Summarily: yolosec

Yes, that’s the summary title, at once describing the sum total result of all your humongous efforts to ‘secure’ … whatever scope, in infosecland. HT to @thegrugq
To which we may add the find of yeauleau for francophones. Of course.

That’s it for today. With:
[Fashionable Without A Cause, too; (i.e.) Milan. Look to the left (shop) and shiver…]

Pro-nun-ciation

OK.
We already had the CGEIT title certification. Which is pronounced in Dutch as ‘See goat’.
Now let’s add CSX. Pronounced by all as ‘See sex’.

Oh jolly! One is ignorant, XOR one is prepubescent.
Either way, #fail – big time. Let alone for content. This, if you’re still a believer.

You still deserve?
[To be in your stroller; Nancy city park]

P( Danger(You) > 0.5 ) ⇒ Shutdown( You )

For the Fellow Travelers among you, who still believe that AI (AGI or ASI) will bring us joy and an Arcadian, peaceful, creative, work-free life forever after, please do consider this here piece. And see that we’re only at the beginning.
[Oh for AGI/ASI reference, see here.]

Luckily, hopefully, the tide will turn. But there simply is no guarantee it will.

And on this most pleasant note, I’ll leave you with:
[Málaga – but when the struggle is forbidden and ‘ratio’ quod non might seem to prevail, the Dark may roar and explode out of its confines in utterly destructive ways. As in this previous post…]

Signalling healthy process

Yet some more cross-over ideas from the IoT world into the administrative bureaucratic office world: Streams of transactions as signals.
Of the health of the process, of course. To be defined, obviously, as the fit to the surroundings. The fit may be off, either intentionally (wanting to let the world adapt to the process, enforcing (?) change) or unintentionally left blank, i.e., having to cope with exceptions to what was envisaged as the transactions’ content or form.

Now apply yesterday’s first picture of process control.
Now, too, consider what one could do with sampling theory (as a subset of ‘Shannon’, if properly elaborated, possibly skirting with ‘classical’ statistics ..?). Taking 2log(n) samples (where n is the number of transactions ..?? Just a wild guess) and being able to reconstruct the ‘signal’, then taking its integral (discrete transactions … just summing it up ..?) for the total. Or Fourier-transforming it all and … get your basic theory straight before dreaming of moving on, so don’t start at the other end as ‘accountant’…!

And/or treating exceptions (as e.g., found by the sort of analysis that these girls/guys are so good at; that not even being meant as a cynical qualifier) as noise to the signal. Never fully suppressible, but useful to pick up secondary signals, stacked in their variation of frequencies, amplitudes and wavelet transformations. That all tell you something, if you listen. Whether you want perfect, over-HiFi replay [intermission: Ugh I’m getting old, even knowing that HiFi was a thing…], or lively veracity, actual fullness of music.

And take in again the ol’ industrial process control with its recipe / derivative function(s), et al., and be able to better control it all from the ‘dashboard’ in the control room. When all of the routine stuff, the routine 80%, of business is done by … ‘robots’. Humanoid or digital machines, IDC.

And hey, while we’re at it, why not throw in attempts to include in bookkeeping not only discrete numbers (arbitrarily rounded to hundreds, of random currencies) but Real numbers or even Complex numbers as well ..? The latter, e.g., to indicate VAT surcharges, etc.; leading to tuples-as-single-‘numbers’ in bookkeeping. Maybe somewhat harder to track that all is booked correctly, but also maybe powerful in capturing singular transactions and some processing rules/logic, and controls, in one tuple (‘record’).

Where AI may then be applied to do sanity checks. Not on this author; no AGI or ASI would suffice…
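As an added illustration of the ‘transactions as a signal, exceptions as noise’ idea above (example code written here, not from the original post): a constructed 28-day series of daily transaction volumes with a weekly rhythm is Fourier-transformed, only the slow components are kept as the baseline ‘signal’, and whatever sticks out of the fast residual is flagged as an exception for a human to look at. The hand-rolled DFT, the sample series and the injected burst on day 10 are all assumptions made for this example.

```python
import cmath
import math

def dft(x):
    """Plain O(n^2) discrete Fourier transform; small inputs, no numpy needed."""
    n = len(x)
    return [sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
            for k in range(n)]

def idft(spectrum):
    """Inverse transform, returning the real part of each reconstructed sample."""
    n = len(spectrum)
    return [sum(spectrum[k] * cmath.exp(2j * math.pi * k * t / n)
                for k in range(n)).real / n for t in range(n)]

def weekly_series(days, mean=100.0, swing=40.0, period=7):
    """Constructed sample: daily transaction volume with a smooth weekly rhythm."""
    return [mean + swing * math.cos(2 * math.pi * t / period) for t in range(days)]

def lowpass_baseline(series, cutoff):
    """Keep DC plus the `cutoff` slowest frequency bins (and their mirror images)
    as the 'signal'; everything faster is treated as noise, i.e. exceptions."""
    n = len(series)
    spectrum = dft(series)
    kept = [c if (k <= cutoff or k >= n - cutoff) else 0 for k, c in enumerate(spectrum)]
    return idft(kept)

def flag_exceptions(series, cutoff, z_threshold=3.0):
    """Indices whose residual (series minus baseline) lies more than
    z_threshold standard deviations away from the residual mean."""
    baseline = lowpass_baseline(series, cutoff)
    residual = [s - b for s, b in zip(series, baseline)]
    n = len(residual)
    mean = sum(residual) / n
    std = math.sqrt(sum((r - mean) ** 2 for r in residual) / n)
    if std < 1e-9:  # a perfectly periodic stream leaves only rounding noise
        return []
    return [t for t, r in enumerate(residual) if abs(r - mean) / std > z_threshold]

# Constructed data: 28 days with the weekly rhythm, plus one injected burst of
# 300 extra transactions on day 10 (say, a bulk re-submission worth a look).
TRANSACTIONS = weekly_series(28)
TRANSACTIONS[10] += 300.0

if __name__ == "__main__":
    # cutoff = 28 // 7 = 4 keeps exactly the weekly fundamental and slower bins
    print("days flagged for review:", flag_exceptions(TRANSACTIONS, cutoff=28 // 7))
```

Note that the burst also leaks into the baseline (a single spike spreads across all frequency bins), which is the ‘never fully suppressible’ part: the residual at day 10 is 300 × 19/28, not the full 300.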

OK, for now:
[“What a shoe box” but yes that *is* the Bata shoe museum, Toronto]

ICShape

Doing some pondering, digging and backtracking on the issue of IoTA. But, … already got stuck when considering how to (best?) model the architecture at lower levels. Would a classical picture, or a somewhat-less classical picture work best to gain understanding of the risk areas ..? As in:
Industrial control cycle
[Own pic]
Or
[Image: open-standards; plucked, adapted from the site linked below]
Where the former is from the industrial, process-oriented engineering world, and the latter from the digital networking world.

Yes I’d really like your advice on how to ‘marry’ both to be able to optimally visualise where the risks are; the potential, intentional or not, noise on the signal, or the wrong signals altogether. What might cause that, how to protect against that, etc.
Yes, taking into account the work already done here – which is impressive, but somewhat (?) protocols-oriented, not architecture-/risk-oriented. Yet. Something like
[Image: SCADA / smart grid diagram, plucked off a simple search] is what I’m after.

But the other work, too. All, to overlay with risk lists on all surfaces at all levels… Then, to see how to protect that all against the (generic?) risks, and how one would audit sufficient (?) protection is in place. Not ‘controls’ – those are the losers’ weak retreats, the “didn’t want a cookie anyway” fig leaves. Taking into account this breakthrough though.
But for now, again already, leaving you with:
[Life instead of straight angles, Barça]

Overabsolute Majority Report

On this sad day (in NL), only a hint of a mer à boire on our future that will be – not so happy. Possibly.
Where the dystopian future scenarios are more right than the on-the-surface, by-and-large generic, tending-to-rosy robot movies predict. With Ex Machina having some interesting thoughts (again) on AI and what it is to be human, but in the end also falling back to common standards. And with the similarly common flaw of expecting ‘robots’ to become near-human, possibly to the point of indistinguishability [nice word] – that will then operate in a world where ‘individuals’ would be the unit of existence-currency. With no ‘government’ in sight, at least not in today’s sense where even the largest governments (agencies) are still made up of human elements. There is something, but it doesn’t matter too much for the discourse. Where the dystopian worlds we’ll live in (big question marks all around) may have quite a different set of physical media, e.g., all-digital.

Which makes it possible to see today’s (supra-)governments, the largest of them in particular and including the globally biggest private companies, where ‘company’ isn’t between a platoon and battalion of men anymore, as supra-national organisation forms in the abstract.

This already causes problems when one would want to get redress from e.g., the ‘financial industry’ and before, to tackle the military-industrial complexes that were (are?). This will cause problems now that the complexes are informational-industrial-military, with the middle part in the driver’s seat and the two others as wingmen, protecting.

In the future further out, the global complex may be beyond the Singularity (negative view), about which I posted quite a bit before. How will we approach such overlord(s) when completely abstracted, sublimated ..? Hm, gotta read up on Negri & Hardt a bit more…

But for now:
[When centres/seats of power were only this big; Madrid]

Ack or ook ..?

Yes, there we are again, on the subject of ‘Ethical’ hacking.
Because I came across such a ‘Certified Ethical’ Hacker once again. Which made me think (again…) about the allure of that. And then it struck me: It’s just a matter of replacing ack with ook and we’re all set!

Think about it; an ook does for money what others do for fun and ulterior motives… So does an ack. An ook can be certified (licensed) and get government-controlled medical/physical check-ups, by another bodily-educated professional. An ack can be and get the same; through permanent education requirements and peer review.

But what an ook can’t get, is the Ethical label that the ack has – for no apparent reason and it should be the other way around: Where the ook has proven her (majority; unless some ladies in the readership have sufficient experience to validly claim the opposite) role in society since the dawn of time/mankind/human society, the ack dabbles in what somewhat similar but short by aeons, is a crook’s business.

So, CEH better refer to the ooks out there. For now:
[It’s … Name That City time again!]

Oh hey, quoted (at a distance)

Oh hey, I got quoted (almost … I mean at an enormous distance) by some reputable (?) institution.
Where that body did jump to all sorts of conclusions (see my next Monday 27 April post squared with my 3 April post against (?) those), but in passing mentioned an arms race known to modern man already for decades as if it were something new. In this here piece.

What’s the aim, then? To have all sorts revert to Flipping ..?

To leave you with:
[Still? against intruders, Trier]

Culpable misinformation

The inescapable Bruce was very mild, characterising Comey’s texts as a joke. Like here, on this. Whereas puppets everywhere (in NL as well, here) can show only a handful of cases, if any at all, where mass surveillance (as this image by InfoSec Taylor explains) has been key. Referring not to any paraphrase (here) of Ben Franklin (“Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.”) ..?

But the point is: Where failure to act may be culpable in the same way that acts may be, deliberate (intentional) misrepresentation by omitting knowledge and/or presenting false conclusions may be as culpable as outright lying. In particular, when in the public sphere (of income) where speaking the truth (the whole, and nothing but…) is part of the deal, however indirectly through defense of a constitution. Wilful neglect of that duty (which may include informing oneself properly!) is a scam, con, deceit, fraud.

So, come clean. And:
[F..tis didn’t get away with it; too simpleton despite pretense]

Here, First

Integrity at any level is the Yggdrasil of any CIA or other quality of the layers on top of it.

I.e., if at the platforms level the integrity of software (à la Turing, engine/programs and data) cannot be fully 100,000…% guaranteed, no extreme of measures on top of it can restore the missing percentage, only (somewhat) limit further deterioration of the stack on top.

Okay, this being a bit abstract, a somewhat simpler and more extensive explanation will follow.
Till then:
[No base, no glory; Sevilla]

Maverisk / Étoiles du Nord