Tag: IT security

Nudging to intermittance; 5 steps to awa success

As by now you have become accustomed to, this isn’t anything about five steps, or success. Or, I mean, the latter, maybe. Was triggered by the to be, should be classic on all thing #ditchcyber ψchology, where it discusses the lure of games and the reward structure therein. From there I wondered three things:

How can we deploy true gaming (not the quiz / survey kind) in raising, and maintaining, awareness in information security praxis for end users? Like, not the Training kind, but the Knowledge → Attitude → Behaviour – into eternity kind. For end users, and for infosec-(more-)deeply involved staff, differentiated.
The latter, probably requiring training upfront, but towards actual technology deployment, tuning (!) and use. And, moreover and probably much more important to get right, BCM style training. Train like you fight, then you’ll fight like you train. Since when it comes to damage control (and in infosec, the “it’s not if but when” is even harder fact than elsewhere!), one wants to have trained all on cool, controlled response not mere panicky reaction even more rigorously than in about any other direction.

Where does the Nudging part come into gaming ..? The thing, nudging rewards and penalties, is in use everywhere in public policy, to inobtrusively (sic; by governments yes, beware of the Jubjub Bird!) coerce people to change their social habits. At least a frog will jump out of slowly heating water… [Yes it does. But how did you want to jump out of the complete, total slavery of the Social Contract ..? You can’t. You’re bound from and by birth. You’ll be a slave forever, the more so when your mind is free…]
But besides; how do ‘we’ use nudges in infosec behaviour change games? How, in daily mundane practice where attention is to other things only, not to infosec as that stands in the way of efficient objectives realisation ..?

Third, how are the above two things combined, through ‘intermittent rewards’ as the most addictive element in games ..?

Just wanted to know. Thanks for your pointers to answers. [Have I ever received any? Nope.] And:

[On a bright day, for Stockholm, the Knäckeboat museum]

Macrodots on your Opsec training card

Already a couple of weeks (month) ago, the whole secret-microdots-ID-your-printer thing came out. Re the leakage of something-TLA in relation to electionhacking [let’s write that as one word, better aligning the construct] or what was it, where the leakster was IDd quickly because the microdot on the published material(s) revealed the printer used.
Here I was, thinking that this microdot thing – Some claim it goes with laser printers only, not inktjet/dot matrix ones; anyone has any definitive confirmation of this? If confirmed, how many non-stupid bad guys will still use laser printers not have switched already …? – was wider known (like, I had yet to meet anyone in the infosec field that didn’t know of them or could not expect them, nor give any canary) but was supposed to not be used for any but the most extreme evidence-requiring circumstances. Like, you let incidental bombers walk because you don’t want to reveal your methods in order to be able to trace networks of them.

But here, a simple case of whistleblowing (is it, or is there more at play, like, Western democracy or even something serious, unfake …?) and everyone knows it now, in the open. Strange.
Tons of good info in the link, BTW.

Also strange that someone with such high clearance wouldn’t be better trained in Opsec, hence a. know about microdots and b. have used more covert leak channels. If training of such critical staff is so poor, there’s more serious troubles than just the demise of democratic institutions forthcoming.

Or maybe pretty-face leakster was ousted for not (falling for blackmail pushing to) providing some kind of services. Who knows. No one, these days of non-non-repudiatable news.

Oh well. And:

[In some relation to the above, that guy on the pole would know much better than to want encryption banned or backdoor’d to counter some moronic attackers like latter-day flat-out lying PMs]

Top 5 things that Awa isn’t

When dealing with awareness, certainly in the infosec field (#ditchcyber!), there seems to be a lot of confusion over the mere simple construct under discussion. Like, the equasion (with an s not a t) of Awareness with Knowledge plus Attitute plus Behaviour. Which, according to the simplest of checks, would not hold. Since Knowledge, and maybe Attitude, are apt components. But Behaviour is what eludes the other two, by the unconscious that drives 95% of our behaviour, in particular when dealing with any but the most hard-core mathematical-logic types of decision making and interaction.

Which is why so many ‘Infosec awareness programs’ fail …
First of all, they’re Training, mostly, even when in the form of nice posters and QR cards [that’s Quick Reference, not QR-code you history-knowledgeless i.e. completely clueless simpleton-robot-pastiche one!], and it’s true that “If you call it Training, you’ve lost your audience’s want to learn” – your audience will figure out it’s Training despite you packaging it differently; they needn’t even explicitly but intuitively (the level you aimed for, or what?) they will.
Second, all the groupwise that you do, doesn’t reflect in-group dynamics at the actual workplace and work flows, nor does it reflect the actual challenges, nor the individuals changing moods (attitudes). Oh the latter: Your attempt at changing Attitude is geared towards A in relation to infosec but that’s only such a tiny, so easily overlooked and forgettable part of the A all-the-time in the workspace.
Third, and arguably foremost, to plug ‘arguably’ as a trick’let to appear more interesting, What you aim for is not blank flat knowledge, nor even attitude, but Behavioural change. Do you really use the methods to achieve that ..?

