Note (bank-, bankable); ICYMI

Hmmmmm… Who would be able to mine the easy pickings already, in the Bitcoin world ..? Who has sufficient resources, old-money wise and miners wise ..?

As the first through the gate may gain an insurmountable head start at the game of the future. Also, re this on the as yet ill-understood, hardly visible / overseeable spin-off world. DACs are just one part. When incumbent countries’ / nations’ governments and supra-governments find themselves competing not only with each other but also with anon societies existing virtually (non-geographically – though in the end, physical servers will have to be somewhere), will the latter be re-invented like wheels, with or without preventing the failures of history …?

Since it will be very interesting, sociologically, but still years away (I think…), this:
[Guess where. Netherlands]

Postdictions 2014-III

A progress report on the Predictions 2014 I made in several posts here, at the end of Q3.
I gathered some evidence, but probably you have much more of that re the items below. Do please raise your hand / comment with links; I’ll attribute my sources ;-]

First, of course, a picture:

[Iron fist, not often seen (by tourists anyway), Pistoia]
So, there they are, with the items collected from several posts and already updated once and twice before in this:

Trust: Well, there’s this, and this on the financial penalties of trusting your assurance provider…
Identity: See previous re the value of certificates. Otherwise, not much news this quarter.
Things: The hackability of all sorts of home appliances has already become some sort of Mehhh… And apparently, there’s a spin-off in the IoBT …?
And there’s progress in the auxiliary channels/architectures… as here and here.
Social: Not much. Some Ello bits, though. And more in the AI arena, as this shows.
Mobile: Has gone to the Expired phase.
Analytics: Wow, this one’s moving into the Trough of Disillusionment quickly! Now get it to jump out at the other end, as quickly.
Cloud: Mehhh, indeed. May be in the Trough of Disillusionment, or has gone into been there, done the grit work, no-one’s interested anymore.
Demise of ERP, the: Turns out it’s very hard to fill vacancies in this arena, isn’t it? Due to the boredom to death surrounding them.
InfoSec on the steep rise: Even if we haven’t seen enough on this!

On APTs: Only the most interesting hack attacks get into the news these days. Turns out they’re all this kind.
On certification vulnerabilities: In hiding. Still there. Ssssht, will hit. Suddenly.
On crypto-failures, in the implementations: Not much; passé.
On quantum computing: – still not too much –
On methodological renewal; as it was: Some progress here and there, but no ✓ yet.
Deflation of TLD: See second link of Trust; fourth line didn’t work, even.
Subtotal: Already, with the previous follow-ups, clearly over 80% as we speak, when discounting for some fall-back here and there.

The faint of heart wouldn’t necessarily want to speak the bold characters out loud.
See you at the end of the year ..!

Regulation Renegation Abomi nation

So, after privacy-enhancing regulations finally got some traction here and there – mentally, hardly in implementation yet – we’re getting the full bucketloads of bovine-produced fertilizer regarding adapted protection through ‘Data Use Regulation’.
Which already throws back actual regulation in intent and in the letter of it. But has many more nefarious consequences… As is in this article; couldn’t word it better.

We should be vigilant …

For now, I’ll leave you with this:
[A spectacle, Jerez]

Security accountability: We’re off

Remember the Vasco, i.e. DigiNotar, certificate breach scandal ..? For the many that don’t read Dutch easily enough, the gist of this court decision is that the previous owners of DigiNotar are accountable for the damages to Vasco following the breach, since the previous DigiNotar owners hadn’t secured their systems well enough.

There’s a lot to be said here.

  • E.g., that the security lapses could have been known. Due diligence …? Well, the PwC reports were all green traffic lights, at the procedures-on-paper level. But a couple of years before the take-over, already a third party (ITSec, which I know for their good work [disclaimer: have no business relations]) had notified DigiNotar about shop-floor level deficiencies. That remained uncorrected.
  • Add to that, that actually, the previous owners themselves started legal claims. Because a major part of their sale proceeds were still held in escrow, and they wanted the monay. Vasco filed a counter claim; logically, and won.
  • Also, the auditors that had time and time again ‘assured’ the security of the scheme (and don’t get me started about limiting the scope of such assurance in scope vagueness or in the fine print!), haven’t felt too much backfire. Yet, hopefully. Though recently, the same firm announced an initiative towards a new, proprietary one can guess, security standard. Right.

So, are we finally seeing accountability breaking through ..? I already posted something on the Target Cxx stepdown for similar security lapse(s). Now this one. The trickle’s there, let the deluge follow. That’ll teach ’em! And of course, generate a humongous market for backlog bug remediation, from the software levels up through controls to governance levels…
Even if that would stifle innovation for a while. Would that be a bad thing; having only the real improvements breaking through and not the junk ones ..?

OK then, now for a picture:
[Monteriggioni security was effective, until not, then abandoned as control approach… they did, why not all of us today?]

IoTsec as expected

Yawn. A decade of humongous growth in Information security is coming. To tackle the likes of this.
Think of where the somewhat organized, somewhat budgeted, somewhat up to it corporate world now is. (With the public organization world lagging, seriously, on all counts.) Then think of what it would take to make the general public ‘safe’.

And then think of how many InfoSec professionals would be needed. Yeay! Indeed, as in:
[Onto Val d’Orcia, as you spotted]

Gotta TruSST’MM

Had been planning for a long (?) time already to write something up on the issue of Trust in OSSTMM3© – in particular, how it doesn’t conform with received (abstract) notions of trust and how that’s a bit confusing until one thinks it through wide and deep enough.

First, a picture:
[Controlled to I/O, Vale]

Then, some explanation:
As I get it (now!), the OSSTMM model defines Trust as being an entry into or out of a system/component (objects, processes). The thing you may do when you are trusted. Literally, not the protection wall but the hole in that wall. Which isn’t some opinion thing the holder has of the visiting tourist. Interesting, but troublesome in its unsettling powers.

Dang. Running out of time again to delve into this deep enough – in particular where I wanted to link this to a previous post about identity and authentication … (this post in Dutch). OK, will move on for now, and return later. Already, if you have pointers to resolution of the differences (the whole scale (?) of them), don’t hesitate.

Welcome to Hotel SV

Just a short note; tinkering with more ‘cybersecurity’ songs (to support (or not) #ditchcyber), I came across the following snippets…:

“Welcome to the Hotel California
Such a lovely place
Such a lovely face
Plenty of room at the Hotel California
Any time of year
You can find it here”

“Bring your alibis”

“Mirrors on the ceiling”

And she said “We are all just prisoners here, of our own device”

Last thing I remember, I was
Running for the door
I had to find the passage back
To the place I was before
“Relax,” said the night man,
“We are programmed to receive.
You can check-out any time you like,
But you can never leave!”

How’zat (sorry (no I’m not Canadian) USofA, culturally you’re still 99% British so you should get that reference) for the famous search engine’s approach ..?

And, of course:
[Yeah Breck is CO not CA, about two decades back]

Crowdjustice

Perhaps vested interests (again wrongly … DNB-small-minded-pettiness-probably-out-of-mortal-fear-out-of-incomprehension (although that d… justified, and desirable?) vs California State…) will start issuing warnings before the comparison with the current actual situation has been made sufficiently fundamentally and objectively, but this is of course an interesting novelty; crowdsourcing justice. And those who find jury trials something scary, as in what the farmer doesn’t know he won’t eat, should read, no, study this work.
Suddenly so much comes together… Joy all around about so much cultural progress.

[Edited to add: See the post of 25 August 2014…]

And so a cheerful:
[Could be a double, dude]

Proof of legitimate identity

By way of a question to @iusmetis / @ictrecht …:
In everyday Dutch usage we still (…) know the difference between legitimatie and identiteit, as in legitimatiebewijs and identiteitsbewijs respectively. The latter is also seen as equivalent to ‘ID’.
Which raises the questions:

  • Is there (still) a legal difference between the two ..? Where does that difference, if any, come from, and how is it (still) applied?
  • What is the ‘mapping’ to (identification,) authentication and authorization as those terms are used in today’s ICT ..?

Especially the latter seems worth studying to me, because a. the legal terms have had a long time to be chewed over, and ‘so’ may still bring out relevant differences with the ideas about access to systems/data that were developed only oh so recently.
And confusing the function of an ‘electronic’ ID with true identity, and the double role of e.g. a ‘user-ID’, is also worth some reflection.

Anyway, first let’s try to get the definitions clearly laid out side by side.

And of course the picture of the day:
[Hey, look at that, they had Starbucks here in Lucca very early on…?]

Quick note: Privacy is about Info, not Data

Just a quick note to drop it, here, already before my holiday. May elaborate on the subject later, in a much extended form. The idea being:

Privacy is about Information, not about Data. Privacy sits on the divide, or jump, from data to information, as in this previous post.

Data doesn’t mean a thing. And yes there’s use in protecting data, but that’s only part of the picture. To discuss ‘directly or indirectly identifying data’ one needs to understand the value, and information, in data combinations. So you’ll have to keep the information value in mind always.

Which also means that if you discuss topics with various categorically-not-understanding-anything-other-than-bonuses stakeholders under the common header of personal data protection, you have lost connection to them. By giving up before you started; they will not ‘get it’. They know ‘data’ only in the abstract, as something to stay away from. If you don’t keep the (distinction AND connection) in mind and exepelainify it extensively ‘externally’, you lose.

Same, if you don’t bridge the gap ‘internally’ in your in-group. Only when an exhaustive search for all meaning of any combination of data has been completed, would one know what data elements could possibly be necessary for identification and hence are privacy-sensitive.
This would probably set the threshold very low indeed. But hey, that’s your problem right there. Offer perfect protection or get sued into oblivion.
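As an added example (not from the original post): the ‘exhaustive search for all meaning of any combination of data’ can be made concrete. The script below takes a handful of constructed records (not real people), enumerates every subset of the candidate quasi-identifiers (zip, birth year, gender; all assumed field names), and reports which combinations single out at least one record. It then shows how much generalization it takes before no combination identifies anyone anymore, which is exactly the ‘threshold set very low’ point. The k-anonymity measure used here is a standard one, not something the post itself names.

```python
from collections import Counter
from itertools import combinations

# Constructed sample records: no field on its own is unique, yet
# combinations of fields are. Field names are assumptions for the example.
RECORDS = [
    {"zip": "1011", "birth_year": 1975, "gender": "F", "diagnosis": "flu"},
    {"zip": "1011", "birth_year": 1975, "gender": "M", "diagnosis": "asthma"},
    {"zip": "1011", "birth_year": 1982, "gender": "F", "diagnosis": "flu"},
    {"zip": "1012", "birth_year": 1975, "gender": "M", "diagnosis": "none"},
    {"zip": "1012", "birth_year": 1982, "gender": "F", "diagnosis": "flu"},
    {"zip": "1012", "birth_year": 1982, "gender": "M", "diagnosis": "none"},
]
QUASI_IDS = ("zip", "birth_year", "gender")


def equivalence_classes(records, quasi_ids):
    """Count records per distinct tuple of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records, quasi_ids):
    """Smallest class size; k == 1 means at least one record is singled out."""
    classes = equivalence_classes(records, quasi_ids)
    return min(classes.values()) if classes else 0


def singletons(records, quasi_ids):
    """Quasi-identifier tuples that match exactly one record."""
    return [key for key, n in equivalence_classes(records, quasi_ids).items() if n == 1]


def identifying_combinations(records, attributes):
    """Exhaustively test every non-empty subset of attributes.

    Returns {attribute_tuple: number_of_records_singled_out} for the subsets
    that identify someone. This is the 'search for all meaning of any
    combination of data' the text calls for; cost grows as 2^n.
    """
    found = {}
    for size in range(1, len(attributes) + 1):
        for combo in combinations(attributes, size):
            hits = singletons(records, combo)
            if hits:
                found[combo] = len(hits)
    return found


def generalize(records, attr, fn):
    """Return a copy of the records with one attribute coarsened by fn."""
    return [dict(r, **{attr: fn(r[attr])}) for r in records]


def year_band(year, width=20, origin=1970):
    """Coarsen a birth year to a band such as '1970-1989' (origin is a choice)."""
    start = origin + (year - origin) // width * width
    return f"{start}-{start + width - 1}"


def generalized_records(records=RECORDS):
    """Zip truncated to 3 characters and birth year banded to 20 years."""
    out = generalize(records, "zip", lambda z: z[:3])
    return generalize(out, "birth_year", year_band)


if __name__ == "__main__":
    print("raw data, k =", k_anonymity(RECORDS, QUASI_IDS))
    for combo, n in identifying_combinations(RECORDS, QUASI_IDS).items():
        print(f"  {combo} singles out {n} record(s)")
    gen = generalized_records()
    print("generalized, k =", k_anonymity(gen, QUASI_IDS))
    print("identifying combinations left:", identifying_combinations(gen, QUASI_IDS))
```

Note that no single field identifies anyone in the sample, every pair does, and the full triple identifies all six; only after throwing away most of the zip and the birth year does the table become 3-anonymous. That is the information-in-combinations point, and the reason a field-by-field ‘is this personal data?’ checklist misses it.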

I’ll return on this. Thank you:
[Kei-good design.]

Maverisk / Étoiles du Nord