
[Ludwig dreamin’, static at Barça]

VoteChain

A short question: Would anyone have pointers to info on how to use blockchain methodology to have (physical-world) voting on the ‘Net but with integrity, secrecy and (non-)repudiation everywhere, from eligibility registration to tallying and publication ..?

Because I’d say there’s possibilities with said technology ( / process / methodology / application ?).
E.g., what was it again with that Swiss canton that did three votes per voter and newspaper publication of codes, and other such schemes ..?

Otherwise, this:
[youtube https://www.youtube.com/watch?v=PLIVVDmDjDI]
Will return on this subject. For now:
DSCN7683
[Not seen so oft; for no (?) reason; FLlW near Baltimore]

Here, First

Integrity at any level is the Yggdrasil of any CIA or other quality of the layers on top of it.

I.e., if at the platforms level the integrity of software (à la Turing, engine/programs and data) cannot be guaranteed at a full 100,000…%, no extreme of measures on top of it can restore the missing percentage, only (somewhat) limit further deterioration of the stack on top.

Okay, this being a bit abstract, a somewhat more simple and extensive explanation will follow.
Till then:
DSCN6859
[No base, no glory; Sevilla]

Th Ei(ght hours overtime) Team

When one has the luck to be selected and present [see below…] for the 8-i.org challenge, Dutch division, one learns.

It started when my wife, volunteer for the Stichting Babyspullen, happened to get a slot at the March 28th Utrecht session. And couldn’t find a fellow volunteer to be present all 18:00-04:00h so I chipped in (also for the ride home as public transport would be a nightmare).
It continued with all sorts of small lessons learned throughout the evening, regarding (event) management and content.

But the one thing that stood out was: How, per charity, the volunteer creatives that lend their time, were hand-selected to form as (age-)diverse teams as possible, and with a definite eye for some but optimised not maximised team competence diversity as well.

You probably get it already: Why don’t all businesses work that way ..!? Why would any business that wants to think of itself as Creative or Innovative or Open to Change or just We Don’t Want To Acknowledge We’re Boring As Heck, not follow this model, too? Usually, almost always, the safe route, the Our Kind Of People incestuous groupthink wins out. Yes, even in creative circles, anyone not fitting the wannabe-hipster mold would be outcast, not allowed in.

So, @8_iOrg won the day, and saved it (for me, for this already), by deliberately changing common ways and demonstrating that when results are wanted (i.e., the specific objective(s) for the charities helped for free) where any level of creativity is required, one best goes for team diversity.

Now you all go out there and spread this word in your organisations. Not by babble but by actual action. For now:
[photo]
[Where would be the reason to build something standard?
 Why need a reason to be creative?
 Hopefully, all will move to standard-only-where-actually-needed…;
 Cala at Hoofddorp]

Stuck in the 80s (wrong end)

Some recruiting experience a friend had recently… (in no particular order, just what I recall from his analysis; yes I did take notes after a short while and seeing friend’s energy drained even in the recall):

  • When walking into the shared space / reception, an all-M team were starting on pizzas.
  • Setting: One candidate (my type, i.e., aiming to think fresh), one manager-possibly-to-be (M; styled like a civil servant), one HR (F; typical? she got the coffee).
  • Mptb repeatedly brought up a vacancy not applied for. Mptb may have wanted to fill that slot more urgently, but was not the one that triggered friend to send the open (sic) application for a first meeting just to learn more about the co.
  • Mptb couldn’t but return over and over again to the capacity for sales. Friend had already mentioned explicitly in the motivational letter that sales (of the cold call type) was the main weak point, well-known. Why keep hammering on that? Not on marketing (friend has great, very frequently demonstrated capabilities for that), hardly anything on content, not much on knowledge or fields of interest. But then, what can one expect from an Mptb that had the first half of ‘career’ in selling bananas (literally; I checked for friend)? Also, Mptb did not show any interest when friend mentioned his very, very extensive, professional thoughts-filled blog; possibly b/c Mptb didn’t know the concept of ‘blog’..?
  • Apparently, only the one-pager resume had been gleaned over. Of which friend had remarked in the motivational letter that it might read as being skewed to the (IS) audit side but that work content had hardly been that at all for the past decade+ and had been almost completely with advisory and consultancy services. Mptb could not see that, or may not understand enough of business outside the own (narrow? I’ll leave that to friend and you) scope of one’s own daily drudge. Mptb kept hammering that out. Friend has a two-pager resume in English (may be too difficult for the all too Dutch Mptb?) that has job content descriptions but that didn’t even come to pass. LinkedIn? Nothing. Friend has a very extensive and diverse profile there and had checked; Mptb hadn’t had a single cursory look. SocMed seemed not to exist.
  • Mptb indicated anyway to operate at ‘tactical’ level with clients. Highly doubtful. At least, taken from some details of the conversation, friend operates a level and a half higher, and examples given and some details of the discussion indicate, Mptb hardly rises above operational control level and didn’t demonstrate much understanding of dealings at various management let alone governance levels. Which may have explained some of the misunderstandings. But Mptb would have had to be the one to have noticed, if Mptb – or would be a very mediocre, 70s-to-80s type of manager?
  • Same indication from the salary range indication. Quite something lower than current. Pay the bananas, get the monkeys.
  • But then, Mptb did keep on spelling out that selling services project-wise to clients boiled down to just proposing a handful of CVs with all track records spelled out. Actual project definition, ToR, deliverables, whatev’ (?). Ah. If friend were to spell out all projects, that would lead to a. a 25-30 page resume, as friend had a resume like that already 16 yrs ago that counted 15 pages (I still have that on back-up somewhere) through executed project summaries (sic), b. clients being dismayed their details would be presented to just about anyone else – if you see the project details of others, yours will be displayed to competitors as well in our business that deals with/in confidentiality.
  • But then, the main point is that friend doesn’t want to be bodyshopped, stuffed in client job slots just for the pay by the hour. How 80s can you get ..? Didn’t Mptb notice the world has changed, and such retro business is to be ridiculed …?
  • This, with a focus on billable hours and not sitting on the bench. Yeah, friend and I understand that. To be an operational hygiene factor. Not the focus of daily work life.
  • On the other hand, Mptb also kept on hammering on with questions how friend would deal with project hiccups, as if they’d be simple bugs or so. To be fixed with a simple fist bang..? As if that goes in today’s business, at the level one wants to be concerned. Friend’s answers to resolve them in, at the same time, businesslike and diplomatic ways, apparently was too difficult to grasp.
  • And oh yes, a handful of half-cocked STAR attempts were thrown in. The samples I heard were far from and would have missed the point (the information gathering the method actually intends) quite comprehensively.
  • Overall, Mptb seemed like a bad listener to me, not interested in what friend brought to bear let alone what work friend wants to do, what directions he wants to go, etc. Oh yes, there was the question about own ideas for personal development, but the answers again didn’t seem to land; friend got reaction, not response.
    And though non-verbal comms was clearly mentioned, Mptb didn’t recognise that as a signal that his own posture only conveyed confusion and resignation. Verbal comms didn’t result in replies by Mptb that might indicate understanding and exchange of ideas, just what friend told me to understand as “Hm, didn’t get the fully templated answer I wanted to hear b/c that’s the only kind I understand”. But Mptb found fault with friend over the latter’s non-verbal.
  • Overall II, I’m unsure whether, or rather am sure that, neither friend nor I would want to work with/for such a Mptb. Probably, ‘management’ would consist of bullying over unbilled hours only; no sight of understanding today’s knowledge workers need to be freed of chores such as sales, and need coaching and all other facilitating stuff (and risk management, etc.) offloaded to … the manager as that’s his job, to be free to deploy one’s excellence without being bothered by not-understandelings. We agreed we wish Mptb luck with client relationship management as he’d need tons of it, and would advise him to stay away from actual project execution or staff management. If we’d get into a relevant position we certainly wouldn’t invite him.
  • The (quite inattentively) somewhat brushed aside HR lady slipped in some questions about friend’s private life and goals in the end. I know friend as someone who wants to very much have a seamless blend of (hardcore to softcore) business, semi-professional hobbies, and other stuff. Mptb didn’t seem to care.
  • Conclusion: A waste of my friend‘s time.
  • Friend was contacted afterwards; they sought a full-on build-a-team-through-all-sales person indeed. That was not in the function profile friend showed me… And, as said, friend wrote in his motivation that if anything, that was his weak point. The waste of time could have been prevented.

Had to discuss this over a couple of days, to get it out of friend’s system…

Only to realise that I haven’t had a good job conversation myself recently, either. Though most of the (not so many) times, only a couple of the above’s issues were at play, I was disappointed all too often. I also didn’t really like the other sort of ‘interview’ where one is asked snarky gnarly brain teasers. Or even had to do an assessment with a day full of questions with quite certainly the wrong answers. Or just in the interview. Why do recruiters still think they’re the conversation boss or something? Haven’t they learned how to beg for the right talent ..!? I might not completely be in that category [worded like that not to appear presumptuous at considering myself perfect, or would that add to the adoption of the hypothesis? ;-] but still, to have a grown-up conversation about it all would be welcome. So, … your comments.

But hey, then, to not get depressed:
DSCN6875
[Pleasant life; not only the Expo at sunny Sevilla]

IoTA multiplication; old style, is the new new

Apart from the previously established focus on Integrity, in particular to have Data plane integrity from which actual Information could be derived, through integrity in the Control plane, there’s of course a need for other aspects as well, like Confidentiality, Availability, and Effectiveness and Efficiency.
[Oh that previous Integrity signal is here.]
Though the latter two, we’ll diss straight away as most secondary, at best, along with the even further irrelevant Auditability et al. That take a devastatingly distant back seat to ensuring the first three objectives are met; not to interfere by mention, even.

Intermission:
DSCN5611
[Onto itself, good enough; Papendorp]

And, we’ll square the three foremost information/data/systems/elements quality aspects with the great many objects one can outline in the IoT sphere. Leading to very interesting new combinations of various corners and angles of objects and aspects in all sorts of abstraction levels – multiple, not necessarily constant, consistent or complete when studying for certain overall audit objectives.

And, let’s not forget, we do have OSSTMM for more traditional objects, and may (have to) enhance that to incorporate the ‘new’ more technically oriented objects of sensors and actuators (including a need to understand and probe them, e.g., at the AD/DA-converter and pure signals levels).
But we also need to incorporate the vast blue (rather, muddy grey) ocean of People, as controls and as to-be-controlled elements.
Only then can we have a full systems view on the to-be-controlled and to-be-audited phenomena.

But we dreadnought and fear not; for we have a number of building blocks bricks, even if at Lego size. Like the security suites springing up and spreading, Splunk et al and al. of the proprietary hardware-vendor types.

To Be Continued in extenso, including these vendors’ security-management-first approach which helps a lot, through logging/reporting availability and some security control, and including the generic risk management approach that is at the limit of what common auditors’ associations seem to have as vanguard developments in lieu of actual understanding of the vast terrain to cover.

All in all, together in order

Ah. Actually, I needed a well-ordered list of the subset of my posts re All Against All. Because searches don’t pony up the rightly ordered results, herewith for future reference:

So… Done. For you:
DSCN4588
[Well-calculated dare, Madrid]

SwDIoT

Recently, there was yet another exepelainificationing of ‘software defined networking’, along the lines of separation of the control plane from the data/content plane (here).
Which ties into a core problem, with IoT the subject of this post: Integrity.
Yes, confidentiality may be an issue, but singular raw data points themselves often are too granular to actually steal any information from. And Availability is of course also of the essence, especially in ‘critical’ systems. But the main point of concern is with Integrity, of the system in a wider sense, but also in the smallest sense.

Take Stux … Integrity breach as the vector space, spanned along a great number of dimensions.
Objective: Degradation of the information value; increasing the variance to a level where noise overwhelms the R2 of the signal (however far from log2(n), big if you understand), through degradation of the (well, original) software integrity.
Path: Introduction of intentionally-faulty (?) software. With use of, probably, penny-wise correct IAM, being pound-foolish at the medium level. I mean, the level where human and other actors are unwitting accomplices in planting da bomb. That’s what you get by simpleton top-down compliance with just about every thinkable rule: To do any work, underlings will devise ways to circumvent them. And, adversaries will find, see, avenues (that wide) for riding on the backs of the faithfully compliant to still achieve the objective.

But OK, back to … separating the control plane from the data plane. Bringing a shift in efforts to disrupt (no, not of the mehhhh!! destructive, economy-impoverishing kind but in the actual signal degradation kind) from just-about any attack plane down to, mostly, the control plane. That may seem like an improvement, de-messing the picture. But it also means shifting from a general, overall view of vulnerabilities to the core, and a core which is less tested or understood, and harder to monitor and correct, than previously. Or is it ..?

So, if we take this Software Defined to IoT, we’ll have to be careful, very careful. But yes, IoT is constructed that way … With signals to actuators that will result in altered sensor data feedback. Know the actuator signals, and the actuator-to-sensor formulas (!), and you’re good to go towards full control, with good or bad (take-over) intent. Know either (or how to get into the sensor data stream), and at least you can destroy integrity and hence reliability. [DoS-blowing the signal away in total blockade or grey noise wipe-out, and your cover is blown as well. Is a single-shot or semi; you may want to have full-auto with the best silencer available…]
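The actuator-to-sensor relation cuts both ways: the same formulas that give an intruder leverage let the defender cross-check the feedback. As an added example (not from the original post, and not any vendor’s or framework’s code), here is a monitor that replays the actuator commands through a hypothetical first-order actuator-to-sensor model and judges the observed sensor stream against it, on the signal-versus-noise (R²) line of the post. The model, the thresholds and the sample streams are all constructed assumptions.

```python
"""
Added example: integrity monitor for an actuator -> sensor feedback loop.
The loop model, thresholds and sample data below are assumptions constructed
for illustration, not measurements from any real system.

Verdicts per window of samples:
  "frozen"        sensor stream no longer reacts while the model says it should
  "bias"          a consistent offset between observed and expected feedback
  "degraded"      noise overwhelms the modelled signal (R^2 below a floor)
  "insufficient"  actuator did not move, so there is nothing to cross-check
  "ok"            observed feedback tracks the model
"""
from dataclasses import dataclass
from statistics import mean, pvariance


@dataclass(frozen=True)
class LoopModel:
    gain: float   # steady-state sensor units per actuator unit (assumed)
    alpha: float  # fraction of the remaining step closed per sample, 0 < alpha <= 1


def expected_feedback(model: LoopModel, commands, initial=0.0):
    """Replay actuator commands through the first-order model."""
    state = initial
    out = []
    for u in commands:
        state += model.alpha * (model.gain * u - state)
        out.append(state)
    return out


def r_squared(expected, observed):
    """Coefficient of determination of the model against the observed stream."""
    ybar = mean(observed)
    ss_res = sum((o - e) ** 2 for e, o in zip(expected, observed))
    ss_tot = sum((o - ybar) ** 2 for o in observed)
    if ss_tot == 0.0:
        return 1.0 if ss_res == 0.0 else 0.0
    return 1.0 - ss_res / ss_tot


def assess_window(model, commands, observed, r2_floor=0.9, bias_limit=1.0, eps=1e-9):
    """Classify one window of actuator commands and matching sensor readings."""
    if len(commands) != len(observed) or len(observed) < 2:
        raise ValueError("need equal-length windows of at least two samples")
    expected = expected_feedback(model, commands)
    if pvariance(expected) < eps:
        return "insufficient"
    if pvariance(observed) < eps:
        return "frozen"          # stuck or replayed feed while the actuator moved
    residuals = [o - e for e, o in zip(expected, observed)]
    if abs(mean(residuals)) > bias_limit:
        return "bias"            # systematic offset, not explained by noise
    if r_squared(expected, observed) < r2_floor:
        return "degraded"        # variance has swamped the modelled signal
    return "ok"


# Constructed sample data: a unit step at sample 20 on a gain-10 loop.
MODEL = LoopModel(gain=10.0, alpha=0.2)
COMMANDS = [0.0] * 20 + [1.0] * 40


def scenario(kind: str):
    """Build a constructed observed stream for the named scenario and assess it."""
    base = expected_feedback(MODEL, COMMANDS)
    if kind == "healthy":
        obs = [e + (0.05 if i % 2 else -0.05) for i, e in enumerate(base)]
    elif kind == "noisy":
        obs = [e + (4.0 if i % 2 else -4.0) for i, e in enumerate(base)]
    elif kind == "offset":
        obs = [e + 3.0 for e in base]
    elif kind == "stuck":
        obs = [0.0] * len(base)
    elif kind == "idle":
        return assess_window(MODEL, [0.0] * 60, [0.0] * 60)
    else:
        raise ValueError(kind)
    return assess_window(MODEL, COMMANDS, obs)


if __name__ == "__main__":
    for kind in ("healthy", "noisy", "offset", "stuck", "idle"):
        print(f"{kind:8s} -> {scenario(kind)}")
```

The verdict order matters: a frozen feed would also score a poor R², so it is tested first; a pure offset is reported as bias before the R² floor gets a chance to blur it into generic degradation. In a real deployment the model would be fitted per loop and the thresholds set from an observed baseline rather than the assumed values here.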

Hm, the above from the tinkering with the grand IoTAuditing framework promised… To turn this all into a risk managed approach. Well, for now I’ll leave you with:
DSCN3214
[It has a glass floor up in there, you know. Blue Jays territory, ON – and yes, a very much sufficiently true and fair horizontal/vertical view picture, according to accountants]

Morozov’s no joke

Just a very few:

“The fear of appearing inauthentic, of being a fake, has propelled nearly as much technological innovation as pornography.”

“But Adorno does have a point: authentic things are not necessarily morally good, and morally good things are not necessarily authentic.”

“In this, the authenticity rhetoric of Facebook is strikingly similar to the public debates in 1950s America over whether uniformity (everyone living in mass society is essentially the same) was a greater sin than conformity (some people adopt ideas, habits, and beliefs only to get along). The latter, the conformists, were seen as phonies who chose to be someone else; the former, those who were uniform by design, were seen as the real phonies – as people who thought they were making choices and being their unique selves, when in fact they were anything but.”

“Worrying about usability – the chief concern of many designers today – is like counting calories on the sinking Titanic.”

“The goal of privacy is not to protect some stable self from erosion but to create boundaries where this self can emerge, mutate, and stabilize.”
“Digital technology has greatly expanded the windows and doors of our own little rooms for self-experimentation – but we are now at a point where those rooms are on the verge of turning into glass houses.”

“Given the complexity of the self, trying to reduce the privacy concept to a purely utilitarian framework is like steamrolling a statue to capture its essence in the simpler space of the two-dimensional plane.”

Oh how many more such insights are there, to Learn. And weep. For that:
DSCN5410
[Yes, Gettysburg battlefield. Ominously.]

Seamless complacency, rise of the crackers

Yes, seamless integration as, e.g., pursued by the likes of Appl, may polish some edges of the roughness of the world. OMG! I have to turn this plug over to make it fit! The horror! Why didn’t someone fix this!?
Such, to be shipped to the battlefields of the Middle East and Africa, traumatised at the bus ride already.

And, the consumerism, the ultimate ideal of marketeers and Silicon Valley alike, will bring both down crashing. Because the ideal of consumerism everywhere, will also, does already also, pervade education, leaving (achieving its goal at) numb drone consumers – that have no means of income as they’re too mediocre at far too low a level to have any differentiating value (of potential (work)); a vicious circle – that will not be able to see value in services offered but moreover are incapable of building the Next Thing or even maintaining the old.

That will be left to
a. The ever shrinking (!) money(sic)-mostupper class. Not true class!
b. Crackers.
a. This of course, till the exponentially spiraling competition of the money hierarchy will result in < 1 slot, in the end.
b. This of course, since there will be renegades, outcasts, that go their own way. And will be legion. As they drop out, are brute- nuclear-force pushed out of the consumerist lowest classes. Suddenly, have to be resourceful – and (t)hence go after the resources… Only outcasts will see the porous base of the systems stack and hack their way into it. Cultural abandonment leading to … this, you know.

Ah, lessons …? Don’t Be Evil, and Be Prepared. To abandon. ..?
Whatever, there’s still:
DSCN1118
[Metropolis… La Défense, many years back]

Maverisk / Étoiles du Nord