education – Page 7 – Maverisk / Étoiles du Nord

Weak Humans, the Top-10

Again, the reference in the title is useless but may attract more readers through Timeline/Prio Gaming(™ from now on) – and, this in return might have referred to the title but yet again, close but no cigar (again, less chances of a Cuban, anyway, for some by their own mistake).
What I meant was that humans are targeted by hackers since they’re so vulnerable read stupid may be true — relatively… actually meaning apparently Technology and [the empty shell phrase of; ed.] Process may be so perfected that hackers have nowhere else to turn to.

That, of course, is not true. Simply, false.

When looking at the disastrous error rates (bugs to be fixed, sometimes easily) in software, how would anyone be able to claim Technology is anywhere near kinda OK. And Process… Show me an office (however formal, or strikingly similar to a coffee shop of not the Amsterdam original kind, or any beach with WiFi [→ why aren’t we all there, yet …!? ed.]), and show me a ‘process’ there. Wrong. All you can show, is either concrete, chairs, etc. even if of the kanban billboard kind [how idiotically silly can one get ..?], or humans. I.e., Technology or People. Neither of which is Process. No, printer paper with some ink blots .. also not process (descriptions) but Tech..! Don’t believe the lies, people! Process doesn’t exist!
So, we have something half-crappy [surprise this blog editor still runs … ;-] and something non-existent, … and People. On what now would you want to build your security?

Ah, on the People that are the most flexible, attentive (to business objectives, not your overhead), and creative (well… but including the most meta<sup2 of abstract/meme evolution evah) that Nature has ever developed with her genetic algorithm play of Evolution.
Where did you leave your own mis- and totally-zero-understandings on Humans, to pursue Tech and “Process” (quod non) solutions to Human threats ..? Why weren’t human threats from the word Go protected against by the best that human defences could muster to protect human vulnerabilities ..? Not only qua passwords, with a method aligning with cardinal sin number …. [should re-read the Bible for that; ed.] being the quest for ever more money i.e. including the protection of what you have (see the link). But qua overall about-all controls you’d need. If done right, I bet a lot of tech controls would dwindle in significance (and possibly be executed much worse than today; zero gain).

Now I start to ramble. But you get the point, and you get:
[From here, the Strong came in. NY]

Discharging DPOs by auditors

Now that it by and large seems to be that GDPR hypestuff is mostly pushed into the legal corner, … let it stay there. Let the others do their job, and reap all the benefits. I.e., via the avenue (required budget-wise; wildlands qua budgets received) of data discovery [Uchg ugly word I meant inventory] / data minimalisation/cleansing / data security [the old way, like information security, not the #ditchcyber fail] towards magnificent efficiencies in IT ops, and much clearer, exponentially better profile’able data even if Big.

Hey, the DPO was so self-inflatedly Important, right? Let him (sic) handle all the fan mail then… Let him panick-crash during every high-pressure breach BCM handling.

And then a. get fired, b. get sued, c. get replaced by yet another legal scholar turned business savvy (quod non) ‘executive’ [who executes who?].

But … in the mean time, someone would have to discharge the DPO. Not from internal audit because they’re part of the ~~problem~~ organisation.

OK, let’s have that done by an external auditor, then. A specialist, hopefully.

Hereby my claim to that specialty. Will develop fully-compliant methodology, will travel (charging expense…).

And:

[As an external auditor specialist, I love to have this sort of view; NY]

Nudging to intermittance; 5 steps to awa success

As by now you have become accustomed to, this isn’t anything about five steps, or success. Or, I mean, the latter, maybe. Was triggered by the to be, should be classic on all thing #ditchcyber ψchology, where it discusses the lure of games and the reward structure therein. From there I wondered three things:

How can we deploy true gaming (not the quiz / survey kind) in raising, and maintaining, awareness in information security praxis for end users? Like, not the Training kind, but the Knowledge → Attitude → Behaviour – into eternity kind. For end users, and for infosec-(more-)deeply involved staff, differentiated.
The latter, probably requiring training upfront, but towards actual technology deployment, tuning (!) and use. And, moreover and probably much more important to get right, BCM style training. Train like you fight, then you’ll fight like you train. Since when it comes to damage control (and in infosec, the “it’s not if but when” is even harder fact than elsewhere!), one wants to have trained all on cool, controlled response not mere panicky reaction even more rigorously than in about any other direction.

