Cyclexpo or Expocicle ..?

Tinkering with the hype-like hyping of exponential -everything- versus the Been There Done That ‘history’ prophets (?), trying to integrate their ideas:
Do we have enough history of macro- or micro-‘economic’ data to be able to establish whether in the really long run, the things that count (which, indeed, are not countable) are on a sinus wave pattern OR on an exponential growth pattern ..?

Contra which I’d pose another hypothesis: Both at the same time. And even another: None.

A lot of pundits of course make the mistake (I think it is) of believing the graphs that have shown a very, very slowly increasing (though already exponential) curve that, These Days or Tomorrow, suddenly shoots up extremely. As if the exponens has suddenly grown immensely. This has no proof and wouldn’t need one even to make the point. All ‘smooth’ exponential curves (i.e., with constant exponens) have these tipping points where from Quasi-Linear Under The Radar they suddenly shoot through the roof – and, as often forgotten but giving rise to the up-dent fallacy, they already have the (log) property where zooming in gives the same picture all over again; almost ‘fractalian’.

Other pundits make the mistake (I think it is) of assuming that there’s no news under the sun, ever. All is cyclical, all is under the Nietzschean spell of eternal return. All developments one can graph, have sinus wave functions through time (be it that it might take ages, aeons for the pattern to neat out). Which may be true, in part, when ‘inflation’ in all sorts of (qualitative …!?) areas is applied. But which also may not be true as there may (unfalsified hypothesis) be human(ity) Progress after all.

But then, what about sinus waves on top of exponential long-term developments ..? That would give almost-erratic, almost-earthquakelike-unsettling graph trend breaks, either up or down. (Next to more mundane settling-downs, obfuscating things.)
Or, exponential blips on top of longest-term sinus waves, of course. Also not looking too regular…
Or, there is nothing to extrapolate as all developments, once viewed primarily linearly, now also (sic) exponentially, are accidental short-term fits with the Very Long Term being random. Even Moore’s Law is an accident: Given (the approach of) endless numbers of hypotheses, some will be true, by chance.

We just don’t know until we’ve checked. Which may take eternity.

Just DON’T assume your expo-upkick is news, or is, per se.
And, maybe the Singularity will change things as Everything will be mental, abstract ideas instead of necessarily being possibly physics-bound in some way or another.

OK, enough now. This:
[Shadows, reflections, of past and future(istic), Toronto again]

Caps off for … not $appl

The below has been going around the last couple of weeks. For your enjoyment, again:
[After inflation corrections. Plucked off the ‘net]

Seems legit. Though one wonders whether and when currency reforms might, just might have skewed the picture. Though some of the above, are of recent times and we don’t really recall all that many reforms did we? Other than the Glass-Steagall revocation the repercussions of which we’re still battling to overcome.
’nuff said.

Where have all the good blogs gone ..?

Except for this one you’re reading, that will stay on for some time to come …
But where would I find some taxonomy of publication ..?

We have the good old ‘new content lines in index.html’, outright blogs (WordPress, Typepad, Blogger, … endless list), SocMed blogspace (LinkedIn Pulse, Tumblr, Facebook, others, having room for, typically, one-pager texts), podcasts, vlogging, Youtube channels, webinars (interactive/recorded), Messaging expanding (and with some original RSS feed and portal page stuff still being around), curated blog sites, paid blog sites crossing over into the classical news(paper) sites, pay-per-post-read sites (cooperative or not), paid-for-popularity sites, ebooks, classical newspapers and more thoughtful (?) periodicals, etc.
Etc.

But how do we classify them? How to determine what (length, content, tone) to publish where [by these characteristics …], and how to do that – as some may be perfect for your brainwave but you just can’t get them to see the genius of your writing. What to do when times are a’changing, and platforms switch through functionality augmentation ..? Do a full decade of backward posting on a new platform all in one go, or leave all content there, to disappear in the mist of time?

Yes I’d really like to hear your answers ..!

