‘corn down, times 10

After the many lists of wat went well this year, with AI, bitcoin, etc.etc., we wonder: How much of that is plugged fake news or ditto overblown ..?
When still, we have the likes of this: A list of some 10 unicorns that went down (or -soon) despite funding to dream of. When you look into it, we seem to be back in, 2001, and somewhat later, when the idea of drafting a two-pager business plan seemed to be enough to get VC / angel / whathavewe funding. OK, maybe this time around (and for the co’s mentioned) it’s more like a ten-pager requirement but hey, why wait to throw money into a wormhole, right ..?
To remind us that maybe, not all went so well in ’17.

And maybe despite all the hopes we have for 17++, we should again, still, reckon with downside risks a little bit more, please?
But you’re not gonna listen to me, are you?

Mewwy Cwistmas & happy new year anyway! Plus:
[Heck, this has nothing to do with festive fireworks or so but is pretty still; Valencia]

In Controllusion

After a good receipt of this, I kept on receiving nudge-pointers about a related issue. Being, that so many are, have become, control freaks. Micro-managers with such enormous blind spots, blinkers/blinders.
With a thesis developing that this is caused by sheer frustration of not being able to shake off the being controlled. Since individualism, the societal buddy of pure neo-capitalism the fascist kind intertwined with consumerism and the blow-out of traditional social group cohesion(s), demands we are Free. Or so. And find ourselves [well, not me] still tied up tight in (whether private or public) corporate dictats. Having to let off all the steam, it explodes (short of detonation) through the escape vent of downward bullying – in perception from all sides.

Hope I’m overstating this. But a fuzzy-logic sort of partial acceptance of the point only, will point the point towards resolution of at least one contributing part of the stifle that is so rife in modern (not) organisations. Capice? Capisco..?

[Apparently not when this of course is Dyon.]

Small Mob Rule

Dat is dus grote onzin: De @telegraaf zit er (weer) dik naast, in dit stuk. “DOKKUM – Er gaapt een reusachtige kloof tussen de provincie en de Randstad. Thema’s als genderneutrale toiletten, de nadruk op ’diversiteit’ en vooral het debat over de kleur van Zwarte Piet worden door een kleine culturele elite in met name Amsterdam aan de rest van Nederland opgedrongen, terwijl de meeste burgers in de regio’s hier helemaal niet op zitten te wachten.”
Nee Telegraaf, dit is volslagen onzin, over de rand van leugen.
Want het is slechts een miniem klein-handjevol (inderdaad) bewoners van de Randstad – die oh zo sosialisties nog een tweede huis op het platteland hebben omdat ze alles en iedereen zo lang hebben getreiterd dat ze nauwelijks belasting betalen ‐ die de landelijke stemming bepaalt. Terwijl de andere 99,995% van de Randstedelingen ‘ook’ gewoon normaal is, hoor.

Dus stop ff die terreur van het klootjesvolk i.e. T-“journalisten” quod non, die inkt verspillen met zulke grove onzinkoppen. Of, om hen in hun eigen moreel vermogen aan te spreken: Bek houwe.

[Geen plaatje vandaag. Té boos over zulke idiotie.]

The dullness of infosec ..?

And you thought fraud detection was about bank transactions or even counterfeiting physical stuff. Boh-ring, when you read this. Takes it to another level, eh?
Which brings me to an important issue: Are we not still studying and practising infosec from the wrong angle, doing a middle-out sort of development in many directions but starting at a very mundane ‘CIA’ sort of point. Which is of course core, but there is so much to cover that some outside-onto view(point) might be beneficial. We’re in the thick of the fight, and no matter in which direction you go, when you wade through the thicket with your control measures machete, you achieve little – when you then turn around to try to clear some area in another direction, all has grown dense with state-of-the-art arms’ race bush again already.
And yes, of course one can educate, etc. in some form of hierarchical approach, top-down. But that leaves us with many, all too many that float comfortably on the canopy where the view … isn’t that great as one’s very certainly in thick fog of the monsoon rain. And nothing is being directed (ugch) deeper down. Or controlled (?). Just more, most partial world views unconnected and behaving erratically.

The e.g. in this is that link above. A tiny subset of situational scenario. Not solved pervasively, once and for all. Now think about the hugely, vastly, enormously wider scope of ‘all’ of infosec that would need to be covered to a. arrive at sub-universes of control, b. overview.

The latter remains Open.
Me not happy.

