OM als tooltje

Wat ik me bij deze link nou afvraag:

  • Het genoemde risico van concurrentie-pesten / uitschakelen (het Internet vergeet niets, en daar kan heel de rijksoverheid of wie dan ook geheel niets aan doen) is levensgroot, ondanks de minieme en volledig transparante schaamlap van eigen beslissing die bij de betaaldiensten wordt gelegd – die zullen zich zeker (ontkenning diskwalificeert van handelingsbekwaamheid) verschuilen achter het OM. Wat gaat het OM daartegen doen?
  • Zoals in het commentaar bij bovenstaande link; de ‘bewijslast’ is een aanfluiting en treft de kleinere webwinkels veel zwaarder dan de grotere die veel meer middelen hebben om hun ‘onschuld’ (juist daar: quod non!) te ‘bewijzen’ afgezien van hun marktmacht richting betaaldiensten. Drie klachten voor de grotere, drieduizend voor de kleinere wellicht ..?;
  • Als het OM informatie doorgeeft waarvan volslagen duidelijk is dat doorgifte disproportioneel is (hoeveel aangiftes van véél kwalijker zaken werden/worden ook alweer geseponeerd omdat dozijnen ambtenaren gewoon geen zin hebben om hun werk te doen?), zijn zij mede aansprakelijk voor de gevolgen. Gemiste omzet, gederfde levensvreugde (juist bij de kleinere webshops die door de groten aan de kant zullen worden geschoven – dát zijn pas onoirbare praktijken, maar ja die groten hebben de willoze lendepop het OM in hun zak – zal een blokkering wegens de minste aantijging van ongeoorloofd gedrag, hoe onterecht later ook zal blijken, al snel tot volledige sluiting leiden, met alle faillisementskosten en afwikkeling op privévermogens van dien – het leven van de eigenaar zal nooit meer hetzelfde zijn. De aanzet die eerst blokkeren, dan uitzoeken inhoudt, is een regelrechte omkering van de bewijslast, en treft zéér onevenredig veel onschuldigen (valselijk beschuldigd, onevenredige en onherstelbare schade) terwijl de schuldigen gewoon verder zullen shoppen; die hebben de plan-B betaaldiensten allang opgelijnd.
  • Het OM legt dit betreffend onderdeel van haar taak naast zich neer, derhalve dient het evenredig te worden gekort op het budget. Ad infinitsimum. Het OM laat zich willens en wetens als ‘conduit’ misbruiken door de grotere webshops, en verspeelt daarmee haar gezag en rechtsgrond van optreden. Sluiten die tent dus ..?

Het is duidelijk: Als dit wordt doorgezet, failleert het OM zichzelf. Toch ..?
[Van bastion tot ruïne; Cardona]

Arms / race coming to an end ..?

When this is still necessary and (counter)x-measures will continu to be developed, for sure, how will this little nugget of WP29 change things?
Because it has power. That may lead to a throwback. For how long? The harder the throwback, the longer to recover. But the more powerful will be that rebound ..? We’ll see. For now, canvas blockers are still the way forward, so implement them, right?

This post was brought to you as a public service announcement from the sanity of browsing for information security and privacy blog you’re reading.
But seriously, why is there so little analysis of the WP29-on-Profiling stuff ..!? And:

Norm over substance of risk management

Overheard: A major company in a relevant industry re infosec – and well-known for their good and even so recently much improved infosec posture – doesn’t follow the mantra of “risk management first, policy/standards second” but first sets some quite rigid standards and then, when vendors can’t deliver (even when the standards are strict but quite reasonable and doable), do some form of risk analysis plus compensating controls / acceptance or what have we.
Because otherwise, everything gets so mushy (hey, normal (?) risk analysis is business driven, what do ‘they’ know ..!?) that the end result is a chaos of quasi-accepted risk all on one huge unmanageable infra heap of backdoors and byways (those in particular) which results in zero security. And because this way, standardisation is encouraged and security plus manageability hugely increased i.e. big bucks are saved.

