Droneshield-downer

How would this (link in Duds) great – not so much – invention help against drones that have pre-programmed GPS coordinates and semi- or fully-autonomously fly to their destination? Because they’re out there already and even building/programming them is a piece of cake for the ones that would actually want to do harm for no defensible (sic) reason.
And also, there already is this; better drone detection than the article (and the vendors therein) suggest would be possible …!
And also, there already is law against the proposed jamming.

So, too bad, vendors Deutsche Telekom, T-Systems, Dedrone, Rhode&Schwartz, Squarehead, Robin Radar Systems, and HP Wüst: Magenta is a colour, not a viable product — it’s illegal and it doesn’t work; a square fail.

Am I too harsh? Possibly; that happened some 50 years ago as well. Plus:
[Quite this’y: All showboating, no real value, and skewed; Haut Koenigsbourg again]

Sending the right message

This of course being the right message. If you can read it when I Send it you. And, for your viewing pleasure:


[Anonymous but blurry and far from privacy-complete, this physical cloud exchange…; NY Grand Central]

M, and A, and G, D, P and R

Now that you have finally got something going qua GDPR compliance – way short of what you’d want but still, at least something, better than the Nothing to which you were limited so far – there is a new twist to the requirements…
To be clear; by now you should at least have the requirements clear, and also possibly have some upsides lined up (if not, go shop with some vendor consultancy (and others); they’ll tell you about the benefits of data minimisation, the unstress of having your house on order, etc.). And have something going qua reconnaissance, though not armed recce or recattack.

But now, you may have to rethink. A bit. About what you’d have to have prepared when you land in M&A territory, or even in Chapter 7/11/13- (and 9-!) or any glocal receivership. Because … well, the idea sprang from this thing with de-anonymising data from sperm banks (in NL); until now most highly classified secrets (qua donorship). Turns out that not all clinics have the old data, still, because previously the secret was to be eternal hence best secured by throwing away the data.
But more seriously, not all clinincs exist anymore and there is no way to know where the data went, if anywhere.

And that’s where you organisation comes in. Not qua LoB but qua existence, now and in the future. Will you buy, take over, integrate some other org, or be on the receiving (uh…) end of the turmoil? You may want to make sure that the “GDPR” record of the other party is impeccable… Or end up with a mixed compliance bag which is equal to no compliance…
Possibly, you may have to prepare for some form of end-of-organisational-life where there is no body to take over your data and you might have to prepare for that ..?

Well, we’ll see what WG29 comes up with. At least, it will be additional stuff.
Plus:
[In a weird twist of interpretation, this complex of buildings could have housed a private bank of said kind…; Sevilla BTW]

Discharging DPOs by auditors

Now that it by and large seems to be that GDPR hypestuff is mostly pushed into the legal corner, … let it stay there. Let the others do their job, and reap all the benefits. I.e., via the avenue (required budget-wise; wildlands qua budgets received) of data discovery [Uchg ugly word I meant inventory] / data minimalisation/cleansing / data security [the old way, like information security, not the #ditchcyber fail] towards magnificent efficiencies in IT ops, and much clearer, exponentially better profile’able data even if Big.

Hey, the DPO was so self-inflatedly Important, right? Let him (sic) handle all the fan mail then… Let him panick-crash during every high-pressure breach BCM handling.

And then a. get fired, b. get sued, c. get replaced by yet another legal scholar turned business savvy (quod non) ‘executive’ [who executes who?].

But … in the mean time, someone would have to discharge the DPO. Not from internal audit because they’re part of the problem organisation.

OK, let’s have that done by an external auditor, then. A specialist, hopefully.

Hereby my claim to that specialty. Will develop fully-compliant methodology, will travel (charging expense…).

And:

[As an external auditor specialist, I love to have this sort of view; NY]

Some Quotum of Questions of Quantum

Am I the only one with questions how the following intertwine:
An article on how quantum-secured blockchain may be so safe, but possibly not in the hands of whom you’d want it? If in anyone’s hands at all, since no-one can be trusted forever; if you wouldn’t believe that, you declare yourself incapable of discussion on this subject…
A most brillant blog post on a related subject.
An equally insightful piece on how blockchain-of-command would lead to Totalitarianism.
An equally … Being the Why Johnny Can’t Encrypt, 2017 version. Notably, the previous versions hadn’t been patched properly…

So, you see a Perfect Storm or what ..?

