Applicable to business – Page 10 – Maverisk / Étoiles du Nord

Authentic means work, you see?

Recalling the recent spat about passwords again (and elsewhere), and some intriguing, recent but also not so recent news (you get it when you study it), it seems only fair to the uninitiated to clarify some bits:
Authentication goes by something you know, something you have or something you are. Password(s), tokens or biometrics, in short. All three have their drawbacks.

But that’s not the point. The point is that authentication is about making the authentication unspoofable by anyone but the designated ~~driver~~ owner.
That is why you shouldn’t dole out your passwords (see the above first link) e.g., by writing them on a post-it™ whereas writing a full long passphrase on just one slip of paper that you keep to yourself more zealously than your money, will work.
That is why tokens shouldn’t be stolen. Which you might not discover until it’s too late; and tokens have a tendency to be physical stuff that can be replayed, copied, etc. just like a too-short password. Maybe not as simply, but nevertheless.
Same with biometrics. When made simple enough for the generic user (fingerprints, ever so smudgy!) also easily copyable, off a lot of surfaces. Other biometrics, maybe more secure i.e. harder to copy but not impossible. And opening possibilities for hijacks et al., focus on breaking into the systems in the login/authentication chain, et al.
Which brings attention to yet more vulnerabilities of Have and Are: Both need quite a lot of additional equipment, comms, subsystems, to operate and work from the physical to the logical (back) to the IS/IT levels. Weakest-link chains they are ..!

So, the strength of authentication covaries with the non-leakability of the key, since both correlate to the source determinant in-one-hand-ity close to the actual person whose identification-as-provided (by that person, or by anyone else posturing) needs to be authenticated. By which I mean that ensuring one item of authentication, closely glued to the person and with the simplest, least-link connection chain to the goal system(s), is best. The latter, clearly, is the written-down-verylongpassword method.

Just think about it. And:
[They’re called locks. Discuss (10pts); Ottawa]

All fine, for whom?

Just to be clear: Where do all the fines that will rain like hail from heck once GDPR comes into force, go to ..? Yes the supervisory authority may levy the fines, but it isn’t clear to whom the payment should go. Certainly leading to huge differences in compliance chasing: When the auth may keep them for themselves, they’re a. richer than the king since b. sure to penalise each and every futile infringement to the max; when the money goes to government’s coffers, that chasing not so much because who’d care?
You don’t believe me, right? Just wait and see. And weep.

Plus:
[Where the coffers are kept ..? Segovia]

Golden Oldie Pic of the Day

Yup, once again: For your viewing pleasure. And consideration, over the weekend:
[That one edit that makes your work from stupidifyingly boring to a best-seller]

Progress, friends, is here. Only, not everywhere. Yet. Say ‘No’ till then?

You know that the bright new future is here, when amid the torrent (figuratively referring to the physical phenomenon, nothing to do with the on-line tool(s)) of fake news, this still makes it into a headline: ATMs now to begin to start being rolled out with Win10 ‘support’. To be completed per 2020, when support for Win7 stops. Right. 2020; probably not referring to the eyesight of the ones planning this, not being personally accountable and duly informed of the risks.

Because otherwise, wouldn’t it be smarter to come up with a clever idea to do the roll-out within a month, to prevent just about anyone to take ATM security — or is it a signpost for overall infosec’s position — seriously, as seriously as it should ..?

It’s time there comes an agency, Nationwide, worldwide, that has the authority to say NO!!! to all ill-advised (IT- which is the same these days) projects. Infosec professionals tried to ditch the Dr. No image, but it turns out, it’s needed more than ever to prevent the Stupid (Ortega y Gasset’s Masses I guess) from endangering all of us or at least squandering the billions (yes) that could have been applied against world poverty etc.etc.

Oh, and:
[The UBO ‘humanity’ seems to be lost, here; Zuid-As Ams]

Yesterday, same thing.

This is sort-of the same as yesterday’s post, put into practice, when your AGA now not only remotely slow-cooks but slow-betrays you. Slowly either does not at all or over-burns your carefully prepped meat. So the wretched short-lived lambkin died for nothing.
Would anyone know of any device out there that is duly protected against this sort of thing? Or whether (not or not) this is a generic weakness: Access from the outside, offers access from the outside to anyone, to rattle the door. And some, through persistance or imme force applied, will find the door opens. Your convenience, theirs too. Same, with ‘connected’ toys. Yes they are…

Oh, and:
[May superficially look like an AGA but isn’t, not even a hacked architecture studio’s design, just purposeful – and beautiful – museum design in Toronto]

Full cite of important stuff

This being a complete citation of important stuff, on various subjects in one – meaning, that the brillantly brief once more applies to various trades and aspects, for your information:
With the sound off or on?
If you watch a well-directed film with the sound turned off, you’ll get a lot out of it. On the other hand, it takes practice to read a screenplay and truly understand it.
It’s worth remembering that we lived in tribes for millennia, long before we learned how to speak. Emotional connection is our default. We only added words and symbolic logic much later.
There are a few places where all that matters is the words. Where the force of logic is sufficient to change the moment.
The rest of the time, which is almost all the time, the real issues are trust, status, culture, pheromones, peer pressure, urgency and the energy in the room.
It probably pays to know which kind of discussion you’re having.

