Seamless complacency, rise of the crackers

Yes, seamless integration as, e.g., pursued by the likes of Appl, may polish some edges of the roughness of the world. OMG! I have to turn this plug over to make it fit! The horror! Why didn’t someone fix this!?
Such, to be shipped to the battlefields of the Middle East and Africa, traumatised at the bus ride already.

And, the consumerism, the ultimate ideal of marketeers and Silicon Valley alike, will bring both down crashing. Because the ideal of consumerism everywhere, will also, does already also, pervade education, leaving (achieving its goal at) numb drone consumers – that have no means of income as they’re too mediocre at far too low a level to have any differentiating value (of potential (work)); a vicious circle – that will not be able to see value in services offered but moreover are incapable of building the Next Thing or even maintaining the old.

That will be left to
a. The ever shrinking (!) money(sic)-mostupper class. Not true class!
b. Crackers.
a. This of course, till the exponentially spiraling competition of the money hierarchy will result in < 1 slot, in the end.
b. This of course, since there will be renegades, outcasts, that go their own way. And will be legion. As they drop out, are brute- nuclear-force pushed out of the consumerist lowest classes. Suddenly, have to be resourceful – and (t)hence go after the resources… Only outcasts will see the porous base of the systems stack and hack their way into it. Cultural abandonment leading to … this, you know.

Ah, lessons …? Don’t Be Evil, and Be Prepared. To abandon. ..?
Whatever, there’s still:
[Metropolis… La Défense, many years back]

The beauty of variance

Oh why did we think that mere straightforward compliance with one definitive set of rules (however principled, or detailed) would achieve anything worthwhile ..?

Why didn’t we consider the inherent, innate beauty of variance and variation, beyond mere secondary usefulness in resilience/robustness ..?

Because reasons. The perennial one being Fear, probably. Fear of uncertainty. As there’s downside risk in that. Where all the risk management still focuses on. Yes, no, no denying that; all models still have any ‘impact’ of any ‘event’ as a single negative number. If (in the every-part-but-when sense) we would include positive, good possibilities and outcomes to count as well, wouldn’t we end up with zero average impacts in many places ..? Like the great many places where non-compliance is conscious just because the entrepreneur wants to achieve something worthwhile hence other than compliance ..?

But what if we turn risk management into the brushing off of the rough edges of beautiful sculpturing that entrepreneurs and true managers do ..? Chiseling away grey/gray unusable material to keep the beautiful statue that was in the stone already to be released ..?

Those that want nothing to bloom may await nothing but their ignominious and insignificant death. In the meantime, don’t bother the ones that want to achieve something, please.

After which I remind you: That’s all secondary talk. Primarily, seek the beauty of variation for its own richness. Hence:
[The view from my field office, once. Y2K was a party on St. Lucia…]

Partially compliant: as a solution

I was recently informed by a respected colleague in a peer-to-peer discussion (see; they’re useful!) about a development of his in the Compliance arena.
About not having just one single Statement of Compliance that all too often wipes deficiencies under the rug for the sake of agreement everywhere. But having two, one on (first-lines’) management awareness of deficiencies as things to actively manage and actively discuss with second and third lines, and one on abstract, ‘anonymous’ no-blame control effectiveness.

So, when the Three Lines of Defense would actually work (yes I’ve ranted against that on this blog frequently as the simpleton approach inherently can’t work!), first-line management can provide their own list of control deficiencies, and the second and third lines can only confirm and not add much at all. Then, the first line is in control (all is well and/or known-and-WIP), over their own stuff. Hence, awareness ✓ effectiveness X. When the first line doesn’t have much but the 2nd/3rd lines add quite some (other) things, awareness is X and effectiveness is undetermined. Only when the first line doesn’t have much and the second/third lines cannot add quite a few things, will awareness be ✓ and control effectiveness be ✓.

Which sounds like a far better, and in practice far better palatable approach than just one messy jumble-together undetermined opinion. For which I leave you with:
[The bus buck stops here at this chaotic (?) shelter; Aachen. In Control statement: similar]

Tip: Morozov’s Click Here

Ah, maybe I’m the one not having paid attention, but I see so little response (which would be: digesting and repeat) of the ideas of the great Morozov in his To Save Everything, Click Here, as e.g., here (to be clicked).

