Note (bank-, bankable); ICYMI

Hmmmmm… Who would be able to mine the easy pickings already, in the Bitcoin world ..? Who has sufficient resources, old-money wise and miners wise ..?

As the first ones through the gate may gain an insurmountable head start at the game of the future. Also, re this on the as yet ill-understood, hardly visible / overseeable spin-off world. DACs are just one part. When incumbent countries’ / nations’ and supra-governments find themselves competing not only with each other but also with anonymous societies existing virtually (non-geographically – though in the end, physical servers will have to be somewhere), will the latter be re-invented like wheels, with or without preventing the failures of history …?

Since it will be very interesting, sociologically, but still years away (I think…), this:
[Guess where. Netherlands]

Balloons, for joy and instruction

Anyone having an inkling of what the Second-Biggest G is about, knows about their conferences, about their ‘magic’ quadrants (despite the debunking of late; apparently one could pay oneself to the top right…), and about their infamous Hype cycle.

[What one needed to fight Siegfried King of the Netherlands of Xanten]
Bam, there’s your daily pic again, not unexpectedly I hope.

Well then. About hype cycles. You know them. And maybe have a laugh. Or not, and study them for the buzzwords you didn’t know yet.
But would you believe them; would you trust the predictions inherent in them? Probably not. And would you check on the predictions of years past ..? Probably not, also.

Turns out… Yours Truly was busy doing that, collecting data all the way back to 2008, and figuring out a way to graph the data. Which didn’t work too smoothly so I wanted to revert to first analyzing the data I had.
Turns out… Someone else already did the collection part, and the analysis part, too. As in this post; recommended reading.

After which I dropped it; no need to analyse. But to synthesize, there’s still a bit on the table:

  • Why do so many (and how many ;-|) still ‘believe’ the hype cycles, look into them, and cheer when their favourite hypes are listed, somewhat ‘faithfully’..? Probably because the visualization is so strong, capturing so much essence in one pic. And because apparently people need such guidance ..?
  • How come so many of the hypes mentioned, fall flat ..? Or is it a matter of a lot of buck shot in the air, hoping a duck may fly through it ..? Which may also not be a bad thing if this would be clearer, as a caveat. Oh; I already found part of the answer in this Tim Harford post. This one on maps, too.
  • Why can’t people pick up the hypes much faster, as there’s obvious business profit in many of them ..? In particular, when so many fall off the radar, one would expect vigilant companies to profit from such new developments falling off their competitors’ radars. Just find a way to make it all work, for which you could even take a couple of years in skunk works, and then reap the benefits. Oh … – the benefits of a first mover; which may be too little, too short-lived to recoup the ploughing-through-development investments. As first movers are so often outdone by second-and-(much-)improved movers.

And yet, still I feel there’s much more left on the table than one would need or certainly want to leave there. Once progress is identified, it had better be brought on as quickly as possible.
At the scale at which things are on the hype cycle. Because the ethical ramifications play at a bigger scale. Wouldn’t 2nd-biggest G be interested to make a cycle of those issues ..? Think self-driving cars, ubiquitous/ambient data collection & storage & analysis, Bitcoin-et-al’s subversion of geography-based governments. You name it. A lot to cover – maybe requiring much more research into what’s at play and how the discussions progress, but still, very much worthwhile I guess. Beyond the tech hype’lets that fall off the bandwagon so easily. Towards prediction proper of where society/ies is heading…

At least, you can have your PIA

Privacy Impact Assessments are treated much too much as an assumption in (new European regulations’) privacy-anything these days. Yes, PIAs are a critical step, on the very critical path towards compliance in substance. Since when they aren’t done well, if done at all with any true attention and intention, your compliance effort will fail, if not formally then in practice – with equally serious, break-your-business, high-probability risks.

First, this:
[Heaps upon Sea again indeed]

The point being; PIAs should be done with an actual interest in privacy (of stakeholders) protection. When done less than full-heartedly, the results have hardly any value. Because that would demonstrate one doesn’t understand the ethical imperatives of privacy protection in the first place. From which it would follow that all required (other) policies and measures would be half-hearted, ill-focused, and sloppily implemented ‘as well’. Which isn’t the stretch of reasoning you picked up on first reading this…

And then, a great many organisations don’t even start with PIAs, they just jump in at all angles and steps. With PIAs still being required, not full-heartedly carried out somewhere during or after the fact, where all the rest is implemented on assumptions that will not be met.

To which I would add: In the above, ‘you’ regards the ones in control (“governance”, to use that insult) at organisations that would have to be compliant. Not you the advisors/consultants, internally (in 2nd and 3rd LoDs) or externally, that push organisations. [Don’t! Just tell, record, and after the disaster ‘told you so’ them. There’s no use at all kicking this dead horse.]
But oh well, why am I writing this? Why am I hinting at ethics in your governance? That’s an oxymoron at your organization – do you claim to have the one or the other?

Feel free to contact if you’d like to remedy at least this part of your Privacy non-compliance…

Arms reversion (flipping); your call

Would anyone have the official name for a tactics switch leading to a collapse of an arms race ..?
I was triggered by this recent post about some gang(s) using low-tech but somewhat-sophisticated pencil-and-paper crypto instead of the highest-tech burner phones etc. (or did they also use those?). To which many commented that probably, the code should be (very) easily crackable even if all of the many safeguards were upheld.
(But also, dropping a physical USB stick at a (physical) watering hole (or desk, or handout point, or street corner pavement) also circumvents a great many fab network entry safeguards of the firewall kind, in particular when APT technology, stamina and dedication, and tailoring is involved.)

But then, what if the codes were good enough; time-based security can still work, and the adversaries (gov’t) weren’t overly capable in this, apparently. And one can also think back to what happened to the stealth fighter-bombers that suddenly turned out to be vulnerable to detection not by the highest-tech radars but by the decades-old low-frequency stuff that e.g. the ‘Soviets’ had stored one day behind the Ural.
Sort of an arms race that has gone to such did/did-not length that in the buildup, a sudden flip to old technique and old tactics / operations may undercut the sophistication of the other in an off-guard way. Maybe not allowable per arm wrestling rules, but arms races are a different ball game everywhere; no honour involved, weaseling allowed and winner takes all for the time being.

How would that be called..? Flipping? Reversion ..? I’m really interested. About your thoughts, too. E.g., how can one use this to improve security (‘pentesting’ yourself against such flips / reversions), on the Internet and elsewhere. Hope to hear!
I’ll leave you with:
[A fordable river, at Cordoba]

Wired / Tired / Expired, October 2014 edition

[Ah, what a pleasant fortress! Córdoba]

Yes here’s the October edition of my Wired / Tired / Expired jargon watch overviews, a mixed bag again:

Wired: Stealthy introductions. Let the products speak for themselves, let them grow organically around the globe, don’t try in vein (sic) to go viral or so. Be happy with moderate growth as it will be sustainable so much, much longer.
Tired: Gartner Hype Cycles. Don’t believe this hype … Will have a separate post on this in the near future.
Expired: Apple Product (Launch) Events. Nothing new; all hyped and epiphany only for the fast-shrinking few simpleton acolytes left…

Wired: Smart analysis integrated into regular audits. Like, let the process analysis take its place in the Understanding the Business part of any audit. No craze, just helpful in all sorts of directions (including early-on advisory work).
Tired: Process Analysis. For its own sake, no more. Not accepted, not acceptable anymore.
Expired: Big Data. Meh. If less than a yottabyte, not it. Tools in place, again the other 99.9999% of work to be done is human; which is not available in sufficiently intelligent, sufficiently large numbers. Hence, fails beyond the tiniest of anecdotal finds.

Wired: InfoSec groundswell / tsunami. No more top-down, just bottom-up, by guerrilla even if needed, but with a desperate need to improve by all (not granted) means and authorizations necessary. Doing, not waiting (not) to be allowed.
Tired: Hyping APTs, megaleaks. Oh my! The Sky Is Falling! No more. APTs are still around, yes, vastly more than ever before; megaleaks of the data breach kind and of the Snowden kind, ditto. But nobody listens anymore so why dwell on these?
Expired: RO(S)I, ISO, et al. Ah, the passé methods of yesteryears… Didn’t work. Didn’t fit with InfoSec, do still fit with corporate policy but who cares; if there’s no match, nothing will result. If you still try to match, also nothing (serious in InfoSec terms) will result.

Wired: 3rd Platform. Where the first was Mainframes, the second one Client/Server. Now //
Tired: Software Defined. Just a way to cement the bricks of your architecture. Well, there’s so much work in here if one’d want to do this right but few! the effort, I don’t want to think of this too much.
Expired: BYOD/CYOD. Done deal. BYOD; CYOD’s not going to fly (discussed earlier, somewhere on this site; use the search, Luke!).

Wired: Ello. Well, qua hype. Otherwise, very very maybe still
Tired: Snapchat. Nice ‘n quick, but has it gained enough traction ..?
Expired: Whatsapp. Even your old, 30+ relatives use it now. If (dinosaur) Then (expired).

Wired: Ideate. Being creative and coming up with new ideas, needed its separate buzzword. Well, maybe. Will age quickly I guess.
Tired: Empathy. Yes all companies still need it, but none have a clue.
Expired: UX. Here I was wondering what all these flimsy design-types had to do with Unix. Turns out, it’s user experience – above good design, but stumbling till you accidentally hit something good, isn’t It. Has never been. But is; expired.

Wired: Don’t care about illegal downloads. Just because your business model doesn’t depend on levying silly huge distribution costs.
Tired: Chase the most petty, pitiful of “illegal” downloaders only. You know, trying to wring millions out of the poor that otherwise would not buy scrap from you, while you know the damages are 99.999% into the lawyer’s pockets only.
Expired: Push a U2 album. Ah, the FAIL …! This deserves a (cultural) backlash flogging by the billions (yes) that weren’t interested…

Wired: Locally produced, biodynamic even but without the zeal. Yes one can eat/drink healthily but doesn’t need the fanaticism. Just somewhat less, quite a bit healthier produced (full supply chain including externalities), and varied.
Tired: Super foods. Quod non; as proven over and over again. After so many, many failed attempts, don’t numbly try again; you’ll fail for sure.
Expired: Don’t Care. Eating all the preservatives and sweeteners, too much of it all, just isn’t ‘permissible’ anymore.

Wired: Decently colourful. Yes even in Fall/Autumn, there’s many colours (not colors) that fit the season and are cheerful and bright.
Tired: Normcore bland. It already looks formless, has the colours to match: Why?
Expired: Grey all the way. Duh, that was last year’s one big great miss without purpose.

OK, any suggestions for next month’s edition ..?

Regulation Renegation Abomi nation

So, after privacy-enhancing regulations finally got some traction here and there – mentally, hardly in implementation yet – we’re getting the full bucketloads of bovine-produced fertilizer regarding adapted protection through ‘Data Use Regulation’.
Which already throws back actual regulation in intent and in the letter of it. But has many more nefarious consequences… As is in this article; couldn’t word it better.

We should be vigilant …

For now, I’ll leave you with this:
[A spectacle, Jerez]

IoTSec from IAM at entry to the end node

Now that you all are so busy implementing Internet of Things pilots everywhere, I mean at home like with this and this, but B2B everywhere as well (…!?) – or aren’t you doing it there too? – we may need to consider Security.
Yeah, Hans Teffer did a great piece on that (see here, in Dutch) and I blogged about that before [and many more links/posts…]. And, there’s quite some other issues with IoT. But the point here is – we haven’t thought of security before implementation.
And at the very few implementation’lets of IoT we see so far, security seems absent. Of course, you’d first want to make it work in the first place. But you’re not doing it right at the start, and you know that decisions made now (implicitly) will remain in the architecture for decades to come, in particular when today’s (almost) stand-alone implem’s become linked up into one giant uncontrolled, uncontrollable mesh.

Now, first, an intermission:
[At dawn]

So, ‘we’ all have been complaining about the security risks of IoT here and there and everywhere, in particular re the current risks of all sorts of industrial control being hooked up to the ‘net without anyone knowing or caring about proper sec.
And still then, we haven’t progressed beyond this Boy Crying Wolf position. Instead of moving to provide solutions. To begin with architecture ideas, the kind that we will need in order to branch out of the simpleton pilots.

On a walk, it struck me that one major part of any solution would be with Identification, Authentication (A1), and Authorisation (A2) – in particular at each and every end node in the network, the kinds you would want to reach to transit back to the Real, Physical world of Things and which are supposed to move ever closer to some form of smart dust… Whereas now, we usually have the I and A1 at the front door, and the A2 somewhere in the/a network, usually ‘near’ the end point (which also usually is a relatively compute-enabled ‘large’ thing like a server with data).
Clearly, with the IoT we’ll need something else. All end points may float around somewhere out there, uncontrolled, un-tied-down in the giant global mesh network architecture. We will be systemically unable to tie any A2 server to an end point or vice versa (smart dust, spread out, remember), and the I+A1 part will also be much, much less definable than it is today. But then, we’ll need much finer-grained access control at the end point, and much more flex at the (I+A1) entry point – or we leave it all free-for-all and only at the end point, the destination, check I+A1 (again). For this I+A1+A2 at the end point, we need to consider:

  • The end point(s) will very probably have very limited computing capacity; even with Moore et al., this will still lag the required resources in a big way – because any type of ‘attack(er)’ will have vastly more computing power available. Hence, things will need to be really, really simple at this point. We may need to consider global IoT mesh network segmentation, or other pervasive and comprehensively secure forms of I+A1 at entry points (how to guarantee complete coverage?) or throughout the mesh (how to ensure complete coverage without even the slightest possibility of evasion?).
  • Identities… ?? Where, how to manage the I’s and maintain the I+A1’s privacy, and transparency to the A2-owners ..?
  • How to arrange A2 at all those end points, including the ability to maintain those ..? The dust (or some coarser-grained proxy, whatever) is out there, and can’t easily be uploaded all with the latest A2 tables we’d want – or that is done by some broadcast flash approach, which is all too vulnerable to abuse once cracked.

But still, we need something of that kind. And transparency built in to that, too… To ensure No Backdoors and accountability in general, as these cute little hidden holes would be exploitable by all the bad guys (official, and not). By the way, #ditchcyber.
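One way to get A2 onto a compute-starved end node without shipping it A2 tables is to make the authorization decision travel with the request: the entry point (where I and A1 happen) mints a short, HMAC-bound capability that says which subject may do which actions on which node until when, and the node only needs its own per-node key, one HMAC and a few comparisons to enforce it. The sketch below is an added example of that pattern and is not the post’s own design nor anyone’s product; the master key, node ids, subject names, action names and the JSON claim layout are all constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed example key: in reality this lives only at the authorization
# authority (the I+A1 entry point), never on any end node.
MASTER_KEY = b"example-master-key-replace-me"


def node_key(node_id: str) -> bytes:
    """Per-node key derived from the master key: the authority keeps no A2
    table per node, and each node is provisioned once with just its own key."""
    return hmac.new(MASTER_KEY, b"node-key:" + node_id.encode(), hashlib.sha256).digest()


def _b64(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _unb64(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


def mint(node_id: str, subject: str, actions, not_after: int) -> bytes:
    """Authority side. The subject has already been identified and
    authenticated here; the A2 decision is embedded in the token and bound
    to the target node by the per-node key."""
    claims = {"n": node_id, "s": subject, "a": sorted(actions), "e": not_after}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(node_key(node_id), payload, hashlib.sha256).digest()
    return _b64(payload) + b"." + _b64(tag)


class EndNode:
    """The constrained thing at the edge: one key, one HMAC, no directory."""

    def __init__(self, node_id: str):
        self.node_id = node_id
        self._key = node_key(node_id)  # provisioned at manufacture/deployment

    def authorize(self, token: bytes, action: str, now: int) -> bool:
        try:
            payload_b64, tag_b64 = token.split(b".", 1)
            payload, tag = _unb64(payload_b64), _unb64(tag_b64)
        except (ValueError, binascii.Error):
            return False
        # Verify before parsing: a bad tag means forged, tampered, or minted
        # for another node (whose key differs), so nothing else is trusted.
        expected = hmac.new(self._key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False
        try:
            claims = json.loads(payload)
        except ValueError:
            return False
        if claims.get("n") != self.node_id:
            return False
        if now > claims.get("e", 0):
            return False  # expiry is the only "revocation" the node understands
        return action in claims.get("a", [])


def demo() -> dict:
    """Exercise the happy path and the failure modes; returns the outcomes."""
    tok = mint("valve-17", "tech-42", ["read", "open"], not_after=1_700_000_000)
    valve = EndNode("valve-17")
    # Tampered copy: same tag, but the claims now also grant "close".
    forged_claims = {"n": "valve-17", "s": "tech-42", "a": ["close", "open", "read"], "e": 1_700_000_000}
    forged = _b64(json.dumps(forged_claims, separators=(",", ":"), sort_keys=True).encode()) \
        + b"." + tok.split(b".", 1)[1]
    return {
        "in_scope": valve.authorize(tok, "open", now=1_699_999_000),
        "out_of_scope": valve.authorize(tok, "close", now=1_699_999_000),
        "expired": valve.authorize(tok, "open", now=1_700_000_001),
        "wrong_node": EndNode("valve-18").authorize(tok, "open", now=1_699_999_000),
        "tampered": valve.authorize(forged, "close", now=1_699_999_000),
        "garbage": valve.authorize(b"not-a-token", "open", now=1_699_999_000),
    }


if __name__ == "__main__":
    print(demo())
```

What this buys at the edge is exactly the shape the bullets ask for: the node does no identity lookup and holds no A2 table, and the authority can change who may do what simply by minting differently, without flashing anything to the dust. What it does not solve, and what a real design has to add, is clock at the end node (an expiry check needs a trustworthy `now`), replay within the validity window (a nonce or counter per node), and the provisioning and rotation of the per-node key, which is the one secret the whole scheme rests on.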

I’m aware there’s more problems than solutions in the above. But you should be aware of the risks of letting them remain unsolved. Your suggestions, please!

And, just so you know:

Maverisk / Étoiles du Nord