Being Creative with Trust in Identities

… seems impossible to get right. Since for sure, Identities that can be Trusted are so stable that all Creativity is impossible ..?

What does society-at-large want? If you think about the bandwidth above: Aristotle’s true middle..! But would you know where that is, in this? Would it be sufficiently on the Fixed side to be usable as a trustworthy Identity? Or would it be a matter of good-enough reliability, for the task at hand?
Possibly we should like Activity-Based Access Control to pair to this Task-Sufficient Identification ..?

A lot on this will have to be developed further, I’d say, but this could be the beginning of a beautiful friendship.
Plus (skewed ‘horizon’-ID intentional…):
[All the ID theft may not get you here…; Amsterdam]

Imminent enrichment through AI — of jobs ..?

Anyone else feel like the breakthrough of AI in all sorts of jobs (yes, most certainly not only the bohrrring repetitive-manual-labour kind — that may be one of the kinds that comes much later in the sequence, since it requires far more sophisticated physical/intellectual (yes) interactions than previously thought (by humans)) is imminent?

And anyone see that the horror of replacement of humans XOR your co-workers is to come only (a bit) later, when AI-driven systems have become good enough to replace you, completely — leaving the spoils of labour to the (intensive people-farming) factory owners ..?
With, in the shortish meantime, your job being ‘enhanced’ through AI, by the enrichment of having to deal less with the simple stuff and you having more time available to do the more Intelligent (parts of) your job. Possible, on conditions of:

  • Such more intelligent parts of your job existing; a great many a manager may find there is no such thing, or the room for manoeuvre isn’t there;
  • You being able, capable, of performing such more intelligent job parts; with the focus on reporting (send/receive; hardly ever anything more than the extremely-simpleton processing in between) probably your capabilities have shrivelled into unusability;
  • Time availability is what holds you back so far; extending on the previous condition, you may find yourself to actually – be honest now! – already have had that time available but used it for busywork, like, being a Manager or so. And/or, by loafing or do I repeat myself. Now that you may get time available for Intelligent stuff, you may not notice that;
  • You getting paid more, or at least the same; as it turns out that the enrichment-by-cutting-out-the-bottom-part, leads to a serious pay cut as your Overlords now see your function as much less time-consuming or bottom-line-feeding. Especially the latter may turn out to be an eye-opener…
  • You getting sufficient time to build a new job; the creeping replacement of You by AI-based systems might speed up significantly as the first rewards transpire — to the Owners again — and hence the cry [not tag; ed.] for More may intensify the efforts to replace you ever more, funded by … your increased utility if at all, or the increasing utility of the you-replacing AI at least.

Suffice to notice that a priori it will be very, very difficult to meet all these conditions, if even anyone would try (apart from you, but you’re too singleton in this to pull that off). So…

Oh well, there’s always:
[A different look at Casa de Musica; Proto]

Quote by Book: John’son

Network: Any thing reticulated or decussated, at equal distances, with interstices between the intersections.
Dr. Samuel Johnson, Dictionary

No kidding. Only script kiddies of the worst kind don’t seem to get that. Though it has been around since 1755, as a definition that is. How prescient.

And:
[Mash; London (already some years ago, yes)]

Meta / Attrib-ShareAlike- … Commercial

For the following, one would best resort to …
Who are we kidding; are there still believers out there, apart from the truly stupid-to-beyond-dysfunctionality-capacity defenders, that metadata is something less bad than just privacy-sensitive data points outright? Well, <spoiler> it’s the other way around, as is exemplified in this here piece. From which I’ve blatantly copied:

  • They know you rang a phone sex line at 2:24 am and spoke for 18 minutes. But they don’t know what you talked about.
  • They know you called the suicide prevention hotline from the Golden Gate Bridge. But the topic of the call remains a secret.
  • They know you got an email from an HIV testing service, then called your doctor, then visited an HIV support group website in the same hour. But they don’t know what was in the email or what you talked about on the phone.
  • They know you received an email from a digital rights activist group with the subject line “52 hours left to stop SOPA” and then called your elected representative immediately after. But the content of those communications remains safe from government intrusion.
  • They know you called a gynecologist, spoke for a half hour, and then searched online for the local abortion clinic’s number later that day. But nobody knows what you spoke about.

So blatantly I might as well add:

But then the Non element in there warps things. Nevertheless, I’ll use the example in my upcoming pres.
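As an added illustration, not the author’s code nor anything from the piece quoted above: constructed metadata records modelled on the bullets (when, which channel, which peer; no content field at all), and two ways of handling them. Linking contacts that fall within the same hour reconstructs the story the bullets tell; retaining only per-day counts per channel, as a minimised format, does not. All names and timestamps are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample metadata: no content, only when / what channel / which peer.
RECORDS = [
    ("2017-03-01 14:02", "email", "hiv-testing-service"),
    ("2017-03-01 14:20", "call", "doctor"),
    ("2017-03-01 14:45", "web", "hiv-support-group"),
    ("2017-03-02 02:24", "call", "phone-sex-line"),
    ("2017-03-03 09:10", "call", "plumber"),
]


def _parse(rec):
    ts, kind, peer = rec
    return datetime.strptime(ts, "%Y-%m-%d %H:%M"), kind, peer


def chains(records, window=timedelta(hours=1)):
    """Metadata-only view: link consecutive contacts that fall within `window`
    of each other. Returns the peer sequence of every chain longer than one
    contact; these sequences are the 'story' content-free metadata still tells."""
    parsed = sorted(_parse(r) for r in records)
    out, current = [], []
    for ts, kind, peer in parsed:
        if current and ts - current[-1][0] > window:
            if len(current) > 1:
                out.append([p for _, _, p in current])
            current = []
        current.append((ts, kind, peer))
    if len(current) > 1:
        out.append([p for _, _, p in current])
    return out


def daily_counts(records):
    """Minimised retention format: per-day counts per channel. Peers and
    minute-level timestamps are gone, so neither sequence nor contacts can
    be recovered from what is kept."""
    return dict(Counter((ts.date().isoformat(), kind)
                        for ts, kind, _ in map(_parse, records)))


if __name__ == "__main__":
    print("metadata-only chains:", chains(RECORDS))
    print("minimised view:", daily_counts(RECORDS))
```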

And I’ll leave you for now with:
[Full of info, too, innocuous that ain’t, but no invasion on you; Prague]

Forever on Page 50

With all the talk about whatever ends up on the Internet, will be around to be found forever, there’s a couple of things:
  • It may be on the Internet still, however erased according to the Right to be Forgotten, but that doesn’t mean it can be found. When you’ve taken care to not re-raise attention too much, your shame-news will be on search results page 50+ and nobody will ever go there;
  • But then, if someone took care to actually download the items to some off-line storage, you’re doomed indeed. Yes I too have a lot of electronic files from 1-1-1980, a slew of them actually from around that time. Barely readable qua format but of course easily upgradable, script-wise.
  • Bots may be deployed, to compromise any site or so that has your want-disappearable info; may not be legal in all cases (could be, when an offline court ordered it to be Forgotten…) but when the attention dies down, so few will want to restore your info once outdated. Society-beneficial to deploy ransomware on xyz-old site/db data ..?
  • Oh and the title certainly refers to your reading of Sloterdijk’s Spheres Part III as well, probably. Have passed that point handsomely, but with considerable effort. Applies to Musil’s Man Without Qualities Part III (Vol. II) also.

But then:
[A Cordoníu — note the accent! — may ‘save’ your sanity by unsaving your memory]

Tragic users

Isn’t it a tragedy that those that would most need full but fully inconspicuous, unnoticeable security on socmed et al., are the ones that care the least?

This, both in careful scouring of legalese and practical settings, tools, and what have we, and qua effort to keep messaging (Email dies out hard, doesn’t it ..? Or doesn’t it due to very valid reasons..?) secure and data private ..?
On the other hand / end, not all ‘professionals’ practice what they preach to the hilt… And may do too little.
Flip side of “There exists no 100% security”: If you do only a little less, the huge costs aren’t worth it whereas if you do quite a bit less, you’re much more efficient. Hence, even reasoning from the other side, maximum security will leave gaping holes you (sic) will get caught in.

So, all are in an inverse Catch-22 of sorts… [there should be a name for that; suggestions?]

And:
[The one that checked water temp, wasn’t the one to go swimming…; Cyprus]

From bike design to security design

You recall my posts from a couple of days ago (various), and here, and have studied the underlying Dutch Granny Bike Theory (as here), while not being put off by the lack (?) of design when taking a concrete view here.
You may also recall discussions, forever returning as long as security (control) design existed even when not (yet) as a separate subject, that users’ Desire Paths (exepelainifyed here) would inevitably be catered for, or one would find continual resistance until failure — with opposition from the Yes But Users Should Be Made Aware Of Sensitivity Of Their Dealing With Commensurate (Linearly Appropriate) Security Hindrance side; things are hard for a reason and one should make things as simple as possible but not simpler. [Yeah, I know that’s a reformulation of Ockham’s Razor for simpletons outside of science, having dropped the scientific precision of O and of application to science where it’s valid; and the second part is often lost by and on the most simpletons of all, short of politicians, which are in a league of their own.]

I feel there may be a world a.k.a. whole field of science, to be developed (sic) regarding this. Or at least, let’s drop the pretension of simpleness of cost/benefit calculations that are a long way on the very, very wrong side of but not simpler.
Anyone have pointers to some applicable science in this field?

Oh, and:
[Applicable to security design: “You understand it when you get it” © Johan Cruyff; Toronto]

4Q for quality assurance

To go beyond the usual, downtrodden ‘quality in assurance’ epitome of dullness, herewith something worth considering.
Which is about the assessment of controls, to establish their quality (‘qualifications’) on four, subsequent, characteristics [taking some liberties, and applying interpretation and stretching]:

  • Design. The usual suspect here. About how the control, or rather set of them, should be able to function as a self-righting ship. Point being, that you should+ (must?) evaluate the proposed / implemented set of controls to see whether self-righting mechanisms have been built in, with hopefully graceful degradation when not (maintained) implemented correctly and fully — which should be visible in the design or else. Or, you’re relying on a pipe dream.
  • Installation. Similar to implementation-the-old-way, having the CD in hand and loading / mounting it onto or into a ‘system’.
  • Operational. Specifies the conditions within which the control(s) is expected to operate, the procedural stuff ‘around’ the control.
  • Performance. Both in terms of defining the measuring sticks, and the actual metrics on performance attached to the control(s). Here, the elements of (to be established) sufficiency of monitoring and maintenance also come ’round the corner.

Note; where there’s ‘control(s)’ I consider it obvious, going without saying (hence me here now writing instead of that), that all of the discussed applies to singleton controls as well as sets of controls grouped towards achieving some (level of) control objective. All too often, the very hierarchy of controls is overlooked or at best misconstrued to refer to organisational / procedural / technical sorts of divisions whereas my view here is towards the completely ad hoc qua hierarchy or so.
Note; I have taken some liberty in all of this. The Original piece centered around hardware / software, hence the Installation part so explicitly. But, on the whole, things shouldn’t be different for any type of control or would they in which case you miss the point.

And, the above shouldn’t just be done at risk assessment time, in this case seen as the risk assessment time when one establishes the efficacy, effectiveness of current controls, to establish gross to net, inherent to residual risks, on all one can identify in the audit universe, risk universe, at various levels of detail. On the contrary, auditors in particular should at the head of any audit, do the above evaluation within the scope of the audit, and establish the four qualities. Indeed focusing on Maturity, Competence, and Testing to establish that — though maybe Competence (not only the competence of the administrator carrying out the control, but far more importantly, the competence of the control to keep the risk in check) is something just that bit more crucial in the Design phase, with Maturity slightly outweighing the others in Installation and Operational, and Testing of course focusing on the Operational and Performance sides of things.

Intermission: The Dutch have the SIVA method for criteria design — which may have some bearing on the structure of controls along the above.

Now, after possibly having gotten into a jumble of elements above, a closing remark would be: Wouldn’t it be possible to build better, more focused and stakeholder-aligned, assurance standards of the ISAE3402 kind ..? Where Type I and II mix up the above but clients may need only … well, hopefully, only the full picture.
But the Dutch (them again) can at once improve their hazy, inconsistent interpretation of Design, Existence, and Effectiveness of control(s).
With Design often, mistaken very much yes but still, meaning whether there’s some design / overall structure of the control set, some top-down detailing structure and a bit of consistency but with the self-righting part being left to the overall blunder-application of PDCA throughout…;
Existence being the actual control having been written out, or more rarely whether the control is found in place when the auditor comes ’round;
Effectiveness… — hard to believe but still almost always clenched-teeth confirmed — being ‘repeatedly established to Exist’ e.g., at surprise revisits. Complaints that Effectiveness is utterly determined by Design, fall on stone deaf ears and overshouting of the mortal impostor syndrome fears.

Back to the subject: Can four separate opinions be generated on the above four qualities ..? Would some stakeholder benefit, and in what way? Should an audit be halted when at some stage of the four, the audit opinion is less than very Satisfactory — i.e., when things go downhill when moving from ideals and plans to nitty practice — or should the scope of the audit be adapted, narrowed down on the fly so the end opinion of In Control applies only to the subset of scope where such an opinion is justified?
But a lot needs to be figured out still. E.g., suppose (really? the following is hard fact at oh so many occasions) change management is so-so or leaky at best; would it be useful to still look at systems integrity?

Help, much? Plus:
[An optimal mix of complexity with clarity; Valencia]

One extra for Two AI tipping point(er)s

To add, to the post below of a month ago.
This here piece, on how AI software is now writing (better) AI software. Still in its infancy, but if you recall the Singularity praise (terroristic future), you see how fast this can get out of hand. Do you?

The old bits:

You may have misread that title.

It’s about tips, being pointers, two to papers that give such a nice overview of the year ahead in AI-and-ethics (mostly) research. Like, this and this. With, of course, subsequent linkage to many other useful stuff that you’d almost miss even if you’d pay attention.

Beware of quite a number of follow-up posts, that will delve into all sorts of issues listed in the papers, and will quiz or puzzle you depending on whether you did pay attention or not. OK, you’ll be puzzled, right?

And:
[Self-learned AI question could be: “Why?” but to be honest and demonstrating some issues, that’s completely beside the point; Toronto]

You Don’t Call The Shots

I.E., You Are Not In Control !

This, as a consequence of the ‘In Control’ definition. Where the controlling and ‘steering’ (what Steering Committees are about, if properly functioning … ) are the same.
But as explained previously, such steering doesn’t happen (is impossible) already in a Mediocristan world with its complexity, let alone the mix-in (to say the least) with Extremistan that you’ll find everywhere and certainly in your business.

NO, you can risk-manage your business to the hilt, or even make it extremely brittle, antiresilient by totalitarian bureaucracy that leaves no human breathing space but switches to full 100% bot-run enterprise, DAO-style ops (hence will fail with complete certainty when interacting with humans like, e.g., your clients),
because complete risk-managed stuff still weighs costs so is imperfect or isn’t…
And of the imperfection of fully-reactive quod non-‘security’, see the above and many of my previous posts…

So either way, things will happen that you didn’t order. Estimates run from 50-50 (where you have zero clue about which 50 you do control) to 90%, 95%, 99% not-your-call shots. The latter category since your brain is not wired [link: huh] to deal with more than 10% ‘free will’ and the rest is, as scientifically determined, reactive to the environment however clever and deep-minded you think yourself to be (the more the latter, the less you are … If you have to say you are wise, you aren’t). Which makes the majority of what happens to you and your organisation accidental and from the outside. Which is by the very definition not you being ‘in control’.

Despite all the ‘GRC’ liars that should be called out for that quality.

[Edited after scheduling, to add: In this here piece, there are very, very useful pointers to break away from the dismal Type I and II In Control (quod non) Statements of all shades. Should be studied, and seen to refer back to the foundations of auditing ..!]

Oh, and:
[Designed to belittle humans — failing since they’re still there…; DC]

Maverisk / Étoiles du Nord