Mostly on wine. Also: IRM/InfoSec/I-Advisory and -Audit services. Positive contrarian, inspirator, loosen-upper.
Suddenly (?), amidst all sorts of ‘backlashes’ to whip the 90%, or 99%, back into sully compliance and complacency, this ENISA report came out. Issuer → importance. Get it and read…
For the effort:
[Somewhat close to near perfect alignment. But no cigar for the Gemeentemuseum Den Haag …]
In order to get proper information risk management and audit in place for IoT, on top of IoTsec, the frames of mind should be grown and extended so at least they touch, if not overlap in a coherent way.
Where IoTsec-and-IRM-and-audit is about the I and C of All Of ICT, we could do worse than to have a look (back) at the OSI stack. All People Seem To Need Data Processing, remember. (Not even a question mark but a period Or else go back and study, a lot.)
Which we should extend, clarify for IoT, and deepen in detail, downwards towards the sensors and actuators, and upwards beyond the A level into … Meaning, like, Information and stuff ..?
As an interlude, you already deserve:
Heh, ‘smart’phone pic; not FLlW but Van ‘t Hoff’s Villa Henny. As here in Dutch, though that states the style would be related to FLlW only – wiping the ‘near-perfect carbon copy’ aspect under the rug…
Now here’s a few actual FLlW’s…:
How’zat for copying ‘in a style related to’…!
[Sorry for the pic quality; these scanned from analog…]
Now then, back to the OSI stack and the absence of Security in that. Audit is even further away; the orphaned nephew (role, function!) will be attached later to the whole shazam.
Given that the A is there for Application, do we really have anything like the function of the communications/data at that level or higher up ..? Well, it seems Higher Up is where we should aim indeed, as a starting point. And end point. Because the information criteria (being the quality criteria that information may or may not meet) play at that level. Resulting in all sorts of security measures being applied everywhere ‘in’ the OSI stack itself [as a quick Google shallows shows] for safeguarding these criteria at lower levels; lower in the sense of below the Meaning level i.e. A and down.
Because, the CIAEE+P (as partially explained here and here) regard quality criteria in order to ‘have’ appropriate data as medium in which Information may be seen, by interpretation, and by letting it emerge from it. (Sic, times two.) Above which we might, might possibly, even have Meaning getting attached to Information. (Big Sic.)
Oh, and, the even-below P-level implementation I’d relegate to the, usually not depicted, physical not-comms-box-but-signal-source/destination physical objects of sensors and actuators… Obviously.
So, all the Security in the picture regards the quality criteria, and the measures taken at all levels to enhance their achievement. Enhance, not ensure. Because whoever would use ‘ensure’ should be ashamed of their utter methodology devastation.
And, to be honest, there is some value in having measures at all levels. Since the grave but too common error of doing a top-down risk analysis would require that. And a proper, due, sane, bottom-up risk analysis would still also have this, in a way.
Where the conclusion is: Requirements come from above, measures to enhance meeting any requirements, should be built in as extensively and as low down as possible, only extended upwards as needed. Note that this wouldn’t mean we could potentially do without measures at some level (up), since the threats (‘risks’) would come in at intermediate and upper levels, too, not having been taken care of at lower levels ‘yet’.
Audit, well… just checking that all is there, to the needs whims of apparently unintelligent requirement setters…
I’ll leave you now; comments heartily welcomed…
OK, herewith Part II of:
Tinkering with some research that came out recently, and sometime(s) earlier, I had the idea that qua fraud, or rather ‘Cyber’threat analysis (#ditchcyber!), some development of models was warranted, as the discourse is dispersing into desparately disparate ways.
The usual picture suspect:
[Art alight, Ams]
Second up, as said: The same matrix of actor threats, (actor) defenders, but this time not with the success chances or typifications, but (read horizontally) the motivations.
Next up (probably the 26th) will be typical main lines of attack vectors. After that, let’s see whether we can say anything about typical countermeasures.
Hmmm, still not sure this all will lead anywhere other than a vocabulary and classification for Attribution (as in this piece).
