Information security – Page 11 – Maverisk / Étoiles du Nord

"This is impossible!"

‘tWas not long ago, when all that knew their way in Infosecland (when the land had not expanded and complexified beyond grasp of mere mortals and AI was not yet needed to have taken over) would point at the stupidity of any claim like “That can’t happen here because our security beats every threat till Kingdom come”.
And the claimants would have it, by sheer power play. When dinosaurs roamed, it was in your interest to move over when they’d want to pass.

Now, the dino’s are on the way out (well, the current stock of them; new ones in the wings), and this of course happens.
Where the complete ignorance of the dino’s is displayed by their response, as if something new happened.
Where we haven’t heard enough calls for claw-backs of even standard salaries for, give or take, a decade or two back due to willful and (should-have-)self-knowing incompetence, especially at C-level and up.
But then, justice is served cold, by history making a fool of the true culprits (the authoritarian dino’s) at best, or forgetting them in old Greeks’ second hell as deserved.

Can we be friends now; you being the entry-level kindergarten ‘students’ and the rest of the world you scoffed, as your nannies …? For that:

[At least they acted as proper Night Watchmen; at the Rijks, Amsterdam]

Weird infosec science

Who would have thought — that total surveillance would reach into the house, no / hardly any backdoors need to be built in even.
As explained here, and here in closer-to-humanly-readable form.

If such are the Tempest inroads, who needs the newest-of-highest-tech solutions as they all will all succumb to either trivial complexity-induced-unavoidable sloppiness of implementation, or to circumvention in the above way…?

Of course all of it is an atrocity in ethics but … I won’t be utterly negative about humanity’s future so I’ll stop now. With:

[Art imitating life; Stedelijk Amsterdam]

Risk Chagrins

It’s just a matter of Karma…

As long as ‘risk’ ‘managers’ deal with negativity (admit it; focusing on the negative is even written into quite a number of definitions involved ..!), they’ll become the sourpusses they want to see all around (remember, the “passing back risk management to the ‘first’ line” ..?), and according to which they’ll behave ever more, finding evidence everywhere they’re on the ‘right’ track.
Quod non, but conspiracy theorists as they are, they will not listen …

Oh, and this:

[Your ‘risk’ ‘heat map’, accurate picture]

ChainWASP

… With all the blockchain app(lication)s, in all senses, sizes and seriousnesses if that is a word, growing (expo of course) everywhere,
wouldn’t it be time to think about some form of OWASP-style programming quality upgrading initiative,

now that the ‘chain world is still young, hasn’t yet encountered its full-blown sobering-up trust crash through sloppy implementation. But, with Ethereum‘ and others’ efforts to spread the API / Word (no, no, not the linear-text app…) as fast and far and wide as possible, chances of such a sloppy implem leading to distrust in the whole concept, may rise significantly.

Which might, possibly, hypothetically, be mitigated by an early adoption of … central … Oh No! control mechanism of e.g., code reviews by trusted (huh?) third parties (swarms!) where the code might still remain proprietary and copyrighted.
Or at least, the very least, have some enforceable set of coding quality standards. Is that too much asked …??

I know; that’s a Yes. So I’ll leave you with the thought of a better near-future, and:

[Horizontal until compile-time errors made adjustments necessary (pic); beautiful concept — other than Clean Code, actually executed to marvelous effect]

Fintech: Babble-fork

Coining (pun not even intended as I wrote this — lame non-landing anyway) a new phrase: Babble-fork.
Which is what happens now in the financial industry with fintech:

Banks et al. think they have a role to play in the applications of blockchain technology in the financial industry of the future.
As bc is just a distributed ledger technology [ref. Tapscott the Elder & the Younger], right?
Obviously, dead wrong. Or, ‘the Internet’ is just phone lines between mainframes.

Otherhandly, the start-ups that have no role or place for the incumbents. The start-ups that expect the old ones to die [1:03 of the linked]… and then, it is already a mockery of a flattery to relate the financial industry-that-was with that commander that never made it to captain (Navy); an outright self-delusion of the grandest scale when such industrialists think they’ll still be able to catch up with the innovation tidal waves already rushing to their shores (unseen, over still deep seas until reaching their shallow tropical beach sides ..!).
Since bc is the very counterpoint of centralized (‘trusted third party’-, quod non par excellence!) trust, being the utter distribution of it hence contra anything however remotely approaching the delusion of importance that may still be with the traditionalists.

So, fintech forks ferociously for the financial future as a tenable alliteration runs only so long. But you get it. Time again to ask for the entry password — with the wrong answer leading to …?

Well then, I also have for you:

[Dear Lord. In the Attick; Ams]

Reverse firing squad (LIBORgate et al.)

When designing cross-organizational processes ‘hence’ including cross-organizational control structures, who will be accountable to look after the controls in question?

Take LIBOR(gate). Someone(s) dreamt up a structure of ‘self-regulation’, which even the most brief moronically-superficial gleaning over history will tell will fail, and then forgot one’s accountability for putting in place such a sure to fail thing.