Well, you have read this. So you deserve:
[Amsterdam; more than canal houses only. Oft overlooked …]

My Opia

Not being your topia anywhere or dys here topia or whatever.
Was struck by the surge in posts, columns, articles about security in IoT. Because it appears to indicate a need for a new index. Being on the level of myopia one needs, to understand the hype value (a la this). Or hyperopia (?). Or rather – what’s it called when one’s view is narrow, or broad ..? That was what I was after: With the above-linked Second-biggest G.’s Hype Cycle, one should have a perpendicular index of width/breadth of hype and/or potential impact. So that when one would consider oneself to somewhat suddenly be caught in relatively speaking the in-crowd of, purely e.g., IoT and IoT security/privacy issues that one has steered oneself into, it would come as no surprise that suddenly though with some lag, one sees the posts, columns, articles flying around on the same subject without any real news or rather more (for one!) Been There, Done That type of news reporting. For others, the news may be news…

A second aspect would be: How to position oneself. Doing hardcore research style environment scanning and reporting on that in traditional and SM media, would quickly become impossible as any field of study explodes in width and depth as it gets off the ground, leaving the actual keeping up with all developments to be impossible. Even when your cutting edge development reporting wouldn’t catch on but with a few aficionados at the very most, and when you’d wait until aspects have crystallised to clarity far enough to be understood by your mainstream audience (if any), the subjects have a. watered down beyond being interesting to you, b. watered down beyond recognition still for your audience, c. still not yet reached interest-through-urgency / -news-value for them.

Whatever. Just an idea; any of your help in developing such a sight/scope index is very much appreciated…

In advance:

[Pretty close, no mirage; Segovia]

IR-L or 0 (BC)

The spectre of BCM has been haunting ‘business’ departments of about any organization for too long. It needs to go away – as spectre, and take its rightful place in ‘Risk’ ‘Management’. The latter, in quotes, since this, this, this, this, and this and this.
Much link, very tire. Hence,
[Opera! Opera! Cala at Vale]

Which actually brings me to the core message: ‘Governance’ [for the quotes, see the last of the above link series again] fails for a fact (past, current, future) if it doesn’t include risk management, and when that doesn’t take this into account:
Turf wars
[Here, highlighted for InfoSec as that’s in my trade portfolio…]

First, a reference to that RM-in-Gov’ce mumbo jumbo: Here. (In Dutch, by way of crypto-defeating measure vis-à-vis TLAs… (?)) Listing among others (diversity, sustainable enterprise, external auditor role) the need to do more about risk management at ‘governance’ levels. Which might of course be true, and how long overdue after COSO has been issued and has been revised over and over again already.

But then, implementation … No strategic plan survives first contact with the enemy (ref here). And then, on turf are the wars that be, in all organisations. Among the great multitude of front lines, the one between Information Risk (management) the Light brigade [of which the Charge wasn’t stupid! It almost succeeded but because the commander wasn’t a toff so supporting a brilliant move by such an upstart wasn’t fashionable, he was blamed – an important life lesson…], being overall generic CIA with letting A slip too easily on the one hand, and the all too often almost Zero Business Continuity (management) on the other, outs the lack of neutral overlordship over these viceroys by wise (sic) understanding of risk management at the highest organizational levels. As in the picture: It’s all RM in one way or another. And (though the pic has an InfoSec focus) it’s not only about ICT, it’s about People as well. As we have duly dissed the ‘Process’ thingy as unworthy hot air in a great many previous posts.

Where’s this going …? I don’t know. Just wanted to say that the IR-to-BC border is shifting, as IR becomes such an overwhelming issue that even the drinks at Davos were spoilt over concerns re this (as clearly, here). But still, BC isn’t taken as the integral part of Be Prepared that any business leader, entrepreneur or ‘executive’ (almost as dismal as ‘manager’) should have in daily (…) training schedules. Apart from the Boy Cried Wolf and overly shrill voices now heard, the groundswell is (to be taken! also) serious: IR will drive much of BC, it’s just that, again, sigh, the B will be too brainless to understand the C concerns. Leaving BC separate and unimplemented (fully XOR not!) next to great ICT Continuity.
Or will they, for once, cooperate and cover the vast no-man’s land ..? Hope to hear your success stories.