Yes it’s becoming clear now, if you hadn’t had this on your radar yet from scanning to tracking, that certainly the first half of 2015 will be the Year of SocMess – Social Messaging. Breaking through as a separate category, since SocMed as in the Platform-collecting-all-your-data-for-sale-to-the-prime-examples-of-shadiness kind, think Facebook, will quickly diminish and the Anon apps will spring forward. Where the Anon aspects (as per this explanation and others) may differ, but they all’ll have a mix of the elements that make part of the comms anonymous. Really. As otherwise, they wouldn’t be in this category, right?
And indeed, of course, I wrote ‘part of’ not for nothing.
This development will be interesting to follow. As it mixes with the development of in-crowd apps (that have been around already for a number of years!) where exclusivity is ensured either by limited invite-onwards capabilities or central control over extension.
And there will also be the development in the mix where follower-numbers will stratify further, so we’ll have more 1%-99% skews between interest-pinnacles and the hordes of followers blabbering Likes of all kinds – or flipping into hater gangs.
And, … even more … Subgroups, interests and subcultures emerging to dominate platforms (errr… socmed apps), crowding out others, leading to verticals qua interests segments, and some probably unwantable forms of social exclusion and ‘xenophobia’ where if you’re a n00b you may not be let in on discussions. Kindergarten playground style, but that’s how many (not so, or literally still hardly) grown-ups are.
And on top… The platform providers will battle it out, too, deep under water, where Docker, Google Cloud, Amazon, iCloud, et al., will vie for prominence.
And, the IoT/Appmix will extend. Uber was a quicky, likely to meddle forward in 2015 but the prime has been lost on that one. And Lyft will trail. So will domotics like Nest et al. But, the extend part will be there, with a range of new apps in this area, for functions you still now haven’t even thought of to be handled in this way.
Didn’t I forget to add a little Apple in the mix? No, since there will be hardly anything to mix in, A-wise. Or it be the deterioration of MacBooks’ revenue [Edited to add: Same for iFoan] leading to an emperor in ‘new’ clothes qua prospects, market value and future…
OK, I understand it’s all a bit much, and comes quite late, as predictions for 2015 [Edited to add: apart from these I posted previously; somewhat overlapping], but nevertheless, this all was required to be spelled out for you. Which leaves:
[Smells like 4711 spirit…]
OK, I’m a bit stuck here, by my own design. Had intended to start elaborating the all-encompassing IoT Audit work program (as per this post), but the care and feeding one should give to the methodology, bogged me down a bit too much … (?)
As there have been
Now, before jumping to yet another partial build of such a media / method loose parts kit (IKEA and Lego come to mind), and some new light bulb at the end, first this:
[One by one …, Utrecht]
After which:
Some building blocks.
[Risks, ∆ [Consequences] of If(NotMet([Quality Requirements]))]
Which [Quality Requirements]? What thresholds of NotMet()?
[Value(s)] to be protected / defined by [Quality Requirements]]? [Value] of [Data|Information]?
[Consequences]?
[Threats] leading to [NotMet(Z)] with [Probability function P(X) ] and [Consequence] function C(Y)?
([Threat] ∆ by the way as [Act of Nature | Act of Man], with ActOfMan being a very complex thingy in itself)
[Control types] = [Prevent, Detect, React, Respond (Stop, Correct), Retaliate, Restore]
[Control] ∆ …? [ImplementationStrength] ∆?
[Control complex] ∆ UnlimitedCombiOf_(N)AndOrXOR(Control, Control, Control, …)
Already I’m missing flexibility there. [ImplementationStrength(Control)] may depend on the individual Control but also on (threat, Threat, …) and on Control’s place in ControlComplex and the other Controls in there. Etc.
Which should be carried out at all abstraction levels (OSI-stack++, the ++ being at both ends, and the Pres and App layers permeating throughout due to the above indetermination of CIAAEE+P for the four IoT development directions, and their implementation details with industry sectors. E.g., Medical doing it different than B2C in clothing. Think also of the vast range of protocols, sensor (control) types, actuator types, data/command channels, use types (primary/control, continuous/discrete(ed)/heartbeat), etc.
