Security – Page 4 – Maverisk / Étoiles du Nord

Goldielocks versus information security

If you expect some fable about budgets; not so much.
This post’s about the generation thing called the Goldielocks syndrome – every generation (aren’t they ever shorter, these days?) believing that they had it, and made the society they ‘created’ no less, better than any generation before and after them.
For many generations, tech is still something that ‘came in later’ [venturing that even the newest ones, will see major tech-driven societal / tools changes in their lives], and information security nitty-gritty stuff is a major part of what they experience of that technology.
And ‘we’ (all) have done a very poor job of making it easier, actually improving over what was, to take away rational arguments for the G syndrome. We rather have heaped tons of infosec micromanagement of the worst kind onto the mere use of the technology, not even mentioning the troubles in the content where automation turned into change and inefficiencies of the polished work that was, and all that to cope with issues not in the actual work but in the operation of that very technology and its (sometimes gross) imperfections that didn’t exist before.

So, we may have to re-strategise and re-implement about all that we have, qua technology and qua information security dyeing on top and after it.

There’s other reasons, too. And:
[When defences were, quite, a bit less buggy; Haut Koenigsbourg]

Weak Humans, the Top-10

Again, the reference in the title is useless but may attract more readers through Timeline/Prio Gaming(™ from now on) – and, this in return might have referred to the title but yet again, close but no cigar (again, less chances of a Cuban, anyway, for some by their own mistake).
What I meant was that humans are targeted by hackers since they’re so vulnerable read stupid may be true — relatively… actually meaning apparently Technology and [the empty shell phrase of; ed.] Process may be so perfected that hackers have nowhere else to turn to.

That, of course, is not true. Simply, false.

When looking at the disastrous error rates (bugs to be fixed, sometimes easily) in software, how would anyone be able to claim Technology is anywhere near kinda OK. And Process… Show me an office (however formal, or strikingly similar to a coffee shop of not the Amsterdam original kind, or any beach with WiFi [→ why aren’t we all there, yet …!? ed.]), and show me a ‘process’ there. Wrong. All you can show, is either concrete, chairs, etc. even if of the kanban billboard kind [how idiotically silly can one get ..?], or humans. I.e., Technology or People. Neither of which is Process. No, printer paper with some ink blots .. also not process (descriptions) but Tech..! Don’t believe the lies, people! Process doesn’t exist!
So, we have something half-crappy [surprise this blog editor still runs … ;-] and something non-existent, … and People. On what now would you want to build your security?

Ah, on the People that are the most flexible, attentive (to business objectives, not your overhead), and creative (well… but including the most meta<sup2 of abstract/meme evolution evah) that Nature has ever developed with her genetic algorithm play of Evolution.
Where did you leave your own mis- and totally-zero-understandings on Humans, to pursue Tech and “Process” (quod non) solutions to Human threats ..? Why weren’t human threats from the word Go protected against by the best that human defences could muster to protect human vulnerabilities ..? Not only qua passwords, with a method aligning with cardinal sin number …. [should re-read the Bible for that; ed.] being the quest for ever more money i.e. including the protection of what you have (see the link). But qua overall about-all controls you’d need. If done right, I bet a lot of tech controls would dwindle in significance (and possibly be executed much worse than today; zero gain).

Now I start to ramble. But you get the point, and you get:
[From here, the Strong came in. NY]

Yup, called, confirmed

Always pleasant, to read one’s (almost…) correct, on off-off-Broadway analysis and postpredictions. Like this one, corroberated here, in a way.
Yes, I kno. I almost got that correct. Enough to confirm the line of reasoning, if you read it / both correctly, they turn out correct. I’ll stop now. And:

[Check, for Dutch ad viewers; Valencia]

Some Quotum of Questions of Quantum

Am I the only one with questions how the following intertwine:
An article on how quantum-secured blockchain may be so safe, but possibly not in the hands of whom you’d want it? If in anyone’s hands at all, since no-one can be trusted forever; if you wouldn’t believe that, you declare yourself incapable of discussion on this subject…
A most brillant blog post on a related subject.
An equally insightful piece on how blockchain-of-command would lead to Totalitarianism.
An equally … Being the Why Johnny Can’t Encrypt, 2017 version. Notably, the previous versions hadn’t been patched properly…

So, you see a Perfect Storm or what ..?