Disarming the citizens of the US

Ah, yes, prohibiting any discussion of or even link to possibly cracking-enabling information. Already worded in a veiled way, as in:

this would mean taking away the arms that a great many US citizens are equipped with (and prohibiting gun range training), once, against the English (Brits?) now against just any outsider and US citizens themselves? Quite a Second Amendment thing, these days…

As a European, I don’t want to meddle in US domestic affairs. But I tend to the interpretation of constitutions and amendments anywhere, all of them, as principles not absolutes. Absolutes never (sic) work in societal organisation. When quite a number of those concerned [again, I’m not] would gladly see all amendments interpreted to principle not literally except this very dangerous one.

‘nough of that. Now, onto the more recent EU moves towards banning hacker tools … (and the UK push for banning encryption tools, even). I just have questions:

  • What about free speech? Seems to be an issue for discussion as democracies need more absolute protection of that. Amazon wouldn’t be allowed to sell hacker books in selected countries. Banning books, anyone?
  • How many % of crackers would live in the applicable jurisdictions, to be under the prohibition provisions, and how many are outside those jurisdictions ..? What would happen if one would exclude the former from being armed and ready but giving the latter a, most probably, more vulnerable target?
  • The honest researchers in those countries would be jobless; never a good incentive to stay on the right side. The honest researchers elsewhere would have a bonanza as all bugfix trade must move to the outside. Either that XOR through a form of licensing one creates a humongous random hence erratic but totalitarian public/private cartel. In the Home of the Free, in the pursuit of happiness.
  • If through this, the balance is lost, will the US and/or EU start to isolate itself (its ‘Internet’ (quod non as per this)) from the rest of the world ..? If so, how any trillions of $/€ will be lost to others, whereas any related industry (that will be the future as the mature-industry-little-growth primary, secondary and tertiary industries will be what’s left for the EU/US but serious growth will be in the new industries?) will not come off the ground, hindering greatly any recovery from the intermediate term (slump) before booming, à la this.
  • Will stego boom? The Hiding in Plain Sight can bring an additional benefit of plausible deniability (with some tweaking).

Seems like the above POTUS quote might indicate that he’s not planning any censoring of the spread of direct or indirect vulnerability information but on the contrary would be stepping up efforts to bring the US back on top of the game. E.g., by not focusing solely on physical terrorists but also on outside-in and from-within (sic) cyber attacks. Or was the quote an apology for the NSA being in NK even before the (known to them!) Sony hack ..?

The picture is still murky. Too murky to take sides already, for my take. I’ll leave you with:

[Bergen aan Zee, Autumn dominos]

Half an argument for mainframes

This here article is somewhat interesting… Explanatory, but also lacking some. E.g., some strengths are given, but not how they would be competitive advantages over a mega-dc of blades or so, as the really big players do.
Oh well. Who cares ..?

For now:
[Plain vanilla Vienna damn auto’rekt]

Ruled by the petty

When mores are sufficient, laws are unnecessary; when mores are insufficient, laws are unenforceable.

Durkheim, you recall. Only now. Only now that you’ve started the year all refreshed to this time around implement all the nitpicky petty rather childish, kindergarten-level rules to rein in all the misfits (i.e., about everyone except you) that don’t want to dance to your tunes (while you can’t dance, really; admit it. Not even to your own tune you don’t!). Which turns you into a petty fool, given the veracity of the above quote. If you don’t get it, just think it over once again. And again, until you do. Or quit, but then stay away. Like, at these nice locations just for you.

The big Question of 2015, or the decade, being: How to get the mores back

Part of the solution may be your admiration for:
[Some time ago, when photography was still allowed….]

Risk of being Duds

Wow, the new year starts off with … failure. I mean, apart from your inability to keep your New Year’s resolutions (already – if you need such a specific date like Jan 1 and the motivation of a ‘fresh start’ which, on the whole, it isn’t since calendars were invented as easy shorthands not life (so exactly) defined turning points) to change habits, … why didn’t you just change when the need arose ..? You’d be much further with it – the year is really off to a traditional start when failures of the past, are repeated ad nauseam… [As interlude: No, writing shorter sentences isn’t and wasn’t on any of my resolutions’ lists…]

Which one might expect from less-clear thinking professions. Though this post isn’t meant to address the precious few, the exceptions to the rule, I do mean ‘accountants’ and ‘IT-auditors’ (IS auditors that don’t understand) to be among those. That, apart from the slew of other vices you can easily sum up, tend to instruct others to do risk analysis this way:
[R6 model diagram]
Yeah that’s in Dutch but you probably can make out the (actual) content and meaning. Being that the risk analysis is (to be) carried out top-down indeed, analyzing how lower layers of the model will (have to) protect against risks in the layers above, after the controls at any layer may have failed to ‘control’ the risks… [About that ‘control’ quod NON: See this here post of old.]