And then, the new light bulb as promised: All the above, when applied to a practical situation, may become exponentially complex, to a degree and state where it would be better to attach the security ‘context’ (required and actual) as labels to the finest-grain elements one can define in the big, I mean BIG, mesh of physically/logically connected elements, at all abstraction levels. Sort-of data labeling, but then throughout the IoT infrastructure. Including this sort of IAM. So that one can do a virtual surveillance over all the elements, and inspect them with their attached status report. Ah, secondary risk/threat of that being compromised… Solutions may be around, like (public/private)2 encryption ensuring attribution/non-repudiation/integrity etc. Similar to but probably different from certification schemes. Not the audit-your-paper-reality type, those are not cert schemes but cert scams.
OK, that’s enough for now. Will return, with some more methodologically sound, systematic but also practical results. I hope. Your contributions of course, are very much welcomed too.
Tinkering with some research that came out recently, and sometime(s) earlier, I had the idea that qua fraud, or rather ‘Cyber’threat analysis (#ditchcyber!), some development of models was warranted, as the discourse is dispersing into desparately disparate ways.
The usual picture suspect:
[Odd shape; maybe off-putting as a defense mechanism ..!?]
First up, then, an extended version of the matrix I’ve been presenting lately, about offense/defense characteristics. Just to expose it; would want to hear your feedback indeed. (Next up: The same, filled in with What the attacker would want to get out of it, information-wise. After that: Strategy, tactics commonly deployed; rounding off with least-ineffective defense postures (?))
Hm, there was this meme about Death By Powerpoint. Now, the toned-down version, conviction (attempt) by PPT, has been found in the wild. As in this here article. Where the prosecutor was too dumb to not hide the culpose text behind the 24-images-per-second visibility screen. [Is that ‘stego’ ..?]
Incentives, incentives…
[Vic chic]
This day and age, one cannot be too careful with one’s digital traces. To the point where normal functioning in modern society is impacted. And then, that’s not enough. Your mere existence may cause trouble by you not being the only one recording your life. As in this here piece…
Which, apart from its many manifest errors of thought on the side of the wannabe good guys that by being absolute n00b sorcerer’s apprentices at best, has this nugget of inhumanity: “The RMV itself was unsympathetic, claiming that it was the accused individual’s “burden” to clear his or her name in the event of any mistakes, and arguing that the pros of protecting the public far outweighed the inconvenience to the wrongly targeted few”. Well, if you think that, you might as well join terrorists in the Middle East; they think the same and wouldn’t be allowed to be at all, in any functioning society.
Well, I’ll stop now before suggesting the ones doing such erroneous thinking should be locked up safely in some asylum of the old kind, and leave you with a calming:
![20141101_150551[1]](https://maverisk.files.wordpress.com/2014/11/20141101_1505511.jpg)
[On how life actually is]
Why did it take so long for this to surface ..?
As the <link> mentions, steganography in images is detectable and tools are around to help – how many of you already use them on a regular basis, in times when LOLcat pics are so abundant (hint(?)) – but wasn’t it too obvious that the Bad (?) Guys knew that, too, before you the pithy defenders?
So, why?
Either the tools are around but not widespread enough, or as <link> suggests, other means might work better. But the other means… are as cumbersome to deploy, continuously, costly, for the short run for the slightest of changes that anything would be leaked in such a sophisticated way whereas we’re nowhere really nowhere near similar near-water-tight deployment of tooling and methodology against much simpler leaking methods. Leaving you in blissful ignorance. ?
Leaving (sic) you with:
[Tarrega door. Shut closed.]
On state of the art innovation – at the lowly (!?) end of programming.
I mean, it’s not rocket science; it’s quite a bit harder to pull off. To produce something decent though that seems to have gone lost in these überagilescrum times of putting apps out before anyone has a clue what they’re intended for. What problem they’d have to solve, for a large enough audience to care. Yes, it seems that “If you’re satisfied with your product at launch, you’ve launched too late” is all the rage now. But to win over the world, over Fubbuck, to win over all the big organisations still out there (and will be there, for decades to come, and will still have the power i.e., money, to dwarf others’ interest when they put their mind(s) to it), one would need decency in the product, hence also in the coding.
