As we turn the leaf towards a new year, let’s not forget what values – in operation, operationalised – protect our Human Rights, in the form of de-mock-racy, and how they are ever so quickly being repelled by, e.g., AI and fake news but in particular, the deployment of bots as here.
Yes I know, that’s three layers of tools, but still: the focus is on the first two, while the latter plays almost the foulest role.
Yes I know, the ‘operationalised’ part may need elucidation on the side of ‘transparency’, ‘access and inclusion’ etc., but when you read after the link, you’ll understand that the issue is society-wide, not just FCC / net-neutrality.
Well, that was a quicky… hence:
[München, for zero (as in: 0.0) reason]
How is it that we tend to hear over and over again about ‘insider’ threats ..?
Even when it’s not the Board that is meant here, as the pinnacle of … the ability to drive a company into the ground, those pesky ‘insiders’ really are a pain in the place where you like that or the sun doesn’t shine.
Better get rid of any and all of those ‘insiders’ then, eh ..? AI, here you come. But if AI system(s) were a replacement for humans, wouldn’t they commit the same temporary, small, innocuous and unconscious lapses of judgement..?
And what about off-boarding the biggest threats first ..? [Where I do mean the above committee]
Maybe better to recall that we’re about to celebrate the fifteenth birthday [was there ..!] of deperimetrisation – with an s once you recognise its country of birth, and disclaim an all-out stupid Jabba the Hutt style claim of origin so no z’s anywhere – who’s an -sider when there’s no way to tell ..?
Also, it vilifies the underlings that make your salaries and bonuses, so if you punish them (by giving them less reward than yourself), they don’t get mad. They get even. Simple.
You gave them the tools. You made them build their own tools, ostensibly to keep you afloat, but you wouldn’t recognise a buoy from an anchor, so guess what you get… And when you’ve lost them, they aren’t much of the insider you’d want, right; morally they’d be on the outside again already.
Case in point: This miss by the venerable @HarvardBiz … Though the solutions offered, are valid – as very-starting points…
So Part I – Ω is to treat your underlings like you care. If, big if, you actually mean it (hence will not in an instant be found out to be a fraud at this), you’re saved for now. Otherwise, any fight against <whatever>sider threats will be futile. Remember this ..? You get treated like you treat; it starts with you – your intentions towards the other will be perceived. Positive/negative, the choice is yours.
Oh well. Plus:
[Some light’s also good for the inside; Utrecht (1924 ..!)]
Another one today!
This here piece, and the according official text (with interesting subheader, as downloaded from the official site…).
Because one should not expect either to be a fair representation of the Chief’s actual stance, as what is in the speech text is so clearly wrong, or else the Chief (or his speechwriter) was badly misinformed by his own staff, probably down/up quite some chain of command before reaching either end. E.g.,
- “First, Admiral Bauer pointed out that cyber operations have significant drawbacks. In fact he called them a “too good to be true” scenario. Yes, they are fast, do not require boots on the ground, and have limited risk of repercussions. Yet they do require extensive preparations, and are tailored at a specific target, at a specific time, under specific circumstances. This makes them difficult to repeat. Conventional weapons can be used for years. Cyber weapons (e.g. malware) on the other hand have a limited shelf life as the vulnerabilities they depend on will be patched.”
Right … What about comparing a vulnerability of this sort (one that can be patched so easily, i.e., a known bug that hadn’t been patched before!) with a single bullet? One that can be fired simultaneously at thousands, millions of foot soldiers who, when hit, will turn on their Chief ..?
And the idea that, once used in an attack (sic, because no-one is out looking for unknowns ..!), it will be patched before it is used in an attack, resulting in a contradictio, and
As if full patching of each and every exploitable vuln at once has anything to do with reality whatsoever; if one thinks that: dream on and back to kindergarten. [As stated: No bearing on respect for the CHOD (why not CJCS?); one can, for the above and below things, not expect the speech text to be accurate – on second thoughts, is this a fake news detractor, to seed false info ..?]
Plus, this reads as if all patches are perfect all of a sudden. Now that would be news.
And, what about differences in sophistication? Weren’t all sorts of countries effectively kicked out of Afghanistan [to name one of a long list…’Nam anyone?] without success (sic), by people with hand guns and IEDs only (no, the I stands for something else)? As e.g., here. As if the many armies kicked out like that had not had their ‘patching’ with armour all together…!?
- “Notice how this is different from ‘civilian’ cyber security. There an attacker has a distinct advantage over the defender because he does not need to attack a specific target (he can try many targets at once and settle for the weakest one), and typically has no deadline within which the attack must be successful. In a ‘civilian’ cyberattack periods of activity are separated by sometimes long periods of inactivity, because after a successful move the attacker stumbles upon a further line of defence that must be investigated.
Cyber operations do not have that flexibility, especially because they must form an integral part of existing military capabilities. The timing of a cyber operation thus depends critically on other, conventional, operations. (As someone later explained to me, if the commander of a military operation inquires whether the cyber team can hack say a bridge, the answer “probably yes, but we do not know how long it will take us” is not very useful.)”
Again, a gross mis-take on what ‘cyber’warfare [#ditchcyber] is about. As if, as if, ‘cyber’warfare were any different from normal warfare, Clausewitz-like – not! as you can read for yourself; the civilian long-term ‘warfare’ is exactly the same as the 5th kind.
If the commander were to ask a squad whether they can take (out, I guess) a bridge by physical means, and any ‘yes’ were taken as certainty, the commander would not be in charge for long… The right answer is seldom the most useful one; just as relevant is, e.g., the question why one is there: this (3rd bullet).
- “A second thing that stood out in the speech of Admiral Bauer was the acknowledgement that in cyberspace, the difference between cyber security and national security becomes fuzzy. Whereas defending the latter is clearly a task of the military, their role in protecting the former is less clear. As Admiral Bauer put it: “the Armed Forces are not the national firewall”. Yet it is clear that by developing cyber weapons and cyber defences, their impact (both positively and negatively) on cyber security increases. This requires closer cooperation with the government, law enforcement, the private sector and research institutes. Admiral Bauer would like to invite people from cyber industry to work directly with or for the Armed Forces.” [From 1st link above]
Another non-sequitur. As if the CHOD could not see that border defense (what are ‘we’ doing in all sorts of places around the world, then ..? Far, far overstretched, qua capacity and capabilities) is the same, either physical or abstract. If people had to defend themselves … they should have the right to all bear arms in ‘cyber’space, to defend themselves, just as they would have the right to bear arms in physical space, right? With those arms necessarily being of at least equal combat value as the opponents’ ones. I can have my own F16 squadron! (And I would certainly want it to be as great as ‘my’ 322sqn … with Block 52+ Advanced / -V or what have we … Hey, isn’t this a great and desperately cheap alternative to (jump) the money-guzzling F35s ..!?)
And “no physical sand bags” (2nd link) ..!? What are patches, then?
- Et cetera. One could go on, ever more certain that this is not the official military stance on the issue but some sickly surrendermonkey civil servant (if only they did) kind of underling dweezil sort of misinterpretation of seriousness.
[All analog (literally, slides!) to digital scans; from the time we built (rather, had around still from years before) diarama’lets and there were shows for the public when Twente AFB still existed – like, 1983 or so, you know, from times when Defence was something Real]
As a pointer to what this is about…
You know, like the oldest tricks in the book, still going strong when all the world’s (worlds’?) arms’ races are going nowhere. As predicted. Where the title of course doesn’t reference a major part of the sec controls, stego.
But that’s a finesse point. Let’s be happy that research into faster horses continues, with results.
[Stylish; what’s hiding here ..? Even when you know where]
Yet again, some seem to not understand what they’re talking about when it comes to transparency in AI…
Like, here. Worse, this person seems to be a rapporteur to the European Economic and Social Committee, advising the European Commission. If that sounds vague – yes it does, even for Europeans.
For the ‘worse’ part: the umpteenth Error, to consider that the secrecy of algorithms is the only thing that would need to change to get transparency about the functioning of a complete system.
1. The algorithm is just a part of the system, and the behaviour of the system is not determined in anything close to any majority part by the algorithm – the data fed to it, and the intransparent patterns learned by it, are. The transparency needs to be about the algorithm but much more about the eventual parameters as learned throughout the training time and the training/tuning after that. [Update before press release: There seems to be an erroneous assumption by some way too deep into EC affairs that the parameters are part of the ‘algorithm’ which is Newspeak at its worst, and counterproductive certainly here, and hence dangerous.]
2. The algorithm can just be printed out … if anyone would need that. One can just as easily run an AI code analyser (how good would that be? They exist already, exponentially increasing their quality, savviness) over the source or decompiled code.
3. The eventual parameters … not so much; they’re just there in a live system; unsure how well they are written out into any file or so (should be, for backup purposes – when not if AI systems will get legal personhood eventually (excepting the latter-day hoaxes re that), will a power switch-off be the same as attempted murder, and/or what would the status of a backup AI ‘person’ be ..?).
4. Bias, etc. will be in the parameters. The algorithms, mostly-almost-exclusively will be blank slates. No-one yet knows how to tackle that sufficiently robustly since even if the system is programmed (algorithm..!) to cough up parameters, the cleverer systems will know (?) how to produce innocent-looking parameters instead of the possibly culpable actual ones. Leads into this trickery by AI systems, have been demonstrated to develop (unintentionally) in actual tests.
5. How to trick AI pattern recognition systems … the newest of class breaks have just been demonstrated in practice – their theoretical viability had been proven long before – e.g., in this here piece as pointed out only yesterday [qua release; scheduled last week ;-]. Class break = systemically unrepairable … [ ? | ! ].
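To make points 1 through 4 concrete, here is an added example (not from the original post, nor from the EESC paper it discusses): one and the same training algorithm, a plain logistic regression written out in full, fed two constructed datasets. The ‘algorithm’ can be printed and audited line by line and tells you nothing about how the trained system will decide; the group-dependent behaviour lives entirely in the learned parameters, which only exist in the live system until someone bothers to write them out. The data, the feature names and the ‘applicant’ are all made up for the illustration.

```python
import inspect
import json
import math


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def train_logistic(rows, epochs=2000, lr=0.5):
    """Batch gradient descent for two-feature logistic regression.

    This function body is the 'algorithm'. It can be printed and audited,
    yet it says nothing about which feature the trained model will end up
    keying on; that is decided entirely by the rows it is fed.
    """
    w = [0.0, 0.0]
    b = 0.0
    n = len(rows)
    for _ in range(epochs):
        gw = [0.0, 0.0]
        gb = 0.0
        for (x0, x1), y in rows:
            err = sigmoid(w[0] * x0 + w[1] * x1 + b) - y
            gw[0] += err * x0
            gw[1] += err * x1
            gb += err
        w[0] -= lr * gw[0] / n
        w[1] -= lr * gw[1] / n
        b -= lr * gb / n
    return {"w": w, "b": b}


def predict(params, x):
    """Probability of a positive decision under the learned parameters."""
    return sigmoid(params["w"][0] * x[0] + params["w"][1] * x[1] + params["b"])


def algorithm_source():
    """Point 2: the algorithm itself can simply be printed out."""
    return inspect.getsource(train_logistic)


def export_parameters(params):
    """Point 3: the learned parameters only exist in the live system unless
    written out explicitly; serialise them so they can actually be inspected."""
    return json.dumps(params)


# Constructed training data (hypothetical). Feature 0: a score in [0, 1];
# feature 1: membership of some group. Labels: 1 = approve, 0 = deny.
# NEUTRAL: approval depends on the score only, identically for both groups.
NEUTRAL = [((0.1, 0), 0), ((0.3, 0), 0), ((0.7, 0), 1), ((0.9, 0), 1),
           ((0.1, 1), 0), ((0.3, 1), 0), ((0.7, 1), 1), ((0.9, 1), 1)]
# BIASED: the historical record never approved anyone from group 1.
BIASED = [((0.1, 0), 0), ((0.3, 0), 0), ((0.7, 0), 1), ((0.9, 0), 1),
          ((0.1, 1), 0), ((0.3, 1), 0), ((0.7, 1), 0), ((0.9, 1), 0)]


def compare_decisions(applicant=(0.9, 1)):
    """Point 1 and 4: same code, different data, opposite decisions for a
    high-scoring applicant from group 1. The bias is in w[1], not in the code."""
    return {
        "neutral": predict(train_logistic(NEUTRAL), applicant),
        "biased": predict(train_logistic(BIASED), applicant),
    }


if __name__ == "__main__":
    print(algorithm_source())                     # the auditable part
    print(export_parameters(train_logistic(BIASED)))  # the part that decides
    print(compare_decisions())                    # neutral > 0.5, biased < 0.5
```

Reading the printed source would give an auditor exactly the same text in both cases; only the exported parameters (a strongly negative weight on the group feature for the biased model) reveal what the system will actually do. That is why a transparency regime that only demands ‘the algorithm’ gets the wrong artefact.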
Let’s hope the EC could get irrelevant just that little less quickly by providing it with sound advice. Not the bumbling little boys’ and girls’ type of happythepreppy too-dim-wits. [Pejorative, yes, but not degrading: should, maybe not could, have known better ..!]
[Already at a slight distance, it gets hazy what goes on there; from the Cathédrale]
Recently, was reminded (huh) that our memories are … maybe still better than we think, compared to the systems of record that we keep outside of our heads. Maybe not in ‘integrity’ of them, but in ‘availability’ terms. Oh, there, too, some unclarity whether availability regards the quick recall, the notice-shortness of ‘at short notice’ or the long-run thing, where the recall is ‘eventually’ – under multivariate optimisation of ‘integrity’ again. How ‘accurate’ is your memory? Have ‘we’ in information management / infosec done enough definition-savvy work to drop the inaccurately (huh) and multi- interpreted ‘integrity’ in favour of ‘accuracy’ which is a thing we actually can achieve with technical means whereas the other intention oft given of data being exactly what was intended at the outset (compare ‘correct and complete’), or do I need to finish this line that has run on for far too long now …?
Or have I used waaay too many ””s ..?
Anyway, part II of the above is the realisation that integrity is a personal thing, towards one’s web of allegiances as per this and in infosec we really need to switch to accuracy, and Part I is this XKCD:
All that work for a private sector organisation and take (wrong) decisions based on false information – or, essentially, dismiss accurate, helpful information that would have steered to other decision alternative(s) – will be fired when the truth of the bad decision comes out.
Which would be helpful if applied to sectors where people’s money is so abjectly abused, too. E.g., like this one. Or this one (in English, some info here, and the whole idea of usefulness of having more and more data is debunked endlessly everywhere (you search)). Or this one, completely debunked here. The list is endless.
All of which points to a serious problem. The trouble with the world is that the stupid are cocksure and the intelligent are full of doubt (Bertrand Russell) AND the stupid (to which, ‘immensely’) seem to be masters at picking the wrong advice. Once ‘immensely’ is indeed added, one recognises the ‘politician’. Playing the role of the Fool (not the Jester), unsurpassably perfectly.
But how now can we get those stupidestest ideas go to die, sooner rather than later ..?
The fact that an opinion has been widely held is no evidence whatever that it is not utterly absurd; indeed in view of the silliness of the majority of mankind, a widespread belief is more likely to be foolish than sensible (BR again). That’s completely true; moreover, it’s Maverisk’s motto.
[To defend the Truth; Châteauneuf not the -du-‘ish or so]
And you thought fraud detection was about bank transactions or even counterfeiting physical stuff. Boh-ring, when you read this. Takes it to another level, eh?
Which brings me to an important issue: Are we not still studying and practising infosec from the wrong angle, doing a middle-out sort of development in many directions but starting at a very mundane ‘CIA’ sort of point. Which is of course core, but there is so much to cover that some outside-onto view(point) might be beneficial. We’re in the thick of the fight, and no matter in which direction you go, when you wade through the thicket with your control measures machete, you achieve little – when you then turn around to try to clear some area in another direction, all has grown dense with state-of-the-art arms’ race bush again already.
And yes, of course one can educate, etc. in some form of hierarchical approach, top-down. But that leaves us with many, all too many that float comfortably on the canopy where the view … isn’t that great as one’s very certainly in thick fog of the monsoon rain. And nothing is being directed (ugch) deeper down. Or controlled (?). Just more, most partial world views unconnected and behaving erratically.
The e.g. in this is that link above. A tiny subset of situational scenario. Not solved pervasively, once and for all. Now think about the hugely, vastly, enormously wider scope of ‘all’ of infosec that would need to be covered to a. arrive at sub-universes of control, b. overview.
The latter remains Open.
Me not happy.
Solutions, anyone ..?
[Ah! The days when this sort of ‘defence’ was enough to conquer! Alésie of course]
When one is interested in keeping up with what’s happening, and where future class breaks might be, a nice intro would be this little book. Like, when virtual machines came to the fore, it was declared that this would be a solution because of course the VMs would be impenetrable. By the utterly clueless, since it was the stupidest thing possible in infosec to say that. Though it cost some time to show the real value (positive) net of the risks (that indeed showed up…). With this subject, the same will happen. Future fact.
Oh and the post title just refers to shipping single pallets across the big pond, e.g., for these. Groupage, degroupage, forwarders, stewards, you know. The old, still there. And:
[Pro question: Beaune or Dijon ..?]
At least, that’s what the Quartz article comes down to, too. At least, if you don’t want to go down with the oh so often recurring banks/bankers’ demise. Indeed all that recognise Yeshua as having had at least something valid to contribute to the world, see/heard/read that the sweeping of the Temple clean of the money changers was a demonstration of the ethically very worst being thrown out of civilised society. When, as a family, one would want to stay in touch with one’s rightful place (geographically; name one family that made its fortune in a fully legal and ethical way ..?) in good style, one may better not depend on bankers…
Oh well, why am I complaining – we learn from history a. that we don’t learn from history, b. that, with the demise of the Afterlife, those left behind (e.g., economically) in their mortal life have no vindication in the After. Those that do all sorts of things considered (cardinal) sins are not punished there/then… It may all be a ploy to keep the meek in check. [Pun not even intended; ed.]
Oh well part two:
[We learn from this chap that what the … is he doing on the floor of a Catholic cathedral..!?; Siena]