All against all, part 1

Tinkering with some research that came out recently, and sometime(s) earlier, I had the idea that qua fraud, or rather ‘Cyber’threat analysis (#ditchcyber!), some development of models was warranted, as the discourse is dispersing into desperately disparate ways.

The usual picture suspect:
[Image: Odd shape; maybe off-putting as a defense mechanism ..!?]

First up, then, an extended version of the matrix I’ve been presenting lately, about offense/defense characteristics. Just to expose it; would want to hear your feedback indeed. (Next up: The same, filled in with What the attacker would want to get out of it, information-wise. After that: Strategy, tactics commonly deployed; rounding off with least-ineffective defense postures (?))

[Image: Fraud matrix big part 1]

Merely convicted by PPT

Hm, there was this meme about Death By Powerpoint. Now, the toned-down version, conviction (attempt) by PPT, has been found in the wild. As in this here article. Where the prosecutor was too dumb to not hide the culpable text behind the 24-images-per-second visibility screen. [Is that ‘stego’ ..?]

Incentives, incentives…
[Image: Vic chic]

ID card house coming down

With the ‘eavesdropping’ or whatshallwecallit of the German Defense Minister’s fingerprint, it seems that yet another card was pulled from the infosec card house of solutions. It looks like a distant relative in infosec land, on the ID side, has faltered. Or, has shown to be not 100% perfect. Dunno if that is newsworthy; apparently is.
Though apparently, in unrelated (?) news reports, not all tools out there have (yet) been cracked by TLAs. With Tor and Truecrypt as shining examples, but haven’t vulnerabilities in the schemes of those been demonstrated (at least theoretically)? So, are the leaked documents just bait to pull in as many ‘script’/privacy kiddies into environments where they actually can be tracked? If the leaked documents are false admissions of uncrackability … who can you trust, then?

Or is it all The Return To Normalcy, where we know all and every tool and method are not 100% perfect, let alone in themselves, and we will have to return to do a risk weighing for every action we take – allowing the Other Side(s) to also be relatively lax and fetch only the clearest of wrong-doer signals. This would require:

  • the boys-cried-wolf to tone down a little. Maybe selling less tools, maybe achieving more by more carefully spending the budget; a Win;
  • the n00b and drone mob users (think @pple users and like meek followers) to raise their constant awareness; a Win;
  • the ‘adversaries’ to not want to be perfect Big Brothers. Hard, to admit, and to not utterly destroy human rights, but necessary and sobering; a half Win.

So, … this card house tumble may turn out to be Progress.
I’ll leave you with:
[Image: Fragile new, sturdy old; Cologne]

Postdictions 2014-IV and Final

A progress report on the Predictions 2014 I made in several posts here, at the end of the year. So, going for final verdicts. And quite a score and end result…
I gathered some evidence, but probably you have much more of that re the items below. Do please raise your hand / comment with links; I’ll attribute my sources ;-]

First, of course, a picture:
[Image: Yes, this one one more time, as the future’s the flip side of the past …]

So, there they are, with the items collected from several posts and already updated several times before, hence I’ll just highlight a few things:

Trust ✓ And double-check. Maybe the issue slowed in attention over the course of the year, but… intermediate and final kickers make this one a true ✓
Identity Hmmm, recurrent issues with strength of pwd methodologies, but for the rest… oh there’s XYZcoin with its trust-through-maximum-distribution-and-maximum-anonymity …! ✓
Things Oh absolutely ✓ Or you’re surfing blind. Is that an expression, yet ..?
Social Ello, Viv, etc., and for the rest, it has all been Business As Usual. Which makes it a ✓
Mobile Has truly gone to the Expired phase when all-platform(-agnostic) design has come and gone as a hype and has turned into a basic requirement. ✓
Analytics After the evangelists, now into the BAU lands. ✓
Cloud Mehhh! ✓ It’s Docker that will be next year’s Thing. Note that.
Demise of ERP, the Have almost heard nothing let alone ‘exiting’ about this. So ✓
InfoSec on the steep rise Even if we haven’t seen enough on this!

On APTs: Almost the only interesting thing around, still. ✓
On certification vulnerabilities: In hiding. Still there. Ssssht, will hit. Suddenly. ✓ without you knowing it.
On crypto-failures, in the implementations: Quite some news in the underwires… you may not have noticed, but the in-crowd has. Definite ✓
On quantum computing: – still not too much – which is something of a surprise. No ✓ here. Despite this late entry.
On methodological renewal; as it was: Some progress here and there, close to a ✓
Deflation of TLD As per ERP above. ✓ as the logical and methodological failures have prevented anyone from attaching themselves to it for risk of looking dumb. Except for the ones still clinging to it, where the risk has materialized…
Subtotal Well, let’s call it an off the cuff 95%+, being an A+ indeed.

