Two strikes and you’re out of third party standards

What a wobbling title.

When, now for the second time (here), the EU’s highest court has ruled that laws requiring broad (meta)data retention for trawling are illegal per se, with a minute few exceptions, thereby making it illegal even to consider it legal (i.e., to have a law requiring it, which is of course far stronger than a private company merely doing it because it wants to), you’d better comply.

That’s all, folks. Only, adding the following, which undoes that:

  • You may read back some posts on how to pull off better Privacy (-compliance) in a fun and efficient way;
  • And note how this seems to run counter to the above, or does it ..? The distinction is finer than initially thought;
  • Standards as yet fail to address sufficiently the main cause of leakage: third parties, or in your case second parties, notorious for being the #1 Saying Yes (on paper), Doing No when it comes to maintaining security to your impeccable standards. Those impeccable standards of yours that … well, one can’t even seriously assume you’re at those levels yourself. Nor can one assume the second parties are anywhere near your levels, because their business model is Profit over Non-profit [think that through], so they have no incentive to take the moral high ground and every incentive to do the opposite. Those second parties are of course covered in your standards (are they? certainly not everywhere) under transparency towards first parties (customers) and regulators, if ever the latter would look even skin-deep rather than disregard the issue;
  • That is, if those standards of yours were ever clear enough to yourself to be collected and put up as requirements, properly communicated to the second parties, and (checked to have initially been) implemented by them;
  • But then, no-one really knows how to pull off even core but real oversight over the infosec quality at second parties. Don’t fool yourselves: reporting, always routed through their Marketing/Sales, will give no real info (info being the things you’d want to notice, not the stuff you can skip because it’s green lights and smileys all the way). Actual audits are either by third parties, most usually paid by the second parties and hence in their hand (don’t believe the outright lie of independence [I’ve been there, countless scores of times..]), e.g., when ISAE or other certification is in play (certification being petty-rules-compliance checking, not Auditing; see tomorrow’s post); or by your own auditors, and how good are they anyway, when this outsourced stuff is special to them too (as you outsourced, their knowledge and experience of it tumbled), it is again a side show to their audit universe, it is hard to pull off (have a look at the notification requirements and the second parties’ freedom of movement in the contracts…), and still the second parties have an interest in showing a nice picture rather than the truth, which is almost completely in their hands; or by some third party hired and paid by you, which suffers from the same pretty-picture flaw. The DigiNotar case, anyone?
  • Summa summarum: You may be hosed.

Even more so, when it comes to Privacy. Either as an organisation, or as a private person [ditch the oh so pejorative ‘individual’ and ‘citizen’; don’t get me started on the utter ridiculousness of the moronic ‘corporate personhood’], or both.

Oh well:


[May be prone to strike the wrong way, too, anyway; DC]

A parachute to your Dutch granny budget

If you have no clue about the title, read on.
It’s about a Dutch ‘granny bike’. And about your bosses’ golden parachutes. And how to get budget for the playthings, sorry, bare minimum tools you require.

First off: the bike part. Note that this has been written up unsurpassably here: on how crappy banger bikes are locked with supremo but ridiculously expensive gear, and how this out-of-all-proportion control cost still makes sense. Reading is believing.
Second: these days, FUD is Real, à la the “Either you’ve been hacked or will be, soon” line, and including the ever greater transparency in the press. With a warning of impending disaster for all your remotely involved (even if by negligence; wait, did I write ‘if’ ..?) bosses and their tenure, as these days a great many, CEOs included, get fired, are forced to quit, or almost commit seppuku when <youknowwhat> hits the fan (and it always runs downstream), hence getting a lot of your superiors their golden parachute. Their mileage may vary, but the threat is finally (…!) a believable one. Either they believe (wrongly) that they can escape the gauntlet anyway, but should then, officially, care about the parachutes’ cost to the company and take that as a clue about the (tenfold++) reputational damage to the company, or … they aim to take the money and run and go on disastering elsewhere, leaving said reputational damage and parachute costs to the laggards left behind. So you inform the odd superior here and there that their colleagues/peers are about to pull their leg and leave the sweeping up of the damage to the stayers.
Summing up: on the cost side, the rationale is such that the ceiling of any of your proposals takes off to, at last, suitable levels. On the benefits side (cost avoidance), suddenly the decision makers’ personal interest is there.