But then, there’s this dark and shady epitome-of-big-org backed initiative called Pliny to help out. We’re interested. As it may, when it will deliver results, help towards better programming practices.
Would these three be worth it ..? Of course it will. They will raise low-level coding up quite a bit, upping the Lean And Mean Coding Machine sweatshops to greater productivity and hence, to quicker full-scale and mature products. And make all the app bungling less interesting, hopefully. Maybe even making all the stuff more secure. But that … waaay too much to ask for. (?)
To round off:
[Hi DARPA in your dark fortress!
Oh, not you, your supposedly-opponents-but-in-your-pocket Big G houses here]
Voor sigaren bepalen we het profiel aan de hand van de criteria Smaak, Balans, Body, Sterkte, Aroma en Finish.
Voor Smaak pakken we het aromawiel erbij. Let wel I; wat u proeft of verwacht, kan gedurende de diverse fasen van het roken nog variëren... En let wel II; er zijn ook aspecten die nog niet zozeer als aroma staan aangegeven in het wiel, we denken aan termen als (ja de sigarenwereld is langzamerhand, helaashelaas US-, Engels geworden) zesty, tangy, floral, en earthy, of soms zelfs metallic. Lijkende termen die een combi zouden kunnen zijn van diverse aromas en papillaire en olfactorische/nasale sensaties en -tactiele invloeden. Hierbij komen termen als 'complex' uiteraard ook bijgepakt, om in dit geval te beschrijven dat er vele aromas herkenbaar zijn. Rustig roken, dat is niet alleen beschaafder en allerlei sigarenrokeneffecten-versterkend maar biedt ook meer kans om aromas te onderscheiden.
Balans is voor de hand liggend; of de zoete, zure, zoute en bittere tonen (OK, en 'umami'...) in balans zijn. Ja, ook bij een sigaar – al zal het meestal gaan over de balans tussen 'creamy' en 'spicy' en gaat het meestal mis door te veel bitter of te veel spiciness.
Body gaat over de volheid, in dit geval vooral te bepalen aan de volheid, dikte, dichtheid van de rook. Die ook een gevoel geeft; 'light' is als een licht bier, 'full-bodied' is als een rechttoe-rechtaan whisky of cognac.
Overigens hoort bij Body ook textuur, 'leathery', 'meaty', 'silky', 'creamy', 'soft', 'succulent', 'woody', 'chalky', 'dry', 'oily' en 'spicy'. Die dus net niet hetzelfde zijn als de aroma-indicatoren uit het wiel; soms overlappend. Niet handig maar zo is het nu eenmaal.
Sterkte is een wat eenvoudiger maat voor het nicotinegehalte van de sigaar. De topbladeren van een tabaksplant heeft meer nicotine dan de lagere bladeren – me(n) dunkt dat de topbladeren zijn waar de plant verder wil groeien en dus betere bescherming nodig heeft van de nico; lager is het wat ouder en 'expendible' dus ga je daar als plant niet je nico op concentreren ..? Waar de sigaar van gemaakt is, heeft dus invloed. Kan je meestal niet kiezen, maar wel proeven. Rustig roken is ook hier handig; om een nico-klap/duizel te voorkomen bij het opstaan.
Aroma dan, vervolgens. Ook hier kan het aromawiel worden ingezet. Vreemd genoeg is het moeilijk de aromas te bepalen als we zelf roken; iemand anders' rook kunnen we beter analyseren. Of we blazen de rook door de neus uit ('retrohaleren'), dan hebben we wel de volle verfijning (ga ik vanuit, lezer!) van onze neus ter beschikking. Bedenk bij het 'benoemen' overigens dat we veel meer uit ons geheugen putten, qua eten en drinken!, dan we wellicht zelf(s) denken. Dus rare smaken herkennen is niet raar.
