Cyberprevention

Just a signal, of a new movement. Which isn’t.

  • For one, the -prevention — doomed from the [ word Go | – part ]. Which becomes less and less valid. Yes, some deterrent actions may help, but one better focus on the fact of future break-ins… And act accordingly — much more efficient for almost all. Take the 1st graph of this, and weep / go / the rest of it, too.
  • For two, ‘cyber’ … #ditchcyber nails it, in the Manifesto.

Yes that’ll be all for today, including:
[So, you can #ditchcyber, too]

Oops, there it is! (now you don’t, see it)

Suddenly, there it is, almost as if it’s something new … Malware using stego, as if it might still surprise anyone whereas of course there already was this, and this, and this and this.

What next? Even smarter ad blockers ..? Will not work, as the latter are only in use with the smarter part of the bunch. And smarter ad blockers will be installed by even fewer, as the pay-off is less visible (timely enough).

No, what’s next is first an armageddon [Warning: cultural notion; propose to use the more profound Ragnarök] — of which the result hopefully … is that ads will be marginalised. A great many a socmed platform (looking at you, $FB and other (sic) unicorns) may (signifying possibility and hope) go asunder as ads are their value period

Then, hopefully, Yggdrasil will grow again. E.g., with truly egalitarian platforms; truly global (though that aspect may not have been sunk in the great flood) and free, meaning that also, the trolls can be captured and ring-fenced and not destroy some or many or the platforms / -ideas.

How philosophical one can get in dreams/dreaming, how far off today is the better-than-today’s-should-have-been.

Plus:
[All sorts of meta-info (‘nothing to protect here just move on’ / ‘I can see you but you can’t see me’ et al); Segovia or what was it]

Errors of Your / Machine Learning

Any progress on the front of Machine Learning, i.e., the comparison with how/what humans learn from various teaching formats, and how machines are better at rote learning et al, and how does the perfection of machines learning facts, reflect on what is data processing, what is intelligence, and what is wisdom ..? Where the latter is the area in which of course we retreat ever more, but without the foundation of a life long of learning and experience ..?

[Intermission: Anyone out there still holding on to the ‘you only learn from experience, which is making errors and surviving’? What was so many years of school all about; you’re still no further with calculus than 1+1 equals something more than one — the max you can learn from ‘experience’ … How did you ‘experience’ History, Science ..? Apparently, there’s quite a base of facts to learn, even (or more?? contra The Shallows) in times of Google. Or, you’ll be the doofus that can not (sic) learn to be intelligent nor wise, and will make any and all rookie mistakes in all situations everywhere, over and over again.
Seems like the base of learning, grows steadily — exponentially…]

Notwithstanding the road (path) to wisdom is through experience … which would ever less be available when machines start to take over the simple, the foundations (qua operationality of work-as-labour), and then the next stage, etc. (since none will be experienced enough to succeed pensionados that still have that subsequent level of understanding). Leaving the abstract thinkers ever more loose in the sky. Hey that’s what’s happening with accountancy, if the industry doesn’t move fast. And will happen everywhere.

But back to the main point: Has Watson-class learning (AlphaGo/Deepmind/Brain (sic), … no not Siri you m.r.n) learned us anything about learning, and/or have we changed learning since machines took over parts of rote learning? Have we changed our view on learning, intelligence, wisdom?

To the disappointed, apologies go; nothing here on how machine learning could lead to the unethics of Computer Says No… Too much of a mer à boire qua research — see here.

Plus:
[Steep, to enlightenment; Girona]

Retrofitting IoT Security

Pitch before I did the idea that for a while be with us will Legacy IoT be, here.
But what about stubbing around it? Developing cheap and easy (necessary since/for backwards compatible, by definition) security solutions that can be plugged onto old IoT stuff.
What ya’reckon, are we too far gone with old IoT and economically-having to keep that alive, or is there sufficiently much more recent stuff to attempt such a thing (and ring-fence the real cr.p)..?