By Seth Godin, as you may have derived from the style and profundity. (As per here, which is literally the same text – told you so – but also add the Head to your daily reading list! [Noticed that Head thing, intended to refer to a List structure, is a pun when you see the image to click on his blog…].)

Which all relates to a. Privacy [yes it does, just think it through] and b. your IAM ideas, ever in renewal since … decades; plus c. the ‘GRC’ eager beavers — that at last are pushed back, softly and hardly noticably, by counterforces-undetermined that want their space to innovate back. And d. <fill in yourself and colour the pictures>.

Oh, and:
[Marketing -, or was it Design, Department at some Toronto institute]

Crippling ‘synergy’

As of late, we haven’t seen too much news about failed mergers, have we or was it buried under seemingly more interesting industries’ development news ..? Like, the latter-day’s Seven Sisters on the ‘Net driving all M&A activity by grazing the startup pastures bare?
Actually, there are a couple of interdependent developments, it seems:

Classic mergers and take-overs (and divestments) seem to become more rare, as the importance of classical industry (primary-to-tertiary, maybe -quarternary) has diminished, in favour of, let’s say, quintary pure-information based industry/industries. I.e., beyond mere ‘service sector’ services but data-oriented everything. Hence, it’s IPOs to behemoths taking over microcompanies not mergers of (relatively) equals.
Classic mergers failed so pervasively in resulting net positive ROIs that no-one wants to deal with hem anymore. Including a development like this.
[Not all lessons learned, apparently; otherwise, these would be shared quickly and the M&A business would rebound — see (among) the following: ]
The new take-overs are of the obliterate-or-fleece kind; the heap of gold just being too big to resist after which the target is plucked bare for the few nuggets of worth in there, if any, then made disappear as technology integration overrides anything qua ideas that was of any value.
This pointing to where previous industries’ M&As failed, every time again [at least, often also for other factors of incidental and less interesting character]: Not accounting for IT. Would love to see the research that proves that the upswing of IT in business life negatively highly-correlates with merger failures.
Because the focus has been so much, longer-term, on ‘synergy’ — that always was in support fucntions that had to be shrunk, one plus one makes one plus less than half, or so. But this never worked, as the ‘keep as of old until integrated’ was executed so lacklusterly, Always leaving too many traces of old even when clean-slate renewal was attempted multiple times.
This in turn, because IT grew so much in prominence in business execution and administration — but wasn’t recognised as such; always relegated to the lowest of basement departments, that in the end the ‘integration’ [hardly ever to any measure of success off zero, almost always not associatiable with the term ‘success’ rather] of separate IT systems costs tons and resulted in … more costs, permanently, for not only the near term but -ever.
And, as above, this lesson haven’t been learned. As shown in this: Brexit woes…

From which the questions arise:

Why haven’t we all (in particular, auditors of all shades that should have been the ones to have learned and warned) learned and warned that IT integration was so crucial, both in due diligence / cost estimations and in failure rates?
What is the content of the learned [not]; how to get good IT integration cost estimates, and what are successful methodologies for IT quality assessments ex ante and ex post?
Do we only learn from history that we don’t learn from history? This because two bullets don’t look right but three do.

OK, enough to consider and ponder; I want your pointers to definitive solutions in return for:
[Now there’s the resulting Simple view; Baltimore]

Behaviour is key to security — but what if it’s perfect?

When the latest news on information security points in the direction, away from reliance on technical stuff, of the humans that you still can’t get rid of (yet!), all are aboard the ‘Awareness is just the first step, you’ll need to change the actual behaviour of users‘ train. Or should be, should have been, already for a number of years.
In Case You Missed It, the Technology side of information security has so far always gobbled up the majority of your respective budgets, with all of the secondary costs to that, buried in General Expenses. And the effectivity of the spend … has been great! Not that your organisation is anywhere near as secure as it could reasonably have been, but at least the majority of attackers rightly focus not on technology (anymore – though still a major headache) but on the feckle user discipline. Oh how dumb and incompetent these users are; there will always be some d.face that falls for some social engineering scam. Sometimes an extremely clever one, when focusing at generic end users deep down in your organisation, sometimes a ridiculously simple and straightforward one when targeting your upper management – zero sophistication needed, there.