Plus:

[Why did you cross the street, you chicken? M’drid]

Nudging to intermittance; 5 steps to awa success

As by now you have become accustomed to, this isn’t anything about five steps, or success. Or, I mean, the latter, maybe. Was triggered by the to be, should be classic on all thing #ditchcyber ψchology, where it discusses the lure of games and the reward structure therein. From there I wondered three things:

How can we deploy true gaming (not the quiz / survey kind) in raising, and maintaining, awareness in information security praxis for end users? Like, not the Training kind, but the Knowledge → Attitude → Behaviour – into eternity kind. For end users, and for infosec-(more-)deeply involved staff, differentiated.
The latter, probably requiring training upfront, but towards actual technology deployment, tuning (!) and use. And, moreover and probably much more important to get right, BCM style training. Train like you fight, then you’ll fight like you train. Since when it comes to damage control (and in infosec, the “it’s not if but when” is even harder fact than elsewhere!), one wants to have trained all on cool, controlled response not mere panicky reaction even more rigorously than in about any other direction.

Where does the Nudging part come into gaming ..? The thing, nudging rewards and penalties, is in use everywhere in public policy, to inobtrusively (sic; by governments yes, beware of the Jubjub Bird!) coerce people to change their social habits. At least a frog will jump out of slowly heating water… [Yes it does. But how did you want to jump out of the complete, total slavery of the Social Contract ..? You can’t. You’re bound from and by birth. You’ll be a slave forever, the more so when your mind is free…]
But besides; how do ‘we’ use nudges in infosec behaviour change games? How, in daily mundane practice where attention is to other things only, not to infosec as that stands in the way of efficient objectives realisation ..?

Third, how are the above two things combined, through ‘intermittent rewards’ as the most addictive element in games ..?

Just wanted to know. Thanks for your pointers to answers. [Have I ever received any? Nope.] And:

[On a bright day, for Stockholm, the Knäckeboat museum]

Car disruption

Have governments gone insane?? They penalise anyone (but certainly not everyone) going over some completely [?] arbitrary speed, whereas my car can do double that, easily. This needs to be disrupted! Just drive as fast as you can handle, don’t care about the ‘others’ that stand in the way of you in your fundamental rights to freedom and the pursuit of happiness, and fight government in courts when they go after you – they are the stupid ones! They can’t stand you disrupting the traffic market by being quicker than the stupid sheeple [or is that you disruptor-user ..?] from A to B! People will die in traffic (e.g., by being so stupid as to always stay on the pavement but wanting to cross the road at a pedestrian crossing; fools. Children will veer off onto the streets; too bad. There will always be some less lucky and they take themselves out of the gene pool, just let them not hinder the Winners.

I’m into privacy. Which is of course completely different? from traffic ‘markets’ where the road is a commons, bound by rules (like, one doesn’t have priority but should give it to others when due) to make it reasonably safe for anyone (as a commons: no over-use till Tragedy Of). Just like hotels having to live by all sorts of safety rules (training staff, smoke alarms, hygiene, etc.etc.) for a reason. The same reason (or worse, given casuality of visitors) that goes for the V-sign company?
So, privacy in public space, the more virtual the more so [at least, no bit less so], can one (ab)use it when in breach of laws of common decency – that go much beyond mere laws or constitutions ..?

Not even a personal thing, the above … and:

[Perfect space for street racing…? Wouldn’t even hit too many ‘innocents’ here…; Zuid-As Ams]

Macrodots on your Opsec training card

Already a couple of weeks (month) ago, the whole secret-microdots-ID-your-printer thing came out. Re the leakage of something-TLA in relation to electionhacking [let’s write that as one word, better aligning the construct] or what was it, where the leakster was IDd quickly because the microdot on the published material(s) revealed the printer used.
Here I was, thinking that this microdot thing – Some claim it goes with laser printers only, not inktjet/dot matrix ones; anyone has any definitive confirmation of this? If confirmed, how many non-stupid bad guys will still use laser printers not have switched already …? – was wider known (like, I had yet to meet anyone in the infosec field that didn’t know of them or could not expect them, nor give any canary) but was supposed to not be used for any but the most extreme evidence-requiring circumstances. Like, you let incidental bombers walk because you don’t want to reveal your methods in order to be able to trace networks of them.

But here, a simple case of whistleblowing (is it, or is there more at play, like, Western democracy or even something serious, unfake …?) and everyone knows it now, in the open. Strange.
Tons of good info in the link, BTW.

