Tag: Risk Management

SecPoll

Finally, a competition where you can win, too, seriously.

Yes you can, I’m serious. And you win something serious…
The deal:
Your top-3 predictions, in comments, about what new ‘cyber’security stuff (#ditchcyber) will happen in 2017.
In return, if you’re the top predictor (NO.), to celebrate you’ve best found ’17’s bubbles of the year you’ll receive a perfect bottle of ’17 bubbles.
The things you describe can be of any sort, related to information security in the widest sense. Something-cloud, something-privacy, something-Docker, something- Layer 7 or 8 firewalls, something-systemic-breachlike, whatever, it’s up to you. However:

Some terms and conditions [subject to updating when needed..! My call and prerogative]:

  • No editing your predictions after entering them;
  • Three apiece;
  • None should not be around per second half of December 2016;
  • All should be measurable, and measurably the largest over 2017, suggestions for measurement/metrics should be attached.

I’ll be awaiting your wisdom / totally random stuff with:
DSC_0789
[Who would’ve predicted the success, and beauty, of this/these, eh? DC]

Dense, but study

All about this here article. Yes I too, started out as picture browser through this. But more careful study unearthed a lot of gold, qua understanding of the issues. Even to the point of pointing out some gaps, here and there — well, the understanding did, not as much the overview — in ‘moral continuums’, that can and should be filled.
And, much work can be done on opeationalising the Obvious breaches of fundamental human rights (as per Universal Declaration) so don’t go babbling about commerce needs a chance.

[And now for a switch of goal but you’ll find the relation …!]

Where the latter is one big part often missing with ‘disruptions’ quod non:
Doing something simply illegal is just that and is not ‘allowed’ because innovation should be allowed to be tested.
Innovation should not be attempted when the new has been determined already to be illegal
How hard can it be? Laws had been put in place to protect the weak against the powerful, specifically at points where the need was obviated. IF some law has no purpose anymore, one should first do away with it, first through political ways and if that wouldn’t work out to be possible, only then, through e.g., courts for obvious unfairness (sic; if your law system is of the common type you’re hosed anyway). When you don’t succeeed in this the only legal ways, too bad that’s how democracy works, if.
If some law still has purpose but there’s negative side effects you’d want to do away with, do away with the side effects not the law; in the two ways as before doofus!

Oh well. Mock disruptors beware; the world does not need nor welcome you.
And:
dsc_0555
[Sometimes, Classics are perfect enough; Prague]

Some quick notes on Audit / service development

An invitation for co-development or I go it alone…
[This also being a copyright / idea claim]

  • Undecided what name will stick; either
    Ethics Test Services, or
    Autonomous Judgement/Decision Analysis Services;
  • Because it is about checking the morality baked into, or emerging from, algorithmic decisions and/or decisions and conclusions from autonomous and self-learning systems;
  • Contra “Computer says No”, obviously.
    If you’d want to learn what that refers to; see here;
  • [Intermission] Whereas some in European politics (sic) discuss to impose a limit where autonomous systems without one human in the loop anywhere would have to have an ‘explanatory’ function that can display in layman’s terms how it arrived at some decision, and that being contestable. But the questions are: What if the ‘system’ were hosted outside the EU (and just like inflation, Gresham will obviously apply), and what if (maybe ‘when’; we’re talking politicians here) such a very first step towards transparency may still not make it, and what if as a cheap escape trick the human would and could only click ‘OK’ — could (s)he be culpable?
  • Elements would be:
    • Process correctness,
    • Data correctness,
    • Exceptions handling; essential and necessary.
  • This, in Standard Form and with an overall human (me; run to the hills) judgement both over process/systems quality and over moral/ethical admissability;
  • Will have to extend the notions of ethics, morality et al. here; e.g., how humans make decisions in the first place with all their errors of all kinds, what to do when systems/humans don’t follow morality and/or the decisions from the systems.

So, everyone (dabbling in this space from now on,) will pay me serious license fees for using the above ideas in commercial services… [note: I’m serious]
And/or all help is welcomed.

To add:
DSC_0752
[Would deliver above services to this address for expense reimbursement only …]

Log not Log

About the resurgence of ‘logging’ as a thing.
In compliance, for whatever reason because everyone lost the Original purpose.
In ‘audit’ (like, checking bookkeeping — no you drop the pretense and lies that’s all there is to it!), since we (??) can now do den totalen Prozesskontrolle.
In systems management, to …:

  • Monitor the health of systems — note that a lot of logging will be superfluous for this purpose (lest the next bullet comes into play), and a lot of the other records will be processed near-completely-automated into nice dashboards; note also that in this environment, that seems to work whereas in enviroments where ‘dashboards’ have been promoted for ages (decades, mind you) without any success, with the cause already known just as long;
  • Detect/find, and process, intrusions. Being proxies for ‘fraud’ (quod non, and note that legally, there’s no such thing!) to be committed.

Most efforts of late go into the latter thing (apart from the good work (sic) done by, e.g., the Coney‘s of this world). Where we see a jump to the worst, most atrocious, of Big Brother privacy obliteration by processing each and every little in-systems program step that can be logged, traced. Even by, what could have been, proper all-out systems management integrating the traditional style of it, with IoT device management, as e.g., Splunk now is focusing on whilst leaving their core competence behind.
Missing the point that ‘systems management’ over all transactions having started with the human ones, was the Original purpose. To monitor (at the speed of annual bookkeeping ..!) the health of ‘systems’, the business as performed and understand that not all transactions could be perfectly in line with the, unthinkingly overstandardised ideal transaction patterns.

