Tag: Infosec

C’est arrivé près de chez vous; LoRaWAN

Yet another major building block of the Future … in place. [And, not a ref to some City of Light atrocities]
Where’s the Privacy and (OR) Security experts …? For certainly, though almost out of public view, the undercurrents develop fast, into a maelstrom — I’d like it even more in this form — of possibilities; to be abused before being controlled, as has always been the case throughout history.

Oh well, can’t stop Progress, certainly not of the Technology kind… But one can hope we (sic or huh?) the Concerned will be in sufficient numbers to be able to and to be allowed to insert the appropriate controls into the whole shazam.
Like, you know,
DSC_0752
[Or is this an Tocqueville’ian opposite ..?]

Privvezy Protrection

An off the cuff — where’s gentlemens’ style, these days? — remark hit a nerve. When an interesting company had some very interesting speakers and me. On IAM, data leakage and … well, what was it, data protection XOR privacy …?

Because the little collateral remarks was about Privacy being the ethical imperative, but being implementable straight away, would need translation to operational Data Protection.

Yes, where the core of legislation is about the latter, in an attempt to achieve the former… to the degree feasible, achievable, and wanted.
Demonstrating that all legalese, even of the EU kind, is just about white washing whatever you’d want to get away with.

A sore reminder that when one would want (hypothetically, for the sake of the argument that such would be theoretically possible) Privacy, one’s still on one’s own. Against all that is formally formed or not as Institutions, against the windmills that all want you to believe don’t exist or have power over you…

But hey, I’m a happy bunny so I’ll leave you with:
DSCN0770
[When Penzance would be at Bergen On The Beach]

Comparatively innovative (Beetleroot)

There was this quite simple hack; in (very) pseudo-code: If 2-wheels Then { Rollerbank; diss up some fancy figures; }
Which calls to mind the Problem of BIOS hacking / backdoor/malware pre-installing, as explained here.

On the one hand, a solution is available: At a sublimated information level, encode, as here. In the physical, car, scenario this would be readily implementable as: Just test the emissions, not rely on data produced by the system itself. Prepared By Client is used pervasively in accounting (financial auditing part) as well so consider yourselves warned…
On the other hand [there always is another hand it seems, possibly because this is real life], in the VW scenario there will probably also be a call for source code reviews. Or at least, from the software development corners, there will be. But then one ends up in the same situation as spelled out in the Bury post: How to verify the verification and not be double-crossed? A source code review would be one part, but how to compare a clean (pun not intended at time of typing) compile / image to what is actually installed (continued, without change-upon-install-to-dirty-version or change-at-service) throughout in the field?

Another issue from this: How to overrule self-driving (or what was it; fully-autonomous) cars ..? The BIOS-hack and Car examples show some intricacies when (not if) one would have a need to overrule near-future “Sorry Dave, I can’t Do That” situations. Once no physical controls are left to take over manually, … Arrmagerrdon. Yes, that 2001 was a rosy, romantic, not horror scenario. And demonstrating that at a comprehensive abstraction level, Prevention still trumps Detection/Correction. But not by much, and the advantage will slip by careless negligence and deliberate deterioration efforts.

Oh well. We all knew that All Is Lost anyway, And then, this:
DSC_0142
[(digi)10mm wasn’t wide enough to capture the immersion in this… Noto again]

PIA is KIA and KYD (?)

Since the whole Privacy thing has gained new traction with both the European Data Privacy Directive regaining (some…) steam and the European Court finally deciding what all with any bits of brain already knew i.e. that ‘Safe Harbour’ was a sour joke (to put it mildly), I realized, when working on a presentation for a forum centering on/around Identity and Access Management, that any Privacy Impact Analysis work comes down to two things; an objects-side analysis in the form of Know Your Data and a subject-side analysis by means of Know your (authorised OR actual) Identities and their Access, with some Privacy By Design thrown in at the solutions end.
Since I just like sentences of the right length, being entities that contain a discrete but complete set of logically coherent and united concepts.

And for those of you in the know; the above contains all there is to Know. Sort of. Maybe add in a bit of this (in Dutch; from the FD newspaper), for implementation. For a lot of implementation…
And, things may change in the somewhat near future with the advent of drones, IoT, robotics (humanoid or abstract), and ANI/AGI/ASI, in the IAM sphere alone. Just read up your huge backlog on this blog, and elsewhere as I cannot really summarise it all here…

I’ll give you some time space for that now. With:
DSC_0305
[At the Ragusa Ibla end but of course you knew]

Vendors pitchin’ — reality’s b… moving elsewhere

Was reminded today that still, a great many vendors in the (Info)Security arena are pitching their worn-out warez to a laggerd crowd — or is it just me to see that, in particular where IAM is concerned, all eyes are still on some vault idea of data storage and systems, behind some mirage of a perimeter of the ‘data center’ (as it is presented ..!).
Luckily, I met this old friend of mine of Zscaler that see that today’s access and wider security concerns are over Cloud (storage, services) and Users (out there, anywhere). How nice would it be if not too much time would be wasted anymore on the classical, outdated (sic) model(s) and we’d all move to this new world ..?

