Tag: education

All fine, for whom?

Just to be clear: Where do all the fines that will rain like hail from heck once GDPR comes into force, go to ..? Yes the supervisory authority may levy the fines, but it isn’t clear to whom the payment should go. Certainly leading to huge differences in compliance chasing: When the auth may keep them for themselves, they’re a. richer than the king since b. sure to penalise each and every futile infringement to the max; when the money goes to government’s coffers, that chasing not so much because who’d care?
You don’t believe me, right? Just wait and see. And weep.

Plus:
[Where the coffers are kept ..? Segovia]

Progress, friends, is here. Only, not everywhere. Yet. Say ‘No’ till then?

You know that the bright new future is here, when amid the torrent (figuratively referring to the physical phenomenon, nothing to do with the on-line tool(s)) of fake news, this still makes it into a headline: ATMs now to begin to start being rolled out with Win10 ‘support’. To be completed per 2020, when support for Win7 stops. Right. 2020; probably not referring to the eyesight of the ones planning this, not being personally accountable and duly informed of the risks.

Because otherwise, wouldn’t it be smarter to come up with a clever idea to do the roll-out within a month, to prevent just about anyone to take ATM security — or is it a signpost for overall infosec’s position — seriously, as seriously as it should ..?

It’s time there comes an agency, Nationwide, worldwide, that has the authority to say NO!!! to all ill-advised (IT- which is the same these days) projects. Infosec professionals tried to ditch the Dr. No image, but it turns out, it’s needed more than ever to prevent the Stupid (Ortega y Gasset’s Masses I guess) from endangering all of us or at least squandering the billions (yes) that could have been applied against world poverty etc.etc.

Oh, and:
[The UBO ‘humanity’ seems to be lost, here; Zuid-As Ams]

Learn you will… Recover, you might.

When your countries largest retailer (primarily F&B but non-F only recently growing as well), has finally heard about something-something-smart-fridge. And wants to do it Right and starts off with a pilot. Of, drumroll, a smart fridge magnet with a mic and barco scanner for adding stuff to your on-line grocery list (on-site self-service pick / pick-up, or delivery to follow separately). Didn’t kno that existed already.
Nice idea, to include not (only) a barco deliberate-scanner (no creepy auto-scans) but also a mic when you don’t have the product at hand (and fresh veggies wouldn’t make it; for a long time already not stickered but weighted at the (vast majority) non-selfscanned check-out).

But what security ..? For fun, e.g., putting reams of alcohol stuff on the to-pickup lists of unsuspecting meek middle-classmen that won’t understand but come home with some explanation to do (bonus for taking the stuff off the list once procured so ‘no’ trace on the shopping list). For less fun, snooping off people’s shopping habits and get rich (by ultra-focused ads or selling off the data, or by extortion-light once you get the Embarrassing Items in view). For even less fun but lulz (grow a pair) when changing the list to violate some family member’s med-dietary choices into harmful variants. And don’t forget the option to (literally) listen in on very much that is said in the vincinity of the fridge. Could be anything, but probably privacy-sensitive.
But what security? The press release point to other countries’ supermarkets already offering the Hiku sensors. Nothing is unhackable. Exploit searches must be under way. People never learn. Reputational (corp) and personal-integrity (clients) damages may or may not be recoverable, at huge expense.

I’m not in, on this one. No need. Plus:
[Where you can learn; Zuid-As Ams]

Full cite of important stuff

This being a complete citation of important stuff, on various subjects in one – meaning, that the brillantly brief once more applies to various trades and aspects, for your information:
With the sound off or on?
If you watch a well-directed film with the sound turned off, you’ll get a lot out of it. On the other hand, it takes practice to read a screenplay and truly understand it.
It’s worth remembering that we lived in tribes for millennia, long before we learned how to speak. Emotional connection is our default. We only added words and symbolic logic much later.
There are a few places where all that matters is the words. Where the force of logic is sufficient to change the moment.
The rest of the time, which is almost all the time, the real issues are trust, status, culture, pheromones, peer pressure, urgency and the energy in the room.
It probably pays to know which kind of discussion you’re having.

By Seth Godin, as you may have derived from the style and profundity. (As per here, which is literally the same text – told you so – but also add the Head to your daily reading list! [Noticed that Head thing, intended to refer to a List structure, is a pun when you see the image to click on his blog…].)

Which all relates to a. Privacy [yes it does, just think it through] and b. your IAM ideas, ever in renewal since … decades; plus c. the ‘GRC’ eager beavers — that at last are pushed back, softly and hardly noticably, by counterforces-undetermined that want their space to innovate back. And d. <fill in yourself and colour the pictures>.

