Security – Page 5 – Maverisk / Étoiles du Nord

Knitting against Cyberrrr…

This here piece, being the explanation why hiding in plain sight beats overtly-crypto tools. Quite enough said, right, apart from the note that the solution is a form of arms’ race flipping, as predicted. Would only wonder (again) how many cat pics out there, have stego messages, and how many TLAs are constantly scanning all Pinterest- and others- uploaded pics for nefarious content. Where the sheer volume created by innocent users, helps the bad guys (girls…!) to escape (timely) detection, or what?

Maybe sometimes human interaction can still help, like with this. Of quite another category but deserving massive global support nevertheless. Can ABC’s and Facebk’s image recognition engines be sollicited, or are we looking at the hardest pics still eluding the strongest AI-yet ..?

Back to knitting-style help it is … And:

[If you recognise this’ your country, you just got an interesting PM story… (truly congrats)]

1. Train like you BCM

Isn’t it strange that one of the most prominent success factors of Business Continuity Management, actually training for eventualities of all kinds and sizes, is so little done?
Or has the basic tenet Train like you fight, then you fight like you train been forgotten?

Or not even learned in the first place. Shameful.

And, by the way, it’s true. When you train (well, as serious as if you’d actually be in a ‘fight’ for survival), you get experienced. Surely no trained scenario will play out in the unlikely event of an emergency of any kind that your BCM aimed for, but you will be experienced to handle such unknown situations, be flexible, and have the acumen, courage, and wit to come up with a solution, no sweat, right ..? Because you know you can, no sweat, and hence, clear thinking about the right things.

So, … have fun shooting down the bogeys. And:

[Hey,, that’s a pic from a scanned slide (physical, Kodak), of the bitches of South, at Twente (no more)…]

Stay put while moving your address

Lately, there were a number of times I was reminded that for those that still use email (i.e., the overly vast majority of us!), some email addresses have been more stable over time than mere snail street addresses. And, with the different use of email versus the type that it was (derived-)named after, quite some times your ‘stable’ email address is harder to change. Where moving physical home address will easily redirect your mailman’s delivery for a large sway of services (utilities, subscriptions, et al.), such service doesn’t necessarily exist for email.
Not strange. You can move house and then take your email with you. Come to think of it, this is part of the greatness of the OSI model, right?
But strange. Try to ‘move’ (i.e., change) your private email address, that you use for innumerable websites, affiliation subscriptions, socmed profiles, etc.etc., and … you’re hosed. In particular, when you don’t have access to your former email address e.g., when switching employers (wasn’t a good idea to begin with, even in about-all of the world where using company equipment still leaves you with all privacy protection you’d need, excepting the corner of the world that their figurehead took out of the world’s developments so will revert to backwater, developing country-terrain), the confirm-change email may be unreachable as you can’t login to your old mail account… No solution provided anywhere.

So, as easy as it should be to move physically and have your physical address changed in public record systems, as easy it should be to keep some email address(es) that are used to identify you in person even when you’ve moved ISP…
Question to you: Is this covered under the “Must be able to move” hardcore requirement always under the GDPR..? *All* data should be coughed up in a machine-readable format to be processed in similar manner by some other service provider. That goes for email services too, automatically, so how will the (your!) sender/receiver addresses still be valid when you’ve moved ..?
If the latter works, then any service provider ID in your email address must work on any other provider’s systems, or your former is liable for up to 2% of global (sic) turnover. Quite a (damages avoidance) budget, to make things work…

Oh, and:

[Take a seat; not your address of any kind; Dublin Castle]

Bringing back symmetry/-ia

Some issues, aspects of interest, collided a couple of weeks ago.
Macron’s team with their skillful double-cross deceit in the ‘leakage’ of election-sensitive info (!read the linked and weep over your capabilities re that, or click here for (partial?) solutions or others or devise your own). One down, many to go; Win a battle, not win a war yet.
In unrelated (not) news, what are the tactics used IRL to actively engage in pre-battle tactics? Can we plant our own systems with scar (?) tissue i.e. fake immunised (for us!) / unused information that is weaponised with trail collecting (or only source-revealing) capabilities, like shops and private persons can get “DNA” spray paint thus called because it’s uniquely coded so is identifiable and traceable? Can we harbour ‘hidden sleeper (?) cells’, pathogens i.e. malware, that doesn’t affect us but when ‘leaked’ to an adversary’s environment / stolen, oh boy does it become virulently active and destruct? (Silent) tripwires, boobytraps where are you?
How far behind the curve are the general public (us, I) with intel on developments in these areas? If the French used some of this stuff (using is revealing, qua tactics, unfortunately) certainly others would have considered the methodologies involved. Raises questions indeed, as were around, about whether or not the cyrillic traces were planted into WannaCry1.0 or left there in error. [There’s no such thing as perfect Opsec but this would severely hurt some involved at the source / would’ve cared better, probably.]