So, it’s an interesting High Baseline Minus approach. Though I guess you may have some comments, so take it away …:

Oh, and already:

[Maybe green, but not fond of blaugrana ..? M’drid]

You had no idea …

Did the one(s) behind this have any clue ..? Letting your biggest adversary by far, in on some source code like this ..?
Or, is it a. scareware-news, like, alt-fact fake news to placate some faction that might profit from confusion or FUD over this, in any direction …, b. just untrue, and Onion article slipped into the mainstream c. a ploy to get the Other to not see double-crossing ..?

Anyhow, it may not be the publicity one’d need – or playing on that trope …

Oh how great the scenario analysis is on this … And:

[Would you trust what’s served here ..? Amsterdam Zuid-Oost food (really?? ed.) court…]

Fog(gy) definitions, mist(y) standards

If you thought that containers were only something to ship wine in, by the pallet, you a. would be right, b. would maybe have overslept on the new concept, c. would not mind I introduce the next thing, being fog computing. I’m not making this up as a part, or extension, of low-hanging cloud computing.
You think I’m kidding, right? Or, that I should have called it mist computing which is a thing already but only a somewhat different thing… You’re still with me?

Then it’s time to read up. And weep. Over this here piece that sets the standard, quite literally.

There. You see ..? Indeed low-hanging, as in the stack … That wasn’t so hard. But implementation will be, if required to be secure. Have fun, will TLS. Or so.

OK, this post was as it stated just an introduction to the IoThing – I was serious though about the Go Study part. Plus:
[Cloudy top cover, smiley backside of a place of worship; Ronchamps FR]

3D of the nudging to simplest infosec behaviour

Before you’re put off by the title its complexity … [Oh. You clicked. Wave function collapsed long before; ed.] This post is about improving the People part of infosec. Beyond the mere ‘awareness’ that begets you … a couple of days’ attention, then slippage into muchlessofthesame.

Two roads away from the dead end you were in, open up:

  • Nudging. Which is about small, inobtrusive and non too brainwashing incentives and disincentives, rewarding and penalising the good and bad so that ‘users’/people choose to do right without having to rationalise through all sorts of intricate, overly (sic) complex lines of reason why some shimmy is better than another twist. Just gently guide, don’t Law and Forbid. [Edited to add: This post was drafted and schedules for release weeks ago, before that Nobel Laureate was awarded his medal for this very method…]
  • Secure simplest option. Like the great many traffic controls; no traffic lights but roundabouts – the former, can be run through at high speeds in the middle of the night (and other times); the latter, require slowdown or you’re thrown off the road. The secure solution being the obviously simplest – the simplest solution being the secure one. People will take the simple road in stead of the difficult one. Better make the simplest one the safest. Not require the user to jump all sorts of complex hoops for safe behaviour! Like password complexity rules: The more you make them ever more difficult, the harder it is for users to resist finding loopholes and escape vents like writing them up (which isn’t a bad solution per se, but …). And in the end, you’ll loose the arms’ race against skillful attackers anyway; at the point where their smartness is hardly less than benign users need to get into your systems, you’ll have to revert to some other way anyway (re: dead end roads).
  • Ah, I’m not one for counting all that simple…
    Smart trickery. This of course being a perfect example … a 3D zebra (road-crossing). Many great, very-marketable other such solutions may exist, to your (image’s!) advantage.