The point is, there will always be some d.face that makes an honest mistake. If you don’t want that, you’ll have to get rid of all humans and then end up overlording robots (in the AI sense, not their superfluous physical representation) that will fail because those underling users of old held all the flexibility of your organisation to external pressures and innovation challenges.
Which means you’re stuck with those no-good [i.e., good for each and every penny of your atrocious bonus payments] humans for a while.

Better train them to never ever deviate from standard procedures, right?
Wrong.
Since this: Though the title may look skewed and it is, there’s much value in the easy step underpinning the argument; indeed repetitive work makes users’ innate flexibility explode in uncontrolled directions.
So, the more you coax users into compliance, the worse the deviations will get. As elucidated, e.g., here [if you care to study after the pic; study you’ll need to make something of the dense prose; ed.].

So, here too your information security efforts may go only so far; you must train your users forever, but not too much or they’ll just noncomply in possibly worse directions.

Oh well:
[Yeah, Amsterdam; you know where exactly this depicts your efforts – don’t complai about pic quality when it was taken through a tram’s window…]

The Sixties, rehashed ..?

Quo vadis; society ..? This now has an answer: We’ll have a rehash of the 19-30s and -60s (/-70s) in one.
When the 1%ers slash Military-Industrial Complex slash totalitarians claim to want unfettered market economies for all even when they pursue an absolute, complete Big Government / monopoly society, even pushing IoT for the purpose of providing Big Brother with total surveillance capabilities under the guise of ‘citizen’-supporting ambient intelligence Oxford, and pushing VR as a tool for mind control (sucking everyone (?) into the blue pill illusions of the Matrix),
And on the opposite end we have a continued strive for the Commons-Arcadia of small businesses (not much beyond mom-and-pop freelance gigs) everywhere on a level playing (sic) field where Experiencing Nature in te Great Outdoors (soon trampled by the masses, and not too wild and Unknown), with IoT as tool for healthy slash sustainable living for all and VR as just a small-scope tool,
The Sixties / Ealy-Seventies are back. Much more transparent (also qua disruptors’ identities, whereabouts, and culpability vv the Law…), much more (yes indeed) ground to cover, to loosen up societies’ structures much more extensively — due to backlog, backfire and backlash since the last Aquarius rush (80s-10s). Even in business, seeing a return away from totalitarian-bureaucratics towards enterpreneurial freedom (“actual” leadership contra übernacissistic CEOs).
The Thirties are back. With the income distribution being more skewed than ever (!) in history, so with more argument pro (…) Revolution … [Despite the latter having proven throughout history to fail or rather, in the end to not work out the way it was intended!] But also the Junker that babble alternative facts (US) and pretend to rule (Europe) but have no clue about their overly apparent airheadedness, leading duces to be able to grab power.
Noting that in some conglomerate of nominally independent states, the division or even separation between the Poor in the middle and the Elites on either coast, is more clear (worse) than in the Thirties now.

Pendulum swings everywhere. And throw in China and Russia, plus some India into the mix…
What have we learned from the past; can we deal with extremes in a better way now ..?

Plus:
[Absolute rulers, Nature in the back; Salzburg again]

Customers, users, they aren’t the same

Yet another recent article in an otherwise wise mag tripped over the not even remotely subtle distinction between customers and users, when it comes to bragging rights of social media platforms.
User, users everywhere … But even by the billions they aren’t providing any subscription income… Because they’re just the product. Would mr Musk brag about how many Model S3X cars can run off his new factory’s assembly lines [errr…, yes he may], or would he be happier when there’s some out there that actually pay for the products? [that’s why he may]
At least, here we can still (sic) speak of actual products and clients. Where already clients and (‘all’) users are not the same thing. Buried in the above-linked article is passing reference to skew in ad revenue. Yes indeed. With the end kicker being the achievement of so-and-so-many billions of users again, to bury the fact that ad revenue points at what Facebook is all about: Lift, shift and retention of ad (selling) companies that are the actual users-customer-clients that bring in the dough.

So, wouldn’t it be better business reporting to stratify the users by ad generation ..? Wouldn’t it be better to point out all developments in revenues per ‘active’ user? Wouldn’t it be honest to report how little per user the ultimately advertising company makes in additional renevue by sales of (near-)physical products ..?

I’ll leave you with:
[The Salz’ worth going all the way up there, the ‘user’ down below made to feel on top of it…]