IRM – Page 15 – Maverisk / Étoiles du Nord

Comparatively innovative (Beetleroot)

There was this quite simple hack; in (very) pseudo-code: If 2-wheels Then { Rollerbank; diss up some fancy figures; }
Which calls to mind the Problem of BIOS hacking / backdoor/malware pre-installing, as explained here.

On the one hand, a solution is available: At a sublimated information level, encode, as here. In the physical, car, scenario this would be readily implementable as: Just test the emissions, not rely on data produced by the system itself. Prepared By Client is used pervasively in accounting (financial auditing part) as well so consider yourselves warned…
On the other hand [there always is another hand it seems, possibly because this is real life], in the VW scenario there will probably also be a call for source code reviews. Or at least, from the software development corners, there will be. But then one ends up in the same situation as spelled out in the Bury post: How to verify the verification and not be double-crossed? A source code review would be one part, but how to compare a clean (pun not intended at time of typing) compile / image to what is actually installed (continued, without change-upon-install-to-dirty-version or change-at-service) throughout in the field?

Another issue from this: How to overrule self-driving (or what was it; fully-autonomous) cars ..? The BIOS-hack and Car examples show some intricacies when (not if) one would have a need to overrule near-future “Sorry Dave, I can’t Do That” situations. Once no physical controls are left to take over manually, … Arrmagerrdon. Yes, that 2001 was a rosy, romantic, not horror scenario. And demonstrating that at a comprehensive abstraction level, Prevention still trumps Detection/Correction. But not by much, and the advantage will slip by careless negligence and deliberate deterioration efforts.

Oh well. We all knew that All Is Lost anyway, And then, this:

[(digi)10mm wasn’t wide enough to capture the immersion in this… Noto again]

PIA is KIA and KYD (?)

Since the whole Privacy thing has gained new traction with both the European Data Privacy Directive regaining (some…) steam and the European Court finally deciding what all with any bits of brain already knew i.e. that ‘Safe Harbour’ was a sour joke (to put it mildly), I realized, when working on a presentation for a forum centering on/around Identity and Access Management, that any Privacy Impact Analysis work comes down to two things; an objects-side analysis in the form of Know Your Data and a subject-side analysis by means of Know your (authorised OR actual) Identities and their Access, with some Privacy By Design thrown in at the solutions end.
Since I just like sentences of the right length, being entities that contain a discrete but complete set of logically coherent and united concepts.

And for those of you in the know; the above contains all there is to Know. Sort of. Maybe add in a bit of this (in Dutch; from the FD newspaper), for implementation. For a lot of implementation…
And, things may change in the somewhat near future with the advent of drones, IoT, robotics (humanoid or abstract), and ANI/AGI/ASI, in the IAM sphere alone. Just read up your huge backlog on this blog, and elsewhere as I cannot really summarise it all here…

I’ll give you some time space for that now. With:

[At the Ragusa Ibla end but of course you knew]

Proof gone crazy

Was reminded recently, again, over the Proofing Gone Crazy aspect of the ‘show me’ approach in the totalitarian, SOx-ignited tidal wave of filing requirements.
As if the better the files, would not prove the better the manager is at hiding ever more wrongdoing ..!
As if it wasn’t, and still is!, the job of the auditor, the overseer and what have we (under whichever laughable guise of ‘regulator’ or even anything with ‘governance’ pitched in; ludicrous misunderstanding of what that would actually entail), to go out and find the proof oneself, not bothering the ones doing real, serious work beyond the bare necessity.
As if anything improved in ‘quality’ except auditors’ fees and the efficiency thereof — as if that were the purpose of it all.
As if the little time left after all the overhead is done, to do that real, serious work, doesn’t deteriorate gravely in ‘quality’ by the utter demotivation and distraction of all overhead requirements.

As if ANY of the original objectives were achieved. Only those that bulldozer over them, and/or are outrageously bombing the whole circus into the ground by pushing the pennywise and poundfoolish over the hill by exacting rule-based perfection while themselves taking the principle-based approach to break all that could be dreamt up for moral and ethical rules that apply still, everywhere, achieve anything. That’s a nice split main cause sentence …

So we’ll have to fight.

If only because originally, I wanted to start off with a title ‘Proof Sets Free’ after some motto on a gate that is commonly taken to point at humanitarian atrocities of a historical monumental scale — that are a direct and difficult to avoid consequence of the bureaucratic way of thinking. Those that toil under this motto, are set free only by ‘death’, physical or mentally, that is caused by their toils in the first place.
Which fits nicely with the utterly immoral requirement to turn oneself in at every misdemeanor that will for certain be taken as grave crime, including producing all proof of fact, and paying not only all legal fees but also for the bullet with which one is shot. Yes the world over that is considered a crime by the courts… Only here, the courts do not comply with the trias of politica and have all the power…

Now, just for laughs, try to prove me wrong in the above. Clowns are fun.