The faint of heart wouldn’t necessarily want to speak the bold characters out loud. And my new predictions are out there already; see the December 9th post.
Which leaves me to a link that you may want to get for me, for ‘winning’ my own predictions contest. Thank you!

Careful times

This day and age, one cannot be too careful with one’s digital traces. To the point where normal functioning in modern society is impacted. And then, that’s not enough. Your mere existence may cause trouble by you not being the only one recording your life. As in this here piece.

Which, apart from its many manifest errors of thought on the side of the wannabe good guys (absolute n00b sorcerer’s apprentices at best), has this nugget of inhumanity: “The RMV itself was unsympathetic, claiming that it was the accused individual’s “burden” to clear his or her name in the event of any mistakes, and arguing that the pros of protecting the public far outweighed the inconvenience to the wrongly targeted few”. Well, if you think that, you might as well join terrorists in the Middle East; they think the same and wouldn’t be allowed to be at all, in any functioning society.

Well, I’ll stop now before suggesting the ones doing such erroneous thinking should be locked up safely in some asylum of the old kind, and leave you with a calming:
[Image: On how life actually is]

Your info – value

Wanted to post something on the value of information. Then, this came out a couple of weeks ago. By way of some sort of outside-in determinant of the value of (some) information… [Oh and this here, too, even more enlightening but for another discussion]

[Image: who-has-your-back-copyright-trademark-header]
Which appears to be an updated but much shortened version of what I posted earlier. Players disappeared or doesn’t anyone care anymore about the ones dropped out ..?
Anyway.

Yes I wasn’t done. Wanted to add something about how ‘regular’ organisations (i.e., not the ones whose only purpose is ripping people off for their personal data for profit, with some collateral functionality to lure everyone in) would value the information they thrive on, by looking inside rather than circling around the perimeter.
I could see that being established via two routes:

  • The indirect avenue, being the re-build costs; what it would cost to acquire the info from scratch. Advantage: It seems somewhat tractable. Drawback: Much info would be missed out on, in particular the unstructured and intangibly stored. Employee experience …!?
  • The direct alley. Not too blind. But still, hard to go through safely. To take stock of all info, to locate it, tag it, among other things, with some form of revenue-increase value. Advantage: Bottom-up, a lot of fte’s to profit from the Augean labor (Hercules’ fifth). Drawback: the same.

OK, moving on. Will come back to this, later.

Clustering the future

Was clustering my themes for the future of this blog. Came up with:
[Image: Future trend subjects. Sizes, colours, or text sizes not very reflective of the attention the various subjects will get]
Low sophistication tool, eh? Never mind. Do mind, to comment. On the various things that would need to be added. As yes I know, I have left much out of the picture, for brevity purposes. But will want to hear whether I missed major things before I miss them, in next year’s posts. Thank you!
And, for the latter,
[Image: Bah-t’yó! indeed]

A simple explanation of Bitcoin “Sidechains”

Noteworthy. In one sense, a dilution. In another, a move to widespread adoption and acceptance. From which, probably, some unforeseeable, maybe even weird, whole new societal developments may spring.
And, for the heck of it:
[Image: Pre-1998 analog to digital, FLlW @ Bear Run obviously]

Players, sides, too many – where’s the (over)view?

Apart from the #ditchcyber aspects, in the (sometimes somewhat sportsy, even) battle about control, or is it temporary one-upmanship, over the world’s communications, so many parties play a role, in such varying sizes, and operating for so many sides, sometimes multiple sides at the same time, sometimes without even knowing that. With the interactions playing at various topics and levels of abstraction, and with varying scopes, time horizons, strategies and plans (quality), I could really do with some clarity. Some mapping, interactive or not.
Which all was triggered by this post on yet another singleton developer taking on, inactively!, some well-funded TLA.

Will have to dive into the detail of it all, but know that I’ll end up losing the helicopter view. How many similar developments are out there, known or not? What stages of development, of deployment, of maturity, of starting to crack and leak are they all ..? It’s a hard life, this keeping up thing.

Hence, you deserve:
[Image: As if moulded by a genetic algorithm, Porto]

Maverisk / Étoiles du Nord