Solutions, anyone ..?

Oh, plus:
[Ah! The days when this sort of ‘defence’ was enough to conquer! Alésie of course]

Trust ⊻ Verify

You get that. Since Verify → ¬Trust. When you verify, you engender the loss of trust. And since Trust is a two-way street (either both sides trust each other, or one will loose initial trust and both will end up in distrust), verification leads to distrust all around – linked to individualism and experience [we’re on the slope to less-than-formal-logic semantics here] this will result in fear all around. And Michael Porter’s two books, not to mention Ulrich Beck in his important one. So, if you’d still come across any type that hoots ‘Trust, but verify’, you know you’ve met him.

Since the above is so dense I’ll lighten up a bit with:
Part of the $10 million I spent on gambling, part on booze and part on women. The rest I spent foolishly. (George Raft)

Which is exactly the sort of response we need against the totalitarian bureaucracy (i.e., complete dehumanisation of totalitarian control – which approaches a pleonasm) that the world is sliding into. Where previously, humanity had escapes, like emigrating to lands far far away, but that option is no more. Hopefully, ASI will come in time to not be coopted by the One Superpower but then, two avenues remain: a. ASI itself is worse, and undoes humanity for its stubborn stupidity and malevolence (the latter two being a fact); b. ASI will bring the eternal Elyseum.
Why would it b. ..?
And if it doesn’t arrive in time, a. will prevail since the inner circle will shrink asymptotically which is unsustainable biologically.

Anyway, on this bleak note I’ll leave you with:

[Escape from the bureacrats; you-know-where]

Arms / race coming to an end ..?

When this is still necessary and (counter)x-measures will continu to be developed, for sure, how will this little nugget of WP29 change things?
Because it has power. That may lead to a throwback. For how long? The harder the throwback, the longer to recover. But the more powerful will be that rebound ..? We’ll see. For now, canvas blockers are still the way forward, so implement them, right?

This post was brought to you as a public service announcement from the sanity of browsing for information security and privacy blog you’re reading.
But seriously, why is there so little analysis of the WP29-on-Profiling stuff ..!? And:

It doesn’t matter

A great many before me have discussed the merits pro and contra using contractors instead of perm contracted staff.
I will still give it one more go. Since lately, there has been some back and forth again about motivational issues and how certain is one in one legal contract situation compared to the other hence how motivated can one be and why the need to cater to so different audiences as ‘manager’.
The thing is
It doesn’t matter:

When investigating the differential motivators, one invariably ends up with the same motivators, and much the same demotivators (nicely depicted here of course still going strong, since tout a continué).
This, coupled with:

  • Financially, you’ll have to pay for income taxes (buy side yes), holidays, sick days, etc.etc. (welcome to Europe!) and all of the administration surrounding that when you hire someone on a perm contract. If you hire a contractor, not so much; all costs are for the contractor
  • You’ll also have to pay for continued education and a company car for perm contracters. For contractors, not so much; all costs are for the contractor
  • Add in a ton for pension contributions (we’re still in Europe). For contractors: Nope.
  • How about severance packages? (Oh, shouldn’t differ much…)
  • Going through the calculation motions, it is little wonder that fully loaded costwise, a perm contractor will cost you 2,5-to-3,5 times per hour what a contractor bills you
  • And your perm contractor is scientific reasearch confirmed actually productive for four (upper bound) to two (lower bound) of any eight-hour working day. Your contractor can only bill you for two hours slippage per day, at most
  • You can even expect to pay more for the above motivators when dealing with perm staff. Contractors behave more mature and don’t need as much of everything

clearly leads in one direction. Isn’t there a catch ..? No, only if you’re Mr Tax Man; then, you’re the one losing out. Otherwise, you as an employer can gain seriously even when paying out ‘huge’ hourly rates to contractors.

Remember that.

Your comments, please.

Norm over substance of risk management

Overheard: A major company in a relevant industry re infosec – and well-known for their good and even so recently much improved infosec posture – doesn’t follow the mantra of “risk management first, policy/standards second” but first sets some quite rigid standards and then, when vendors can’t deliver (even when the standards are strict but quite reasonable and doable), do some form of risk analysis plus compensating controls / acceptance or what have we.
Because otherwise, everything gets so mushy (hey, normal (?) risk analysis is business driven, what do ‘they’ know ..!?) that the end result is a chaos of quasi-accepted risk all on one huge unmanageable infra heap of backdoors and byways (those in particular) which results in zero security. And because this way, standardisation is encouraged and security plus manageability hugely increased i.e. big bucks are saved.

