COPE a Nope

Hm, this piece seems to miss the point entirely…

Because the move to BYOD had/has (sic) nothing to do with operability, but everything to do with power. And speed. COPE will be much more of the same, but with an even more inexplicable and awkward speed/flexibility/functionality trade-off. With nothing of (e.g., the current and forthcoming European Regulations’ and practices’) privacy in mind, just pipe dreams of regained totalitarian control. Heh, if that floats your boat: every boat, yours included or excepted, has left the harbor, because ships are safe there but that isn’t what ships are for. If you can’t see the analogy … you’ll be sunk.

And then, there’s a pic:
[Picture: Great for learning gaff rigging but for serious yachting…?]

Postdictions 2014-II

A progress report on the Predictions 2014 I made in several posts here, at the end of Q2.

First, of course, a picture:
[Picture: New then, outdated now, La Défense]

So, there they are, with the items collected from several posts and already updated once before in this:

Trust Bitcoin may be in this corner, covering a lot of this subject [edited to add: it’s now legal in California ..!]. Also, Heartbleed pointed out our dependency on ‘anyone but us’ in actually checking/testing open source software like OpenSSL, and the trust placed in the great many low-level bits and pieces that make up ‘the’ Internet (connections).
[After publishing, I’ll cross-post my ISSA Journal column on this, as a post] —> [Here it is]
Identity Facebook allowing anonymous (fake) identities. Users deleting posts from socmed, and switching to ephemeral messaging (Snapchat et al.). The European Court ordering Google to delete histories at request. (The semantics of) identity proceeds to being manageable…
Things Moving into a focus, vanguard of Sensors. And the Glass successors are surfacing. Earables here …
Social Movement all around; with a focus on privacy as in my May 30th post.
Mobile See Things.
Analytics Wow, this one’s moving into the Trough of Disillusionment quickly! Now get it to jump out at the other end, as quickly.
Cloud Mehhh, indeed. Still. The focus shifts towards actual security implementations, and control over that. On the Slope of Enlightenment, I’d say.
Demise of ERP, the Dude, these platforms aren’t even audited other than by the most boring of boring routines – anyone interested in things other than pure dry deadwood is working on other things.
InfoSec on the steep rise Even if we haven’t seen enough on this!

On APTs: We’ve seen Heartbleed come. And not go. This being just a mere incident, incidental symptom…
On certification vulnerabilities: See the previous. Check.
On crypto-failures, in the implementations: Some minor Bitcoin stuff, not too much else.
On quantum computing: – still not too much –
On methodological renewal; as it was: I blogged about this (re Rebooting CIA and OSTMM). Some progress here and there, but no ✓ yet.
Deflation of TLD Really out of sight even in the most dull accountant’s circles.
   
Subtotal Already clearly over 80% as we speak, when discounting for some fall-back here and there.

The faint of heart wouldn’t necessarily want to speak the bold characters out loud.
See you at the end of Q3 ..!

[In repeat, to add:]
Missed in the predictions ahead of time, but still worthwhile to watch: Google’s move towards banking via Gmail … as per this story, as commented ‘ere.

OSSTMMPerimeter ..?

Just a note; was struck by the OSSTMM approach towards the structure of infrastructure. [Disclaimer] though I am quite a fan of the OSSTMM approach (and do want to write up tons of whitepapers linking it with my ideas for moving forward in the InfoSec field without having to revert to #ditchcyber bla), I feel there’s a snag in it:
The analysis part seems to still take a perimetered, though onion-layered, approach. The Defense in Breadth is there, for sure, but still the main (sic) focus is on the primary axis of the access path(s). Does this still work with the clouds out there and all, focused as they are on principled agnosticism about where your data and ‘systems’ might hang out?

OK yes now I will go study the OSSTMM materials in depth to see whether this is just my impression and I’m proven horribly wrong, or …

So I’ll leave you with:
[Picture: Hardly a street, next to Yonge]

Note: M$ is just a vendor

Microsoft declared the era of XP finally over, amongst others by not providing fixes in Updates per May 13 (not a Friday, but close).
Markets (the user base out there) declared Microsoft to be just one vendor among many, not to dictate anything but to deliver at want, at need. No more. They did so through continued use of XP in oh so many machines, of the general-purpose computer type, and in embedded systems et al. Microsoft weighs in, the user base decides.