Oh, and:
[Marketing -, or was it Design, Department at some Toronto institute]

Fake your news

So this is your future, part II:
Fake news is (to be – timeframe in question is ..?) battled by platforms that have full control over just about everything out there. By whatever algorithm these might bring to bear, most probably with a dose of ill-aligned AI creating a filter bubble of the most beneficial to the platforms kind for sure which is the most profitable one to their *paying* customers which is the ad industry which hence is by definition detrimental to the users, the global general public (sic).
Thus suppressing Original Content by users that isn’t verifiable against the ever narrowing ‘truth’ definitions that benefit the platforms.
Thus installing the most massive censorship ever dreamt of.
And despite some seemingly (!) benign user support in this

In the olden days, anything of such ubiquity that it was factually (sic) a (inter)national utility, was nationalised to bring it under direct control of the People.
May we now see the appropriation of Fb by the UN due to exactly the same reason ..?

One can hope..? Plus:
[Rosy window on the world ..? Not even that; Zuid-As Amsterdam]

Right. Without -s

So, we’re into this era of giving up control over our lives. Where we’re either dumb pay-uppers, or (also) victims. Which in turn leads to questions regarding who will have any income at all, to pay for the service of being allowed to sit as stool pigeon until shot anyway.
Because the latter is what follows from this here nifty piece; Tesla not giving your data unless they can sue you. The EU push for human-in-the-loop may need to be extended considerably, but should, must. Possibly similar to the path of the Original cookie directive, from weak opt out to strong double opt in plus all privacy requirements (purpose / functional necessity, minimalisation, etc.etc.).

Do we recognise here again the idea that though your existence creates it and would be different for every human on earth (plus orbit), your data isn’t yours ..? Quod non! When someone takes what you produced (however indirectly! – inferred and metadata and all) without payment, that is theft or worse in any legal environment.
Is there anywhere a platform where the consequences of this global delineation are more clearly discussed, between Your Data Isn’t Yours Because We Process It, versus My Data’s Mine Wherever ..?

I’d like to know. And:
[Your fragile fortress…; Barça]

Behaviour is key to security — but what if it’s perfect?

When the latest news on information security points in the direction, away from reliance on technical stuff, of the humans that you still can’t get rid of (yet!), all are aboard the ‘Awareness is just the first step, you’ll need to change the actual behaviour of users‘ train. Or should be, should have been, already for a number of years.
In Case You Missed It, the Technology side of information security has so far always gobbled up the majority of your respective budgets, with all of the secondary costs to that, buried in General Expenses. And the effectivity of the spend … has been great! Not that your organisation is anywhere near as secure as it could reasonably have been, but at least the majority of attackers rightly focus not on technology (anymore – though still a major headache) but on the feckle user discipline. Oh how dumb and incompetent these users are; there will always be some d.face that falls for some social engineering scam. Sometimes an extremely clever one, when focusing at generic end users deep down in your organisation, sometimes a ridiculously simple and straightforward one when targeting your upper management – zero sophistication needed, there.

The point is, there will always be some d.face that makes an honest mistake. If you don’t want that, you’ll have to get rid of all humans and then end up overlording robots (in the AI sense, not their superfluous physical representation) that will fail because those underling users of old held all the flexibility of your organisation to external pressures and innovation challenges.
Which means you’re stuck with those no-good [i.e., good for each and every penny of your atrocious bonus payments] humans for a while.

Better train them to never ever deviate from standard procedures, right?
Wrong.
Since this: Though the title may look skewed and it is, there’s much value in the easy step underpinning the argument; indeed repetitive work makes users’ innate flexibility explode in uncontrolled directions.
So, the more you coax users into compliance, the worse the deviations will get. As elucidated, e.g., here [if you care to study after the pic; study you’ll need to make something of the dense prose; ed.].

So, here too your information security efforts may go only so far; you must train your users forever, but not too much or they’ll just noncomply in possibly worse directions.

Oh well:
[Yeah, Amsterdam; you know where exactly this depicts your efforts – don’t complai about pic quality when it was taken through a tram’s window…]

Pwds, again. And again and again. They’re 2FA-capable ..!

Why are we still so spastic re password ‘strength’ rules ..?

They have been debunked as being counterproductive outright, right? Since they are too cumbersome to deal with, and are just a gargleblaster element in some petty arms’ race with such enourmous collateral damage and ineffectiveness.

