Privacy – Page 7 – Maverisk / Étoiles du Nord

The CyberDarwins

As we’re nearing the end of the year (Western calendar, others not spoiling the party — learning point), we draw towards the ‘people being stupid with fireworks’ scenes that are oh so similar to ‘people managing systems’ situation. The former, focusing on the most beautiful display and/or the loudest Bang, the latter the same if you think of it.
The former, with latent recognition of ‘safety’ also re bystanders and collateral injuries possibly grave or life-, liberty- and happiness-threatening. The latter, with a desperate few considering ‘security’ and ‘privacy’, a even fewer thinking of collateral damage and implicit injuries and infractions to life, liberty and happiness — if you think that’s overrated, have you ID stolen.

The former has the Darwin Awards, for those that improve the gene pool by taking themselves out of it.
The latter, none such yet.

That’s where I aim:
Shouldn’t we instate the CyberDarwin Awards (acknowledging #ditchcyber), for the most egregious (i.e., outrageous, glaring, flarant) mindlessness in information security in the widest sense that fly in the face of basic common decent thinking?
So that by their occurence, the candidates volunteer to be taken out of the connected environment which, being their oxygen, improves what’s left (the most).

I have no idea how to pull this off; there should be some sort of portal where candidates may be proposed and results be displayed for common laughter but who will build and maintain such a thing before it can become a success, advertisers will flock in droves to sponsor for ads, and I take over again to reap all the financial benefits… #helpappreciated

And:

[This has zero relevance. Toronto]

No C3PO, just PO

Section 4, article 37, 1(b) of the General Data (sic) Protection Regulation ‘of 2018’ (sic): When the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale;, the instantiation of a Functionary for Data Protection is mandatory.
Yes this includes all organisations dabbling in web analytics… No there’s no threshold (that previously was) of 250 or 500 staff minimum.
But hey, there’s arrangements to hire a Functionary — Privacy Officer works better — for less than full-time or on an (on-going) assignment basis. Come to think of it; the mandatory full independence of the PO (party commissioner, anyone?) may sit better with a hired hand/consultant than with someone on the payroll.
Still, one better study the task list for such a PO. Not a C3PO… The bumbling-through-overly-decent butler is not quite the role model you’d want. Or… you’d want the PO to be such, a harmless nuisance. But then, you waste the PO and budget, and still will be vulnerable. The common anglo-saxon (hopefully -only but doubtful) approach that if something goes wrong, you fire the sitting duck scapegoat and hey presto no more worries all are done, satisfied and no damage’s done, will not work here if it ever did. On the contrary, purposeful negligence, wrongful act, et al., may easily be construed, resulting in long-term mismanagement (still a capital offense…! Oh why can’t we jail all the white collar criminals) the misfortune of all your employees, clients etc. will fall on the Board for once… last paragraph of this applies.

To return to the positive: When arranged well, some things in business may have to change but overall, both your processing will run more smoothly (sic) and you public posture will improve (leading to improved data quality, new clients, and the world is yours, right?).
So, draft a PO Charter and hire me.

Plus:

[Back in the days before live-cams…]

Nocial Media

… How did yesterday’s post know about what I type here now ..?

Too easy. Now for something real:
Nocial Media.
Which is about the distribution of socmed interactions.

Because, the best we have so far is stratified data, by country, age group / gender. Which totally misses that, my guess [hence: fact], a great many relations, either current/frequent or distant/loose, are distributed over a different set of classes. Like, a chunk will be global among peers of any sort (or several of such groups), but also the other chunk will be local, traditional, geo- or socially close like (well, F2F peers but they’re an in-between group) family, IRL colleagues, and association co-members.

Now, would any of you have data on such, probably exponential-in-many-directions, distributions ..? I’d love to hear, TIA.

Oh and on a side note; maybe worthwhile to have some sociology expert elucidate on this: What-how is our future when ‘kids these days’ use /Insta…/Snapch… etc. that leave so little trail; how will your future self be able to browse through old youth pics …? [Advertisers will … Be very sure of that…]

Plus:

[What bin you’re in — Zuid-As Amsterdam]

Dense, but study

All about this here article. Yes I too, started out as picture browser through this. But more careful study unearthed a lot of gold, qua understanding of the issues. Even to the point of pointing out some gaps, here and there — well, the understanding did, not as much the overview — in ‘moral continuums’, that can and should be filled.
And, much work can be done on opeationalising the Obvious breaches of fundamental human rights (as per Universal Declaration) so don’t go babbling about commerce needs a chance.

[And now for a switch of goal but you’ll find the relation …!]

Where the latter is one big part often missing with ‘disruptions’ quod non:
Doing something simply illegal is just that and is not ‘allowed’ because innovation should be allowed to be tested.
Innovation should not be attempted when the new has been determined already to be illegal
How hard can it be? Laws had been put in place to protect the weak against the powerful, specifically at points where the need was obviated. IF some law has no purpose anymore, one should first do away with it, first through political ways and if that wouldn’t work out to be possible, only then, through e.g., courts for obvious unfairness (sic; if your law system is of the common type you’re hosed anyway). When you don’t succeeed in this the only legal ways, too bad that’s how democracy works, if.
If some law still has purpose but there’s negative side effects you’d want to do away with, do away with the side effects not the law; in the two ways as before doofus!

