Mostly on wine. Also: IRM/InfoSec/I-Advisory and -Audit services. Positive contrarian, inspirator, loosen-upper.
Sometimes one feels like one’s in a partial Gourndhog Day or 2:22 …
When 7 december 2006, there was this meet about the maturity of infosec, as a field. Which was compared, by Yours Truly, to the then (and now!) equally immature IS audit world – which had a couple of decades more under its development belt but was is still quite immature still.
Then there’s the first paragraph of this. ’nuff said..?
And:
[This, still fresh which is a different thing …; Barça of course]
Dindn’t we feel it coming, if not in the air tonight than at least, after we signalled that BIOSes had been targeted… that there’s always a layer deeper one has to be on guard for infosec leakage and backdoors… How did this ‘surface’? Bypassing all the O/S features …
Just putting in down here. E.g., which, how many, platforms would be vulnerable to this; how much and what sorts of traffic could you send around through this …? Would one be able, when in so deep, to pick up system/sysadmin/root rights/credentials when browsing around ..?
And here we (not) are, all fleeing to the End User Is Stupid mantra, away from our own failings in tech but hey, users are the weakest link so we shove tons of hard protocol i.e., stupidity, on them. And burying them in awareness smotherlectures, instead of creating real behavioural change.
Oh well. And:
[Buried under the tons of network traffic, there’s a pay(ing)load you see? Nyagra]
This of course being the right message. If you can read it when I Send it you. And, for your viewing pleasure:
[Anonymous but blurry and far from privacy-complete, this physical cloud exchange…; NY Grand Central]
If you expect some fable about budgets; not so much.
This post’s about the generation thing called the Goldielocks syndrome – every generation (aren’t they ever shorter, these days?) believing that they had it, and made the society they ‘created’ no less, better than any generation before and after them.
For many generations, tech is still something that ‘came in later’ [venturing that even the newest ones, will see major tech-driven societal / tools changes in their lives], and information security nitty-gritty stuff is a major part of what they experience of that technology.
And ‘we’ (all) have done a very poor job of making it easier, actually improving over what was, to take away rational arguments for the G syndrome. We rather have heaped tons of infosec micromanagement of the worst kind onto the mere use of the technology, not even mentioning the troubles in the content where automation turned into change and inefficiencies of the polished work that was, and all that to cope with issues not in the actual work but in the operation of that very technology and its (sometimes gross) imperfections that didn’t exist before.
So, we may have to re-strategise and re-implement about all that we have, qua technology and qua information security dyeing on top and after it.
There’s other reasons, too. And:
[When defences were, quite, a bit less buggy; Haut Koenigsbourg]
Again, the reference in the title is useless but may attract more readers through Timeline/Prio Gaming(™ from now on) – and, this in return might have referred to the title but yet again, close but no cigar (again, less chances of a Cuban, anyway, for some by their own mistake).
What I meant was that humans are targeted by hackers since they’re so vulnerable read stupid may be true — relatively… actually meaning apparently Technology and [the empty shell phrase of; ed.] Process may be so perfected that hackers have nowhere else to turn to.
That, of course, is not true. Simply, false.
When looking at the disastrous error rates (bugs to be fixed, sometimes easily) in software, how would anyone be able to claim Technology is anywhere near kinda OK. And Process… Show me an office (however formal, or strikingly similar to a coffee shop of not the Amsterdam original kind, or any beach with WiFi [→ why aren’t we all there, yet …!? ed.]), and show me a ‘process’ there. Wrong. All you can show, is either concrete, chairs, etc. even if of the kanban billboard kind [how idiotically silly can one get ..?], or humans. I.e., Technology or People. Neither of which is Process. No, printer paper with some ink blots .. also not process (descriptions) but Tech..! Don’t believe the lies, people! Process doesn’t exist!
So, we have something half-crappy [surprise this blog editor still runs … ;-] and something non-existent, … and People. On what now would you want to build your security?
Ah, on the People that are the most flexible, attentive (to business objectives, not your overhead), and creative (well… but including the most meta<sup2 of abstract/meme evolution evah) that Nature has ever developed with her genetic algorithm play of Evolution.
Where did you leave your own mis- and totally-zero-understandings on Humans, to pursue Tech and “Process” (quod non) solutions to Human threats ..? Why weren’t human threats from the word Go protected against by the best that human defences could muster to protect human vulnerabilities ..? Not only qua passwords, with a method aligning with cardinal sin number …. [should re-read the Bible for that; ed.] being the quest for ever more money i.e. including the protection of what you have (see the link). But qua overall about-all controls you’d need. If done right, I bet a lot of tech controls would dwindle in significance (and possibly be executed much worse than today; zero gain).