See? This just perpetuates the toxic myth of top-down analysis. The more one would follow this model, the more deluded one’s risk estimates would become… And this is proposed to lead the way in financial audits…
If you think this limits the Spectre of errors – this thinking permeates, and will permeate, the audit / inspection environment, leading to ‘Sony’. Yes, this erroneous thinking is at, or near, the root cause of that mess-up. [Anyone has seen proof that the NK actually did it, I mean, not the ‘proof’ trumped up by the most biased party ..?]

Whereas a bottom-up approach would show all the weaknesses that would create logically impossible effectiveness of higher-up ‘controls’. Controls just aren’t put in place to build a somewhat reliable platform to build higher-order controls on… Controls are put in place to try (in vain) to protect same-level risks throughout, as well, and higher-level controls were (are; hopefully not too much anymore) put in place to try to protect against all the lower-level controls failures not remediable there… [‘Mitigation’ as the newspeak champion]
Hence, the distribution of error ranges (outside the acceptable sliver in the middle of the distribution of, e.g., transaction flows – hopefully that sliver is the intentional one) is ever wider the higher one goes in the ‘model’.

Rightfully wrecking your approach to financial audits, where not the risks of misrepresented true and fair views are managed, but the risks that the auditor is caught and found guilty of malpractice by not doing the slightest bit of the checking promised. ‘Assurance’ hence beginning with the right first three letters. Risk management to cut down the enormous workload (due to the overwhelming risks percolating up the model, as in reality they do..! hence having to check almost everything) to nicely within the commercial cutthroat race-to-the-bottom budget which is supplanted with ridiculously attractive (by bordering(!?)-on-the-fraudulent hourly rates) consulting business.

Now, the only hope we have is that the R6 model will not spread beyond … oh hey, googling it returns zero results – let’s keep it that way! Let’s not follow BAD guidance…

Jeez… And that’s only two of 124 pages of this

I’ll leave you with …
[Picture] At the door to [picture]
– if you know what these are, you know why they’re here…

Progress at the other end

On state of the art innovation – at the lowly (!?) end of programming.

I mean, it’s not rocket science; it’s quite a bit harder to pull off. To produce something decent though that seems to have gone lost in these überagilescrum times of putting apps out before anyone has a clue what they’re intended for. What problem they’d have to solve, for a large enough audience to care. Yes, it seems that “If you’re satisfied with your product at launch, you’ve launched too late” is all the rage now. But to win over the world, over Fubbuck, to win over all the big organisations still out there (and will be there, for decades to come, and will still have the power i.e., money, to dwarf others’ interest when they put their mind(s) to it), one would need decency in the product, hence also in the coding.

But then, there’s this dark and shady epitome-of-big-org backed initiative called Pliny to help out. We’re interested. As it may, when it will deliver results, help towards better programming practices.

  • By introducing predictive text to low-level core programming.
    But I also see other potential use for its ideas, towards:
  • Better coding, pre-emptively less buggy, by using in-line sanity checks on whatever is put out. It says this in the linked article indeed, but only in passing – whereas I’d say this is an important improvement opportunity in its own right.
  • Better re-use of code. When context and (machine level) interpretation of intent is gathered anyway, why not map and match that intent to the existing code base? Through that, lots of pre-programmed, debugged and efficienced (hey I didn’t want to break up the sentence rhythm with ‘made efficient’ oh what am I doing now) routines, re-use could skyrocket and the most hideous issues of non-reuse as listed at the Daily WTF may be prevented.

Would these three be worth it ..? Of course it will. They will raise low-level coding up quite a bit, upping the Lean And Mean Coding Machine sweatshops to greater productivity and hence, to quicker full-scale and mature products. And make all the app bungling less interesting, hopefully. Maybe even making all the stuff more secure. But that … waaay too much to ask for. (?)

To round off:
[Hi DARPA in your dark fortress! Oh, not you, your supposedly-opponents-but-in-your-pocket Big G houses here]

Maverisk / Étoiles du Nord