No you don’t.

Oh and of course I titled this post with something-something 5, to get more views. Geez, if you even fell for that… And:

[Your kindergarten Board wish they could ever obtain such a B-room; Haut Königsburg]

Ten reasons quantum crypto will not

There may be more reasons that quantum crypto will not protect you against those evil villains out there, as suggested here (in Dutch) but quod non!!! (as I said; in Dutch ;-| ), for the not ten but one single reason:

When ‘hackers’ will not be able to access your comms when you will be using quantum crypto, so governments will also not so forget about it you will be jailed for life for using quantum crypto in the first place and also you are the most suspect of all and if still you’d try to use it, you will be whacked off-line … and your house raided, etc.etc. Because this.

And because, however clever you might think you are, obviously in vein, there will always be the ‘endpoint-to-you gap’ where parties may intervene.

Or they put a gun to your head. Good luck refusing.

And governments will restrict to their own comms; the most powerful one grabbing the scene and leaving all of the rest in the dust. And IF you believe their beneficial ethics, well you just removed yourself from serious discussion.

Anyway:
[Drone with too much tilt shift, or ’70s display scanned from an (actual, physical) slide..? (mine; ed.); <undisclosed location>]

Nudge, nudge, wink, wink, know what infosec behaviour I mean?

Am working on an extensive piece, a long-longread, on as many aspects of behavioural change towards true ‘secure’ user behaviour as I can cram into text. I.e., moving beyond mere full ‘awareness’ as phases 2/3 of this, to phase 4. Strange, by the way, that there is in that no end ‘phase’ or cycle in which one finds out to have been in phase 4 already for some time but didn’t notice and now forgets just as quickly as that seems ‘logical’.

But back to today’s subject, which is the same, but on a tangent. My question to you dear readers [why the plural, or >0 ..?] is:
Would you have pointers to (semi)scientific writing on the use of nudges to (almost)stealthily change (infosec-related) behaviour ..?
I could very much use that. Other sectors of human behaviour influencing studies have ample info on the effectiveness of such nudges, but for infosec I’m still with Googlewhack-like results.

Thanks in advance… Plus:

[The ways to seek prosperity from misery; EPIC Dublin]

Knitting against Cyberrrr…

This here piece, being the explanation why hiding in plain sight beats overtly-crypto tools. Quite enough said, right, apart from the note that the solution is a form of arms’ race flipping, as predicted. Would only wonder (again) how many cat pics out there, have stego messages, and how many TLAs are constantly scanning all Pinterest- and others- uploaded pics for nefarious content. Where the sheer volume created by innocent users, helps the bad guys (girls…!) to escape (timely) detection, or what?

Maybe sometimes human interaction can still help, like with this. Of quite another category but deserving massive global support nevertheless. Can ABC’s and Facebk’s image recognition engines be sollicited, or are we looking at the hardest pics still eluding the strongest AI-yet ..?

Back to knitting-style help it is … And:

[If you recognise this’ your country, you just got an interesting PM story… (truly congrats)]

Stay put while moving your address

Lately, there were a number of times I was reminded that for those that still use email (i.e., the overly vast majority of us!), some email addresses have been more stable over time than mere snail street addresses. And, with the different use of email versus the type that it was (derived-)named after, quite some times your ‘stable’ email address is harder to change. Where moving physical home address will easily redirect your mailman’s delivery for a large sway of services (utilities, subscriptions, et al.), such service doesn’t necessarily exist for email.
Not strange. You can move house and then take your email with you. Come to think of it, this is part of the greatness of the OSI model, right?
But strange. Try to ‘move’ (i.e., change) your private email address, that you use for innumerable websites, affiliation subscriptions, socmed profiles, etc.etc., and … you’re hosed. In particular, when you don’t have access to your former email address e.g., when switching employers (wasn’t a good idea to begin with, even in about-all of the world where using company equipment still leaves you with all privacy protection you’d need, excepting the corner of the world that their figurehead took out of the world’s developments so will revert to backwater, developing country-terrain), the confirm-change email may be unreachable as you can’t login to your old mail account… No solution provided anywhere.

