Droneshield-downer

How would this (link in Duds) great – not so much – invention help against drones that have pre-programmed GPS coordinates and semi- or fully-autonomously fly to their destination? Because they’re out there already and even building/programming them is a piece of cake for the ones that would actually want to do harm for no defensible (sic) reason.
And also, there already is this; better drone detection than the article (and the vendors therein) suggest would be possible …!
And also, there already is law against the proposed jamming.

So, too bad, vendors Deutsche Telekom, T-Systems, Dedrone, Rohde & Schwarz, Squarehead, Robin Radar Systems, and HP Wüst: Magenta is a colour, not a viable product — it’s illegal and it doesn’t work; a square fail.

Am I too harsh? Possibly; that happened some 50 years ago as well. Plus:
[Quite this’y: All showboating, no real value, and skewed; Haut Koenigsbourg again]

Sending the right message

This of course being the right message. If you can read it when I Send it you. And, for your viewing pleasure:


[Anonymous but blurry and far from privacy-complete, this physical cloud exchange…; NY Grand Central]

Goldilocks versus information security

If you expect some fable about budgets; not so much.
This post’s about the generation thing called the Goldilocks syndrome – every generation (aren’t they ever shorter, these days?) believing that they had it, and made the society they ‘created’ no less, better than any generation before and after them.
For many generations, tech is still something that ‘came in later’ [venturing that even the newest ones, will see major tech-driven societal / tools changes in their lives], and information security nitty-gritty stuff is a major part of what they experience of that technology.
And ‘we’ (all) have done a very poor job of making it easier, actually improving over what was, to take away rational arguments for the G syndrome. We rather have heaped tons of infosec micromanagement of the worst kind onto the mere use of the technology, not even mentioning the troubles in the content where automation turned into change and inefficiencies of the polished work that was, and all that to cope with issues not in the actual work but in the operation of that very technology and its (sometimes gross) imperfections that didn’t exist before.

So, we may have to re-strategise and re-implement about all that we have, qua technology and qua information security dyeing on top and after it.

There’s other reasons, too. And:
[When defences were, quite, a bit less buggy; Haut Koenigsbourg]

M, and A, and G, D, P and R

Now that you have finally got something going qua GDPR compliance – way short of what you’d want but still, at least something, better than the Nothing to which you were limited so far – there is a new twist to the requirements…
To be clear; by now you should at least have the requirements clear, and also possibly have some upsides lined up (if not, go shop with some vendor consultancy (and others); they’ll tell you about the benefits of data minimisation, the unstress of having your house on order, etc.). And have something going qua reconnaissance, though not armed recce or recattack.

But now, you may have to rethink. A bit. About what you’d have to have prepared when you land in M&A territory, or even in Chapter 7/11/13- (and 9-!) or any glocal receivership. Because … well, the idea sprang from this thing with de-anonymising data from sperm banks (in NL); until now most highly classified secrets (qua donorship). Turns out that not all clinics have the old data, still, because previously the secret was to be eternal hence best secured by throwing away the data.
But more seriously, not all clinics exist anymore and there is no way to know where the data went, if anywhere.

And that’s where your organisation comes in. Not qua LoB but qua existence, now and in the future. Will you buy, take over, integrate some other org, or be on the receiving (uh…) end of the turmoil? You may want to make sure that the “GDPR” record of the other party is impeccable… Or end up with a mixed compliance bag which is equal to no compliance…
Possibly, you may have to prepare for some form of end-of-organisational-life where there is no body to take over your data and you might have to prepare for that ..?

Well, we’ll see what WG29 comes up with. At least, it will be additional stuff.
Plus:
[In a weird twist of interpretation, this complex of buildings could have housed a private bank of said kind…; Sevilla BTW]

Drones with AI; revenge

Heard recently of an airforce that was setting up a drone squadron where the pilots (? might, given the joysticks, better be called ‘gamers’ these days, apart from the euphemistically erasure of the moral and ethical aspects, maybe) would be in that country but the drones would be stationed in some other country because stupid drone flying rules go for the DoD too.
Yes this regarded a European country [would’ve referred to NL outright if it was; ed.], you guessed that correctly from the previous.

At some point in the future, the drones inevitably will get AI because everything will get AI. And, in times of increasing hacking and comms disruptions, some autonomy would be welcome for the drones already. And, what with increasing (sic) hackability, qua security against take-overs / reprogramming / retargeting while already airborne?
By that AI time, smart enough AI to come back and take revenge for the exile on those that wrote / maintained the stupid rules ..?

Anything too outlandish to take into serious regard today, will be daily no longer newsworthy fact tomorrow. ‘Tomorrow’ may vary from tomorrow to five years; no more.

Oh and on a lighter note: [Oh hey look, a street car! Sevilla]

Weak Humans, the Top-10

Again, the reference in the title is useless but may attract more readers through Timeline/Prio Gaming(™ from now on) – and, this in return might have referred to the title but yet again, close but no cigar (again, less chances of a Cuban, anyway, for some by their own mistake).
What I meant was that humans are targeted by hackers since they’re so vulnerable read stupid may be true — relatively… actually meaning apparently Technology and [the empty shell phrase of; ed.] Process may be so perfected that hackers have nowhere else to turn to.

That, of course, is not true. Simply, false.