Where does the Nudging part come into gaming ..? The thing, nudging rewards and penalties, is in use everywhere in public policy, to inobtrusively (sic; by governments yes, beware of the Jubjub Bird!) coerce people to change their social habits. At least a frog will jump out of slowly heating water… [Yes it does. But how did you want to jump out of the complete, total slavery of the Social Contract ..? You can’t. You’re bound from and by birth. You’ll be a slave forever, the more so when your mind is free…]
But besides; how do ‘we’ use nudges in infosec behaviour change games? How, in daily mundane practice where attention is to other things only, not to infosec as that stands in the way of efficient objectives realisation ..?

Third, how are the above two things combined, through ‘intermittent rewards’ as the most addictive element in games ..?

Just wanted to know. Thanks for your pointers to answers. [Have I ever received any? Nope.] And:

[On a bright day, for Stockholm, the Knäckeboat museum]

Car disruption

Have governments gone insane?? They penalise anyone (but certainly not everyone) going over some completely [?] arbitrary speed, whereas my car can do double that, easily. This needs to be disrupted! Just drive as fast as you can handle, don’t care about the ‘others’ that stand in the way of you in your fundamental rights to freedom and the pursuit of happiness, and fight government in courts when they go after you – they are the stupid ones! They can’t stand you disrupting the traffic market by being quicker than the stupid sheeple [or is that you disruptor-user ..?] from A to B! People will die in traffic (e.g., by being so stupid as to always stay on the pavement but wanting to cross the road at a pedestrian crossing; fools. Children will veer off onto the streets; too bad. There will always be some less lucky and they take themselves out of the gene pool, just let them not hinder the Winners.

I’m into privacy. Which is of course completely different? from traffic ‘markets’ where the road is a commons, bound by rules (like, one doesn’t have priority but should give it to others when due) to make it reasonably safe for anyone (as a commons: no over-use till Tragedy Of). Just like hotels having to live by all sorts of safety rules (training staff, smoke alarms, hygiene, etc.etc.) for a reason. The same reason (or worse, given casuality of visitors) that goes for the V-sign company?
So, privacy in public space, the more virtual the more so [at least, no bit less so], can one (ab)use it when in breach of laws of common decency – that go much beyond mere laws or constitutions ..?

Not even a personal thing, the above … and:

[Perfect space for street racing…? Wouldn’t even hit too many ‘innocents’ here…; Zuid-As Ams]

Top 5 things that Awa isn’t

When dealing with awareness, certainly in the infosec field (#ditchcyber!), there seems to be a lot of confusion over the mere simple construct under discussion. Like, the equasion (with an s not a t) of Awareness with Knowledge plus Attitute plus Behaviour. Which, according to the simplest of checks, would not hold. Since Knowledge, and maybe Attitude, are apt components. But Behaviour is what eludes the other two, by the unconscious that drives 95% of our behaviour, in particular when dealing with any but the most hard-core mathematical-logic types of decision making and interaction.

Which is why so many ‘Infosec awareness programs’ fail …
First of all, they’re Training, mostly, even when in the form of nice posters and QR cards [that’s Quick Reference, not QR-code you history-knowledgeless i.e. completely clueless simpleton-robot-pastiche one!], and it’s true that “If you call it Training, you’ve lost your audience’s want to learn” – your audience will figure out it’s Training despite you packaging it differently; they needn’t even explicitly but intuitively (the level you aimed for, or what?) they will.
Second, all the groupwise that you do, doesn’t reflect in-group dynamics at the actual workplace and work flows, nor does it reflect the actual challenges, nor the individuals changing moods (attitudes). Oh the latter: Your attempt at changing Attitude is geared towards A in relation to infosec but that’s only such a tiny, so easily overlooked and forgettable part of the A all-the-time in the workspace.
Third, and arguably foremost, to plug ‘arguably’ as a trick’let to appear more interesting, What you aim for is not blank flat knowledge, nor even attitude, but Behavioural change. Do you really use the methods to achieve that ..?

