This here masterpiece of course was bound to happen. Although with WiFi access, one would wonder about cloud sync / storage …
Oh WiFi hotspot no less…
Pic, again next time.
Tag: IT security
Players, sides, too many – where’s the (over)view?
Apart from the #ditchcyber aspects, in the (sometimes somewhat sportsy, even) battle about control, or is it temporary one-upmanship, over the world’s communications, so many parties play a role, in such varying sizes, and operating for so many sides, sometimes multiple sides at the same time, sometimes without even knowing that, with the interactions playing at various topics and levels of abstraction and with varying scopes, time horizons, strategies and plans (quality), I could really do with some clarity. Some mapping, interactive or not.
Which all was triggered by this post on yet another singleton developer taking on, inactively!, some well-funded TLA.
Will have to dive into the detail of it all, but know that I’ll end up losing the helicopter view. How many similar developments are out there, known or not? What stages of development, of deployment, of maturity, of starting to crack and leak are they all ..? It’s a hard life, this keeping up thing.
Hence, you deserve:
[As if moulded by a genetic algorithm, Porto]
Postdictions 2014-III
A progress report on the Predictions 2014 I made in several posts here, at the end of Q3.
I gathered some evidence, but probably you have much more of that re the items below. Do please raise your hand / comment with links; I’ll attribute my sources ;-]
First, of course, a picture:
[Iron fist, not often seen (by tourists anyway), Pistoia]
So, there they are, with the items collected from several posts and already updated once and twice before in this:
| Trust | Well, there’s this, and this on the financial penalties of trusting your assurance provider… | |||||
| Identity | See previous re the value of certificates. Otherwise, not much news this quarter. | |||||
| Things | The hackability of all sorts of home appliances has already become some sort of Mehhh… And apparently, there’s a spin-off in the IoBT …? And there’s progress in the auxiliary channels/architectures… as here and here. |
|||||
| Social | Not much. Some Ello bits, though. And more in the AI arena, as this shows. | |||||
| Mobile | Has gone to the Expired phase. | |||||
| Analytics | Wow, this one’s moving into the Through of Disillusionment quickly! Now get it to jump out at the other hand, as quickly. | |||||
| Cloud | Mehhh, indeed. May be in the Through of Disillusionment, or has gone into been there, done the grit work, no-one’s interested anymore. | |||||
| Demise of ERP, the | Turns out it’s very hard to fill vacancies in this arena, isn’t it? Due to the boredom to death surrounding them. | |||||
| InfoSec on the steep rise | Even if we haven’t seen enough on this!
|
|||||
| Deflation of TLD | See second link of Trust; Fourth line didn’t work, even. | |||||
| Subtotal | Already, with the previous follow-ups, clearly over 80% as we speak, when discounting for some fall-back here and there. |
The faint of heart wouldn’t necessarily want to speak the bold characters out loud.
See you at the end of the year ..!
IoTSec from IAM at entry to the end node
Now that you all are so busy implementing Internet of Things pilots everywhere, I mean at home like with this and this, but B2B everywhere as well (…!?) or are you doing it there not too, we may need to consider Security.
Yeah, Hans Teffer did a great piece on that (see here, in Dutch) and I blogged about that before [and many more links/posts…]. And, there’s quite some other issues with IoT. But the point here is – we haven’t thought of security before implementation.
And at the very few implementation’lets of IoT we see so far, security seems absent. Of course, you’d first want to make it work in the first place. But you’re doing it not right at the start, and you know that decisions made now (implicitly) will remain in the architecture for decades to come, in particular when today’s (almost) stand-alone implem’s become linked up into one giant uncontrolled, uncontrollable mesh.
Now, first, an intermission:
[At dawn]
So, ‘we’ all have been complaining about the security risks of IoT here and there and everywhere, in particular re the current risks of all sorts of industrial control being hooked up to the ‘net without anyone knowing or caring about proper sec.
And still then, we haven’t progressed beyond this Boy Crying Wolf position. Instead of moving to provide solutions. To begin with architecture ideas, the kind that we will need in order to branch out of the simpleton pilots.
On a walk, it struck me that one major part of any solution would be with Identification, Authentication (A1), and Authorisation (A2) – in particular at each and every end node in the network, the kinds you would want to reach to transit back to the Real, Physical world of Things and which are supposed to move ever closer to some form of smart dust… Whereas now, we often have the I and A1 usually at the front door, and the A2 somewhere in the/a network usually ‘near’ the end point (which also usually, is a relatively compute-enabled ‘large’ thing like a server with data).
