Hardcore, (Information) Security pieces

DSCN1599
[Meant as gateway, not closure]

Earlier, as in here, here and here, and other places apart from these, I floated the idea of redesigning the way we tackle the core of Information security. Unfortunately, I don’t have sufficient time (yet!) in lunch breaks to get it all together in one big white paper hence I’ll drop some elements here, again.

I’ll keep working on collecting loose ends, so when I find time, I can integrate it all, including your comments, of which I have received so much. Not so much. As one. Single. Comment.

Herewith, then, to start off, a picture I took from … somewhere, probably the ISACA site somewhere. I’ll work from this, structuring the story line from top to bottom, first how we do it now (kindergarten level, with the pretense, pomp and circumstance of high priests doing high art), next, how it should be done – qualitatively, vaguely, massaging off the rough edges and not being able to do much more except for the hardest cores of security (Remember the pyramid I presented? Read up via the above links).
COSO_2013_ISO_31000-english

Also, I’ll drill down a bit on the design of controls, according to the lines sketched earlier (yup, see links again) and using an augmented [By me; disclaimer [Huh? When it’s by me: Why …!?]: *value may not be included] anti-fraud matrix à la:
Anti-F 1
Which will have an advice that visually is something like this, of course:
Anti-F 2
which is very different from the usual “Uhhhh, dunno, do we have a Motivation or Rationalisation here, dude..? Can’t progress until we figure out.” i.e. is design and action oriented.
But then, this matrix will be overlaid (third dimension) on the SABSA matrix I guess. Though I’ll make it very clear that SABSA is all very well, but very much focused on the bottom layers of itself only, the bottom layers of the InfoSec pyramid I sketched. And, upwards, there’s much methodological confusion. In particular re its Information and Conceptual / Context / Wisdom definitions and placements.

And of course I’ll throw in a bit of ABAC referring to this.

OK. Time’s up!

Which means I welcome your comments. One may dream, right …?

A few bits of hope, a lot of redundancy

DSCN1926
[Perfectly doable, for a machine/computer, very soon. Barça harbour.]

Along flew a tweet on this insightful piece.

Providing some leftover bits of hope that there will be a humanity that can sustain itself, in various marginal ways. Glad that we don’t need to be drones (and other links) ‘anymore’… As long as we can outpace AI, which we may lose control over soon.

Exit homo sapiens sapiens. Entrat Singularity, artefactum sapiens sapiens sapiens.

No coin

Bank? Nopes!
[Bank towering over daily affairs? Nopes!]

OK, a final (?) note then on Bitcoin et al.
Because we haven’t discussed the non[?]-currency equivalents yet. Austrian Freigeld, Swiss (very successful, still very much operational) WIR and Dutch Noppes (nothingnadas), that sort of stuff. And now, there’s Qoin, working internationally. Because Noppes “… didn’t deliver the required result. By linking noppes to the guilder [now euro], there was no market efficiency. With noppes, the rich still got richer. A lawyer could hire a cleaner very cheaply, whilst people with little talent and a greater demand for care, were left out.” OK …

Why then, link up with the community currency Makkies (‘hendies’), where the unit of calculation is someone’s hour of performance regardless of any-currency going rate ..?

And why not drop all the stuff altogether, and move to the full digital currency schemes? [Suddenly realise how ominous that can read.]

But I may repeat myself from that post, and others.

Conclusion: Crisis makes creative; let so many ‘genetic’ variants spring up in ‘richer’ times (rich of need, in a surprising evolution theory plot twist), and all but a few be weeded out once the real pressure comes on. And we’ll end up in Singularity armageddon.

Contra?note ID is

This @meneer returned to an old snippet, on his blog. To which I have the following, apart from an earlier post:

  • People, if they are real people, visit your site to obtain services, indeed. But you want either moneda or some other nonpecuniary return. This may be kudos only, as in the naive sharing model, or some other form of not near- but far-money, e.g., client data for you to sell better or to sell outright. [Yeah, I know @meneer, you wouldn’t. Others have mortgages.]
    So it’s not that they don’t trust you for services, but you may need some form of trust (e.g., through pre-trust in their propensity to ‘pay’ through some reliable third party declaring their trustworthiness or all sorts of revenue from affiliation, however loosely defined).

Interlude; here’s a picture for your viewing delight:
DSCN4130
[Valencia, obviously, by the master, obviously]

  • Unreal ‘people’ will just troll. Actual hooman trolls, or the AI that keeps getting better (also at guessing captchas). You may want to not ‘service’ them with bandwidth, and/or with room to screw up, e.g., your site’s stats, its quality image (re illegible or defamatory comments) or its usability for others. You do need some way to assess the trustability level in advance, i.e., when the visitor comes to your site.
  • Your dislike for trust models is correct. But how did we get along on sneakernet ..? What is the closest proxy we can find, when in bits? Paying for bandwidth ..? All sorts of bonus/malus and whitelist/blacklist systems work only if not when all involved, all ‘citizens’, would fall under the same rule of unified law. I’m not negative, but don’t see a solution.

Trust is not a one-way affair (though ‘leaders’ of the real kind, trusted, may not trust all their followers individually…, etc.), but a cumbersome concept. Cumbersome implementations will follow.
Too bad! And even if we get the basic concepts extremely simple, they may not be implementable similarly. As in e.g. quantum physics et al.: Simple basics, but not simple or useful in its implementation throughout when you’re in the mundane world out there, e.g., at a good restaurant. [Disclaimer: I’m not a fan of molecular cooking; waaay too much chasing effects at the expense of natural cooking.]

No, I don’t have a definitive answer. Just wanted to add my 2c.

Bias Time (6 of 9)

DSCN0411
[Baroque ideas of yours]

Yes, it’s bias time again. The sixth of the series of biases that you, yes you, have. Even if you are aware of these, and even if you consciously try to correct for them to be, heh, ‘objective’, as in what e.g. auditors pursue, you will fail.

Formal fallacies

Formal fallacies are arguments that are fallacious due to an error in their form or technical structure. All formal fallacies are specific types of non sequiturs.

  • Appeal to Law: an argument which implies that legislation is a moral imperative.
  • Appeal to probability: assumes that because something could happen, it is inevitable that it will happen. This is the premise on which Murphy’s Law is based.
  • Argument from fallacy: assumes that if an argument for some conclusion is fallacious, then the conclusion is false.
  • Bare assertion fallacy: premise in an argument is assumed to be true purely because it says that it is true.
  • Base rate fallacy: using weak evidence to make a probability judgment without taking into account known empirical statistics about the probability.
  • Conjunction fallacy: assumption that an outcome simultaneously satisfying multiple conditions is more probable than an outcome satisfying a single one of them.

Correlative based fallacies

  • Denying the correlative: where attempts are made at introducing alternatives where there are none.
  • Suppressed correlative: where a correlative is redefined so that one alternative is made impossible.
  • Fallacy of necessity: a degree of unwarranted necessity is placed in the conclusion based on the necessity of one or more of its premises.
  • False dilemma (false dichotomy): where two alternative statements are held to be the only possible options, when in reality there are more.
  • If-by-whiskey: An argument that supports both sides of an issue by using terms that are selectively emotionally sensitive.
  • Ignoratio elenchi: An irrelevant conclusion or irrelevant thesis.
  • Is-ought problem: the inappropriate inference that because something is some way or other, so it ought to be that way.
  • Homunculus fallacy: where a “middle-man” is used for explanation, this usually leads to a regressive middle-man. Explanations without actually explaining the real nature of a function or a process. Instead, it explains the concept in terms of the concept itself, without first defining or explaining the original concept.
  • Masked man fallacy: the substitution of identical designators in a true statement can lead to a false one.
  • Naturalistic fallacy: a fallacy that claims that if something is natural, then it is good or right.
  • Nirvana fallacy: when solutions to problems are said not to be right because they are not perfect.
  • Negative proof fallacy: that, because a premise cannot be proven false, the premise must be true; or that, because a premise cannot be proven true, the premise must be false.
  • Package-deal fallacy: consists of assuming that things often grouped together by tradition or culture must always be grouped that way.
  • Red Herring: also called a “fallacy of relevance.” This occurs when the speaker is trying to distract the audience by arguing some new topic, or just generally going off topic with an argument.

Propositional fallacies

  • Affirming a disjunct: concluding that one disjunct must be false because the other disjunct is true; A or B; A; therefore not B.
  • Affirming the consequent: the antecedent in an indicative conditional is claimed to be true because the consequent is true; if A, then B; B, therefore A.
  • Denying the antecedent: the consequent in an indicative conditional is claimed to be false because the antecedent is false; if A, then B; not A, therefore not B.
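
As an added illustration (my own example, not part of the original post): the three propositional forms above can be checked mechanically by walking the truth table over A and B and looking for an assignment where all premises hold but the conclusion fails. The function names `valid` and `counterexamples` are introduced here for the example; the two valid forms (modus ponens, modus tollens) are included for contrast.

```python
from itertools import product

# A propositional form is a list of premises plus a conclusion; each is a
# function of the truth values (a, b) of the atomic propositions A and B.


def implies(p, q):
    """Material conditional: 'if p, then q' is false only when p is true and q is false."""
    return (not p) or q


def counterexamples(premises, conclusion):
    """Return every (A, B) assignment where all premises are true but the conclusion is false.
    A form is a valid inference exactly when this list is empty."""
    return [
        (a, b)
        for a, b in product([False, True], repeat=2)
        if all(premise(a, b) for premise in premises) and not conclusion(a, b)
    ]


def valid(premises, conclusion):
    """True iff no truth-value assignment makes the premises true and the conclusion false."""
    return not counterexamples(premises, conclusion)


# Valid forms, for comparison.
MODUS_PONENS = ([lambda a, b: implies(a, b), lambda a, b: a], lambda a, b: b)
MODUS_TOLLENS = ([lambda a, b: implies(a, b), lambda a, b: not b], lambda a, b: not a)

# The three fallacies from the list above.
AFFIRMING_A_DISJUNCT = ([lambda a, b: a or b, lambda a, b: a], lambda a, b: not b)
AFFIRMING_THE_CONSEQUENT = ([lambda a, b: implies(a, b), lambda a, b: b], lambda a, b: a)
DENYING_THE_ANTECEDENT = ([lambda a, b: implies(a, b), lambda a, b: not a], lambda a, b: not b)


if __name__ == "__main__":
    forms = {
        "modus ponens": MODUS_PONENS,
        "modus tollens": MODUS_TOLLENS,
        "affirming a disjunct": AFFIRMING_A_DISJUNCT,
        "affirming the consequent": AFFIRMING_THE_CONSEQUENT,
        "denying the antecedent": DENYING_THE_ANTECEDENT,
    }
    for name, (premises, conclusion) in forms.items():
        verdict = "valid" if valid(premises, conclusion) else "INVALID"
        print(f"{name:26s} {verdict:8s} counterexamples (A, B): {counterexamples(premises, conclusion)}")
```

Each fallacy has exactly one counterexample row in the table: for “if A then B; B; therefore A” it is A false, B true, which is the same row that sinks “if A then B; not A; therefore not B”; for “A or B; A; therefore not B” it is the row where both are true. That is the whole reason these are formal fallacies: the structure, not the content, admits a case where the premises are true and the conclusion is not.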

Quantificational fallacies

  • Existential fallacy: an argument has two universal premises and a particular conclusion, but the premises do not establish the truth of the conclusion.
  • Proof by example: where examples are offered as inductive proof for a universal proposition. (“This apple is red, therefore all apples are red.”)

Formal syllogistic fallacies

  • Affirmative conclusion from a negative premise: when a categorical syllogism has a positive conclusion, but at least one negative premise.
  • Fallacy of exclusive premises: a categorical syllogism that is invalid because both of its premises are negative.
  • Fallacy of four terms: a categorical syllogism has four terms.
  • Illicit major: a categorical syllogism that is invalid because its major term is undistributed in the major premise but distributed in the conclusion.
  • Fallacy of the undistributed middle: the middle term in a categorical syllogism is not distributed.

Also gone

Walk in the park; hot/not?
[Does one still do a walk in the park ..?]

And, yet another goner: Where’s the news about all new tablets, tablet sizes, and eBook readers …? Once there was a time when one would read about that every day.
Now, not so much. Isn’t there any movement in the market? Or is the focus too much on gear and other wearables crossing over into the IoT..?

Just wondering. Comment, please.

[2014 02 07 edited to add: some news.]

You’re a SCADIoT?

Strassbourg
[Just some side street of Strasbourg]
[Updated, ? added in title to make it less harsh]

A thought crossed my mind, as they do constantly: SCADA is over the hype hill already, qua setting information security as a requirement abstraction. Not yet onto enlightenment, implementation. But still, gefundenes Fressen. And methodologies are available, if one searches well and close enough.

For the Internet of Things (including domotics), not so much. Here, we see much more societal and philosophical discussions still going on, whilst the first traces of implementation, the earliest of early adoptions [that’s why they’re called ‘early adoptors‘, not ‘adaptors’ you fool; they’re actively adopting, not passively adapting like a micro-HDMI-to-VGA connector] are spreading. But security as in getting that implemented from the start, not so much.

Which would be OK if the first true piloting would await the results of the discussions, after which the implementations of the outcomes would still have to be done before roll-out. But no, the discussions are of no use now that Big Corp start pushing its ‘solutions’ quod non.

The more interesting thing is: Any wider-scale implementation will be a cross-over of SCADA and IoT, OR we give devices, robots, full control from the start; sorcerer’s apprentices when it comes to operating IRL.
In that space, we still stand very much empty-handed, don’t we, when it comes to methods to do methodologically sound work. Where (information/privacy/societal) security would be integral and important part of the ‘sound’.

Any thoughts, anyone ..?

[Edited to add: This link, with a discussion on the same (ex security)]

What the Dormouse Said

At Navy pier
[At Navy Pier]

After Glass, some somewhat older invention came back into the news among technorati.

Will we now see the age-old battle between computer-centric networking, and network-centric computing, like in What the Dormouse Said, being played out all over again in the visual info delivery space (literally, and figuratively ;-)?

Hope so. Paradigm battles are interesting.

Oh, and WtDS, I might turn into another Books by Quote, some day. Will have to re-read it (recommended) to pick out the quotes…

Edited to add: Just found a link worth sharing, regarding the above…

Inf(n)ographic

Your neighbour's design
[Ah, didn’t Rietveld design the dream next to your house (value plunge)? Who laughs last?]

It occurred to me that somewhere over the last couple of months, some infographics fatigue has come to the fore.
Not that we see that many fewer infographics – though they seem to have gone out of style, or out of the hype cycle – but they do seem to be, well, less infographic’sy. E.g., by just presenting a nice background to a couple of comparison tables and maybe still a pie chart or two.

But where’s the brille…!? The clever use of graphics seems to have devolved to something mundane, hardly helping the numbers to be understood (better).

Ah, the olden days, when the graphics augmented the clever though still objective selection of numbers in becoming really great information transfer …!

Or am I getting old, i.e., is all this ‘old’ by half a year already?

Wired / Tired / Expired, February 2014 edition

Riga, close-in
[Riga seems to be W class]

So, here’s the February edition of my Wired / Tired / Expired jargon watch overviews:

Each entry gives the WIRED / TIRED / EXPIRED trio, with my comment under each:

  • WIRED: Your own Jura
    (Since this blog is personal…)
  • TIRED: Babychino at Starbucks (and ~ shops) – or – Latte macchiato (tie)
    Too wannabe hipster
  • EXPIRED: Nespresso
    George is getting really old, too

  • WIRED: Mainstream
    Since, you know, it’s the hipsters’ derogatory phrase for anything non-hipster that you can spread around anywhere like a cat spraying.
  • TIRED: Hipster
    Is like (being) a lady: If you have to talk about it, you aren’t one.
  • EXPIRED: Hip, New, or whatever
    You were young in some past millennium, maybe.

  • WIRED: Fisker Karma
    Just look at it!
    Kar1
    but I’m holding out for
    Kar2
  • TIRED: Tesla S
    The sheer exclusivity of it drops just a little too much
  • EXPIRED: Prius
    Mehhh. Also, see this infographic

  • WIRED: Meanwhile…
    … anywhere where some give no […] as here and here or even here.
  • TIRED: Doge speak and starparodies
    Much nonsense. So annoy. Very copy.
  • EXPIRED: Rickrolling
    Only if done really right.

  • WIRED: Negging socmed
    The way to go; invite to be bought out, i.e. sell out.
  • TIRED: Competing socmed
    Harharhar, just give it a try. The new what, you are?
  • EXPIRED: Blue ocean (pretense) socmed
    Oh, and you think not everything has been invented yet?

  • WIRED: Business suits (with or without tie; as long as the shirt is classy in itself, not plain white no-iron (horror))
    Classy will always be classy, will NOT go out of style
  • TIRED: Too open shirts and thinny V-neck sweaters with no shirt under them
    Petty pauvre posturing, with your breast hair not having recovered from the previous fad stupidity
  • EXPIRED: Business shirts with no undershirt
    Ewww!

  • WIRED: Wearable tech (Glass, via Toq and Gear, to Google lenses)
    They’re just hot, still.
  • TIRED: Layar
    It’s getting embedded, but the idea of ambient intelligence will certainly integrate with the Wired equipment. That it’ll be invisible isn’t bad. Akamai is doing quite fine without anyone knowing…
  • EXPIRED: Hey, I have this new phablet and I’m too stupid to understand I’m a dork for showing off!
    Obnoxiousness sometimes is hard to ignore, though we’ll try very hard

  • WIRED: Gamification
    So Wired it’s not figured out yet how this will change businesses throughout.
  • TIRED: Risk-based control / security
    Mehhh, you cannot have progressed any further than the newspeak as no-one has, yet. And the idea is half-baked on many sides so may never work without much, (too) much compromise.
  • EXPIRED: Totalitarian SOx control
    Only interesting for drones very below the ‘intelligent’ robot level. Stupid’s Delight. See Compliabullies and many posts before and after that.

OK, any suggestions for next month’s edition ..?

Maverisk / Étoiles du Nord