Hey why are so many using PICNIC instead of the age-old PEBKAC ..? No, I’m not complaining ‘because’ old, nor on the ‘ …, got the T-shirt’ route. Just would want to know. Is it that the latter is too difficult to remember the meaning of ..? If so: Sad for its Shallows calibre. If otherwise: Please advise.
Tag: IT security
Overwhelmed by ‘friendly’ engineers
The rage seems to be with chat bots, lately. Haven’t met any, but that may only be me — not being interesting enough to be overwhelmed by their calls.
Which will happen, in particular to those in society that have less than perfect resistance against the various modes of telesales and other forms of social engineering (for phishing and other nefarious purposes) already. Including all sorts of otherwise-possibly-bright-and-genius-intelligent-but (??)-having-washed-up-in-InfoSec-for-lack-of-genuine-societal-intelligence types like us. But these being the ones of all stripes that ‘we’ need to protect, rather than the ones apparently already so heavily loaded that they can spare the dime for development of such hyper-scaling ultra-travelling foot-in-the-door salesmen. Is this the end stage, where none have a clue as to which precious little interaction is still actually human-to-human, and the rest may be discarded ..?
As for the latter … It raises the question of Why, in communications as a human endeavor… Quite a thought.
But for the time being, you’re hosed, anti-phishing-through-social-engineeringwise.
Just sayin’. Plus:
[Retreat, a.k.a. Run to the hills / Run for your life; but meant positively! Monte Oliveto Maggiore near Siena]
Wats’on your bug-hunting program ..?
Tinkering with some unrelated ideas …:
How would one go about setting Watson (Clone, III) to work on bug hunting ..?
Where the Beast would be fed all sorts of past code / code patterns (source~ or executable~, or whatever style you’d prefer) with known bugs / errors / exploits and the way in which they failed, and then have the Big W scan, e.g., Win10 source code and come up with a list (in this case, assuming sufficient storage ;-| ) of bug red flags. Probably, to be classified in a range of Sure Thing, via Commonly, to Maybe. As we’re discussing patterns, certainty can’t be had for all found points of interest per se.
That being the simple part, what about automated immunization ..? If some patterns are near-certainly bugs/errors/exploit-points always, can they be plastered ex ante ..? It might be easy(er), too, to throw in an extra development test in the first place (“Sorry Dave, I can’t compile that”). But this sort of scope creep could easily lead to creepy behavior, e.g., if (??) the (??) system would get hijacked.
Oh well. Would still be glad to have your thoughts. And:
[“Tin”foil hat for actual protection (well, No.), at Haut K-bourg again]
Plusquote: Critique of the Pure Reasonlessness
This episode, by reference to the excellent Future Crimes (Marc Goodman, as here), one originally by G.K. Chesterton (The Blue Cross):
The criminal is the creative artist; the detective only the critic
To which we would want to add: And the auditor, only the disgruntled desk-bound traffic cop.
Since, the checker (and penaliser) of the trivial petty little rules, should remain in the third line, right ..?
Where by the way, the creativity of the artist is required to make the art work that sells — and hence all make their living off straightforward crime or would perish. The more you bureaucratise into totalitarianism, the more you see life wither, till death. Even if the crime keeps on being perpetrated — by laxity of the second and particularly third lines, in cahoots with the profiteers. … Maybe that’s a bit deep-but-overly-lapidary …
Hence, just:
[Panopticon Central, Strasbourg]
Miss(ed), almost ..?
One might have easily missed one of the most valuable annual reports … but if you trust it (you can) or would want to dismiss it (you can, for various reasons like the management babble leading to a great many missed threats and ~levels as here, always of course, but still), it is an important item when you’re in InfoSec despite #ditchcyber! so you’d better study it.
Oh, yeah, this being the thing.
OK now. Plus:
[In “cyber”space (#ditchcyber once more), easily scaled. Haut Koenigsbourg again.]
Emerging degrees of privacy
Given that ‘privacy’ is a property that emerges from good Security, more particularly from Confidentiality (and Integrity), there are two avenues to succeed in this field:
- If quick and maybe even too dirty: Data minimalisation (as e.g., here, in Dutch)
- Else (OR?): Fine-grained protection, also against the default Read all down the stack (user / end point / comms channels / applications / middleware / servers / storage — with the latter maybe crawling up and down the stack again when virtualizing in the cloud)
Because binary’s not my thing and keeping it real (i.e. (!) not being consistent) is: Would any of you have pointers to some science on possible degrees or levels of privacy ..?