When looking at the disastrous error rates (bugs to be fixed, sometimes easily) in software, how would anyone be able to claim Technology is anywhere near kinda OK. And Process… Show me an office (however formal, or strikingly similar to a coffee shop of not the Amsterdam original kind, or any beach with WiFi [→ why aren’t we all there, yet …!? ed.]), and show me a ‘process’ there. Wrong. All you can show, is either concrete, chairs, etc. even if of the kanban billboard kind [how idiotically silly can one get ..?], or humans. I.e., Technology or People. Neither of which is Process. No, printer paper with some ink blots .. also not process (descriptions) but Tech..! Don’t believe the lies, people! Process doesn’t exist!
So, we have something half-crappy [surprise this blog editor still runs … ;-] and something non-existent, … and People. On what now would you want to build your security?

Ah, on the People that are the most flexible, attentive (to business objectives, not your overhead), and creative (well… but including the most meta² of abstract/meme evolution evah) that Nature has ever developed with her genetic algorithm play of Evolution.
Where did you leave your own mis- and totally-zero-understandings on Humans, to pursue Tech and “Process” (quod non) solutions to Human threats ..? Why weren’t human threats from the word Go protected against by the best that human defences could muster to protect human vulnerabilities ..? Not only qua passwords, with a method aligning with cardinal sin number …. [should re-read the Bible for that; ed.] being the quest for ever more money i.e. including the protection of what you have (see the link). But qua overall about-all controls you’d need. If done right, I bet a lot of tech controls would dwindle in significance (and possibly be executed much worse than today; zero gain).

Now I start to ramble. But you get the point, and you get:
[From here, the Strong came in. NY]

Yup, called, confirmed

Always pleasant, to read one’s (almost…) correct, on off-off-Broadway analysis and postpredictions. Like this one, corroborated here, in a way.
Yes, I kno. I almost got that correct. Enough to confirm the line of reasoning, if you read it / both correctly, they turn out correct. I’ll stop now. And:

[Check, for Dutch ad viewers; Valencia]

Discharging DPOs by auditors

Now that it by and large seems to be that GDPR hypestuff is mostly pushed into the legal corner, … let it stay there. Let the others do their job, and reap all the benefits. I.e., via the avenue (required budget-wise; wildlands qua budgets received) of data discovery [Uchg ugly word I meant inventory] / data minimalisation/cleansing / data security [the old way, like information security, not the #ditchcyber fail] towards magnificent efficiencies in IT ops, and much clearer, exponentially better profile’able data even if Big.

Hey, the DPO was so self-inflatedly Important, right? Let him (sic) handle all the fan mail then… Let him panic-crash during every high-pressure breach BCM handling.

And then a. get fired, b. get sued, c. get replaced by yet another legal scholar turned business savvy (quod non) ‘executive’ [who executes who?].

But … in the mean time, someone would have to discharge the DPO. Not from internal audit because they’re part of the problem organisation.

OK, let’s have that done by an external auditor, then. A specialist, hopefully.

Hereby my claim to that specialty. Will develop fully-compliant methodology, will travel (charging expense…).

And:

[As an external auditor specialist, I love to have this sort of view; NY]

Some Quotum of Questions of Quantum

Am I the only one with questions how the following intertwine:
An article on how quantum-secured blockchain may be so safe, but possibly not in the hands of whom you’d want it? If in anyone’s hands at all, since no-one can be trusted forever; if you wouldn’t believe that, you declare yourself incapable of discussion on this subject…
A most brilliant blog post on a related subject.
An equally insightful piece on how blockchain-of-command would lead to Totalitarianism.
An equally … Being the Why Johnny Can’t Encrypt, 2017 version. Notably, the previous versions hadn’t been patched properly…

So, you see a Perfect Storm or what ..?

Plus:

[Why did you cross the street, you chicken? M’drid]

Nudging to intermittance; 5 steps to awa success

As by now you have become accustomed to, this isn’t anything about five steps, or success. Or, I mean, the latter, maybe. Was triggered by the to be, should be classic on all thing #ditchcyber ψchology, where it discusses the lure of games and the reward structure therein. From there I wondered three things:

How can we deploy true gaming (not the quiz / survey kind) in raising, and maintaining, awareness in information security praxis for end users? Like, not the Training kind, but the Knowledge → Attitude → Behaviour – into eternity kind. For end users, and for infosec-(more-)deeply involved staff, differentiated.
The latter, probably requiring training upfront, but towards actual technology deployment, tuning (!) and use. And, moreover and probably much more important to get right, BCM style training. Train like you fight, then you’ll fight like you train. Since when it comes to damage control (and in infosec, the “it’s not if but when” is even harder fact than elsewhere!), one wants to have trained all on cool, controlled response not mere panicky reaction even more rigorously than in about any other direction.

Where does the Nudging part come into gaming ..? The thing, nudging rewards and penalties, is in use everywhere in public policy, to inobtrusively (sic; by governments yes, beware of the Jubjub Bird!) coerce people to change their social habits. At least a frog will jump out of slowly heating water… [Yes it does. But how did you want to jump out of the complete, total slavery of the Social Contract ..? You can’t. You’re bound from and by birth. You’ll be a slave forever, the more so when your mind is free…]
But besides; how do ‘we’ use nudges in infosec behaviour change games? How, in daily mundane practice where attention is to other things only, not to infosec as that stands in the way of efficient objectives realisation ..?

Third, how are the above two things combined, through ‘intermittent rewards’ as the most addictive element in games ..?

Just wanted to know. Thanks for your pointers to answers. [Have I ever received any? Nope.] And:

[On a bright day, for Stockholm, the Knäckeboat museum]

Maverisk / Étoiles du Nord