Now I start to ramble. But you get the point, and you get:
[From here, the Strong came in. NY]
Always pleasant, to read one’s (almost…) correct, on off-off-Broadway analysis and postpredictions. Like this one, corroberated here, in a way.
Yes, I kno. I almost got that correct. Enough to confirm the line of reasoning, if you read it / both correctly, they turn out correct. I’ll stop now. And:
[Check, for Dutch ad viewers; Valencia]
Now that it by and large seems to be that GDPR hypestuff is mostly pushed into the legal corner, … let it stay there. Let the others do their job, and reap all the benefits. I.e., via the avenue (required budget-wise; wildlands qua budgets received) of data discovery [Uchg ugly word I meant inventory] / data minimalisation/cleansing / data security [the old way, like information security, not the #ditchcyber fail] towards magnificent efficiencies in IT ops, and much clearer, exponentially better profile’able data even if Big.
Hey, the DPO was so self-inflatedly Important, right? Let him (sic) handle all the fan mail then… Let him panick-crash during every high-pressure breach BCM handling.
And then a. get fired, b. get sued, c. get replaced by yet another legal scholar turned business savvy (quod non) ‘executive’ [who executes who?].
But … in the mean time, someone would have to discharge the DPO. Not from internal audit because they’re part of the problem organisation.
OK, let’s have that done by an external auditor, then. A specialist, hopefully.
Hereby my claim to that specialty. Will develop fully-compliant methodology, will travel (charging expense…).
And:
[As an external auditor specialist, I love to have this sort of view; NY]
Am I the only one with questions how the following intertwine:
An article on how quantum-secured blockchain may be so safe, but possibly not in the hands of whom you’d want it? If in anyone’s hands at all, since no-one can be trusted forever; if you wouldn’t believe that, you declare yourself incapable of discussion on this subject…
A most brillant blog post on a related subject.
An equally insightful piece on how blockchain-of-command would lead to Totalitarianism.
An equally … Being the Why Johnny Can’t Encrypt, 2017 version. Notably, the previous versions hadn’t been patched properly…
So, you see a Perfect Storm or what ..?
Plus:
[Why did you cross the street, you chicken? M’drid]
As by now you have become accustomed to, this isn’t anything about five steps, or success. Or, I mean, the latter, maybe. Was triggered by the to be, should be classic on all thing #ditchcyber ψchology, where it discusses the lure of games and the reward structure therein. From there I wondered three things:
How can we deploy true gaming (not the quiz / survey kind) in raising, and maintaining, awareness in information security praxis for end users? Like, not the Training kind, but the Knowledge → Attitude → Behaviour – into eternity kind. For end users, and for infosec-(more-)deeply involved staff, differentiated.
The latter, probably requiring training upfront, but towards actual technology deployment, tuning (!) and use. And, moreover and probably much more important to get right, BCM style training. Train like you fight, then you’ll fight like you train. Since when it comes to damage control (and in infosec, the “it’s not if but when” is even harder fact than elsewhere!), one wants to have trained all on cool, controlled response not mere panicky reaction even more rigorously than in about any other direction.
Where does the Nudging part come into gaming ..? The thing, nudging rewards and penalties, is in use everywhere in public policy, to inobtrusively (sic; by governments yes, beware of the Jubjub Bird!) coerce people to change their social habits. At least a frog will jump out of slowly heating water… [Yes it does. But how did you want to jump out of the complete, total slavery of the Social Contract ..? You can’t. You’re bound from and by birth. You’ll be a slave forever, the more so when your mind is free…]
But besides; how do ‘we’ use nudges in infosec behaviour change games? How, in daily mundane practice where attention is to other things only, not to infosec as that stands in the way of efficient objectives realisation ..?
Third, how are the above two things combined, through ‘intermittent rewards’ as the most addictive element in games ..?
Just wanted to know. Thanks for your pointers to answers. [Have I ever received any? Nope.] And:
[On a bright day, for Stockholm, the Knäckeboat museum]
When dealing with awareness, certainly in the infosec field (#ditchcyber!), there seems to be a lot of confusion over the mere simple construct under discussion. Like, the equasion (with an s not a t) of Awareness with Knowledge plus Attitute plus Behaviour. Which, according to the simplest of checks, would not hold. Since Knowledge, and maybe Attitude, are apt components. But Behaviour is what eludes the other two, by the unconscious that drives 95% of our behaviour, in particular when dealing with any but the most hard-core mathematical-logic types of decision making and interaction.