Plus:

[Why did you cross the street, you chicken? M’drid]

Nudging to intermittance; 5 steps to awa success

As by now you have become accustomed to, this isn’t anything about five steps, or success. Or, I mean, the latter, maybe. Was triggered by the to be, should be classic on all thing #ditchcyber ψchology, where it discusses the lure of games and the reward structure therein. From there I wondered three things:

How can we deploy true gaming (not the quiz / survey kind) in raising, and maintaining, awareness in information security praxis for end users? Like, not the Training kind, but the Knowledge → Attitude → Behaviour – into eternity kind. For end users, and for infosec-(more-)deeply involved staff, differentiated.
The latter, probably requiring training upfront, but towards actual technology deployment, tuning (!) and use. And, moreover and probably much more important to get right, BCM style training. Train like you fight, then you’ll fight like you train. Since when it comes to damage control (and in infosec, the “it’s not if but when” is even harder fact than elsewhere!), one wants to have trained all on cool, controlled response not mere panicky reaction even more rigorously than in about any other direction.

Where does the Nudging part come into gaming ..? The thing, nudging rewards and penalties, is in use everywhere in public policy, to inobtrusively (sic; by governments yes, beware of the Jubjub Bird!) coerce people to change their social habits. At least a frog will jump out of slowly heating water… [Yes it does. But how did you want to jump out of the complete, total slavery of the Social Contract ..? You can’t. You’re bound from and by birth. You’ll be a slave forever, the more so when your mind is free…]
But besides; how do ‘we’ use nudges in infosec behaviour change games? How, in daily mundane practice where attention is to other things only, not to infosec as that stands in the way of efficient objectives realisation ..?

Third, how are the above two things combined, through ‘intermittent rewards’ as the most addictive element in games ..?

Just wanted to know. Thanks for your pointers to answers. [Have I ever received any? Nope.] And:

[On a bright day, for Stockholm, the Knäckeboat museum]

Nudge, nudge, wink, wink, know what infosec behaviour I mean?

Am working on an extensive piece, a long-longread, on as many aspects of behavioural change towards true ‘secure’ user behaviour as I can cram into text. I.e., moving beyond mere full ‘awareness’ as phases 2/3 of this, to phase 4. Strange, by the way, that there is in that no end ‘phase’ or cycle in which one finds out to have been in phase 4 already for some time but didn’t notice and now forgets just as quickly as that seems ‘logical’.

But back to today’s subject, which is the same, but on a tangent. My question to you dear readers [why the plural, or >0 ..?] is:
Would you have pointers to (semi)scientific writing on the use of nudges to (almost)stealthily change (infosec-related) behaviour ..?
I could very much use that. Other sectors of human behaviour influencing studies have ample info on the effectiveness of such nudges, but for infosec I’m still with Googlewhack-like results.

Thanks in advance… Plus:

[The ways to seek prosperity from misery; EPIC Dublin]

Knitting against Cyberrrr…

This here piece, being the explanation why hiding in plain sight beats overtly-crypto tools. Quite enough said, right, apart from the note that the solution is a form of arms’ race flipping, as predicted. Would only wonder (again) how many cat pics out there, have stego messages, and how many TLAs are constantly scanning all Pinterest- and others- uploaded pics for nefarious content. Where the sheer volume created by innocent users, helps the bad guys (girls…!) to escape (timely) detection, or what?

Maybe sometimes human interaction can still help, like with this. Of quite another category but deserving massive global support nevertheless. Can ABC’s and Facebk’s image recognition engines be sollicited, or are we looking at the hardest pics still eluding the strongest AI-yet ..?

Back to knitting-style help it is … And:

[If you recognise this’ your country, you just got an interesting PM story… (truly congrats)]

Chasing the GDPR hippo

As I was reminded of the ‘Kill the Hippo’ meme, I realised its application is valid in specific circumstances, too.
Where the Hippo is of course here. And the application that I was thinking of, is here.
Not this one, that may stay where appropriate (which is much less than always)…

No, your Usual Suspect isn’t the CEO or whatever, and suggesting the CISO is just a pun, but … the lawyer(s) involved…
All you have to do, is take a look at their billing rates. And at the hippo-original abbrev meaning (sometimes, even the original meaning outright qua looks but in the most-expensively-dressed-in-the-room version, hopefully?) — pointing at the need to not listen to them as the most effective way to deal with the issue(s) at hand since they may on occasion (50,1%++) have the least useful insights to bring to the table…

Oh well. I’ll leave you with:

[Dead straight, according to your lawyer. Cromhouthuis Ams]

2FA is illegal!

Just when you thought the solutions to your eternal (not) pwd problems were getting mature enough to deploy – nudged to annoyance by all the vendor FUD – and you forgot the solution is totally easy and already in your infra everywhere, you will find … 2FA is declared illegal …

Oh …, it turns out to concern the party drug kind only, not 2FA but 4-FA. Like, here. Phew!
But stil, kids, don’t rely on 2FA either; help users reduce complexity not hinder ’em!

Oh, and:

[When all sober and straight would have been Boring; Lille]

Maverisk / Étoiles du Nord