So, as easy as it should be to move physically and have your physical address changed in public record systems, as easy it should be to keep some email address(es) that are used to identify you in person even when you’ve moved ISP…
Question to you: Is this covered under the “Must be able to move” hardcore requirement always under the GDPR..? *All* data should be coughed up in a machine-readable format to be processed in similar manner by some other service provider. That goes for email services too, automatically, so how will the (your!) sender/receiver addresses still be valid when you’ve moved ..?
If the latter works, then any service provider ID in your email address must work on any other provider’s systems, or your former is liable for up to 2% of global (sic) turnover. Quite a (damages avoidance) budget, to make things work…

Oh, and:

[Take a seat; not your address of any kind; Dublin Castle]

Bringing back symmetry/-ia

Some issues, aspects of interest, collided a couple of weeks ago.
Macron’s team with their skillful double-cross deceit in the ‘leakage’ of election-sensitive info (!read the linked and weep over your capabilities re that, or click here for (partial?) solutions or others or devise your own).   One down, many to go; Win a battle, not win a war yet.
In unrelated (not) news, what are the tactics used IRL to actively engage in pre-battle tactics? Can we plant our own systems with scar (?) tissue i.e. fake immunised (for us!) / unused information that is weaponised with trail collecting (or only source-revealing) capabilities, like shops and private persons can get “DNA” spray paint thus called because it’s uniquely coded so is identifiable and traceable? Can we harbour ‘hidden sleeper (?) cells’, pathogens i.e. malware, that doesn’t affect us but when ‘leaked’ to an adversary’s environment / stolen, oh boy does it become virulently active and destruct? (Silent) tripwires, boobytraps where are you?
How far behind the curve are the general public (us, I) with intel on developments in these areas? If the French used some of this stuff (using is revealing, qua tactics, unfortunately) certainly others would have considered the methodologies involved. Raises questions indeed, as were around, about whether or not the cyrillic traces were planted into WannaCry1.0 or left there in error. [There’s no such thing as perfect Opsec but this would severely hurt some involved at the source / would’ve cared better, probably.]

Just so we can get a better view on the balance being shaken up so vehemently, between asymmetric simpleton hacks [the majority you know (like, you actually can learn about; the real majority you may not hear about) of big organisations with their huge attack surfaces and attackers only needing one pinhole] and more-or-less regaining-symmetric nation-state attacks against each other (all against all) where the arms’ race of tooling now is so out of balance.

Would like to know, for research purposes only of course, really.

We’ll see. And:
[Yes that’s real gold dust on the façade hiding in plain sight, but you wouldn’t be able to scrape it off. Would you? Toronto]

D-raacdronische maatregelen

Okay, for those of you unable to understand the disastrous (understatement) word-play in the title because it’s in Dutch… It’s about a court case (verdict here) where neighbours were in this vendetta already and now one flew a camera drone over the other’s property succinctly the other shot down the drone.
Qua culpability for the damage to the drone, the Judge ruled that a. the drone pilot was trespassing so put the drone illegally where it was shot down, b. the gunman [an experienced shot, apparently] was not to damage other peoples’ property, both are guitly and should share the damage (and share the legal expense).

Side note: the verdict also states through witnesses, that the damage incurred was to one rotor only (after which the drone made a controlled landing; not such a good shot after all) and it had been flown into a tree before the incident (not such a good pilot in the first place), so the damage amount as reported by an independent expert were doubtful, even more so since the independent expert nowhere indicated in the report how the assessed drone was identified or identifyable, as the drone in question or otherwise.
Stupid amateurs.

Moreover, the Judge stated that a breach of privacy weighed no more of less that a breach of property rights. Now there‘s the Error [should be all-caps] in the assessment of current-day societal ethics which in this case, where the Judge appears to demonstrate a sensibility of the case i.e., the vendetta between the neighbours having dropped to a state where mediation is an option no more, would have called for understanding of the derogation of property rights by the privacy concerns as is prevalent (yes; fact) in society in which the verdict should fit. Apparently, neighbour considered the privacy breach already of more value that the risk to his property otherwise would have abstained from the risk of property damage. And the property rights should be compared with the privacy rights one has when e.g., throwing away printed materials; when discarded in the dumpster, one has surrendered one’s right to privacy-through-property re the dumped information. When voluntarily move into or over another one’s property, certainly without consent and against that other one’s want, does one not surrender one’s [protection of!] property rights to the other one? Of course one can ask one’s property back but what if the other one refuses or uses it as security re exchange for something else?

Legal scholars don’t seem to Always have a “hackers’ mentality” when it comes to finding all the side roads … Most unfortunately!
And:

[From the department of infinitely high control; Ronchamps]

Not there yet; an OK Signal but …

But the mere fact that Congress will use strong crypto Signal, can mean many things. Like, “we” won the crypto wars, as Bruce indicated, or the many comments to that post are correct and it’s for them only and will be prohibited for the rest (us), or … nobody cares anymore who uses Signal, it’s broken and those that balked in the past, now have some backdoors or other coercive ways to gain access anyway. [Filed under: Double Secrets]

But hey, at least it’s something, compared to nitwittery elsewhere… And:

[Ode to careless joy; NY]

Maverisk / Étoiles du Nord