Which is why so many ‘Infosec awareness programs’ fail …
First of all, they’re Training, mostly, even when in the form of nice posters and QR cards [that’s Quick Reference, not QR-code you history-knowledgeless i.e. completely clueless simpleton-robot-pastiche one!], and it’s true that “If you call it Training, you’ve lost your audience’s want to learn” – your audience will figure out it’s Training despite you packaging it differently; they needn’t even explicitly but intuitively (the level you aimed for, or what?) they will.
Second, all the groupwise that you do, doesn’t reflect in-group dynamics at the actual workplace and work flows, nor does it reflect the actual challenges, nor the individuals changing moods (attitudes). Oh the latter: Your attempt at changing Attitude is geared towards A in relation to infosec but that’s only such a tiny, so easily overlooked and forgettable part of the A all-the-time in the workspace.
Third, and arguably foremost, to plug ‘arguably’ as a trick’let to appear more interesting, What you aim for is not blank flat knowledge, nor even attitude, but Behavioural change. Do you really use the methods to achieve that ..?
No you don’t.
Oh and of course I titled this post with something-something 5, to get more views. Geez, if you even fell for that… And:
[Your kindergarten Board wish they could ever obtain such a B-room; Haut Königsburg]
Voor sigaren bepalen we het profiel aan de hand van de criteria Smaak, Balans, Body, Sterkte, Aroma en Finish.
Voor Smaak pakken we het aromawiel erbij. Let wel I; wat u proeft of verwacht, kan gedurende de diverse fasen van het roken nog variëren... En let wel II; er zijn ook aspecten die nog niet zozeer als aroma staan aangegeven in het wiel, we denken aan termen als (ja de sigarenwereld is langzamerhand, helaashelaas US-, Engels geworden) zesty, tangy, floral, en earthy, of soms zelfs metallic. Lijkende termen die een combi zouden kunnen zijn van diverse aromas en papillaire en olfactorische/nasale sensaties en -tactiele invloeden. Hierbij komen termen als 'complex' uiteraard ook bijgepakt, om in dit geval te beschrijven dat er vele aromas herkenbaar zijn. Rustig roken, dat is niet alleen beschaafder en allerlei sigarenrokeneffecten-versterkend maar biedt ook meer kans om aromas te onderscheiden.
Balans is voor de hand liggend; of de zoete, zure, zoute en bittere tonen (OK, en 'umami'...) in balans zijn. Ja, ook bij een sigaar – al zal het meestal gaan over de balans tussen 'creamy' en 'spicy' en gaat het meestal mis door te veel bitter of te veel spiciness.
Body gaat over de volheid, in dit geval vooral te bepalen aan de volheid, dikte, dichtheid van de rook. Die ook een gevoel geeft; 'light' is als een licht bier, 'full-bodied' is als een rechttoe-rechtaan whisky of cognac.
Overigens hoort bij Body ook textuur, 'leathery', 'meaty', 'silky', 'creamy', 'soft', 'succulent', 'woody', 'chalky', 'dry', 'oily' en 'spicy'. Die dus net niet hetzelfde zijn als de aroma-indicatoren uit het wiel; soms overlappend. Niet handig maar zo is het nu eenmaal.
Sterkte is een wat eenvoudiger maat voor het nicotinegehalte van de sigaar. De topbladeren van een tabaksplant heeft meer nicotine dan de lagere bladeren – me(n) dunkt dat de topbladeren zijn waar de plant verder wil groeien en dus betere bescherming nodig heeft van de nico; lager is het wat ouder en 'expendible' dus ga je daar als plant niet je nico op concentreren ..? Waar de sigaar van gemaakt is, heeft dus invloed. Kan je meestal niet kiezen, maar wel proeven. Rustig roken is ook hier handig; om een nico-klap/duizel te voorkomen bij het opstaan.
Aroma dan, vervolgens. Ook hier kan het aromawiel worden ingezet. Vreemd genoeg is het moeilijk de aromas te bepalen als we zelf roken; iemand anders' rook kunnen we beter analyseren. Of we blazen de rook door de neus uit ('retrohaleren'), dan hebben we wel de volle verfijning (ga ik vanuit, lezer!) van onze neus ter beschikking. Bedenk bij het 'benoemen' overigens dat we veel meer uit ons geheugen putten, qua eten en drinken!, dan we wellicht zelf(s) denken. Dus rare smaken herkennen is niet raar.