I’m not completely sure how one would approach this thing, technically, but cannot imagine that there aren’t solution models around like, potentially, some form of hardened (lean and mean and armour-coated) enterprise IoT bus thing, possibly with security zones, et al., similar to the obvious and hopefully ubiquitous separation of office automation (why isn’t SAP dead yet? This, some time ago. Oh, might be useful to set up separate mandates to ‘run’ factories yes, which was its original purpose, right; what did E-R-P stand for ..?) from Process Automation, and within the latter, Supervisory Control from operational (close-in) control, engineering-wise, but then with subsets for safe/unsafe hardware.
The isolation stubs could then act as gatekeepers between zones, between potentially-safe and the legacy-most-probably-unsafe.

Though I suspect that the ‘zones’ will have to ‘air’gap at many network layers, including towards the physical end of OSI — meaning that higher up, the connection will have wider gaps, not less; why is this so often overlooked ..?

On a separate end note: Where are the wares that should have followed the scares, i.e., we have had a couple of years (yes) now of IoT scares; have the vendors truly stepped in or was it just window dressing e.g., dole out some monitoring tools and good luck with it..?

Progress… and:
[See? Engineering is beautiful; Brussels]

Temporary Awareness

A call for poignant pointers.

You may be aware that research is on-going (among other, by Yours Truly) in the area of sustained ‘security awareness’ — a misnomer for security habit change. Which is driven by psychological stuff like everyone’s individuality, everyone’s individual circumstances (not only at work, not only formal short/medium term) and everyone’s learning and operations style and preferences. And hence, habit change would also have to cater for all these differences. One-time ‘awareness training’ (sic), yeah, right on.

Still, such would be a somewhat valid approach … for perm staff.
Not for infrequent visitors, like your garden variety (IS) auditor, that would drop in every now and then and still have access to sensitive data; on purpose or not, benign or malign leakage or not.
Not for temps, interns et al., that are around too short for true awareness to sink to the back of the head, for instinct reflexes (oh ideal). Or the induction program would be a grilling drill; counter-productive.
Not, and this is where my problem is mostly, with third party staff, that primarily work for the vendor and have other KPIs than client security — at least, higher on their agendas. They come in (physically or remotely), do their thing that hooks quite deep into your operational processes (physically like cleaners and installers, logically through e.g., software and parameter updates) almost always at arms’ length control with still their other KPIs first, and then leave you possibly vulnerable or robbed, and with full accountability without grip on actual operations taken place.

Apart from the platitudes of requiring transparent compliance with all your security policies (purely hypothetically, IF you’d be able to find and collect them, they’d be sorely outdated, and 50% or more wouldn’t be applicable but which 50% you have no clue), what about the above-mentioned change to the good sufficient habits ..?
Your input would be much appreciated…

Also:
[Temp attention, eternal bliss; Syracuse]

SecPoll

Finally, a competition where you can win, too, seriously.

Yes you can, I’m serious. And you win something serious…
The deal:
Your top-3 predictions, in comments, about what new ‘cyber’security stuff (#ditchcyber) will happen in 2017.
In return, if you’re the top predictor (NO.), to celebrate you’ve best found ’17’s bubbles of the year you’ll receive a perfect bottle of ’17 bubbles.
The things you describe can be of any sort, related to information security in the widest sense. Something-cloud, something-privacy, something-Docker, something-Layer 7 or 8 firewalls, something-systemic-breachlike, whatever, it’s up to you. However:

Some terms and conditions [subject to updating when needed..! My call and prerogative]:

  • No editing your predictions after entering them;
  • Three apiece;
  • None should not be around per second half of December 2016;
  • All should be measurable, and measurably the largest over 2017, suggestions for measurement/metrics should be attached.

I’ll be awaiting your wisdom / totally random stuff with:
[Who would’ve predicted the success, and beauty, of this/these, eh? DC]

Some quick notes on Audit / service development

An invitation for co-development or I go it alone…
[This also being a copyright / idea claim]