Also strange that someone with such high clearance wouldn’t be better trained in Opsec, hence a. know about microdots and b. have used more covert leak channels. If training of such critical staff is so poor, there’s more serious troubles than just the demise of democratic institutions forthcoming.

Or maybe pretty-face leakster was ousted for not (falling for blackmail pushing to) providing some kind of services. Who knows. No one, these days of non-non-repudiatable news.

Oh well. And:

[In some relation to the above, that guy on the pole would know much better than to want encryption banned or backdoor’d to counter some moronic attackers like latter-day flat-out lying PMs]

Top 5 things that Awa isn’t

When dealing with awareness, certainly in the infosec field (#ditchcyber!), there seems to be a lot of confusion over the mere simple construct under discussion. Like, the equasion (with an s not a t) of Awareness with Knowledge plus Attitute plus Behaviour. Which, according to the simplest of checks, would not hold. Since Knowledge, and maybe Attitude, are apt components. But Behaviour is what eludes the other two, by the unconscious that drives 95% of our behaviour, in particular when dealing with any but the most hard-core mathematical-logic types of decision making and interaction.

Which is why so many ‘Infosec awareness programs’ fail …
First of all, they’re Training, mostly, even when in the form of nice posters and QR cards [that’s Quick Reference, not QR-code you history-knowledgeless i.e. completely clueless simpleton-robot-pastiche one!], and it’s true that “If you call it Training, you’ve lost your audience’s want to learn” – your audience will figure out it’s Training despite you packaging it differently; they needn’t even explicitly but intuitively (the level you aimed for, or what?) they will.
Second, all the groupwise that you do, doesn’t reflect in-group dynamics at the actual workplace and work flows, nor does it reflect the actual challenges, nor the individuals changing moods (attitudes). Oh the latter: Your attempt at changing Attitude is geared towards A in relation to infosec but that’s only such a tiny, so easily overlooked and forgettable part of the A all-the-time in the workspace.
Third, and arguably foremost, to plug ‘arguably’ as a trick’let to appear more interesting, What you aim for is not blank flat knowledge, nor even attitude, but Behavioural change. Do you really use the methods to achieve that ..?

No you don’t.

Oh and of course I titled this post with something-something 5, to get more views. Geez, if you even fell for that… And:

[Your ~~kindergarten~~ Board wish they could ever obtain such a B-room; Haut Königsburg]

Ten reasons quantum crypto will not

There may be more reasons that quantum crypto will not protect you against those evil villains out there, as suggested here (in Dutch) but quod non!!! (as I said; in Dutch ;-| ), for the not ten but one single reason:

When ‘hackers’ will not be able to access your comms when you will be using quantum crypto, so governments will also not so forget about it you will be jailed for life for using quantum crypto in the first place and also you are the most suspect of all and if still you’d try to use it, you will be whacked off-line … and your house raided, etc.etc. Because this.

And because, however clever you might think you are, obviously in vein, there will always be the ‘endpoint-to-you gap’ where parties may intervene.

Or they put a gun to your head. Good luck refusing.

And governments will restrict to their own comms; the most powerful one grabbing the scene and leaving all of the rest in the dust. And IF you believe their beneficial ethics, well you just removed yourself from serious discussion.

Anyway:
[Drone with too much tilt shift, or ’70s display scanned from an (actual, physical) slide..? (mine; ed.); <undisclosed location>]

Nudge, nudge, wink, wink, know what infosec behaviour I mean?

Am working on an extensive piece, a long-longread, on as many aspects of behavioural change towards true ‘secure’ user behaviour as I can cram into text. I.e., moving beyond mere full ‘awareness’ as phases 2/3 of this, to phase 4. Strange, by the way, that there is in that no end ‘phase’ or cycle in which one finds out to have been in phase 4 already for some time but didn’t notice and now forgets just as quickly as that seems ‘logical’.

But back to today’s subject, which is the same, but on a tangent. My question to you dear readers [why the plural, or >0 ..?] is:
Would you have pointers to (semi)scientific writing on the use of nudges to (almost)stealthily change (infosec-related) behaviour ..?
I could very much use that. Other sectors of human behaviour influencing studies have ample info on the effectiveness of such nudges, but for infosec I’m still with Googlewhack-like results.

Thanks in advance… Plus:

[The ways to seek prosperity from misery; EPIC Dublin]