Now that you’ve read the above, how would you change your infosec ‘controls’ throughout …? Like, filling out the last matrix of this, in a smart way and changed to general infosec …?
For an additional bonus, outline how you apply this to your GDPR-compliance efforts… And:
[Advertising the trust you can have in this Insurance co.; Madrid]

Measure and/or die

For 10 points only, not the usual 50/100/150 and without pictures to color, identify the stupidity of this here rambling with an air of sophistication
The ‘quality’ (quod non) of which is nicely summed up in the ‘metrics chart’ ..: “If you can’t measure it, you can’t improve it” – referring to the degree (sic) of the stupidity; unimprovable…?
Be aware Always (link, here again yes), people, …:
Not everything that counts, can be counted, and not everything that can be counted, counts ..!
Oh well. Nice effort to get from ‘nothing’ to ‘something’: when shot for the moon and missed, one ends up between the stars.
In a vacuum, light years away from any matter. [Excepting virtual Heisenberg’ian particles; ed.]

Plus:

[To hope that one day, this king’s -dom may understand the British Crown / Commonwealth model before an all-out civil war breaks out…]

Fighting the Fifth Estate

The Fourth Estate it was called, before it succumbed to sycophantry and fake news. The journalistic world, that by its moral code and behaviour cleansed the news so that the trias politica, and the populace, could do its job of monitoring and correcting each other.
Now that the fourth is no more (effective) [edited to add: some holdouts, like Bellingcat], but the Fifth is (Facebook, Google, … the Frightful Five), one might need extra resources to get the first few scratches of control back.
With this little device. An anti-bug. Not preventative yet, but detective with resilience against detection. Counter-intelligence.

Oh this was just a HT to the developers. And BTW, any half-decent TLA would support these guys [edited to add again: Bellingcat], for their adherence to lofty principles does in fact align with the ultimate, ulterior purpose of any country’s TLAs. Only the stupid will fight against noble straight-backs.

Oh and:

[Yes even HMs GCHQ would, in principle, concur. Or, they work for the Dark Side; London]

AI Blue-on-Blue

We keep on hearing these great things about how AI will help us in the battle against no-gooders qua information security. Like, in hunting for bugs in software (as asked for here, borne out in various much more recent cases or rather, news items hinting at pilot prototype vapourware) or hunting for fraudsters, possibly hiding in plain sight (superrrintelligent anomaly detection; unsure how false positives / false negatives are handled…).
Where on the Other side, great strides are also feared to be made. Deploying AI to improve (better fuzzify) attack vectors, and help with improvements in evasion and intelligence gathering in various other ways.

Pitted against each other …
When you know what Blue On Blue stands for (first of this), you will now see it coming, inevitably. What if autonomous (for speed of response!) retaliation kicks in …?

Never mind. I’ll like the fireworks show. Plus:

[Yeah, yeah, ships are safe in harbour but that’s not what they’re made for – I’ll just enjoy this view from a truly excellent restaurant; Marzamemi Sicily]

Stochastic culture (change)

This ‘personal research’ hobby of mine had taken me into the ‘From Security Awareness all the way to Behavioural Change’ alley(s).
Where it got stuck. Among others, through the realisation that ‘culture’ as such doesn’t exist, certainy not within larger organisations. Local cultures, yes. Overall cultures … maybe as the most degenerate common denominator; the more numbers you throw in a basket, asymptotically but very fast the common denominator will come crashing down to 1.

In infosecland, it’s worse. To actually adress and change the oft unconscious parts of personal culture (behaviour), one has to move away from organisation-wide awareness training ouch if you call it that, all are lost – into the realms of individual coaching, for each and every employee.

But then the stochastic cooling of particle physics rears its head, as a phrase that is. Can we somehow differentiate the to-be-learned from one-size-fits-all into separate sets of behaviours to be rote trained (in practical use; experienced) so the sets become unconscious behaviour(s), and then overlay these transparent sets [Remember, the ‘sheets’ you could stack on an overhead projector? You don’t – even know from a museum what an overhead projector is… Oh. ed.] over the organisation populace, according / in relation to the expectance to need such behaviour ..?

I’m rambling, as usual. Anyway:

[Not all grapes are evenly grown, still great wine is made without stochasctics…; Valle dell’Acate]

Maverisk / Étoiles du Nord