Oh well. Mock disruptors beware; the world does not need nor welcome you.
And:

[Sometimes, Classics are perfect enough; Prague]

Commoditised exploits

What was first; the exploits or the use of them ..?
When now, we have this kind of reasoning, aptly, there already was this, too.

So, … What now ..?

20161025_163321
[This being the state of (the best of … ;-[ ) Duts design nowadays. Yes the rest is worse, much worse. Law of handicap of head start; Zuid-As]

New Normal Hacking

Errm, anyone still surprised about (not) new news on data being stolen, ransomware striking, or democracy perverted, anywhere, all the time ..?

Got a bit worried, and wondered whether there would be others the same, about the current Mehh impression of everyone in the loop, about even political parties [now openly], voting machines, etc., getting cracked and data stolen which combined with at last, at very last finally, the hackability of voting machines not, against all sane arguments, being tamper-resistant — which leads to the vulnerability and class broken-ness of fundamental human values.

And still, there’s hardly more than Mehhh.

Would anyone have a reason not to worry …?

Ah:

How you know that you are old in infosec: you remember when you were trying to get the world to care about improving security.

— Dino A. Dai Zovi (@dinodaizovi) October 6, 2016

Oh well, blue pills everywhere …? Plus:

[Sorry to say lads and lassies of the Royal Academy of Arts, but the Gemeentemuseum did beat you, on this one]
[Edited to add: No, this post was written before the NIST October 7 ‘news’ came out that (‘end’?) users are tired of hack-warnings (security fatigue), if that were a thing. Which is also not quite what I meant above, which is worse…]

Data Classinocation

I was studying this ‘old’ idea of mine of drafting some form of impact-based criteria for data sensitivity when, along with a couple of fundamental logical errors in some of the most formally adopted (incl legal) standards and laws, I suddenly realised:

In these times of easily provable easy de-anonymisation of even the most protective homomorphic encryption multiplied with the ease of de-anonymisation throught data correlation of even the most innocent data points, all even the most innocent data points/elements must (not should) be classified at the highest sensitivity levels so why classifiy data ..!?

This may not be a popular point, but that doesn’t make it less true.
In similar vein, in European context where one is only to process data in the first place if (big if) there is no alternative and one can process for the Original intent and purpose only,

To prevent data from unauthorised disclosure internally or externally, without tight need-to-know/need-to-use IAM implementation, one already does too little; with, enough.

That’s right; ‘internal use only’ is waaay too sloppy hence illegal — it breaks the legal requirement for due (sic) protection, and if the use of data is, ‘by negligence’ not changing a thing here, let possible, the European privacy directive (and its currently active precursors) do not allow you to even have the data. This may be a stretch but is still understandable and valid once you take the effort to think it through a bit.
Maybe also not too popular.

Needless to say that both points will not be understood the least by all the ‘privacy officer’ types that have rote learned the laws and regulations, but have no experience/clue how to actually use those in practice and just wave legal ‘arguments’ (quod non) around as if that their (song and) dance is the end purpose of the organisation but cannot answer even the most simple questions re allowablity of some data/processing with anything that logically or linguistically approaches clarity. [Note the ‘or’ is a logical one, not the sometimes interpreted xor that the too-simpletons (incl ‘privacy officers’) interpret but don’t know exists.]

OK. So far, no good. Plus:

[Not a fortress, nor a real maze once you see the structure; Valencia]

New! (RE yesterday's post)

Oh how appropriately timed, this…: A new version of l0phtcrack is here ..!

As I mentioned in the passing in yesterday’s post, defense-wise one would be hard-pressed to find anything that’s up to snuff qua being a step ahead of the Other Side, catching up is however still (if only just) feasible. Good to see that the tools once (we talk, like, ages ago, ages being circa 20) used offensively and having disappeared from view, return in all their sophisticated glory — be it as point solutions in a much evolved world but still.

All rejoice and ‘play around only to get to know it’…!

Remember… you may turn out to be such a toll all the same … And:

[Once, sufficient and hard to handle, for defense. Now, a model just for show]

Weird infosec science

Who would have thought — that total surveillance would reach into the house, no / hardly any backdoors need to be built in even.
As explained here, and here in closer-to-humanly-readable form.

If such are the Tempest inroads, who needs the newest-of-highest-tech solutions as they all will all succumb to either trivial complexity-induced-unavoidable sloppiness of implementation, or to circumvention in the above way…?

Of course all of it is an atrocity in ethics but … I won’t be utterly negative about humanity’s future so I’ll stop now. With:

[Art imitating life; Stedelijk Amsterdam]

I can see your pulse

Just to drop a note; that Big G’s Glass is still around — but the same may, on a comparative after-launch timescale (sic), possibly not be said about Big A’s Watch.
Come to think of it… Watch isn’t what it’s made for; ‘flix on your wrist would be a hard view. More like Big B-rother watching your intimate (sic) health data…

— As an intermission, this (esp. 0:00-0:11 and 2:45—) deserves many more clicks —

But as said, some competitor is still larger in pulse-racked computing, at least (without having the energy to google for actual data) when it comes to visibility and leadership of the pack.
So, let’s wait and see what v2.0 Big G will come up with next. Maybe there’s a real serious and immediately obviously useful tool lurking just around the corner, just out of sight, not out of pulse. Not like, the iProducts that started as massively dumbed-down versions of stuff already around, with a Braun rip-off design.

Oh well, never take one’s point too far so I’ll stop already. Plus:

[Warped real life imitation, not usurpation]