Coining an answer; Bit-passports

The answer to the final question (“… why the governments didn’t invent this sooner,” he says. “I came up with this over a weekend in my spare time, why didn’t they? …”) in this here very interesting piece, is easy: Enrollment Problem Plus Risk Management.

But still, the idea of using Bitcoin crypto style solutions to the ‘international’ passport problem is useful, and might work. In some way. Not this self-certification one. If you’re aware of how long PGP has been around, you should be aware of all the failures of any form of tribal-cred-branching-out IDs.
And, a great many governments may just not have a sufficiently pressing need for a new passport scheme. The risks of the current model are known and (again: apparently) manageable.

So I’ll leave you with:
[Image: Apologising calmly. And frequently.]

Your info – value

Wanted to post something on the value of information. Then, this came out a couple of weeks ago. By way of some sort of outside-in determinant of the value of (some) information… [Oh and this here, too, even more enlightening but for another discussion]

[Image: ‘Who Has Your Back’ (copyright/trademark) report header]
Which appears to be an updated but much shortened version of what I posted earlier. Players disappeared, or doesn’t anyone care anymore about the ones that dropped out ..?
Anyway.

Yes, I wasn’t done. Wanted to add something about information value within ‘regular’ organisations, i.e., not the ones whose only purpose is to live off ripping people off of their personal data for profit, with some collateral functionality to lure everyone in. How would such organisations value the information they thrive on, by looking inside rather than circling around the perimeter?
I could see that being established via two routes:

  • The indirect avenue, being the re-build costs: what it would cost to acquire the info from scratch. Advantage: it seems somewhat tractable. Drawback: much info would be missed out on, in particular the unstructured and intangibly stored. Employee experience …!?
  • The direct alley. Not too blind. But still, hard to go through safely. To take stock of all info, to locate it, tag it, among other things, with some form of revenue-increase value. Advantage: bottom-up, a lot of FTEs to profit from the Augean labour (Hercules’ fifth). Drawback: the same.

OK, moving on. Will come back to this, later.

Clustering the future

Was clustering my themes for the future of this blog. Came up with:
[Image: Future trend subjects. Sizes, colours, or text sizes not very reflective of the attention the various subjects will get]
Low-sophistication tool, eh? Never mind. Do mind, to comment on the various things that would need to be added. As yes, I know, I have left much out of the picture, for brevity. But I will want to hear whether I missed major things before I miss them in next year’s posts. Thank you!
And, for the latter,
[Image: Bah-t’yó! indeed]

Players, sides, too many – where’s the (over)view?

Apart from the #ditchcyber aspects, in the (sometimes somewhat sportsy, even) battle about control, or is it temporary one-upmanship, over the world’s communications, so many parties play a role, in such varying sizes, and operating for so many sides, sometimes multiple sides at the same time, sometimes without even knowing that, with the interactions playing at various topics and levels of abstraction and with varying scopes, time horizons, strategies and plans (quality), I could really do with some clarity. Some mapping, interactive or not.
Which all was triggered by this post on yet another singleton developer taking on, inactively!, some well-funded TLA.

Will have to dive into the detail of it all, but know that I’ll end up losing the helicopter view. How many similar developments are out there, known or not? What stages of development, of deployment, of maturity, of starting to crack and leak are they all ..? It’s a hard life, this keeping up thing.

Hence, you deserve:
[Image: As if moulded by a genetic algorithm, Porto]

At least, you can have your PIA

Privacy Impact Assessments are treated much too much as an assumption in (new European regulations’) privacy-anything these days. Yes, PIAs are a critical step, on the very critical path towards compliance in substance. Since when they aren’t done well, if done at all with any true attention and intention, your compliance effort will fail, if not formally then in practice – with equally serious break-your-business high-probability risks.

First, this:
[Image: Heaps upon Sea again indeed]

The point being: PIAs should be done with an actual interest in protecting the privacy of stakeholders. When done less than full-heartedly, the results have hardly any value, because that would demonstrate one doesn’t understand the ethical imperatives of privacy protection in the first place. From which it would follow that all required (other) policies and measures would be half-hearted, ill-focused, and sloppily implemented ‘as well’. Which isn’t the stretch of reasoning you picked up on first reading this…

And then, a great many organisations don’t even start with PIAs; they just jump in at all angles and steps. With PIAs still being required, they are carried out, not full-heartedly, somewhere during or after the fact, where all the rest has been implemented on assumptions that will not be met.

To which I would add: In the above, ‘you’ regards the ones in control (“governance”, to use that insult) at organisations that would have to be compliant. Not you the advisors/consultants, internally (in 2nd and 3rd LoDs) or externally, that push organisations. [Don’t! Just tell, record, and after the disaster ‘told you so’ them. There’s no use at all kicking this dead horse.]
But oh well, why am I writing this? Why am I hinting at ethics in your governance? That’s an oxymoron at your organization – do you claim to have the one or the other?

Feel free to contact if you’d like to remedy at least this part of your Privacy non-compliance…

Regulation Renegation Abomi nation

So, after privacy-enhancing regulations finally got some traction here and there – mentally, hardly in implementation yet – we’re getting the full bucketloads of bovine-produced fertilizer regarding adapted protection through ‘Data Use Regulation’.
Which already throws back actual regulation in intent and in the letter of it. But has many more nefarious consequences… As is in this article; couldn’t word it better.

We should be vigilant …

For now, I’ll leave you with this:
[Image: A spectacle, Jerez]

IoTSec from IAM at entry to the end node

Now that you all are so busy implementing Internet of Things pilots everywhere, I mean at home like with this and this, but B2B everywhere as well (…!?), or aren’t you doing it there too, we may need to consider Security.
Yeah, Hans Teffer did a great piece on that (see here, in Dutch) and I blogged about that before [and many more links/posts…]. And, there are quite some other issues with IoT. But the point here is – we haven’t thought of security before implementation.
And at the very few implementation’lets of IoT we see so far, security seems absent. Of course, you’d first want to make it work in the first place. But you’re not doing it right at the start, and you know that decisions made now (implicitly) will remain in the architecture for decades to come, in particular when today’s (almost) stand-alone implem’s become linked up into one giant uncontrolled, uncontrollable mesh.

Now, first, an intermission:
[Image: At dawn]

So, ‘we’ all have been complaining about the security risks of IoT here and there and everywhere, in particular re the current risks of all sorts of industrial control being hooked up to the ‘net without anyone knowing or caring about proper sec.
And still then, we haven’t progressed beyond this Boy Crying Wolf position. Instead of moving to provide solutions. To begin with architecture ideas, the kind that we will need in order to branch out of the simpleton pilots.

On a walk, it struck me that one major part of any solution would be with Identification, Authentication (A1), and Authorisation (A2) – in particular at each and every end node in the network, the kinds you would want to reach to transit back to the Real, Physical world of Things and which are supposed to move ever closer to some form of smart dust… Whereas now, we usually have the I and A1 at the front door, and the A2 somewhere in the/a network, usually ‘near’ the end point (which also, usually, is a relatively compute-enabled ‘large’ thing like a server with data).
Clearly, with the IoT we’ll need something else. All end points may float around somewhere out there, uncontrolled, un-tied-down in the giant global mesh network architecture. We will be systemically unable to tie any A2 server to an end point or vice versa (smart dust, spread out, remember), and the IA1 part will also be much, much less definable than it is today. So we’ll need much finer-grained access control at the end point, and much more flex at the (IA1) entry point – or we leave it all free-for-all and only at the end point, the destination, check IA1 (again). For this IA1A2 at the end point, we need to consider:

  • The end point(s) will very probably have very limited computing capacity; even with Moore et al., this will still lag required resource in a big way – because any type of ‘attack(er)’ will have vastly more computing power available. Hence, things will need to be really really simple at this point. We may need to consider global IoT mesh network segmentation or other pervasive and comprehensively secure forms of IA1 at entry points (how to guarantee complete coverage) or throughout the mesh (how to prevent complete coverage without even the slightest possibilities of evasion).
  • Identities… ?? Where, how to manage the I’s and maintain the I+A1’s privacy, and transparency to the A2-owners ..?
  • How to arrange A2 at all those end points, including the ability to maintain those ..? The dust (or some coarser-grained proxy, whatever) is out there, and can’t easily be uploaded all with the latest A2 tables we’d want – or that is done by some broadcast flash approach which is all too vulnerable for cracked use.

But still, we need something of that kind. And transparency built in to that, too… To ensure No Backdoors and accountability in general, as these cute little hidden holes would be exploitable by all the bad guys (official, and not). By the way, #ditchcyber.
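One concrete shape this “really really simple IA1A2 at the end point” could take, as an added example that is not from the original post: a capability token that carries the subject (I), an authorisation bitmask (A2) and an expiry, bound together by one HMAC so the end node can check authenticity (A1) with a single hash and a bit test, no A2 table to push out to the dust. The device key, action names and function names (`issue_token`, `check_token`, `token_subject`) are assumptions constructed for the example.

```python
# Added example, not code from the original post. Assumed setting: each end
# node holds one symmetric key provisioned at manufacture (DEVICE_KEY is a
# constructed sample), and an entry-point authority that knows that key
# issues short-lived capability tokens. All names here are hypothetical.
import hmac
import hashlib
import struct

DEVICE_KEY = b"constructed-sample-key-not-for-use"  # constructed sample only

# A2 policy as a bitmask: the whole "table" is one byte carried inside the
# token, so nothing has to be broadcast to the end nodes after deployment.
ACTIONS = {"read": 0x01, "actuate": 0x02, "update": 0x04}

SUBJECT_LEN = 8                      # I: who the token was issued to, fixed width
BODY_LEN = SUBJECT_LEN + 1 + 4       # subject | action mask | expiry (unix secs)
TAG_LEN = 16                         # truncated HMAC-SHA256 keeps the token small


def issue_token(key: bytes, subject: str, actions, expires_at: int) -> bytes:
    """Entry-point side: bind subject, allowed actions and expiry under one HMAC."""
    subj = subject.encode()
    if len(subj) > SUBJECT_LEN:
        raise ValueError("subject too long for the fixed-width field")
    mask = 0
    for action in actions:
        mask |= ACTIONS[action]
    body = subj.ljust(SUBJECT_LEN, b"\0") + bytes([mask]) + struct.pack(">I", expires_at)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def token_subject(token: bytes) -> str:
    """I: the identity the token names (only trustworthy after check_token passed)."""
    return token[:SUBJECT_LEN].rstrip(b"\0").decode()


def check_token(key: bytes, token: bytes, action: str, now: int) -> bool:
    """End-node side: one HMAC, one constant-time compare, one bit test.

    True only if the token is authentic (A1), not yet expired, and grants
    the requested action (A2). Anything malformed or tampered is refused.
    """
    if len(token) != BODY_LEN + TAG_LEN or action not in ACTIONS:
        return False
    body, tag = token[:BODY_LEN], token[BODY_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return False                                   # A1 failed: forged or altered
    mask = body[SUBJECT_LEN]
    expires_at = struct.unpack(">I", body[SUBJECT_LEN + 1:BODY_LEN])[0]
    if now >= expires_at:
        return False                                   # short lifetime bounds damage
    return bool(mask & ACTIONS[action])                # A2: is this action granted?


if __name__ == "__main__":
    tok = issue_token(DEVICE_KEY, "sens-07", ["read"], 1_700_000_000)
    print(token_subject(tok), check_token(DEVICE_KEY, tok, "read", 1_699_999_000))
```

The design choice worth noting against the list above: because the A2 decision rides inside an authenticated token, a node that is never reachable for table updates still enforces current policy, and the expiry field replaces the “broadcast flash” of fresh tables with a bounded window. What it does not solve is the key-provisioning (enrolment) problem, which is exactly the I-question the post leaves open.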

I’m aware there’s more problems than solutions in the above. But you should be aware of the risks of letting them remain unsolved. Your suggestions, please!

And, just so you know:

Not on our / I watch ..?

OK, so I wrote about the lack of API integration (yes, double) in IoT land. Which seems about to change. Now that this has come around. Tools in their early adopter stage, gotta love ’em. Next, the breakthrough.
Of IoT, too; but in what direction? Countries’ hardware infrastructures first, how deep down to B2C channels? The other way around, home channels all the way up? SocMed to wearables to life tracking blends? We’ll see. Maybe soon.

But for one thing: That geriatric-thinking pseudoreligion time-teller will not connect to the rest of the world. Sad (??). Will become the next one down. Hopefully.

For your viewing pleasure:
[Image: Heaps upon Sea, indeed]

Jargon Watch: Dorking

Google Dorking, to be more precise. Though some startup Internet company (you know, that has a ‘web site’) may want the adjective dropped.
[Maybe they’d better do a '); DROP TABLE STUDENTS; -- on themselves but that’s another matter entirely]
Which is exepelainifyed in this doc, and at this site (from where I took the doc, duh).

Okay, since it’s Friday afternoon, I’ll leave you with:

Maverisk / Étoiles du Nord