So, it’s an interesting High Baseline Minus approach. Though I guess you may have some comments, so take it away …:

Oh, and already:

[Maybe green, but not fond of blaugrana ..? M’drid]

The logic of automated decisions;
ransparency through audits ..?

Not bashing, nor FUDhyping…
Was triggered by various treads, e.g., The Book on the subject (or, het boek in Dutch), and scores of elucidation (yes. be happy finally there is some truly) from the legal perspective, on GDPR article 15.1h and article 22.

The latter two not being conclusive, however. They are about requirements of transparency on the logic underlying automated decisionmaking. But there is no clarity about how deep that should go. Will “Hey your data is processed by some AI system [literally, factually incorrect statement because it’s only Machine Learning at max, today; does that construe a false statement i.e. fraud ..? ed.] and even we the builders ourselves have no clue what goes on in there – that’s the whole point of using it besides being able to fire a great many inherently expensive humans and we don’t care the least about the biases and other grave errors of the system it works fine for us!” be acceptable? Hint: No. Will “Oh it’s so intricate that we, let alone you, have no clue when looking at the audit trails that the system generates” fly? Same hint.

Because here, we see a new area developing for IS auditors: Auditing ‘AI’ [quod non but read ‘ML’ and you’re good; ed.]. As IS auditors are (supposed to be, I happen to know a fair share of peers … etc.) the experts in gauging systems functioning qua .. reliability overall, too. Which goes way beyond mere C-I-A but still, has Always been part and parcel of IS auditors’ education, right ..? I will come back to you soon, with more definitive info on how IS auditors should go about this all.

Oh by the way yes I did already notice that the more the system in scope behaves, and is constructed to behave, intelligently like the average (sic! statistically you have zero reason to put yourself above that! oh wait you read my blog so you are definitely, way off the right end of the scale) human, the more the audit will have to be like we audit humans today. Uniting psychoanalysis and explicit rules on paper (in procedures, algorithms et al.), very dogue much fun.

[Though a flat, and has iron, legally misidentified as flatiron …; NY – Pic tilted to fit in the pic frame of course]

Are you scared of perfectionism ..?

Not of but to.
This dawned on me, suddenly – as dawning of this better kind is unenforceable – a lot of people list ‘perfectionism’ as their default weakness-read-humblebragged-strongpoint. But it’s a weakness indeed because any such feeling will be rootcaused by insecurity, of the angst kind.
When taken forward, from the latter, one sees: Fear of the unknown, uncontrollable impact on the edges (first), will lead to overzealous focus on those edges, the rougher parts, to prevent even the tiniest deviation from the all-of-the-world’s-plan that totally deterministically was supposed to be followed to not introduce Uncertainty of any kind. No quantum collapse of the wave function allowed; no wave function allowed – that’s all heretical deviation from a supposed Plan from up high (where ?); der Herrgott würfelt nicht in the least! Quantum entanglement is that each and every quantum particle was predestined to be and behave / move as it does. No Uncertainty!

Or else … bad things may happen to you, e.g., your career.
You may get fired, for not perfectly achieving your Personal Year Plan. You may get fired anyway but that’s Bad, the devil’s work, or the shareholders’ (his rep’s..!) wish for slashing by the FTE numbers. To prevent this, just be perfect. Or, more practically, (say to, only!) strive for perfection. Bossed might want to believe then, that you’ll do your utmost and give your life, to make that happen. So bosses’ year plans are achieved. Or bosses, just to be sure, revert to the inhumane micro-management practices … so very common still today…

Let’s hope that proper risk management wins out in the end. If only since the more Chaos, the universe’s drive to entropy, is suppressed, the more gigantic will be the outburst of the Uncontrolled energy because it will burst out. Better to be able to control that through not letting the pressure build so high, by allowing steam to blow off in much more benign, possibly profitable, ways long before.

So, embrace entropy! Embrace balance ..! Just don’t be ‘perfectionist’ like everyone else and then be found out to be the very average sloppy that one reads so much too much of, even in trivial non-control of basic writing skills. If you write without care for proper spelling, etc., and don’t proofread, you’re waaay off to the wrong side of the balance ..!
[Discuss, progress to the dialectic third way – which is NOT in the middle by definition; study Aristoteles on that..! Ottawa, BTW]