’cause only accountability will force ‘taking’ responsibility and actually doing both parts of Trust But Verify.
No, the latter part was not taken up by the individual banks involved. Because they had perfect (O)RM in place. That, by perfectly sensible, justified, and objective achievement-perfecting arrangements, focused on the risks to the own organisation only as they were, are, internal departments working for the optimization of the organisation (taking into account local Board’s risk appetites and attitudes, risk estimations, budgets, cost/benefit analysis and what have we); nothing more or they would bordering-on-(?)-the-illegally overstep their remit. Hence, intra-organizational conspiracy was not something any individual bank’s (O)RM department, or manager, had to worry about let alone be actively fleshing out as a potential risk.

The supra-organizational oversight required, the level where the scheming took place (huh I mentioned ‘supra’ not for nothing..!), could technically, operationally, tactically and strategically only have been envisioned at that same supra level, with the regulator(s) at that level, that instated the L-scheme. [Oh I could add a ton here on how any ‘lower’ level cannot in any logical way have ‘seen’ the risk(s)] So, accountability and responsibility, for setting up a scheme that was prone to the risk(s) in the first place and for not applying due control and oversight (from the strategic all the way to the operational/technical levels!), was and still is with those regulator(s).

How then have they escaped being kicked and imprisoned ..? By claiming ‘temporary’ insanity where Reality in the L-process and elsewhere, is only a string of ‘temporary’ moments ..? The lack of competence is appalling. But drowned in the finger-pointing flying all around except in the right directions.

Uch. One could get very depressed, and/or feel belligerent. Or see the mirror of a firing squad. In the latter, a number of soldiers fire, with only one round not being a blank so no-one knows who did it so none can be held accountable individually for the collective shooting of some villain. [If only in some miracle world it wouldn’t be that most victims are the Honorable very much in an Aristotelian Virtue sense.] Now, we have ‘one’ regulator shooting a whole squad, and all of the squad are blamed …!?

[Just a MSc uni in Delft. Because science ..!]

Said, not enough

Here’s a trope worth repeating: Humans are / aren’t the weakest link in your InfoSec.

Are, because they are fickle, demotivated, unwilling, lazy, careless, (sometimes! but that suffices) inattentive, uninterested in InfoSec but interested in (apparently…) incompatible goals.

Are, because you make them a single point of failure, or the one link still vulnerable and through their own actual, acute, risk management and weighing, decide to evade the behavioral limitations set by you with your myopic non-business-objectives-aligned view on how the (totalitarian dehumanized, inhumane) organisation should function.

Aren’t, because the human mind (sometimes) picks up the slightest cues of deviations, is inquisitive and resourceful, flexible.

Aren’t, because there’s so many other equally or worse weak links to take care of first. Taking care of the human factor may be the icing, but the cake would be very good to perfect for making the icing worthwhile…!

Any other aspects ..? Feel free to add.

If you want to control ‘all’ of information security, humans should be taken out of the (your!) loop, and you should steer clear of theirs (for avoiding accusations of interference with business objectives achievement, or actually interfering without you noticing since your viewpoint is so narrow).

That being said, how ’bout we all join hands and reach for the rainbow ..? Or so, relatively speaking. And:

[Where all the people are; old Reims opera (?)]

Right. Explain.

Well, well, there we were, having almost swallowed all of the new EU General Data Protection Regulation to the … hardly letter, yet, and seeing that there’s still much interpretation as to how the principles will play out let alone the long-term (I mean, you’re capable of discussing 10+ years ahead, aren’t you or take a walk on the wild side), and then there’s this:

Late last week, though, academic researchers laid out some potentially exciting news when it comes to algorithmic transparency: citizens of EU member states might soon have a way to demand explanations of the decisions algorithms about them. … In a new paper, sexily titled “EU regulations on algorithmic decision-making and a ‘right to explanation,’” Bryce Goodman of the Oxford Internet Institute and Seth Flaxman at Oxford’s Department of Statistics explain how a couple of subsections of the new law, which govern computer programs making decisions on their own, could create this new right. … These sections of the GDPR do a couple of things: they ban decisions “based solely on automated processing, including profiling, which produces an adverse legal effect concerning the data subject or significantly affects him or her.” In other words, algorithms and other programs aren’t allowed to make negative decisions about people on their own.

The notice article being here, the original being tucked away here.
Including the serious, as yet very serious, caveats. But also offering glimpses of a better future (contra the title and some parts of the content of this). So, let’s all start the lobbies, there and elsewhere. And:

[The classical way to protect one’s independence and privvecy; Muiderslot]

Golden Oldie Pic of the Day

Yes, again, since Cucumber Time is early, this year…

Nopsrisk, Irisk

When it’s time, it’s time. Of course, meaning that the tough get going.
Lately, there has been a resurgence in Risk Management. In particular, in Operational risk management. That has been outclassed. Due to, among others, the calimero hanging-on at the tails of financial risk management but having failed to gain traction because the latter’s models were wholly inapplicable and seriously outright unusable for ops risk, due to having no clothes of one’s own (still, the upstart little peasant kid wanted to be emperor), due to having been outflanked by its little nephew of Information / IT Risk Management. That took on the coat of ‘cyber’ (#ditchcyber!) and gained prominence on all the vast wastelands that were left for the picking — and are now overwhelming the heartland with their successes in actual, frontline, FLOT hand-to-hand combat and battles (won).

Time, maybe, to give IRM the prominence it deserves, and forego the subsumption under ops risk ..?

It’s nothing personal…

[Soon again: Serralves]