The idea keeps floating around in my skull. Including degrees of invasion! Where sometimes, the required degree (as set by the subject) would be less than the degree for some government agency so everything goes … for this some data point only. Yes, Value creeps in as a boring subject but isn’t everything. Should be a field of study …?
Thanks anyway for all your pointers on the last item… (none); hence:
[It’s watching over your shoulder….! Het Loo]
Repeat: Trawling for noise
So… Legal developments go at glacial ‘speed’, thus mumbling critical oversight to sleep. Happened, once again, in NL. Mass collection (sic) of and trawling through all sorts of data ‘out there’ is free game for gov’t agencies.
NO the oversight committee will not do anything. Anyone saying so, plainly and simply lies under oath to overthrow the constitution (isn’t that high treason?)
But what will happen of course, is that those that in the past weren’t able to connect the dots (proven fact), will now be swamped in enormously bigger piles of noise data. At the very very best (??) they’ll find bucketloads of false positives — ruining perfectly normal, perfectly legally operating citizens’ lives, of course without any serious recourse or restitution of lost life’s pleasure and happiness…
And the false negatives will also explode, induced by the very ‘countermeasures’.
So, also those that propose and implement and work with such ‘solutions’ quod non, will be culpable too.
Oh well Or well was right. Plus:
[I don’t want or like, but do expect, a similar thing again; for different reasons but with no really different methods — Prinsenhof Delft ya’know]
Crash’in the wings
… Thinking back to the Taleb’ian remarks, and truths, on Extremistan, and how some more or less closely watched parameters may lose their variance but not their uncontrol since such petering out of shock’lets are just the precursors of an asteroid impact scale collapse, I wondered what is about to happen in infosecland. Since for weeks, nay months already, there has hardly been any news… Apart from the usual suspects (#ditchcyber ..!), there hasn’t been anything serious, has there, by means of yet another class break or more comprehensive controllability breakdown?
Which is why everyone should sit more uneasily, instead of the opposite: sleeping better than ever.
But then, this was the message from your Wolf-crying boy …?
To which:
[Since last Friday, you know this isn’t a reindeer but an elk that is no moose, at least not everywhere]
Security so(m)bering
There’s this discussion going down on the merits of privacy versus security. Whether the one is part of the other, or the other way around, or both. Whereas the smarts are with considering privacy enhanced by good confidentiality settings ’cause they see that privacy is an issue of higher (abstraction) order than mere confi; achieved by it but only as infosec are the bricks and mortar when all you wanted is not bricks or so but a wall.
Through which you may reflect on compliance in infosec. Because hardly ever, is that taken to include compliance with the principles and business objectives and conditions that include being sparse with hinder to the business. Really, those that truly set only guiding rails not enforcement rails, are the unicorns of the trade. No, not those unicorns, those are just frauds anyway.
You may try to do better; really. It starts with risk … when properly applied, you would not get the remarks about ‘why, it has never happened to us before / what are the odds?’ but might even get better support for some slightly hindering process changes and better (but less end user detectable) ‘infra’ i.e., everything under the users’ level of visibility.
So, I’m not sombering or if, about the eager beaver pervasive prevalence. Because sobering up, wising up, may win the day and may be due…
We shouldn’t somber too much… Isn’t this a perfect opportunity to finally demonstrate how we do (… can …) link up information security to real business issues at the highest GRC levels. Since we shouldn’t be passive, and leave ‘privacy’ to be taken over by lawyers jumping into the current Privacy Officer void. Since we can translate all the operational and tactical work that we do on privacy, all the way up to strategic levels and still be very concrete. And not have to wait till ill-understandable “guidelines” (shackles) keep us from achieving something.
No more wannabe whining about ‘deserving’ a seat at the Board table or at least be heard; not asking to be allowed but matter-of-factly showing ‘Done.’ … if, not when, you did information security right all the way…
The ides of March
… aren’t today only, but are indicative of … well, a lot of what goes on in infosecland these days.
Who to trust, when your buddies and experts and both in ones, may carry knives or worse. Like, turning your defenses against you behind your back. Like the Brutus’es and Ed S.’s did because their consciousness revived (true in both cases ..!), like the great many are doing without tipping you off already. Until it’s too late. And, in similar vein, how’zat for your backdoors built in ..?
But then, as long as you can sit there like a rabbit in the headlights … sleep now in the fire [insert appropriate link to RATM clip] because the Time Till Collapse may leave you less room for Après Nous le Déluge than ever before.
Just to wake you up, by the way; if you read the above as some kind of chagrin I may have achieved my aim of making you think beyond mere Mehhhh.
So, I’ll leave you with:
[Shifting politics, shifting alliances…]