Can we now, now that we do have the mechanics (log writing speed, all-connectivity, and storage (!) and processing tools available) regain that latter part..?
Hopefully.

And:
DSCN2229
[Modern (purpose), still also a sun dial; Barça]

Sticky Wicked

I’ve been seeing ‘wicked problem’ turn up again lately. Again, hardly in its original sense let alone to the criteria. But rather, as problems where the counterforces to solutions are just too dug in against change, to be overcome. As human, societal problems rather than something systemically hard. To bulldozer over, with a MBT, maybe ..? What a fine demonstration of irritation to let loose.

And, of course:
maxresdefault

WindTalker

Right. So we have a side channel attack where your hand movements over your mobile, when typing in your key, will interfere with WiFi signal patterns in a detectable, traceable way thus revealing your key. Like this (PDF).
Would this, on a second trend note, destroy or obviate even more the need for, Active Access Control ..?

Plus:
20161025_150242
[Mock-up for fabrics not mockery of your security; Stedelijk Amsterdam]

Dear Trudy. My baby doesn't even notice my Post-Its.™

My baby doesn’t even notice my Post-Its. How can I make clear it has to stop crying?

November 18, 2016 by Trudy
trudie-660x386

Dear Trudy,

My four months old cries day and night. I’ve put up Post-Its in its crib with a kind request it stops that. But now I begin to realise it doesn’t even notice them. How to make clear that I am not positively inclined to let this disregard pass just like that?
Regards,
At Wits’ End

Dear Wits’ End,

Probably your baby does not want to be micromanaged by Post-It. A lot of people take that badly. It isn’t your cleaning maid for one thing! So please try to take a more gentle approach. E.g., next time don’t write “Please don’t cry” but rather “How can we manage to agree to not cry after 2AM ;)”

[Original, in Dutch, on the Speld; translated with permission]

First Rule of Risk

First rule of risk: Never underestimate risk. Even when you follow this rule, and even when your estimates seem ‘proper’.
Where of course, the propriety of your estimates is in grave doubt, either on the “This has never happened to us so / Come on, get real, [we’re not a target because we’re of no interest to anyone] what are the odds!? / Ho hum, there’s the boy cried wolf again”,
or on the “I’ve been reading this thing about CYBER! Arrrgh! In the Inquirer so why aren’t all staff hiding under their desk and we didn’t yet have the Marines take over and destroy the office to defend it ..?” FUD-side.
[Side note: You did have ‘consultants’ over (office (culture, motivation) destroyed, seems like a preventative measure?), but be aware that’s the opposite of Oorah]

Because when every nanosecond brings the possibility of an ‘event’ (how’s the repeat of sampling with (! … is it?) replacement over so many draws working out in your frequency estimations..!?), one can be sure that a 99% chance of something not happening, will result not in the virtually certainly not happening every time, but in the certainty that the 1% will strike, repeatedly, and a strike will endure much, much, much longer that the inception of it. The ‘event’ isn’t measured in nanoseconds, but in days, weeks, months and sometimes even years (think the, near-certain, reputational damage). So, your estimates are too low, all too low.

But since the detractors are always downplaying your estimates due to their other-directed agendas, do follow the First Rule of Risk …

fight-clib
[Your in-house security gurus are quite like that, yes, being the absolute rookies at the BlahBlah Seat At The Board Table — probably available only when the Board is out — or any level they’re relegated to]

Lament / Where have ‘Expert Systems’ gone ..?

Those were the days, when knowledge elicitation specialists had their hard time extracting the rules needed as feed for systems programming (sic; where the rules were turned into data, onto which data was let loose or the other way around — quite the Turing tape…), based on known and half-known, half-understood use cases avant la lettre.
Now are the days of Watson-class [aren’t Navy ships not named after the first of the class ..?] total(itarian) big data processing and slurping up the rules into neural net abstract systems somewhere out there in clouds of sorts. Yes these won out in the end; maybe not in the neuron simulation way but more like the expert system production rules and especially axioms of old. And take account of everything, from the mundane all the way to the deeply-buried and extremely-outlying exceptions. Everything.
Which wasn’t what experts were able to produce.

But, let’s check the wiki and reassure ourselves we have all that (functionality) covered in “the ‘new’ type of systems”, then mourn over the depth of research that was done in the Golden Years gone by. How much was achieved! How far back do we have to look to see the origins, in post-WWII earliest developments of ‘computers’, to see how much was already achieved with so unimaginable little! (esp. so little computing power and science-so-far)

Yes we do need to ensure many more science museums tell the story of early Lisp and page swapping. Explain the hardships endured by the pioneers, explorers of the unknown, of the Here Be Dragons of science (hard-core), of Mind. Maybe similar to the Dormouse. But certainly, we must lament the glory of past (human) performance.

Also,
20150215_144700
[Is it old, or (still) new ..? Whatever, it’s prime quality. Spui, Amsterdam]

Maverisk / Étoiles du Nord