The enemy from below

I know, I’ve been guilty of it too. Thinking, tinkering, and musing about all sorts of abstract risk management schemes, how they’re a giant mess, mostly, and how they could be improved. Here and there, even considering a middle-out improvement direction. But mostly, ignoring the very fact that in the end, information risk management hinges on the vastly complex technological infrastructure. Where the buck stops; threat-, vulnerability- and protection-wise.

A major (yes, I wrote major) part of that low-level (Is it? To whom? It’s very-highly intellectual, too!) technological complexity is in the trust infrastructure in there. Which hinges on two concepts: Crypto and certificates. In fact, they’re one but you already reacted towards that.

For crypto, I’ll not write out too much here about the wrongs in the implementation. There’s others doing that maybe (sic) even better than I can.
For certificates, that hold the crypto keys, the matter is different. Currently, I know of only one club that’s actually on top of things, as they may be for you as well. Yes, even today, you may even think the problem is minor. Since you don’t know…

Really. Get your act together … This is just one example of how deep, deep down in ‘the’ infrastructure, whether yours or ‘out there’, there’s much work to be done, vastly too much complexity to get a real intelligent grip on. How will we manage ..?

And, of course:
002_2 (13)
[Showboating tech, London]

Cryptostego

Just as last week I’ve been discussing stego with colleagues, I missed this Bruce’s post
Be sure to read the comments, though. A couple on stacking steganography over cryptography, which is what I would presume would work.

And, again the question: what would you know of actual use ‘out there’; is it common, rare, what are the characteristics of its users ..? Is it the next big thing after (?) APTs …?

Oh, here it is; the pic you expected:
DSCN2526
[Would ‘Riga’ be a hint that there’s more to the picture …!?]

Column on Open Source code Bystanders

Well, the column is out there now… Will be published in the July 2014 ISSA Journal but here’s a preview, in Dutch

And, of course:
DSCN6225
[S’bourg, or Brussels – always mix them up and end up in the wrong place for a meeting]

Maverisk / Étoiles du Nord