No you don’t.

Oh and of course I titled this post with something-something 5, to get more views. Geez, if you even fell for that… And:

[Your ~~kindergarten~~ Board wish they could ever obtain such a B-room; Haut Königsburg]

Nudge, nudge, wink, wink, know what infosec behaviour I mean?

Am working on an extensive piece, a long-longread, on as many aspects of behavioural change towards true ‘secure’ user behaviour as I can cram into text. I.e., moving beyond mere full ‘awareness’ as phases 2/3 of this, to phase 4. Strange, by the way, that there is in that no end ‘phase’ or cycle in which one finds out to have been in phase 4 already for some time but didn’t notice and now forgets just as quickly as that seems ‘logical’.

But back to today’s subject, which is the same, but on a tangent. My question to you dear readers [why the plural, or >0 ..?] is:
Would you have pointers to (semi)scientific writing on the use of nudges to (almost)stealthily change (infosec-related) behaviour ..?
I could very much use that. Other sectors of human behaviour influencing studies have ample info on the effectiveness of such nudges, but for infosec I’m still with Googlewhack-like results.

Thanks in advance… Plus:

[The ways to seek prosperity from misery; EPIC Dublin]

1. Train like you BCM

Isn’t it strange that one of the most prominent success factors of Business Continuity Management, actually training for eventualities of all kinds and sizes, is so little done?
Or has the basic tenet Train like you fight, then you fight like you train been forgotten?

Or not even learned in the first place. Shameful.

And, by the way, it’s true. When you train (well, as serious as if you’d actually be in a ‘fight’ for survival), you get experienced. Surely no trained scenario will play out in the unlikely event of an emergency of any kind that your BCM aimed for, but you will be experienced to handle such unknown situations, be flexible, and have the acumen, courage, and wit to come up with a solution, no sweat, right ..? Because you know you can, no sweat, and hence, clear thinking about the right things.

So, … have fun shooting down the bogeys. And:

[Hey,, that’s a pic from a scanned slide (physical, Kodak), of the bitches of South, at Twente (no more)…]

The Legend of Knuth the Agile

Once upon a time in a land far, far off-shore to today’s centers of economic, political of civilised-society gravity, before DevOps was a thing even, there was a great algorithm champion warrior named Knuth. Unlike his fellow programmer clansman, that coded for ~~fun and profit~~ deep innovation and peer recognition [f&p came only decades i.e. ‘centuries’ later; ed.], in a world that was barren of bad code but still inhospitable to what later would become hero geeks and nerds (for whom this was still obvious), Knuth was just that little bit less quickly-footed in his subject matter, earning him the nickname The Agile, just to deride his profound work.

Because, you see, he was a man of honour and clean algorithms, two things that in his days were nearly the same. And he was in favour of solving things with fundamental parts. Not ‘process steps’ or so – how would he laugh at those that propose that, these days. Nor happenstantially bundled ‘sprints’ of fast (hacked, in its profound meaning) coding – though extreme coders live on here and there, not given the honour and credit they deserve.
But real, standardised, tried and tested (even in a semi- or fully mathematical way) logically consistent actual process steps. But then, he understands that the real warrior body (brains) belong only to those that have honed the warrior spirit, have grinded and polished their skills over decades to shine like blank sheet metal of the finest alloys. So, not like ‘hey I had this one-year (??, mostly one-week or so ..!) course in agile programming now I’m a l33t h@x0r’ kind of pre-puerile nonsense.

Well, dear readers, you know how times can fly and how reputations can change overnight. So it happens that his nickname suddenly meant something else. No more poetic escapes of sparse code and clean, logic-based algorithm library linking and calling/returning at the side of the waterfall. development method. No more re-use of the tried and tested. No more frozen waterfalls at all, due to scope creep leading to progress-temperature drops to zero and below, leading to icy atmospheres where nothing works anymore. No more basic weapons training of even knowing how to deploy re-usable code and algorithms…
All we have now, in these days with no more heroes (but the baddies are still out there, everywhere), is/was faint attempts at “patterns”, being of course the latter-day devolution of the very algorithms that made Knuth the hero he was. Is.