De Finish ten slotte is kort of lang, naargelang de aromas lang op de tong (sic) blijven hangen. Milde sigaren zijn nogal eens kort – hetgeen niks zegt over de complexiteit, overigens. Hierin zit ook de reden om een zwaar (sterkte)kanon na een milde te nemen, niet andersom.
Als het gaat over de champagnes en hun profielen, pakken we er de (echte en semi-)klassieke wijn-analyses bij die we allemaal wel kennen; onderscheidend in [Hier verder. In ieder geval https://www.wijnwinewein.nl/hoe-proef-je-wijn/ en aromawiel + zuurgraad/tannines/body(viscositeit/alcohol/tannines/smaakintensiteit/mondgevoel)/afdronk + Aanzet/Zuren/Zachtheid/Tannine/Body en alcohol/Afdronk/Smaken dus de aromas bijna-los van structurele criteria. Dan de smaken matchen met die van sigaren, of niet; Klosse's overlap/contrasten erbij halen en dan verder. En toespitsen op champagnes... pak het smaak-plaatje van het CIVC erbij!]
Dear reader; bij deze dus de waarschuwing dat u vanaf hier (?, inderdaad, echt niet alleen hier) serieus te lange zinnen tegenkomt.
Ach, daar ben ik me prima van bewust, mijn hele blog is immers ook een poging tot schrijfoefening in alle facetten. Sommige posts daar blinken uit door korte zinnen en ellipsis; ook deze pagina is opgesteld als tegenwicht. En ik vertrouw erop dat u dat gewoon doorlezend aankunt.
Als voorbeeld: Oplettende lezers zullen opmerken dat onderstaande waar het uitweidingen achter links naar andere pagina's betreft wellicht beter met behulp van OnMouseOver's, alt-tekstblokken of andere tags per pop-uppable item zou kunnen zijn geïmplementeerd maar ik heb het zo gekozen en ik kan best komma's toevoegen in deze zin maar ook dat heb ik achterwege gelaten zonder de leesbaarheid of de begrijpbaarheid in het gedrang te brengen.
Inderdaad, het ontwikkelde, ik schreef, een en ander vanuit een voortdurende, voortgaande research. Na zoeken in het wilde weg algemeen, navraag bij het Comité (iv) Champagne, een aanvullend zelfzoeken met Google Satellite én Street View zowel rond de officiële als in het algemeen, kwam ik tot de Lijst Van (uiteindelijk) 78. De en passant gevonden kaarten leidden tot enige aanvulling. Toen kwam ik Weinlagen.de tegen en tsja dan ben ik niet meer te houden qua sys-te-matisch alle streken én plaatsjes af! Hoewel, ... in onderstaande tabel heb ik maar niet meer voor ieder stuks de Street View erop losgelaten of onderstaand ingevuld. Terwijl ik er vanuit ga dat dit alles nog aanvulling kan krijgen ... Les Clos Inconnus zijn uiteraard zichzelf.
De gangen kwamen al zeer onregelmatig door, en met andere tafels die uitliepen en/of (weer) bijtrokken, tot zeer ver inhalen zelfs, tot gang 6 van de 7 tachtig (schrijve: 80) minuten op zich liet wachten, ondanks diverse malen navraag. Waarna het nauwelijks-opgewarmde pompoen met koude polenta bleek te zijn; "dat hoort zo" ammehoela. Nee, het niet-koude nagerecht erna hebben we niet gehaald; we zijn opgestaan en weggegaan. Die zien ons nooit meer, zeker omdat de bediening ook Zwak was (gangen aan verkeerde tafeltjes serveren want die waren al twee gangen verder), etc. En balsimaco-saus dus, 'et al.'...
Huh, da's écht voor de Insiders..? Inmiddels wel toegestaan als aanplant, maar nog zo'n drie tot tien jaar onderweg voor er de eerste re-de-lijke wijnen van kunnen worden gemaakt en dan is het nog maar afwachten. En dan had je Floreal, Artaban en Vidoc nog niet gezien. Die mogen (in de toekomst) ook... En dan is het Comité Champagne ook nog bezig met kruisingen van de Top 3, Arbane, Meslier, en Gouais. #feest