Clearly, with the IoT we’ll need something else. All end points may float around somewhere out there, uncontrolled, un-tied-down in the giant global mesh network architecture. We will be systemically unable to tie any A2 server to an end point or vice versa (smart dust, spread out, remember), and the IA1-part will also be much, much less definable than it is today. But then, we’ll need much finer-grained access control at the end point, and much more flex at the (IA1) entry point or we leave it all free for all and only at the end point, the destination, check IA1 (again). For this IA1A2 at the end point, we need to consider:
- The end point(s) will very probably have very limited computing capacity; even with Moore et al., this will still lag required resource in a big way – because any type of ‘attack(er)’ will have vastly more computing power available. Hence, things will need to be really really simple at this point. We may need to consider global IoT mesh network segmentation or other pervasive and comprehensively secure forms of IA1 at entry points (how to guarantee complete coverage) or throughout the mesh (how to prevent complete coverage without even the slightest possibilities of evasion).
- Identities… ?? Where, how to manage the I’s and maintain the I+A1’s privacy, and transparency to the A2-owners ..?
- How to arrange A2 at all those end points, including the ability to maintain those ..? The dust (or some coarser-grained proxy, whatever) is out there, and can’t easily be uploaded all with the latest A2 tables we’d want – or that is done by some broadcast flash approach which is all too vulnerable for cracked use.
But still, we need something of that kind. And transparency built in to that, too… To ensure No Backdoors and accountability in general, as these cute little hidden holes would be exploitable by all the bad guys (official, and not). By the way, #ditchcyber.
I’m aware there’s more problems than solutions in the above. But you should be aware of the risks of letting them remain unsolved. Your suggestions, please!
And, just so you know:
RT @kauf: A Map of Every Device in the World That's Connected to the Internet http://t.co/t9RiPnwy0M pic.twitter.com/3ChTGRjWKC— GertJan Bos(@besocialonline) September 19, 2014
Managing Fortuna’s Risks
On how Risk Management is self-defeating… or just something one has to do while Life has other plans with you(r organization).
First, the übliche picture:
[Shadow (play) of Dudok, Hilversum again of course]
First, the Defeating part. This, we hardly discuss at length, full enough, but when we do, it’s so obvious you understand why: Because RM is about cost avoidance, even if opportunity cost avoidance. Which makes you the Cassandra, the Boy Cried Wolf of the courtiers (sic). It’s just not interesting, not entrepreneurial enough. [Even if that would be pearls before swines…]
Second, this is why it’s so hard to sell (no quotes, just outright sell for consultancy or budget bucks) the idea of RM to executives – they only see the cost you are. They don’t see themselves as delivering something if, if, if only, they had integrated RM into their daily ‘governance’ (liar! that’s just management!) / management. They don’t want to do anything. They just don’t understand to do something that doesn’t show to be effective even if others for once see no harm (though the others will not even care to flag the kindergarten-level window dressing that’s going on with the RM subject; too silly that, to call out).
Third, this happens not only with ‘boardroom’ RM (~consultancy/advisory), it has been well-established at lower ranks; all the way from the mundane IT security, Information Security, Information Risk Management, Operational Risk Management (where the vast majority of organisations don’t make anything tangible anymore), including the wing positions of, e.g., Credit and Market Risk (which are in fact, with the visors to mention, the same as the previous!), to Enterprise Risk Management altogether.
Fourth, we tie in Queuillism. The Do nothing part almost as in Keynesianism where in the latter, future-mishap prevention should be arranged during the years where government intervention wasn’t required as such. As in Joseph’s seven fat years contra the seven years of famine (Genesis 41). How does this reflect on RM? Would it not be just BCM in its widest, enterprise-wide sense? Isn’t that what ‘management’ is about, again..? Just sanding off the rough edges and for the rest, give room to the actual stars, the employees at all levels, to let them bring out their best – so exponentially much more than you can achieve by mere, petty, command & control. You raise KPIs, I rest my case of your incompetence. And this goes for governments even more. Just enormously expensive busywork.
Fifth, finally, the fourth trope points into the direction of Machiavelli’s Fortuna. Which was also covered by Montaigne, of course. It doesn’t matter what you do, in the end, Life has other plans with you. Sobering, eh? Oh but again, you can shave off the rough edges for yourself, too. Just don’t think in the end, that will matter much beyond some comfort to you. Katharsis, and move on.