  • Undecided what name will stick; either
    Ethics Test Services, or
    Autonomous Judgement/Decision Analysis Services;
  • Because it is about checking the morality baked into, or emerging from, algorithmic decisions and/or decisions and conclusions from autonomous and self-learning systems;
  • Contra “Computer says No”, obviously.
    If you’d want to learn what that refers to; see here;
  • [Intermission] Whereas some in European politics (sic) discuss to impose a limit where autonomous systems without one human in the loop anywhere would have to have an ‘explanatory’ function that can display in layman’s terms how it arrived at some decision, and that being contestable. But the questions are: What if the ‘system’ were hosted outside the EU (and just like inflation, Gresham will obviously apply), and what if (maybe ‘when’; we’re talking politicians here) such a very first step towards transparency may still not make it, and what if as a cheap escape trick the human would and could only click ‘OK’ — could (s)he be culpable?
  • Elements would be:
    • Process correctness,
    • Data correctness,
    • Exceptions handling; essential and necessary.
  • This, in Standard Form and with an overall human (me; run to the hills) judgement both over process/systems quality and over moral/ethical admissibility;
  • Will have to extend the notions of ethics, morality et al. here; e.g., how humans make decisions in the first place with all their errors of all kinds, what to do when systems/humans don’t follow morality and/or the decisions from the systems.

So, everyone (dabbling in this space from now on,) will pay me serious license fees for using the above ideas in commercial services… [note: I’m serious]
And/or all help is welcomed.

To add:
[Would deliver above services to this address for expense reimbursement only …]

Log not Log

About the resurgence of ‘logging’ as a thing.
In compliance, for whatever reason because everyone lost the Original purpose.
In ‘audit’ (like, checking bookkeeping — no you drop the pretense and lies that’s all there is to it!), since we (??) can now do den totalen Prozesskontrolle.
In systems management, to …:

  • Monitor the health of systems — note that a lot of logging will be superfluous for this purpose (lest the next bullet comes into play), and a lot of the other records will be processed near-completely-automated into nice dashboards; note also that in this environment, that seems to work whereas in environments where ‘dashboards’ have been promoted for ages (decades, mind you) without any success, with the cause already known just as long;
  • Detect/find, and process, intrusions. Being proxies for ‘fraud’ (quod non, and note that legally, there’s no such thing!) to be committed.

Most efforts of late go into the latter thing (apart from the good work (sic) done by, e.g., the Coney’s of this world). Where we see a jump to the worst, most atrocious, of Big Brother privacy obliteration by processing each and every little in-systems program step that can be logged, traced. Even by, what could have been, proper all-out systems management integrating the traditional style of it, with IoT device management, as e.g., Splunk now is focusing on whilst leaving their core competence behind.
Missing the point that ‘systems management’ over all transactions having started with the human ones, was the Original purpose. To monitor (at the speed of annual bookkeeping ..!) the health of ‘systems’, the business as performed and understand that not all transactions could be perfectly in line with the, unthinkingly overstandardised ideal transaction patterns.

Can we now, now that we do have the mechanics (log writing speed, all-connectivity, and storage (!) and processing tools available) regain that latter part..?
Hopefully.

And:
[Modern (purpose), still also a sun dial; Barça]

WindTalker

Right. So we have a side channel attack where your hand movements over your mobile, when typing in your key, will interfere with WiFi signal patterns in a detectable, traceable way thus revealing your key. Like this (PDF).
Would this, on a second trend note, destroy or obviate even more the need for, Active Access Control ..?

Plus:
[Mock-up for fabrics not mockery of your security; Stedelijk Amsterdam]

The legacy of TDoS

So, we have the first little probes of TDoS attacks (DoS-by-IoT). ‘Refrigereddon’.
As if that wasn’t predictable, very much predictable, and predicted.
[Edited to add: And analysed correctly, as here.]

Predicted it was. What now? Because if we don’t change course, we’ll achieve ever worse infra. Yes, security can be baked into new products — that will be somewhat even more expensive so will not swarm the market — but for backward compatibility in all the chains out there already, cannot be relied upon plus there’s tons of legacy equipment out there already (see: Healthcare, and: Utilities). Even when introducing new, fully securable stuff, we’re heading into a future where the Legacy issue will grow for a long time and much worse than it already is, before (need to be) huge pressure will bring the problem down.

So… What to do ..? Well, at least get the fundamentals right, which so far we haven’t. Like this, and this and this and here plus here (after the intermission) and there

Would anyone have an idea how to get this right, starting today, and all-in all-out..?

Plus:
[IRL art will Always trump online stuff… (?); at home]

Maverisk / Étoiles du Nord