New! (RE yesterday's post)

Oh how appropriately timed, this…: A new version of l0phtcrack is here ..!

As I mentioned in passing in yesterday’s post, defense-wise one would be hard-pressed to find anything that’s up to snuff as far as being a step ahead of the Other Side goes; catching up is, however, still (if only just) feasible. Good to see that tools once used offensively (we’re talking, like, ages ago, ages being circa 20) and since disappeared from view return in all their sophisticated glory, be it as point solutions in a much-evolved world, but still.

All rejoice and ‘play around only to get to know it’…!

Remember… you may turn out to be such a tool all the same … And:
[Photo: Once, sufficient and hard to handle, for defense. Now, a model just for show]

Weird infosec science

Who would have thought: that total surveillance would reach into the house, with no, or hardly any, backdoors even needing to be built in.
As explained here, and here in closer-to-humanly-readable form.

If such are the Tempest inroads, who needs the newest-of-highest-tech solutions, as they will all succumb either to trivial, complexity-induced, unavoidable sloppiness of implementation, or to circumvention in the above way…?

Of course all of it is an atrocity in ethics but … I won’t be utterly negative about humanity’s future so I’ll stop now. With:
[Photo: Art imitating life; Stedelijk Amsterdam]

Clapton: 5 years for shooting sheriff

Singer not guilty of shooting deputy

August 9, 2016 by George Smith

A Clermont County, Ohio judge has sentenced Eric Clapton to five years in jail for shooting the sheriff. The British singer is said to have confessed in some Number 1 hit of 1974.

Clapton’s lawyer thinks the verdict is ridiculous: “They are trying to smear my client all over his home town. OK, he did indeed shoot the sheriff, but I swear it was in self-defense. And all they do is shout that it was a capital offense. Plus, the original was by Bob Marley, so what the heck are we talking about??”

In the court hearings, Clapton did not reveal which friends gave him a little help. He did say he felt that five years was forever, man.

[Screenshot of the original article, 2016-08-09]

[Original, in Dutch, on the Speld; translated with permission]

Dronecatcher ..?

Was tinkering with ideas to get rid of drones around / over high-risk sites, e.g., critical infra (sites).

You know, like the radiant type of energy production.
Where drones pose a somewhat new but pesky risk. The newness, of course, isn’t much of it, when all sorts of attacks with either plain-vanilla or modified-to-autopilot RC-controlled planes (possibly built in one’s garage) were around already and would hardly need any (suspicious) infra to take off and do their nefarious thing.
Though the proliferation of the new heli-style drones has somehow raised the frequency/chance side of the risk equation. And, maybe, the ease of modding to tech capabilities of the kind you’d not want, a.k.a. payload weight.

So, apart from the sudden realization that in times past, recent times included, little did we know of the defenses surrounding critical infra against the classical winged type of drones, we have the question: What now ..?

There seem to be two solutions required:
1. How to detect a drone, possibly rogue
1.5. How to handle false positives/negatives
2. How to down it.
Because I don’t color inside the lines only.

The first might be feasible with some mini-/micro-installations of, e.g., phased array radar in scan and track modes.
The second… My favorite would be a healthy dose of rounds, e.g., like a couple of full-on Goalkeepers around your install. Or have the lame version of only (cross-?)beaming the GPS around your target out of the sky, or lasering it beyond melting point. These latter two might be the more difficult ones, as far as the aim/range specificity needed goes. But the former will probably not fly too well with overzealous environs freaks [note: not against the reasonable ones]. Oh well, we’ll just throw up some net structure when the threat is imminent; quick reloads available ..??

And there’s still the issue of not shooting two birds with(out) one drone. I.e., how to ensure you’re not offing all the sparrows in a cloud and missing the single drone’let that disturbed the birdies in the first place. Well, why should I come up with the lame side-solutions ..?

Also:
[Photo: The unexpected, but disastrous scenario…]

ChainWASP

… With all the blockchain app(lication)s, in all senses, sizes and seriousnesses if that is a word, growing (expo of course) everywhere,
wouldn’t it be time to think about some form of OWASP-style programming quality upgrading initiative,

now that the ‘chain world is still young and hasn’t yet encountered its full-blown sobering-up trust crash through sloppy implementation. But, with Ethereum’s and others’ efforts to spread the API / Word (no, no, not the linear-text app…) as fast and far and wide as possible, the chances of such a sloppy implementation leading to distrust in the whole concept may rise significantly.