Combined, this should, as written, suffice to finally get sufficient budget for the playthings, sorry, bare minimum tools you require. Or what.

I tell you what: the above may, even now, still not make sense to the … [expletive censored] bosses above you. Plus:
[Harmless sea beggars on the Dutch coast; Bloemendaal]

DoS Internals

No, no typo. Not DOS Internals or so. Rather, internal DoS attacks.

Are they tractable? [Uhh, that may sound like they’d be positive things to be able to do — sorry, just hinting at “technical feasibility” here]

Yes they are. Stuxnet was the prime example. Something similar would be tractable once one is (somewhat) on the inside, I guess. Like, an APT exploring the internal networks for topology, infecting routers along the way, and then blowing them all up at once with megazillion tons of traffic, internally generated. Denying (internal) network services to all. Or even bricking routers with, e.g., flash-ROM attacks. Feasible.

The same, with surreptitious tweaks of kernel scheduling processes, Stux style. Or, there too, diving deep into and under the virtualisation layers and bricking the core BIOSes and other Level 0 / 1 server software. Overflowing disks with random data (be sure to buffer tons, so restarts / re-mounts will not help too easily).

Hmmm, once one starts thinking about it, the possibilities are huge. Maybe some nation-state party or parties have some arsenal out there in the wild already. Think yesterday’s post; on its own or in combo with Elections, whose interests where?

Oh whatever … plus:


[A hole in your servers’/routers’ “flotation” capabilities will sink your infra; Baltimore]

Did / Did Not (Know Who Did)

Anyone still have an overview of where we (?) stand qua attribution of “cyber” attacks [ #ditchcyber, of course ] ..?? Apart from this.

There’s so much development in attribution, with or without proof, e.g., about hacking elections in some outer corner of the world’s population; were they truly hacks, was it some nation state, was it some scapegoat hackster, was it all a set-up, where are Wikileaks, Anonymous, [fill in your favourite Four Horsemen party and colour the pictures] … the possibilities are endless.

But there are indeed flashes like this and this, which spark some controversy whilst blurring the overall picture. And we’d want unblurred pics of hotel room showers … oh wait, not I.
And what with all the tools out there (remember, the FBI’s stash stolen and now on fire sale for 99% off the previous list price, right?), planting others’ fingerprints and DNA, so to speak (no, literally ..!), and having pictures and even videos that are near-indistinguishable from proof; what evidence, if any, is still admissible in courts? None …!? So, what attribution …!?

When others talk about “controlling the cyber battlefield” (no, not the FBI but the extraterritorial agency), isn’t there a protracted “cyber” [ #ditchcyber ] world war under way already ..? Just not as hot as the previous one, more like the Cold one, schlepping on ..?

Just accept all Peace For Our Time‘s … and:


[The SocMed approach: Look! Moose babies!]

Walking away from your desk

This, re yesterday’s post that was in some vicinity (though with quite some distance to spare…) of ranting about bureaucratic stupidity being a pleonasm.
By means of a pic, with:

  • A bureaucrat certainly designed this. To a bureaucrat, the ejection seat would mean the danger of you escaping from the post you were supposed to hold no matter what, since in the only scenario thinkable to a bureaucrat, nothing would ever happen, or you’re unfortunate collateral loss but hey, the System continues to perform.
  • For all others (the handful, the few good men), the ejection seat is apparently surrounded by just that danger, and is to be used to escape from that immediate and urgent, life-threatening danger of death by utter boredom, by sitting still. Noting that the rig the sign is on is invariably one made for dangerous action, not for danger evasion… Ships are safe in harbour but that’s not what ships are for; kites [your check] so much, much less so!

Which side are you on; the sit-stillers’ or the Action Men’s ..?

Hoodies are off

Truly, we have arrived in a dystopian world when crime fighters go after the petty ‘criminals’ only. If there were any bigger catches, the headlines would be flooded, and as we hardly ever see that, this is the best the fighters can brag about ..?
I mean, have a look at <link>; a real Cyberrr! (#ditchcyber) criminal was caught! How incredibly clever he was, being traceable by his ‘own’ IP address and own bank account. So certain of his own greatness that he didn’t even seem to have worn a hoodie, you know, the device that keeps all ‘hackers’ [Dammit! Learn the difference between hacking and cracking!!! or remain a stool forever] completely anonymous. And in Russia. Or did I say R, I meant China, when it’s about nation-state retaliation (sic!).

