IRM – Page 5 – Maverisk / Étoiles du Nord

D-raacdronische maatregelen

Okay, for those of you unable to understand the disastrous (understatement) word-play in the title because it’s in Dutch… It’s about a court case (verdict here) where neighbours were in this vendetta already and now one flew a camera drone over the other’s property succinctly the other shot down the drone.
Qua culpability for the damage to the drone, the Judge ruled that a. the drone pilot was trespassing so put the drone illegally where it was shot down, b. the gunman [an experienced shot, apparently] was not to damage other peoples’ property, both are guitly and should share the damage (and share the legal expense).

Side note: the verdict also states through witnesses, that the damage incurred was to one rotor only (after which the drone made a controlled landing; not such a good shot after all) and it had been flown into a tree before the incident (not such a good pilot in the first place), so the damage amount as reported by an independent expert were doubtful, even more so since the independent expert nowhere indicated in the report how the assessed drone was identified or identifyable, as the drone in question or otherwise.
Stupid amateurs.

Moreover, the Judge stated that a breach of privacy weighed no more of less that a breach of property rights. Now there‘s the Error [should be all-caps] in the assessment of current-day societal ethics which in this case, where the Judge appears to demonstrate a sensibility of the case i.e., the vendetta between the neighbours having dropped to a state where mediation is an option no more, would have called for understanding of the derogation of property rights by the privacy concerns as is prevalent (yes; fact) in society in which the verdict should fit. Apparently, neighbour considered the privacy breach already of more value that the risk to his property otherwise would have abstained from the risk of property damage. And the property rights should be compared with the privacy rights one has when e.g., throwing away printed materials; when discarded in the dumpster, one has surrendered one’s right to privacy-through-property re the dumped information. When voluntarily move into or over another one’s property, certainly without consent and against that other one’s want, does one not surrender one’s [protection of!] property rights to the other one? Of course one can ask one’s property back but what if the other one refuses or uses it as security re exchange for something else?

Legal scholars don’t seem to Always have a “hackers’ mentality” when it comes to finding all the side roads … Most unfortunately!
And:

[From the department of infinitely high control; Ronchamps]

Appetite for destruction ..?

Not even referring to the Masterpiece. On the contrary, we have here: … Well, what?
Interested as we all are in the subject, since it is defined still so sloppily, we all look for progress, I started. But stopped, when it turned out … risk appetite is defined in hindsight, with a survived disaster being the appetite threshold. Nice. So you’ll know what your appetite is when it hit you and were lucky enough to survive. If you didn’t survive, you now know you passed the threshold. Same [?] with projects: Only if it fails, do you have to write off the investment. The idea of sunk costs may be an enlightenment..?

Etc.

I believe the CRISC curriculum has other, actually somewhat useful, information on this, and on risk tolerance ..?
Your comments, please.

Plus:
[For 20 points, evaluate the risks, e.g., qua privacy, bird strikes, value development; Barça]

Not there yet; an OK Signal but …

But the mere fact that Congress will use ~~strong crypto~~ Signal, can mean many things. Like, “we” won the crypto wars, as Bruce indicated, or the many comments to that post are correct and it’s for them only and will be prohibited for the rest (us), or … nobody cares anymore who uses Signal, it’s broken and those that balked in the past, now have some backdoors or other coercive ways to gain access anyway. [Filed under: Double Secrets]

But hey, at least it’s something, compared to nitwittery elsewhere… And:

[Ode to careless joy; NY]

Having fun with voice synth

In particular, having fun the wrong way.
Remember, we wrote about how voice synth improvements, lately, will destroy non-repudiation? There’s another twist. Not only as noted, contra voice authentication for mere authentication (banks, of all, would they really have been in the lead, here, without back-up-double auth?), but in particular now that your voice has also become much more important again [after voice had dwindled in use for any sorts of comms, giving way to socmed typed even when with pixels posts of ephemeral or persistent kinds; who actually calls anyone anymore ..?], we see all sorts of Problems surfacing.

Like, mail order fraud. When hardly anyone still goes on a shopping spree through dozens of stores before buying something in store but rather orders online, of course Alexa / Home/Assistant / Siri / Echo / Cortana are all the rage. For a while; for a short while as people will find out that there was something more to shopping than getting something — but recognising the equilibrium that’ll turn out, may be in favour of on-line business, with physical delivery either at home, or at the mall.
The big ‘breakthrough’ currently being of course some half-way threshold / innovation speed bump overcome, with the home assistant gadgets that were intended to be much more butler first, (even-more-) mall destructor second. But that second … How about some fun and pranking, by catuyrig just some voice snippets from your target, even when just in line behind ’em at Wallmart, and then synthesizing just about any text? When a break-in on the backside of your home assistant (very doable; the intelligence is too complex and voluminous to sit in the front-end device anyway [Is it …!? Haven’t seen anything on this!] so at least there’s some half-way intelligent link at the back) may be feasible per principle but doing a MiM on the comms to some back-end server would be much more easy even, and much easier to obfuscate (certainly qua location, attribution), a ‘re’play of just any message is feasible.