This, for your viewing pleasure:
20150911_143510
[Watching the ships go by, Amsterdam]

A quantum leap

Remember, that (not) a great many days ago I posted some bits on crypto ..? There’s a new twist to it all, after the venerable Bruce noted that some agency started a new, this time ’round bit more fundamental round, on crypto algorithms. And then, some notes on the approach of quantum computing. Well, the latter is still five to ten years off (current estimates; could be three, could be twenty, as such estimates go).
But impacting. So, the following flew by:
CryptographyChart-1-482x745
Which explains a lot, hence I just wanted to pass it on. Bye for now.

Trivial TLA Things-Tip

If you Thought This Time Things would be easier, as the universality of plug-‘n-play has spread beyond even the wildest early dreams into the realms of the unthought-of non-thinkingness, think again. Drop the again. Think. That was IBM’s motto, and they created Watson. No surprises there.
However… It may come as a surprise to some that now, an actual TLA has some actual tips, to keep you safe(r). As in this. Who would have thought… On second thought, this agency of note might have no need for the access disabled themselves anymore, as they’ve provided themselves of sufficient other access (methods) by now and just want to hinder the (foreign) others out of their easy access ..?

Oh well, never can do well, right? And this:
DSC_0070
[Another one from the cathedral of dry feet — only after, making sticking fingers in dykes worthwhile; at Lynden, Haarlemmermeer]

Complexity beaten by [The mechanics of Joe Average]

Yes it’s time to remind you again. And again. That the mechanics of the mindset of Joe Average (notice how that’s a he not she …?) will beat even the best laid-out strategic plans, Von Moltke-style. As can be read in this here piece; instructive both on the surface and in the sub-surface semantics, meaning. I.e., that JA is even ‘smarter’ than you thought when it comes to achieving JA’s actual objectives of GetOffMyBackWithYourStupidTargets. Through which it all reminds us, being you too, to build security around actually desired functionality — as desired by end users to get their in-tray empty. Nothing more, certainly not your lofty functionality goals, that’s just burdensome nuisance. If you hinder the former and leave space for abuse in the latter, you’ll be doomed doubly. All the pain, no gain.
Be reminded, too, that your efforts down the blind alley will result in complexity that JA will beat, but maybe, all too often, you don’t. Meaning even that, is for nothing and will leave you out to dry.

Hm, as a pointer, this point needs both much more elaborate thought, in your heads, and is depleted for write-up here. Go and do well.

DSC_0084
[In the Cathedral of Pump; Lynden, Haarlemmermeer]

Darn Drone-Downers

Another alliterating ad-lib post here. About the right (not) to take care of your own privacy behind your own front door. Seriously; here now is an item of societal structure that needs fixing and for once can be fixed ahead of time but still will very probably not be — because some of the many parties involved, will not see how their own tardiness leads (with certainty) to loss of life, of life’s full enjoyment, of the pursuit and realization of happiness. Is there a term for this sort of extreme autism denying one’s responsibilities, accountability beyond the mere received rational-only knowledge..?

OK, I get it; you want time to think. Delivered. And:

20150911_145750
[Whatever floats your big a.. boat]

Let’s celebrate (with) a contest for the dumbest security

On this celebration day (for me/us), let’s instate an annual contest — over the most precise prediction of the dumbest information security breach of the upcoming year.
So, the following:

  • Your prediction, storified (½ – 1 page, at most slightly formatted);
  • Realistic, i.e., a combination of dumb and dumber, and stupid and worse, of (non)actions and responses, on the attack and ‘defense’ sides. Realistic, but keep it realistic…;
  • Hence, do include lots of cyberhere, cyberthere, cybereverywhere and only a little bit of #ditchcyber …;
  • Deadline: 1 January 2016;
  • The predictive element means that no sign of the thing actually occuring yet, may be found in the (whatever medium) press already;
  • Prize… ah, there you go. I’ll try to figure out a way to ship a bottle of the finest champagne to the winner;
  • No discussions about my judgement.

Well, off for now. Have fun:
DSC_0161
[Shaky ground (huh, just photographer’s lack of proper alignment due to hurry);
 somewhat relevant, in the opposite (of today)]

Maverisk / Étoiles du Nord