And, of course:
[Picture: A sunny pic of Ståckhølm]

WIoTables

Am I too late with this post, or are people still mixing up the Internet of Things and Wearables ..?

First, a picture:
[Picture: Rarely seen Cala, at ON]

Because we’re talking quite distinct things. Yes, there’s a crossover area where e.g., the sensors or ‘reflectors’ we wear, operate in the IoT realm of ambient intelligence.

But for starters, there’s wearables. Mostly, human-to-Matrix sensors / Matrix-to-human feedback interfaces. Hooking you up in a blue pill world. Oh yes so helpful; often providing morsels of value like Likes through displaying to all out there, mostly to trolls, your (under)achievements. Or calling attention to your slacking; business can’t wait! (You’re not essential though, by the way, easily dumped by the wayside if some human or not algorithm plays it that way).

And there’s the IoT, sensors, networks, actuators, and Central Scrutinisers (1979 mind you!!) that form the Matrix itself. Out of control, soon to be out of control of any human or (alternatively) TLA. Soon to be run by its transient Singularity.

Now, don’t make that error again!

Not news, still suppressed?

Why is it that this paper on chip-and-pin fraud hasn’t gained much more attention in the Netherlands ..!?

Maybe because NL has only just sort-of completely switched off the magstripe to EMV.
Which even before its comprehensive roll-out here in NL, was known to be weak. Years before. And still no-one took action.

A picture for your efforts. But (payment) industry, you fail with a big F again
[Picture: London temp, also years back]

CIAAEE+P

Privacy came to the fore last week, at a very interesting ISSA NL event.
Where we discussed the prevalent Confidentiality-Integrity-Availability approach (where impacts mandatorily regard the data subject(s), not you the processor, as the data subjects are legally the owners of their info …!) and whether those three actually cover privacy aspects sufficiently.

Well, we did conclude that for now, CIA is ‘still’ the common denominator. But … hey, Auditability might be added, as that’s a sort-of requirement throughout privacy protection. And Effectiveness and Efficiency – of the data handling! – have a place as well, being representative of proportionality and legal-grounds-for-the-privacy-sensitive-data-handling-in-the-first-place (i.e., real purpose / purpose limitation!); if you collect more than very, very strictly necessary, you’re culpably inefficient in a hard legal sense, and at least part of your data handling is not effective.

But should we add Privacy as yet another factor ..? Does it have value in itself? Initially, I thought so, as the common CIA somewhere will always have lost its connection to information value, e.g., through the Bow Tie effect and other deviations (lagging) from modern developments.

Which I’ll discuss below. But now, first, an intermission picture:
[Picture: Yup, Whistler]

So, as said, Privacy may be covered by CIA. But, … with specific deviations of interpretation.

Can’t have your cake

I guess you can’t have your space cake and eat it over your keyboard.

If only they’d hire me. I bring [1337 hacker skillz and dope use] negated; not fully and absolutely none, respectively.

But then, …:
[Picture: Beeb]

Aweariness.

Two weeks ago, at this (successful!) symposium, I noted the developments on the Awareness side of our IRM business. Multiple speakers were onto the subject without hesitating to move beyond the mere annual poster campaign for awareness, and into the daily, normal, subconscious behavioral change work that was for a long time so much lacking. From ISO 2700x as well.

Which of course is a very, very good thing. Before the 80% of hard work in IRM as such (after discounting the first 80% in hardcore information security), the 80-100% of effort should go into this socio-/psycho-/behavioral fluffy stuff that yields so many benefits and returns. Though we ‘still’ may not be good at it, at least there is development, and leading examples. Thanks, speakers, for that; and for now:
[Picture: Your guess. No, not Paris, Reims; not even Strasbourg and that’s a hint]

Who has your back; who’s up your back side?

Depends on how you foresee the world’s wheels of fortune turn…:
[Picture: Plucked via some byways from this originating site. Worth a visit!]

But beware … Things may change rapidly.

Maverisk / Étoiles du Nord