Like, a ‘re’play of ordering substances that would still be suspicious even when for ‘medicinal purposes’. Or only embarassing, like ordering tools from the sort of fun-tools shop you wouldn’t want to see your parents order from. Of course, the joke is at delivery time [be that couriers, DEA/cops, or just non-plain packages] — oh wait we could just have the goods delivered to / picked up at, any address of our liking and have the felons/embarressed only feel that part plus non-repudiability.

This may be a C-rated-movie plot scenario, hence it will happen somewhere, a couple of times at least. Or become an epidemic. And:
[No mall, but a fun place to shop anyway; Gran Vía Madrid]

No surprises here; qua attribution

Is anyone surprised that apparently, “there’s traces of North-Korean involvement” in the WannaCry hiccup ..?
As yesterday’s post (below) already noted; no-one cares about WannaCry1.0 anymore hence ‘hiccup’. Has 2.0 come ’round already?
But how much repudiation by the North-Koreans would reach our general news …? So, how easy it is to blame the NKs for anything that goes wrong ..? Like,

North Korea used an NSA exploit stolen by Russia to deploy malware that ransoms data in exchange for cryptocurrency.

Just saying it aloud.

— Patrick Gray (@riskybusiness) May 16, 2017

Whereas, … Russia did claim it was also ‘hit’ by WC1.0 [oh the abbrev], but no damage ensued because they were able to stop it at the front door. Right. By lack of actual true snippets from 1600 Penn Ave, we now consider anything that comes out of Russia to be tru-er than what comes from DC, just like that ..? Because that would indeed leave ‘North Korea’ the only reasonably believable/unsurprising culprit.
On the other hand, the embedded tweet indicates Russia actually stole something. Until now, wasn’t it that the exploitable was leaked? Quite different … What is Russia’s involvement now, that those that have info of leakage only, don’t have intel on ..?

[Edited pre-press to add: there… ]

Oh, I’ll just leave it for you to ponder. And weep. And:

[Yes from that ridge, Gettysburg…]

Notnews

Remember it’s a two weeks flashback already
Monday morning’s watercooler discussion: Did you hear about this WannaCry attacks all around the world? The sky is falling! And what a hypecycle the ‘solutions’ vendors piled onto it immediately and oh hey look cat pics how cute oh now it’s Friday again how time flies CU on Monday for more cat pics.

So true it’s sobering; appropriately. And:
[Will never learn. NY]

GDPR is just a legal attempt at Y2k

Suddenly I realised, as one who profited handsomely (not in money but in perks’ way), that the whole GDPR compliance thingy is becoming quite similar, all too similar, to the hype that was called The Millennium Problem … too bad we now know how that ended, otherwise an illustrative movie could be made of the latter – now only (?) a documentary review is worthwhile, as history writing. Too bad it isn’t out in the open that despite all efforts then made, actually quite a lot of companies ended up having to hire temps to do all sorts of manual corrections in their administrations due to e.g., spreadsheets [the very things the toughest, most important business decisions hinged, and still hinge on!] going heywire over date fields.

To come back to the Issue … Are you not hit by that, almost sudden, avalanche of GDPR compliance warnings lately, like, the past couple of weeks ..? Is it not a warning that you need to do loads of things now, starting with hiring consultants (call to action; they’re Sales messages of course) this time not of the tech kind – engineers that see a problem, craft a solution and we’re done –, but of the legal kind – profiting only from prolongation of your insecurity.

And ah, there’s the snag! Multifaceted it is;

One: With some deadline suitably near to instill fear of lurking deadlines but suitably far to be able to still write you up with many, many ticks (per 6 or 3 minutes ..!?) at ridiculous rates, will be written;
Two: Unlike the patching that was the core solution (after Inventory – you did keep that in appropriate order in your wide-scope CMDB ever after 31/12/00, right ..? Even with some global outpost in the corner writing that down as 12/31/00. What stupid value loss if you didn’t! We’re only 17 years on! Did you really think legacy problems would have gone away by now …!?), we now see there is no solution but just getting compliant with all sorts of stupidly unprofitable, inefficient (and might we add, ineffective! yes if you are realistic, that’s what it is) good-for-nothing overhead;
Three: The good-for-nothing part — maybe not fully nothing, but oh so limitedly good for anything that you should’ve done already long ago not only for any ‘privacy’ compliance but for effective and efficient IT, -security included.

Following on this Lotus list, indeed there’s a lot of work to be done to become compliant … on the Legal side. On the IT side maybe also, but what needs to be done there, is (re)implementation of sound practices that should have been common daily practice anyway, and when implemented as such, ready; done.