OK, since you held out so long:
[The same, from another angle]
Security accountability: We’re off
Remember the Vasco i.e. Diginotar certificate breach scandal ..? For the many that don’t read Dutch easily enough, the gist of this court decision is that the previous owners of Diginotar are accountable for the damages to Vasco following the breach since the previous Diginotar owners hadn’t secured their systems well enough.
There’s a lot to be said here.
- E.g., that the security lapses could have been known. Due diligence …? Well, the PwC reports were all green traffic lights, at the procedures-on-paper level. But a couple of years before the take-over, already a third party (ITSec, which I know for their good work [disclaimer: have no business relations]) had notified Diginotar about shop-floor level deficiencies. That remained uncorrected.
-
Add to that, that actually, the previous owners themselves started legal claims. Because a major part of their sale proceeds were still held in escrow, and they wanted the monay. Vasco filed a counter claim; logically, and won.
- Also, the auditors that had time and time again ‘assured’ the security of the scheme (and don’t get me started about limiting the scope of such assurance in scope vagueness or in the fine print!), haven’t felt too much backfire. Yet, hopefully. Though recently, the same firm announced an initiative towards a new, proprietary one can guess, security standard. Right.
So, are we finally seeing accountability breaking through ..? I already posted something on the Target Cxx stepdown for similar security lapse(s). Now this one. The trickle’s there, let the deluge follow. That‘ll teach ’em! And of course, generate a humongous market for backlog bug remediation, from the software levels up through controls to governance levels…
Even if that would stifle innovation for a while. Would that be a bad thing; having only the real improvements breaking through and not the junk ones ..?
OK then, now for a picture:
[Monteriggione security was effective, until not, then abandoned as control approach… they did, why not all of us today?]
Progress: Hacked (short note)
OK, so there’s progress… hackers (of the ethical kind …! …?) actually improving security, as per your Nest thermostat.
Contrary, of course, to the hacking of your home security system as spelled out here and already ‘predicted’ by means of requiring solutions, quite some time earlier here…
For their, and your, viewing pleasure:
[The ‘old’ shouldn’t be underrated by not being rated well enough…]
Mind posting/reading
This new Mindmeister feature looks interesting:
Grappig. Met Google Glass ideetjes vastleggen in MindMeister: http://t.co/L5zSXJmto1
— Paulus Veltman (@paulusveltman) July 18, 2014
Except for two things:
- It will create a bucketload of ‘Tourettists’ at all sorts of public venues (coffee shops, terraces, the beach, side walks, etc.) when all sorts of, mostly, self-inflated hipsterlaggerds start recording their every doodle out loud instead of just clicketing it to Kik / Tele- / Instagram / WeChat / Line / Viber / Wicker / Threema / surespot et al. Yapping out somewhat loud will be even more annoying…
- Who reads your doodles at the back side ..? Yes this is already an issue with like programs, in particular if (not when) one would use them to sketch outlines and content ideas for concepts / posts / columns / articles / books that might be construed to reflect a societal(ly -) or political(ly less wanted) opinion of sorts.
Already now, of course, who reads what you’re working on, even when stored off-line ..? But this will become an even greater issue when even the slightest of your mind’s burps might get captured immediately by your own doing.
How far till this turns into actual mind reading?
Would someone (AI (yes, being someone), or human if you’re still in old school thinking mode) be able to immediately present you with position-changing tweets etc.?
Well, we’ll see… Singularity, here we come! We want you! After that, we’re done.
Hopefully, CitizenMe will be trending
This may be a trend: Decide yourself what personal data to ‘sell’, and for how much. First step: Know what you ooze out. Hopefully, through this we’ll awake and implement Jaron Lanier’s dreams…
And even before this post came out, there’s an [update] to do … With this.
And then, of course:
[‘goza just like that, for no apparent quality or reason]
Gotta TruSST’MM
Had been planning for a long (?) time already to write something up on the issue of Trust in OSSTMM3© – in particular, how it doesn’t conform with received (abstract) notions of trust and how that’s a bit confusing until one thinks it through wide and deep enough.
First, a picture:
[Controlled to I/O, Vale]
Then, some explanation:
As I get it (now!), the OSSTMM model defines Trust as being an entry into or out of a system/component (objects, processes). The thing you may do when you are trusted. Literally, not the protection wall but the hole in that wall. Which isn’t some opinion thing the holder has of the visiting tourist. Interesting, but troublesome in its unsettling powers.
Dang. Running out of time again to delve into this deep enough – in particular where I wanted to link this to a previous post about identity and authentication … (this post in Dutch). OK. will move on for now, and return later. Already, if you have pointers to resolution of the differences (the whole scale (?) of them), don’t hesitate.