Which might, possibly, hypothetically, be mitigated by an early adoption of … central … Oh No! control mechanisms of, e.g., code reviews by trusted (huh?) third parties (swarms!), where the code might still remain proprietary and copyrighted.
Or at least, the very least, have some enforceable set of coding quality standards. Is that too much to ask …??

I know; that’s a Yes. So I’ll leave you with the thought of a better near-future, and:
[Photo: Horizontal until compile-time errors made adjustments necessary; beautiful concept, and other than Clean Code, actually executed to marvelous effect]

Fintech: Babble-fork

Coining (pun not even intended as I wrote this; lame non-landing anyway) a new phrase: Babble-fork.
Which is what is happening now in the financial industry with fintech:

Banks et al. think they have a role to play in the applications of blockchain technology in the financial industry of the future.
As blockchain is just a distributed ledger technology [ref. Tapscott the Elder & the Younger], right?
Obviously, dead wrong. Or: ‘the Internet’ is just phone lines between mainframes.

Otherhandly, the start-ups that have no role or place for the incumbents. The start-ups that expect the old ones to die [1:03 of the linked]… and then, it is already a mockery of a flattery to relate the financial industry-that-was with that commander that never made it to captain (Navy); an outright self-delusion of the grandest scale when such industrialists think they’ll still be able to catch up with the innovation tidal waves already rushing to their shores (unseen, over still deep seas until reaching their shallow tropical beach sides ..!).
Since blockchain is the very counterpoint of centralized (‘trusted third party’, quod non par excellence!) trust, being the utter distribution of it, hence contra anything however remotely approaching the delusion of importance that may still be with the traditionalists.

So, fintech forks ferociously for the financial future, as a tenable alliteration runs only so long. But you get it. Time again to ask for the entry password, with the wrong answer leading to …?

Well then, I also have for you:
[Photo: Dear Lord. In the Attick; Ams]

Said, not enough

Here’s a trope worth repeating: Humans are / aren’t the weakest link in your InfoSec.

Are, because they are fickle, demotivated, unwilling, lazy, careless, (sometimes! but that suffices) inattentive, uninterested in InfoSec but interested in (apparently…) incompatible goals.

Are, because you make them a single point of failure, or the one link still vulnerable, and through their own actual, acute risk management and weighing they decide to evade the behavioral limitations set by you with your myopic, non-business-objectives-aligned view on how the (totalitarian, dehumanized, inhumane) organisation should function.

Aren’t, because the human mind (sometimes) picks up the slightest cues of deviations, is inquisitive and resourceful, flexible.

Aren’t, because there are so many other equally or worse weak links to take care of first. Taking care of the human factor may be the icing, but the cake would need to be very good before perfecting the icing is worthwhile…!

Any other aspects ..? Feel free to add.

If you want to control ‘all’ of information security, humans should be taken out of the (your!) loop, and you should steer clear of theirs (to avoid accusations of interfering with the achievement of business objectives, or actually interfering without you noticing, since your viewpoint is so narrow).

That being said, how ’bout we all join hands and reach for the rainbow ..? Or so, relatively speaking. And:
[Photo: Where all the people are; old Reims opera (?)]

Right. Explain.

Well, well, there we were, having almost swallowed all of the new EU General Data Protection Regulation to the … hardly the letter, yet, and seeing that there’s still much interpretation as to how the principles will play out, let alone in the long term (I mean, you’re capable of discussing 10+ years ahead, aren’t you, or take a walk on the wild side), and then there’s this:

Late last week, though, academic researchers laid out some potentially exciting news when it comes to algorithmic transparency: citizens of EU member states might soon have a way to demand explanations of the decisions algorithms make about them. … In a new paper, sexily titled “EU regulations on algorithmic decision-making and a ‘right to explanation,’” Bryce Goodman of the Oxford Internet Institute and Seth Flaxman at Oxford’s Department of Statistics explain how a couple of subsections of the new law, which govern computer programs making decisions on their own, could create this new right. … These sections of the GDPR do a couple of things: they ban decisions “based solely on automated processing, including profiling, which produces an adverse legal effect concerning the data subject or significantly affects him or her.” In other words, algorithms and other programs aren’t allowed to make negative decisions about people on their own.

The notice article being here, the original being tucked away here.
Including the serious, as yet very serious, caveats. But also offering glimpses of a better future (contra the title and some parts of the content of this). So, let’s all start the lobbies, there and elsewhere. And:
[Photo: The classical way to protect one’s independence and privvecy; Muiderslot]

Maverisk / Étoiles du Nord