The legal side on the other hand, sees all sorts of enduring challenges, like many cultural changes; no leaning back and await questions for advice to be answered out of hand with “It depends…” / “Come with a proposed solution and I’ll tell you whether it may or may not be permissible”, but for once being actively engaged and delivering definitive answers, and designing, implementing, and carrying out your (Legal) selves reams of procedural stuff. Acting on assessments, acting in communications, acting in control(s), etc.

You get it — the GDPR brings many problems for many organisations, the biggest of the problems being how to manage back the (Legal) consultancy fees… Remember, when data leakage isn’t preventable (as some dunces might still believe, many on the Legal side of GDPR compliance among them – hey they even think pseudonymisation amounts to anything), bad things are bound to happen. When (not if) not already via the avalanche of information requests …

I rest my case now, for you to have time to process the above, get it, and leave you with:

Your GDPR compliance looks much, much worse (this is actually quite good!); Toronto]

Note to self: GDPR scrum with or without the r

Just to remind myself, and you for your contributions, that it’s seriously time to write up a post on Agile development methods [OK, okay, I mean Scrum, as the majority side of the house]; how one is supposed to integrate GDPR requirements into that.
Like, we’re approaching the stage where the Waterfall model of security implementation, will be Done for most organisations. Not Well Done, rather Rare or Pittsburg Rare, at your firm [not Firm …]. But then, we’ll have to make the wholesale change to Maintenance, short-term and long-term. And meanwhile, waterfall has been ditched for a long time already in core development work, hence we have a backlog (huh; the real kind) qua security integration (sic; the bolt-on kind doesn’t work anyway) into all these Agile Development methods of which word has it everyone and their m/br-other seems to make use these latter days.

But then, the world has managed to slip security into that. Which is praiseworthy, and needs more Spread The Word.

And then, there’s the GDPR. May we suggest to include it in ‘security’ as requirements flow into the agile development processes ..?
As said, I’ll expand on this l8r.
If only later, since we need to find a way to keep the DPOs out of this; the vast majority (sic) of them, with all due [which hence may be severely limited] respect, will not understand to a profound level they’ll try to derail your development even without the most basic capability to self-assess they do it, in ways that are excruciatingly hard to pinpoint, lay your finger on.

But as written, that’s for another time. In the meantime, I’d love to see your contributions (if/when serious) overflowing my mailbox… Plus:
[Lawyers lurking next door…; Zuid-As Ams]

Mixing up the constitution

When your state secretary is mixing up all sorts of things. When at the official site, at last email (and other ‘telecomm’) is listed to be included as protected on the same footing as snail mail has always been, qua privacy protection.

Which raises the question: Does that include the right to use (uncrackable) encryption, because that is what is equivalent to a sealed envelope ..? When the same government wanted to ban that, or allow simply-crackable [i.e., with bumblinggovernment means – the most simpleton kind or ‘too hard’] encryption only?
Why would this have to be included so explicitly in the constitution no less, when just about every other tech development isn’t anywhere there, and in the past it has always been sufficient to interpret/read the constitution to automatically translate to the most modern tech without needing textual adaptation ..? [As has been the case in every civilised country, and maybe even in the US too.]
And where would GDPR impinge on this; is the rush necessitated by GDPR (with all its law-enforcement exemptions, pre-arranging the ab-use of those powers GDPR will give), or is this an attempt to pre-empt protection against Skynet overlords (pre-pre-empting GDPR protection for citizens), – recognising that anything so rushed will never be in favour of those citizens – or what?

One wonders. And:
[So many “unidentified” office buildings in NY, NY …]

Collateral (un)patching; 0+1-day

Is this a new trend? Revealing that there had been a couple of exploitables, backdoors in your s/w when you patch some other ones and then have to roll back because you p.’d off the wrong ones since you accidentally also patched or disabled some hitherto secret ones.
At least, this is what it seems like when reading this; M$ stealthily (apparently not secretly enough) patching some stuff in negative time i.e., before-zero day. When later there’s rumours about this patch(ing, possibly parts of) is retracted.

For this, there appear (again) to be two possible reasons:
a. You flunked the patch and it kills some Important peoples’ system(s);
b. You ‘flunked’ the patch and you did right, but the patch effectively killed some still-not-revealed (in the stash) backdoors that the Important peoples (TLAs) still had some use for and were double-secretly requested to put back in place.

I’m in a Movie Plot mood (come to think of it, for no reason; ed.) and go for the second option. Because reasons (contradictory; ed.). Your 2¢ please.

Oh, and:
[So crowded and you’re still much less than a stone’s throw from a Da Vinci Code (was it?) big secret — I may have the pic elsewhere on my blog…; Barça]