Plusquote: You’re not perfect

Even at the Computer History Museum most of the devices on display stopped functioning many years ago.
This time, not one of my own but quoted from Ray. Pointing out that it’s not that bad if you fail at having the perfect IT management (systems/operations) in the universe — even if you’d had forever you wouldn’t succeed so take it easy on the minor non-compliances.

So, this in a series inspired by this here Expert, some more of my own (heh) personal ramblings which I would dare to call motivational soundbites but you would consider to be as typically as this sentence to be my interpretation of brief, not necessarily positively motivational but that’s (yes I do use abbreviations to shorten the sentence even further) because that remains your interpretation but that’s not necessarily the right one being the one I intended.

Capice? And:
[Once – not forever – the newest, carved in / out of stone; Reims]

Somehow, related to Big Data analysis and actions

… Where Rembrandt had an idea of a painting in his head, and executed it in his peculiar way on canvas (after which it became relatively immutable — or paint it over), we now see tons of Big Data (i.e., tons of < whateveryou’dwanttocallit >) and we have to abstract the ideas from it.

So, a reversal. Comparable to the induction/deduction false (sic) counterpoints. The sic since BD gurus don’t seem to ‘get it’ when it comes to nuance over induction’s value.

Yes, I’ll close out for now already. Fireworks approaching, plus:
[Almost-formless blobs, or this? Prefer this direction of design for the/our future… Van Nelle Rotterdam, of course; great architect’s name]

Define ‘Risk’…

This should be an easy one, by pointing at ISO 31000 and its definition: ‘the effect of uncertainty on objectives’. But that same easy def also raises more questions than it answers, e.g.,

  • How to define [ hence | and ] classify effects,
  • How to define [ hence | and ] classify uncertainty (a biggy …!),
  • How to define [ hence | and ] classify objectives,
  • How to establish measurement of effects,
  • How to establish measurement of uncertainty,
  • How to establish measurement of objectives

that all have an impact on, and are impacted by, the definition. Hopefully, I don’t have to elucidate ‘define hence classify’, ‘define and classify’ or ‘establish measurement’ regarding effects, uncertainties or objectives. I’ve been at the subject before (here and many posts since) so much that it hurts, me too. But still, many won’t listen and remain stuck in their proven (sic) mistaken belief that the World we’re dealing with, can be caught in models to ‘predict’ the future and/or at the same time remain stuck in, by now approaching hilarious, classifications like Basel II-IV’s… or the slowly but steadily outdating of the classical information security mantra of CIA — those three classes of objectives don’t cut it anymore.

For the more advanced reader (approx. 90% by now — hopefully), the question remains: How to define and classify uncertainty, effect(s!) and objectives ..? Standard classifications all had their stab at it, but failed for the fuzzy nature of those phenomena. Some leaned to the Uncertainty side, trying foremost to classify threats. Some, to the effects side with their vulnerabilities-first approach — via the Impacts classification. Some even had Objectives in mind when pondering the downside potentials of loss-of-upside potential, including scour-for-opportunities to any (0-100%) degree. And then, there’s the abovementioned surefire laugh over ‘Event’ driven analysis… yes consistency, completeness and orthogonality remain essential.
But above all, none captured the time-fluctuation confluence of causes, effects, impacts, … [what have we] that all have such unanalysable structure. Due to their continuous nature; contrasted to the discrete nature often but cannot-be-more-false’ly assumed. [If you don’t get the fundamental difference between discrete and continuous phenomena, go study core math in depth, length and breadth. Which is helpful against so great many ills of mind…] And due to the enormously-over-three body problem of interactions [link is about grand business not the petty risk analysis kind but the link therein is valid for the above, too].
Modeling in order to understand may work, but only to understand the exaggeratedly dumbed-down model, the conclusions of which if normative are (in this case, there is such a thing as absolute) certain not to apply or work so why bother. Oh, maybe you may bother, to get a feel of your inadequacy. [Note: I don’t feign to be above that. But I don’t allow you to assume you are as that is both a theoretical and practical logical error.]

Yes, yes, I know; there very probably is no One Classification Fits All, then. But we may dream, and strive for it, don’t we ..? And at least be very, very clear about it — it being the approach we do take, and what it might potentially (with the probability being above zero but certainly being far off 100%) achieve. Aren’t GUTs, like the Standard Model or the hyperdimensional string theories, the dreams that stuff are made of, too ..?
As always, your suggestions, please. And:
[Just wait till Etna Says Boom. Or don’t.]

The Bureau of Chaos, by Theory

As a side note to, e.g. this here masterpiece…:
The tendency of bureaucracies to ever further detail its rulesets, that quickly become so burdensome [apart from other ills, ethically much graver], that is evident wherever (top-down) principles are translated in quasi- (not even semi-) mathematical ways, algorithmically almost, to the level of pervasive implementation, stems from the ultimate control approach to life clashing with the ultimate finest-grain detailed descriptions of the universe. Intentional, and definitely normative, description (in order to control! Man over Nature!) banging heads with extensional description.
Which will petrify, then fail because it creates its own Chaos structure, as described here. Where ‘repairs’ to the System are attempted over and over again since the initial values were not infinitely exactly known, can never be. So, one builds rulesets that behave like fractals (zoomed into), in particular when studied to understand and maybe subsequently fight.

Still, the Why of latter-day Bureaucracies (for once, I tried to avoid the overly negative, accurate and pejorative ethical (and esthetical) qualifications I commonly give to these totalitarian, inhumane structures — the latter qualification because of the Will to un-humanize it all) remains in doubt, as the Man over Nature thing (setting rules, hence achieving predictability) is somewhat less valid than otherwise; a bleak reflection of what we feel is a better description of motive.
[Intermission: Be aware as you were, that the b rulesets might be the spelled-out kind but the unwritten rules- social group kinds are also included.]
Ah, back to Maslow, maybe? Yes, yes, was dissed over the past couple of years; attempted to — and failed, probably due to unawareness of its deep values and not only superficial Meaning. Exceptions, the uncontrolled (by definition, and as the Outside is by definition, too), are threats to the achieved in that pyramid. ..? Though the higher up one is, the better one can handle ambiguity, uncertainty, the unexpected, black swans and Extremistan.

Just wanted to put it down for you. And at last a somewhat positive turn, I’ll leave you with:
[Royal waiting (room) for Godot (i.e., National Railways everywhere), Amsterdam — notice the almost perfect horizon .. little less perfect but hanging in there … whoops! of the horizontal orientation]

Signalling healthy process

Yet some more cross-over ideas from the IoT world into the administrative bureaucratic office world: Streams of transactions as signals.
Of the health of the process, of course. To be defined, obviously, as the fit to the surroundings. The fit may be off, either intentionally (wanting to let the world adapt to the process, enforcing (?) change) or unintentionally left blank, i.e., having to cope with exceptions to what was envisaged as transactions’ content or form.

Now apply yesterday’s first picture of process control.
Now, too, consider what one could do with sampling theory (as a subset of ‘Shannon’, if properly elaborated, possibly skirting with ‘classical’ statistics ..?). Taking 2log(n) samples (where n is the number of transactions ..?? Just a wild guess) and being able to reconstruct the ‘signal’ then taking its integral (discrete transactions … just summing it up ..?) for the total. Or Fourier-transforming it all and … get your basic theory straight before dreaming of moving on so don’t start at the other end as ‘accountant’…! And/or treating exceptions (as e.g., found by the sort of analysis that these girls/guys are so good at; that not even being meant as a cynical qualifier) as noise to the signal. Never fully suppressable, but useful to pick up secondary signals, stacked in their variation of frequencies, amplitudes and wavelet transformations. That all tell you something, if you listen. Whether you want perfect, over-HiFi replay [intermission: Ugh I’m getting old, even knowing that HiFi was a thing…], or lively veracity, actual fullness of music. And take in again the ole’ industrial process control with its recipe / derivative function(s), et al., and be able to better control it all from the ‘dashboard’ in the control room. When all of the routine stuff, the routine 80%, of business is done by … ‘robots’. Humanoid or digital-machines, IDC.

And hey, while we’re at it, why not throw in attempts to include in bookkeeping not only discrete numbers (arbitrarily rounded to hundreds, of random currencies) but Real numbers or even Complex numbers as well ..? The latter, e.g., to indicate VAT surcharges, etc.; leading to tuples-as-single-‘numbers’ in bookkeeping. Maybe somewhat harder to track that all is booked correctly, but also maybe powerful in capturing singular transactions and some processing rules/logic, and controls, in one tuple (‘record’).

Where AI may then be applied to do sanity checks. Not on this author; no AGI or ASI would suffice…

OK, for now:
[“What a shoe box” but yes that *is* the Bata shoe museum, Toronto]

Attached ITsec

OK, I’m a bit stuck here, by my own design. Had intended to start elaborating the all-encompassing IoT Audit work program (as per this post), but the care and feeding one should give to the methodology, bogged me down a bit too much … (?)
As there have been

  • The ridiculousness of too much top-down risk analysis (as per this) that may influence IoT-A risk analysis as well;
  • An effort to still keep on board all four flavours of IoT (as per this), through which again one should revert to more parametrised, parametrised deeper, forms of analysis;
  • Discomfort with normal risk analysis methods, ranging from all-too-silent but fundamental question discussions re definitions (as per this) and common approaches to risk labeling (as per this and this and others);
  • Time constraints;
  • General lack of clarity of thinking, when such oceans of conceptual stuff need to be covered without proper skillz ;-] by way of tooling in concepts, methods, and media.

Now, before jumping to yet another partial build of such a media / method loose parts kit (IKEA and Lego come to mind), and some new light bulb at the end, first this:
[One by one …, Utrecht]
After which:
Some building blocks.

[Risks, [Consequences] of If(NotMet([Quality Requirements]))]
Which [Quality Requirements]? What thresholds of NotMet()?
[Value(s)] to be protected / defined by [Quality Requirements]? [Value] of [Data|Information]?
[Consequences]?
[Threats] leading to [NotMet(Z)] with [Probability function P(X) ] and [Consequence] function C(Y)?
([Threat] by the way as [Act of Nature | Act of Man], with ActOfMan being a very complex thingy in itself)
[Control types] = [Prevent, Detect, React, Respond (Stop, Correct), Retaliate, Restore]
[Control] …? [ImplementationStrength] ?
[Control complex] UnlimitedCombiOf_(N)AndOrXOR(Control, Control, Control, …)
Already I’m missing flexibility there. [ImplementationStrength(Control)] may depend on the individual Control but also on (threat, Threat, …) and on Control’s place in ControlComplex and the other Controls in there. Etc.

Which should be carried out at all abstraction levels (OSI-stack++, the ++ being at both ends, and the Pres and App layers permeating throughout due to the above indetermination of CIAAEE+P for the four IoT development directions, and their implementation details with industry sectors. E.g., Medical doing it different than B2C in clothing. Think also of the vast range of protocols, sensor (control) types, actuator types, data/command channels, use types (primary/control, continuous/discrete(ed)/heartbeat), etc.

And then, the new light bulb as promised: All the above, when applied to a practical situation, may become exponentially complex, to a degree and state where it would be better to attach the security ‘context’ (required and actual) as labels to the finest-grain elements one can define in the big, I mean BIG, mesh of physically/logically connected elements, at all abstraction levels. Sort-of data labeling, but then throughout the IoT infrastructure. Including this sort of IAM. So that one can do a virtual surveillance over all the elements, and inspect them with their attached status report. Ah, secondary risk/threat of that being compromised… Solutions may be around, like (public/private)² encryption ensuring attribution/non-repudiation/integrity etc. Similar to but probably different from certification schemes. Not the audit-your-paper-reality type, those are not cert schemes but cert scams.
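
The labelling idea above, sketched as an added example (not code from the original post): each element of a constructed four-node mesh carries a label with its required and actual security context, and a sweep verifies every label before reporting gaps. The aspect names, the 0-3 levels, the element names and the key are assumptions; a keyed HMAC stands in for the public/private-key scheme the post suggests.

```python
import hashlib
import hmac
import json

# Constructed demo key. The post suggests public/private-key schemes; a keyed
# HMAC from the standard library stands in for that integrity check here.
LABEL_KEY = b"constructed-demo-key"
ASPECTS = ("confidentiality", "integrity", "availability")  # assumed aspects


def levels(c, i, a):
    """Security context as assumed 0-3 levels per aspect."""
    return dict(zip(ASPECTS, (c, i, a)))


def _mac(element_id, required, actual, key):
    body = {"id": element_id, "required": required, "actual": actual}
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def make_label(element_id, required, actual, key=LABEL_KEY):
    """Label one element with its required and actual security context."""
    return {"id": element_id, "required": required, "actual": actual,
            "mac": _mac(element_id, required, actual, key)}


def inspect(label, key=LABEL_KEY):
    """Return (status, gaps); a label failing its MAC is never trusted."""
    expected = _mac(label["id"], label["required"], label["actual"], key)
    if not hmac.compare_digest(expected, label.get("mac", "")):
        return "tampered", []
    gaps = [a for a in ASPECTS if label["actual"][a] < label["required"][a]]
    return ("gap" if gaps else "ok"), gaps


def sweep(mesh, labels, key=LABEL_KEY):
    """Inspect every element; list healthy elements adjacent to failing ones."""
    report = {e: inspect(labels[e], key) if e in labels else ("unlabelled", [])
              for e in mesh}
    exposed = sorted({n for e, (status, _) in report.items() if status != "ok"
                      for n in mesh[e] if report.get(n, ("unlabelled",))[0] == "ok"})
    return report, exposed


def demo():
    """Constructed four-element mesh: sensor, actuator, gateway, backend."""
    mesh = {"sensor-1": ["gateway"], "actuator-1": ["gateway"],
            "gateway": ["sensor-1", "actuator-1", "backend"], "backend": ["gateway"]}
    labels = {"sensor-1": make_label("sensor-1", levels(1, 2, 2), levels(1, 2, 2)),
              "actuator-1": make_label("actuator-1", levels(1, 3, 3), levels(1, 2, 3)),
              "gateway": make_label("gateway", levels(2, 2, 2), levels(2, 1, 2))}
    labels["gateway"]["actual"] = levels(2, 2, 2)  # edited after signing
    return sweep(mesh, labels)  # backend carries no label at all
```

The gateway label was rewritten after signing to hide its integrity shortfall, so the sweep reports it as tampered instead of trusting the claimed levels, and the healthy sensor is listed as exposed because it sits next to it.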

OK, that’s enough for now. Will return, with some more methodologically sound, systematic but also practical results. I hope. Your contributions of course, are very much welcomed too.

Not so self-driving

Errrm, after reading this Slate article, what is the ‘self-driving’ the car does ..? It’s just fitting into the template of the world laid out, not self-driving with ‘self’ being autonomous and aware.
Though I’m not fully in agreement on the conclusion, I do recognize the comparison in the early paragraphs: The G’s self-driving one as the Newton. But that was handsomely overtaken (intended) by the handhelds of all sizes that are ubiquitous today. As the article already hints, it’ll be a matter of AI creeping into our cars in all sorts of ways, when we suddenly realize how close we are to (or past the point of) true autonomy. But we’re not very close to that, yet; the jumps to be made may be much bigger than the Newton-to-Android-phablet one. Not being able to cope with any but the finest weather … Ugh, if one had known that, no-one would have claimed anything about self of driving, right? Where are the permits to road-legality (CA, probably already, UK 2015/2016 it was?) going to if mere sleet and fog may destroy safety?

By the way, did you notice the similarity with what happened to Glass ..? “Yes indeed, where has that gone!?” Well, it turns out it was a good try for Big G and now has vanished due to the public denouncement, through ridicule and physical backlash. So… next time, the tech will be unobtrusive, secretive, so you’ll not be able to detect or defend against it… Big win, not. So it will go with cars. Till the next round; then: Sneaking up on you, then be inevitable.

OK, I’ll leave you with yesteryears’ gloomy perimeter defences:

Black / White

Just in case you thought that men (the typical kind; you like generalisations, apparently) know only black and white, or if pushed, also red, blue, yellow, green and brown, and women (see how overgeneralized this argument is?) know so many more as in this – then there’s also this
Wouldn’t it be stupid to ask for some easier (to remember!) classification / labeling?

And the pic; what colour this house …?
[Old analog->digital… Utrecht]

Mo’Data, Mo’Problems

Some time ago, I was triggered by this tweet (by @meneer; no surprise in that):

that somewhat-translates (i.e., manually, however clunky still better than machine translation as that doesn’t get Dutch unstructuredness…) to: “Bizarro weather picture again: forecast #somechannel/app from the South-East to the North-West, #someotherchannel/app from the North-East to the South-West” referring to some predictions about clouds and (turned out quite torrential) rain passing over the minute geography of the Netherlands.

And another about this article – that explains, in a more scientifically styled prose, that having ever more data makes it ever more difficult to connect the dots you’d want to connect…

Both of which are poignant reminders that:

  • Big Data is not a tool but a mere tool, to be used very carefully even (or in particular?) by the few that have really big data sets. If you collect focusedly, it can hardly be called Big, rather ‘Smart-‘ or just plain ‘data analysis’, no more; if you collect as much as you can, you are destroying objectives achievement – the required method destroys the results;
  • If, very big if, Big Data would result in anything, why haven’t weather predictions improved ..? The enormity of data that had already been around in that arena for decades, will have exploded over the past one, and should have resulted in far better predictions instead of the worse that the predictions seem to have gotten. And we’re talking patterns, not even the zoom-in to tinier details that one commonly associates with BD (the major patterns are usually skipped for being too well known already). Hence, what hope would we have for other areas..?
  • Reliance on apps for info is getting more and more dangerous, almost literally so far, but in an indirect sense, already, widely. What if… when now as already well-known, some search giant might have monopolized Search and skews the results you get…? That would theoretically be a disaster. Oh.

So, think again, be ever more critical of Shallows app usage and reliance… I’ll leave you with:
[Lucca: ‘modern’ Italian parade]

Maverisk / Étoiles du Nord