And come on, pipl! The solution has been there all along, though having been forbidden just as long …:
Write down your passphrases! The loss of control by having some paper out there, e.g., on your (Huh? Shared workspace, BYOD anyone?) monitor (Why!? Why not have the piece of paper in your wallet; most users will care for their money and those that don’t, miss some cells due to the same you wouldn’t want them at your workplace anyway) is minute, certainly compared to the immense increase in entropy gains i.e., straight-out security gains.
And … when you keep your written-down pwd to yourself (e.g., against this sort of thing), it becomes the same thing any physical token is and you created your own Two Factor Authentication without any investment other than the mere org-wide system policy setting change of requiring pwds of at least, say, 25 characters. (And promulgating this but that shouldn’t be too hard; opportunity to show to make life easier for end users, for once, and great opportunity for collateral instructions on (behavioural) infosec in general…)

What bugs me is that alreay a great string of generations have been led astray while all along the signs were on the wall – not the passwords on them, but the eventual inevitable collapse of the system, by users that demonstrated this security measure was too impractical to stick to par excellence as evidenced in the still-strong and practiced practice of writing down pwds. If people do some specific thing despite decades of instruction … might we consider the instruction to not fit the humans’ daily operations ..? so the ones seeking to Control [what pityful failures, those ones …; ed.] will have to rescind?

So, written-down passphrases it is. Plus:
[Easy sailing to new lands, beats being stuck on Ellis; NY]

No legalese please, we’re in business

Which translates to: A DPO better be an IT expert who has learnt [for clear thinking, UK English is preferred by far; ed.] the legalese of the GDPR, than a legal expert who has learnt some tidbits of IT. Despite the usual suspects exceptions, you do recognise the former and latter types in practice. And exceptions those are.
And debunking the myth that a legally schooled ‘GRC’ operative might pick up sufficient IT skills in a couple of courses or a bit of privacy practice, needn’t be necessary or you have done zero investigation re this. What a sorcerer’s apprentice of the pastiche kind do they portray. Because the mindset is inappropriate; the mindset of accidentally finding an interesting problem and for once not being dazed by those in the know, studying it extensively, how interesting this all, and then       hardly anything. Certainly (sic) no actual solution to the problem…
The IT side, so often and so extensively underestimated in its intricacies throughout the vast wide scope of it in particular qua privacy concerns even in the GDPR itself that core document around which so many circle, on the other hand is qua background focused on (actively going out and) finding problems and then creating and implementing a solution.
And at the same time, recognising that the legal stuff is not as hard as it is sometimes portrayed (instigated) to be and does not require more than a trade diploma level of intellectual development, if even that.

One could easily remain on the subject but without much gain. We retire, having made sufficient argument why DPOs have no legal basis need in their functional requirement.

Oh, and:
[Feel free to pose and shine – with pretense of superiority through some legal jargon most probably devoid of meaning; NY]

Take me out of the loop, (as I) please

Considering that there is this thing with privacy — where people are getting more and more aware that yes, they do have a legal right to not opt in to any scam’ish spam and Shallows-ing of their filter bubble [where the latter sounds soft and pleasant, pink, instead of crushingly dusty and petrifying your mind, the one thing that so far keeps you human].
Considering, too, that there is a push to have at least a human in the loop of math destruction. Which will fail if it’s a click-yes-or-be-fired job. Which it will, in the current setting and developments, be. Unless the human, and all of hes [her/his; LGBTQ-neutral] superiors all the way up to and including in particular, the Board members individually fully accountable, remain accountable for all that the click-yes leads to. They should be are or else they have to legal title to any income of any kind. But since the legal side is all set but the 0.1% is above the law, this isn’t happening.

At least then, we should aim for something similar to the cookie directive [so villified because it was such a glorious and simple idea it could work. could have.]; I propose:
The right to be left out of (statistical or other) profiling. Since the profiling follows from matching patterns that are different things from the data I providedmost probably to some party other than the one doing the profile extraction out of statistical masses – fitting me to the profile is a direct form of de-anonymisation to identification to which you have no legal right and a legal duty not to. Check your brain to see whether it is capable of the most basic functioning, which is sufficient to understand articles 11 and 12 of the Universal Declarations of Human Rights. Name one set of principles that applies more widely, globally, than that. Doing away not only with the nuisance but also with the filter bubble et al. including the atrocious downsides of false positives as per the link above.

Maybe the online ad markets would crash. Report has it that they already do; imploding under their own emptiness. There is no inherent reason any market should exist per se. The world would a. continue to prosper, so infinitely more so than before when ad markets would crumble; b. be a better place and who could be against that?

So after this bombshell of an idea, I leave you with:
[Peace of mind; at a borgho just North of Siena]

Maverisk / Étoiles du Nord