Which is quite a contrast with his content, having a major discussion area in itself, about every other paragraph throughout. Yes, that makes it just a little bit harder to retain the main plot (?) line and the ‘details’ as well; it seems a bit like the asymmetry in information security where the defence will have to fight (? debate, rather) on all sides when attackers (the ones with the blindingly large blinds/blinkers on, headless chickens) can move their individual spearhead attacks forward anywhere – but in this Morozov case, one can count on the defense having the much more and more importantly, much better, arguments on its side. One should not count arguments, but weigh them (Cicero).

“Huh, no content of the book here …” Indeed not. Get it and read! I’m off now to finish reading, leaving you with:
[Ah, the one little part where The Hague is somewhat like a big Milanish / Parisian city; unedited hence the off light conditions]

Sing-Singularity, and/or Shannon

Though we know Shannon for his contributions to ‘computer science’ (Don’t we!? If not, go study. And wash your mouth with green soap or so) – the field would hardly exist without his groundbreaking concepts, on par or lower (sic) than Turing maybe – and we all do remember log2 measurements as minimum to reconstruct a signal don’t we? – I rediscovered this piece and wondered … how well you’d know it, and how fundamental to even the IoT now springing up, and … most importantly, what would the ramifications be for all of the discussions regarding the Singularity, pre-, midst of and post- ..? I mean, the discussions will tilt once the profundity of the Work is taken to heart.
I think. Now will go and study. Hard. And:
[Old analog (log2!) Zuid-As indeed]

Just Wow… 2 links

Two great halves of one Magdeburg (hemi)sphere (as here, duh) in this and that. Describing and explaining (all in one, or …) the vast field of pre- and post-singularity thinking by the eminent Dr2 Urban. What an excellent intro for all to study… (though should be taken with the subtitle from this).

After being passed left and right on so many aspects:
[Cala St. Exupéry (analog circa 1997)]

Power failure after the Singularity

What would happen if, after the Singularity which is Near anyway, there is a massive power failure ..?
Actually, many things can happen. Unordered list:

  • Depends on the scale of the power outage. Let’s assume a minor one (affecting just one continent) will give Mad Max like breakdowns but in the end only a scar will remain. A medium one (affecting several but not all continents) will, after the same, prolonged, downturn, recover to an amputee or severely set back world. A major one, a power outage everywhere, well …
  • If we’re just past the Big S, we could recover; the Mad Max scenario would be to the later movies only not the earlier ones.
  • If we’re already some way into the Nirvana scenario(s) of ASI (see via this post) helping us out in everything, we (the affected) have a Problem as we may not know anymore what and how to do to survive and/or to restore. Old people may remember some things, but maybe (already) incompletely and wrongly (with error). The Old as your BCM plan B. Younger people, will not know a thing. So what the oldies may do (at all) may seem like magic.
  • If we’re already some way into the dystopian scenario(s) of ASI, our demise will be sped up…
  • If we’re already a long way into either scenario, we may collapse as a species (‘locally’ or globally, as we’re a long way in already we’ll be complexily and not-unravellably connected, linked, and intertwined and degenerated through and with / in technology).
  • If we aren’t anymore and the world has just the ASI, no humanoid animals anymore: Either resilience will restore things (possible in the minor scale scenario), or suddenly, the lights will go out globally. No humans, no intelligence, no Hegelian Ratio. Maybe pet animals. You know, cats watching cat pics and videos and not caring about anything else. The horror? Not to them.
  • Just one on likelihood: When ASI takes over, it will assume grandeur and hence not care about BCM / redundant or back-up power supplies as it will presume to be able to predict everything. But a meteorite strike… heh, that’ll teach it … ;-| Or, of course, the all-too human (sic) hybris will make the Big S not see a systemic flaw.