In return, you get this:

[Somewhat better here; The Hague (?)]

Vendors pitchin’ — reality’s b… moving elsewhere

Was reminded today that still, a great many vendors in the (Info)Security arena are pitching their worn-out warez to a laggerd crowd — or is it just me to see that, in particular where IAM is concerned, all eyes are still on some vault idea of data storage and systems, behind some mirage of a perimeter of the ‘data center’ (as it is presented ..!).
Luckily, I met this old friend of mine of Zscaler that see that today’s access and wider security concerns are over Cloud (storage, services) and Users (out there, anywhere). How nice would it be if not too much time would be wasted anymore on the classical, outdated (sic) model(s) and we’d all move to this new world ..?

This, for your viewing pleasure:

[Watching the ships go by, Amsterdam]

TLD: Shoo! Shoo!

Awwww was reminded today that the fallacy of Three Lines of “Defence” is a stubborn one. Debunked by a great many, among others on this blog over a year+ ago, but still much too much alive. So let me remind you with the following picture that speaks for itself (or …):

[No high-class design frenzy, just the blot-down in an angered jolt]

Yes, that’s right, still, and is until y’all ditch the TLD idea on the rubbish heap of history: the lines DO NOT stand between the threats and the vulnerabilities. And Boards et al can bypass the circus at their leisure. The lines (aren’t) of defense (aren’t) only stand between all that has gone wrong, and the regulators so the latter are placated with three rounds of white washing and window dressing.

In the past, everyone I discussed this with, agreed the whole thing’s a joke. A sour, very expensive, delusional one. Everybody reacts, nobody responds… Which will need to change or massive damage will occur.

OK, I’ll stop now before my language over the totalitarian, mind- and ethics-genocidal bureaucracy gets out of hand.

A quantum leap

Remember, that (not) a great many days ago I posted some bits on crypto ..? There’s a new twist to it all, after the venerable Bruce noted that some agency started a new, this time ’round bit more fundamental round, on crypto algorithms. And then, some notes on the approach of quantum computing. Well, the latter is still five to ten years off (current estimates; could be three, could be twenty, as such estimates go).
But impacting. So, the following flew by:
CryptographyChart-1-482x745
Which explains a lot, hence I just wanted to pass it on. Bye for now.

Trivial TLA Things-Tip

If you Thought This Time Things would be easier, as the universality of plug-‘n-play has spread beyond even the wildest early dreams into the realms of the unthought-of non-thinkingness, think again. Drop the again. Think. That was IBM’s motto, and they created Watson. No surprises there.
However… It may come as a surprise to some that now, an actual TLA has some actual tips, to keep you safe(r). As in this. Who would have thought… On second thought, this agency of note might have no need for the access disabled themselves anymore, as they’ve provided themselves of sufficient other access (methods) by now and just want to hinder the (foreign) others out of their easy access ..?

Oh well, never can do well, right? And this:

[Another one from the cathedral of dry feet — only after, making sticking fingers in dykes worthwhile; at Lynden, Haarlemmermeer]

Complexity beaten by [The mechanics of Joe Average]

Yes it’s time to remind you again. And again. That the mechanics of the mindset of Joe Average (notice how that’s a he not she …?) will beat even the best laid-out strategic plans, Von Moltke-style. As can be read in this here piece; instructive both on the surface and in the sub-surface semantics, meaning. I.e., that JA is even ‘smarter’ than you thought when it comes to achieving JA’s actual objectives of GetOffMyBackWithYourStupidTargets. Through which it all reminds us, being you too, to build security around actually desired functionality — as desired by end users to get their in-tray empty. Nothing more, certainly not your lofty functionality goals, that’s just burdensome nuisance. If you hinder the former and leave space for abuse in the latter, you’ll be doomed doubly. All the pain, no gain.
Be reminded, too, that your efforts down the blind alley will result in complexity that JA will beat, but maybe, all too often, you don’t. Meaning even that, is for nothing and will leave you out to dry.

Hm, as a pointer, this point needs both much more elaborate thought, in your heads, and is depleted for write-up here. Go and do well.

[In the Cathedral of Pump; Lynden, Haarlemmermeer]

Darn Drone-Downers

Another alliterating ad-lib post here. About the right (not) to take care of your own privacy behind your own front door. Seriously; here now is an item of societal structure that needs fixing and for once can be fixed ahead of time but still will very probably not be — because some of the many parties involved, will not see how their own tardiness leads (with certainty) to loss of life, of life’s full enjoyment, of the pursuit and realization of happiness. Is there a term for this sort of extreme autism denying one’s responsibilities, accountability beyond the mere received rational-only knowledge..?

OK, I get it; you want time to think. Delivered. And:

[Whatever floats your big a.. boat]

Product security needs a holistic approach (reblog)

A reblog today, of an expert for once