De Finish ten slotte is kort of lang, naargelang de aromas lang op de tong (sic) blijven hangen. Milde sigaren zijn nogal eens kort – hetgeen niks zegt over de complexiteit, overigens. Hierin zit ook de reden om een zwaar (sterkte)kanon na een milde te nemen, niet andersom.
Als het gaat over de champagnes en hun profielen, pakken we er de (echte en semi-)klassieke wijn-analyses bij die we allemaal wel kennen; onderscheidend in [Hier verder. In ieder geval https://www.wijnwinewein.nl/hoe-proef-je-wijn/ en aromawiel + zuurgraad/tannines/body(viscositeit/alcohol/tannines/smaakintensiteit/mondgevoel)/afdronk + Aanzet/Zuren/Zachtheid/Tannine/Body en alcohol/Afdronk/Smaken dus de aromas bijna-los van structurele criteria. Dan de smaken matchen met die van sigaren, of niet; Klosse's overlap/contrasten erbij halen en dan verder. En toespitsen op champagnes... pak het smaak-plaatje van het CIVC erbij!]
Dear reader; bij deze dus de waarschuwing dat u vanaf hier (?, inderdaad, echt niet alleen hier) serieus te lange zinnen tegenkomt.
Ach, daar ben ik me prima van bewust, mijn hele blog is immers ook een poging tot schrijfoefening in alle facetten. Sommige posts daar blinken uit door korte zinnen en ellipsis; ook deze pagina is opgesteld als tegenwicht. En ik vertrouw erop dat u dat gewoon doorlezend aankunt.
Als voorbeeld: Oplettende lezers zullen opmerken dat onderstaande waar het uitweidingen achter links naar andere pagina's betreft wellicht beter met behulp van OnMouseOver's, alt-tekstblokken of andere tags per pop-uppable item zou kunnen zijn geïmplementeerd maar ik heb het zo gekozen en ik kan best komma's toevoegen in deze zin maar ook dat heb ik achterwege gelaten zonder de leesbaarheid of de begrijpbaarheid in het gedrang te brengen.
Inderdaad, het ontwikkelde, ik schreef, een en ander vanuit een voortdurende, voortgaande research. Na zoeken in het wilde weg algemeen, navraag bij het Comité (iv) Champagne, een aanvullend zelfzoeken met Google Satellite én Street View zowel rond de officiële als in het algemeen, kwam ik tot de Lijst Van (uiteindelijk) 78. De en passant gevonden kaarten leidden tot enige aanvulling. Toen kwam ik Weinlagen.de tegen en tsja dan ben ik niet meer te houden qua sys-te-matisch alle streken én plaatsjes af! Hoewel, ... in onderstaande tabel heb ik maar niet meer voor ieder stuks de Street View erop losgelaten of onderstaand ingevuld. Terwijl ik er vanuit ga dat dit alles nog aanvulling kan krijgen ... Les Clos Inconnus zijn uiteraard zichzelf.
De gangen kwamen al zeer onregelmatig door, en met andere tafels die uitliepen en/of (weer) bijtrokken, tot zeer ver inhalen zelfs, tot gang 6 van de 7 tachtig (schrijve: 80) minuten op zich liet wachten, ondanks diverse malen navraag. Waarna het nauwelijks-opgewarmde pompoen met koude polenta bleek te zijn; "dat hoort zo" ammehoela. Nee, het niet-koude nagerecht erna hebben we niet gehaald; we zijn opgestaan en weggegaan. Die zien ons nooit meer, zeker omdat de bediening ook Zwak was (gangen aan verkeerde tafeltjes serveren want die waren al twee gangen verder), etc. En balsimaco-saus dus, 'et al.'...
Huh, da's écht voor de Insiders..? Inmiddels wel toegestaan als aanplant, maar nog zo'n drie tot tien jaar onderweg voor er de eerste re-de-lijke wijnen van kunnen worden gemaakt en dan is het nog maar afwachten. En dan had je Floreal, Artaban en Vidoc nog niet gezien. Die mogen (in de toekomst) ook... En dan is het Comité Champagne ook nog bezig met kruisingen van de Top 3, Arbane, Meslier, en Gouais. #feest