OK, enough for now:
[Relevant! Analog pic, on ‘film’, you know. And, of a former (!) power station…]

My Opia

Not being your topia anywhere or dys here topia or whatever.
Was struck by the surge in posts, columns, articles about security in IoT. Because it appears to indicate a need for a new index. Being on the level of myopia one needs, to understand the hype value (a la this). Or hyperopia (?). Or rather – what’s it called when one’s view is narrow, or broad ..? That was what I was after: With the above-linked Second-biggest G.’s Hype Cycle, one should have a perpendicular index of width/breadth of hype and/or potential impact. So that when one would consider oneself to somewhat suddenly be caught in relatively speaking the in-crowd of, purely e.g., IoT and IoT security/privacy issues that one has steered oneself into, it would come as no surprise that suddenly though with some lag, one sees the posts, columns, articles flying around on the same subject without any real news or rather more (for one!) Been There, Done That type of news reporting. For others, the news may be news…

A second aspect would be: How to position oneself. Doing hardcore research style environment scanning and reporting on that in traditional and SM media, would quickly become impossible as any field of study explodes in width and depth as it gets off the ground, leaving the actual keeping up with all developments to be impossible. Even when your cutting edge development reporting wouldn’t catch on but with a few aficionados at the very most, and when you’d wait until aspects have crystallised to clarity far enough to be understood by your mainstream audience (if any), the subjects have a. watered down beyond being interesting to you, b. watered down beyond recognition still for your audience, c. still not yet reached interest-through-urgency / -news-value for them.

Whatever. Just an idea; any of your help in developing such a sight/scope index is very much appreciated…

In advance:

[Pretty close, no mirage; Segovia]

Better IoT privacy

Oh, I’ve been outdone again, in some ways. Which isn’t a big deal; ’twill happen to you, often, too. This time, it’s about the IAM in IoT that I signalled here and here, here, and here as a generic problem. Correct: Challenge.
Which all was readable. Hopefully. For all dealing with the stuff on a monthly basis (ahum, ‘weekly’ or ‘daily’ wouldn’t make sense; you’d be ahead of me probably…) that is. For a more general explanation, one can now turn to this here piece; much better at generalpublicspeak than I’d produce when diving onto it again.
Oh well. This:
[Somehow, typically Madridean ;-| / Southern European / Latin style]

All against all, part 6; loose ends

OK, herewith the final-for-now Part VI of the All Against All matrix-wise attack/defense analysis labeling. This time, about tactical content of … mostly, the defense matrix of edition IV.

Where I wanted to do a full-scope in-depth analysis of all the cells of Matrix IV. Not the sequel but the actual original defense posture strategy matrix. Because that was put together in a straightforward sloppy way anyway.
But then… I wanted to detail each and every cell according to this here scheme:
[Image: Anti-F 1]
After further analysis along the lines of this here approach:
[Image: COSO_2013_ISO_31000-english]
but mixing that quite hard, according to this previous post of mine (certainly the links contained therein, too) and a great many others contra bureaucratic approaches… but also mixing in the guidance of (not stupid compliance with!) the new one that at last, has quite some ‘user’ involvement in it. But still is based on both the top-down and the step-by-step fallacies a bit too much.

But it’s late and I don’t feel like the tons of effort involved. Yet. Maybe in a future enormous series of posts …
And should include references to OSSTMM here, too. Because all of the above, in the super-mix, will have to be checked and sensitized (is that the word for checking that it all makes sense?). Short of the word ‘audit’ where the respective profession (a trade, it is… at most, a role) has let us down so much. If only by the kindergarten zeal about ‘governance’ and ‘value’ – phrases so hollow (or circularly defined) that they’re not worth the ink (light) they’re written with, when used in the auditors’ contexts.
So, OSSTMM may help. By inspection where the rubber meets the road. And fixing whatever needed to be. Duct taping the last few bits, where the beautifully AutoCADded [anyone remember what that was (for)!?] frameworks failed in the machine milling. Or 3D printing, or whatev’, due to design failures due to requirements failures due to failures in common reason at the upper levels…

Now, with all the all against all posts (1 to 6 indeed), would you be able to advise Sony, and the others, how to be better protected ..? You should. Or re-read the whole shazam until you do…

After all of which you deserve:
[Cologne, of the massive kind]

Maverisk / Étoiles du Nord