Where in Lucky Luke and Billy the Kid was it that the quote passes “Yes yes, be silent dear little boy, we do know you’re a really grown-up thug.” ..?
Time to hold this to the Police …?

Oh, and:
[Surely, no-one would dare to attack here? Surely, this is just a decoy and nothing of value would be inside ..? — Well, the value’s not only in the hotel facilities but much more in the wine cellars … next door; Castello Gabbiano]

Two AI tipping point(er)s

You may have misread that title.

It’s about tips, being pointers, two of them, to papers that give such a nice overview of the year ahead in AI-and-ethics (mostly) research. Like, this and this. With, of course, subsequent linkage to much other useful stuff that you’d almost miss even if you paid attention.

Beware of quite a number of follow-up posts that will delve into all sorts of issues listed in the papers, and will quiz or puzzle you depending on whether you paid attention or not. OK, you’ll be puzzled, right?

And:
[A self-learned AI question could be: “Why?” but to be honest, and demonstrating some issues, that’s completely beside the point; Toronto]

No, you're hacked

OK, we have a couple of little things:

  • “It’s not if but when an organisation is hacked”
  • This leads to access to some of your personal data, however innocuous (or not)
  • Only a handful of your however innocuous personal data is needed to identify you and/or take over your ID
  • Your personal data, however innocuous on the surface (sic), is with so many organisations.

Syllogistically, ID theft will ruin your life, pretty soon.

Now you may counter that … blabla, you’re not interesting enough (maybe, but how sure are you, and if you’re so clean your ID has value to the not-so-clean), it won’t happen to you because it hasn’t happened to you (yet; that’s the point) … et cetera.

But oh, you will be hit …

And with that positive reminder, this:


[If life were as simple as in the once major global city of Edam…]

Four horsemen, with a badge

Now that ‘our failproof heroes of integrity’ (one of those five words is correct) have gained the right to hack and exploit each and every user’s device in their battle (huh) against the four horsemen, each, all and every proof of misconduct, of however grave or minor import, that anyone would commit using any such ‘cyber’ device would not hold in court, because no-one can prove it was the general user / suspect (sic) that put the data on there or used it, and the police would be implicated as well but cannot prove satisfactorily that it wasn’t them.

Obliterating any chance of ever proving actual foul horsemen…

But hey, they seem to have wanted that. For a reason? E.g., the above suspects were in majority already among the pursuers ..?

Why would I care… and:
[Your ‘straight’ thinking…; Zuid-As Amsterdam]

The year of IT is no more Department

Or, once upon a long, long time ago in a land far, far away, there was IT, the hero department that ruled over all of information processing. Because information processing was a strange and dangerous thing and if you chopped off one security flaw, seven others would be introduced. So, the IT department was well-trained in keeping the architecture-and-infrastructure beast alive, with all its fresh new and old legacy body parts, fed every now and then with a fair maiden project.

Oh, how things evolved. Lately (being the past couple of decades), the department was split, incompletely, between Development/Maintenance and Operations. Things were run with ITIL and COBIT, as In Name Only as PINO was to the Prince, II.

The INO part being audited throughout (see previous post), but without anyone really caring about the outcomes of that. No, not even regulators or so, so devoid of true understanding that the qualification ‘parasite’ isn’t too far off, even.

And now, there’s a slow but steady breakthrough of bands of liberators. Deperimetrisation, socmed, cloud, Big Data, flex work(place), hackers-contra-cyber (#ditchcyber), … the many-headed Central Scrutiniser is sprayed with acid from all sides and is slowly shrunk. Softly wailing for mercy, some do, but to not much avail. Maybe an embrace of Sloterdijk’s Part III foams may help.

Ah, I’m not positive, but can be: at least, life will remain in the body that is infrastructure management (-coordination) and incident management, etc.

First, this:

Then, this:

[Outsourcing basic shopping to the experts at Milan]

Maverisk / Étoiles du Nord