And then, DevOps came to the scene. If only Knuth were still in his prime, he would know what to do…

Plus:

[Only in such art is extremely precisely applied sloppiness a virtue …! Gemeentemuseum Den Haag]

Effective presentations

May be elsewhere.
Recently delivered a ppt full of bullets and text [hold it; see below], to gather response and feedback. Put in quite some effort, like two days’ driving to the venue, including overnight stay, lunch and dinner costs, transport expense, sweating away at the location (the venue was only a couple of °s cooler than the 30°+ outside) with an extra night stay at the location, plus lunches, dinners, and a return trip of two days’ driving, incl overnight stay, lunch and dinner costs, transport expense, et al (sic).
For … well, not any sort of renumeration or token gift, even. Not, like, a promisingly large room turning out to be less than 40% (rounded way up) filled.

Which wouldn’t be so bad, if suitable, useful feedback had been received, or only publicity gained e.g., through (live or late) tweeting, LI mention or so.

But now, all I got was not even the T-shirt; all I got was 0. As in: zero.
Yes that’s the number of tips (let alone useful ones), or tweets about the pres (let alone far out reaching ones). I did disclaim the fullness of the slides (sic) to give impressions of all the content delivered (did not read them line by line, mind you), and yes I did before, during and after ask for feedback… Only some old hand pre-known friendlies with form/delivery compliments.

Oh well; at least now I know not to submit for free anymore. And/or, is this the beginning of the Classroom Learning Is Dead for trade conferences ..?
Yes, sponsor opportunities will make conferences et al, still feasible economically, but not when attendee rates will go down. Yes, online webinars et al are still bandwidth-challenged and most often, sketchily interactive at best – which is an opportunity for TEDx style beautifully told fairy tales but not for the ability to interrupt and, in particularly necessary very often with these kind of powering-on talks, correct huge biases, false assumptions, and certainly pastiches of logical reasoning, nor for feedback or pointer tips.

So, where are the (affordable…!) online conferences that are worthwhile to visit?
Not 2-way IRL (‘F2F’ like in the olden days of still today) but virtually – warping the meaning of the latter so far beyond its Original, and not taking it to the limit here but having only the channel un-physicalised, even; where is total two-way VR and/or AR in this ..?

Oh well, and:

[Still only had time for ‘drive-by’ i.e. walk-by tourism…; München]

Panoptic business

Recently, I heard the gross error of thinking again “When people use their business IT for private purposes, they have no right to privacy” – rightly countered from the room that standing European law most clearly has the opposite: Employer has zero rights to see anything unless there’s prior evidence of some malfeasance or malfunctioning (e.g., performance problems – of the employee, not of the infra…). So, blanket or categorical surveillance (or blocking, which presupposes monitoring how the heck else would you detect the to-be-blocked URLs..!?): No sir.

What about the recent spat where a bank blocked Netflix because employees’ use of it at home, using company laptops that Citrixed back to the bank and from there onward, overloaded networks of sad (typo not said, intended to characterise the) bank? Well, a. how dumb can you be to Netflix over Citrix etc, or is one so incredibly cheap (hey, works at bank; apart from the exceptions you know, go figure) that bandwidth cost is an issue? Then maybe you’re too scroogy to be allowed to wok at a bank in the first place; monumental failure of ethics wise, b. in this case, clearly there are performance issues – when it’s noticable on the company network level, certainly it goes for a number of individuals, even if only by disturbing the performance (bandwidth availability) of others. c. there’s no absolutes in what employers cannot do.

But clearly, in just about every case considered today where categorical blocking by blacklisting would be attempted because managers sideways involved in HR stuff would understand what the URL is about, i.e., not-business-related entertainment however SFW or N-, skipping the blacklisting of the really to be blacklisted sites (torrents, malware shops and other rogue tooling),
we have again the panopticon argument of “observation changes behaviour” – and in these times of clueless managers (the less they know that of themselves, the worse cases they are!), you need in particular those ‘users’/employees that go beyond monkey typing away to be creative in their work and find new revenu / cost reduction directions. Which means that when you observe, or only log to be able to observe, you squelch productivity and profitability… Way to go!

Oh, and:

[Not the one mentioned above; HypoVereins München on a heat-hazy day]