Just so we can get a better view on the balance being shaken up so vehemently, between asymmetric simpleton hacks [the majority you know (like, you actually can learn about; the real majority you may not hear about) of big organisations with their huge attack surfaces and attackers only needing one pinhole] and more-or-less regaining-symmetric nation-state attacks against each other (all against all) where the arms’ race of tooling now is so out of balance.

Would like to know, for research purposes only of course, really.

We’ll see. And:
[Yes that’s real gold dust on the façade hiding in plain sight, but you wouldn’t be able to scrape it off. Would you? Toronto]

Making yourself less and less special

Over the last couple of decades, we have seen a rather disturbing development. Negative multipliers.
Where the ‘trickle down’ economies have been proven to be the lies that they were assessed to be but no-one listened because the truth already then was buried in the impostor-syndrome shouting of the powerful (not: autorities; they hadn’t any, not: leaders; they didn’t) that were on their way to prove Piketti correct (despite the nitpicky critiques, he was and is; facts overwhelm secondary/tertiary methodology issues). But this is a digression.

Where, moreover, and foremost, sites, platforms, apps, that tried to ‘cut out the middle men’ by brokering themselves … did all a disfavour.
It started with banks et al., once the epitome of the service industries. A large part of the manual processing was transferred to masses of clients. E.g., transactions entry. Left to masses, millions, of unspecialised users thus costing those users millions of man (sic) hours, still today — ad having saved banks much, much less labour costs as management of the processes, coaching the users and systems etc., grew a little and the cheapest categories of labour only saw some cuts.
So, all are worse off, some more than average, and little was saved or made any more efficient or so. All this was sold as Progress and improvement.

This falsehood has been copied into the app world. Where e.g., real estate agents/brokers, are being cut out by self-service apps. Which means less agents/brokers, that were specialised in what they did hence could do it efficiently and earn themselves part of the savings that accrued to the sellers, buyers, since they outsourced their sides in the process not for nothing. The clients, they could earn a living and make enough to provide the brokers with an income. From which the baker could be paid; the baker could pay the butcher, the butcher could pay the supermarket clerk (indirectly), etc.etc.etc. — your classical definition of multiplier effects.
Now that everywhere, not only are people bound to do all sorts of business to which they weren’t accustomed let alone trained, thus losing valuable opportunity to remain specialised i.e., make the most money of their expertise hence had the most available (hum, more or less I know) to multiply (in an economic sense, you pervert mind),
but also numerous links in the multiplier chains are cut out, turning the positive multiplier chains into negative job loss – spend cut chains. It even brings secondary/tertiary markets to life, even when it’s about almost-no-human business…

But will the 0.1% care ..? Not likely.
So we’re doomed. Or ..?

And:

[No time, money to go flaner anymore; M’drid]

Not there yet; an OK Signal but …

But the mere fact that Congress will use ~~strong crypto~~ Signal, can mean many things. Like, “we” won the crypto wars, as Bruce indicated, or the many comments to that post are correct and it’s for them only and will be prohibited for the rest (us), or … nobody cares anymore who uses Signal, it’s broken and those that balked in the past, now have some backdoors or other coercive ways to gain access anyway. [Filed under: Double Secrets]

But hey, at least it’s something, compared to nitwittery elsewhere… And:

[Ode to careless joy; NY]

Predictable consequences

Dutch police start with ‘predicting’ crime.

For graduation, at kindergarten level:

Can you prevent bias?

What happens to accidental bypassers?

What will be the effect on Free society?

How many years in prison will the police chiefs get for this outright attempt to overthrow (the core principles of freedom of movement, innocent until proven guilty, etc.etc., of) the constitution and the UDHR whilst failing to fulfill the duties, to protect and serve [whatever variation] those?

Remember, this is at kindergarten level. Have fun, kids! Plus:
[Is this still a thing? Yoga at Briant Park, NY]

Having fun with voice synth

In particular, having fun the wrong way.
Remember, we wrote about how voice synth improvements, lately, will destroy non-repudiation? There’s another twist. Not only as noted, contra voice authentication for mere authentication (banks, of all, would they really have been in the lead, here, without back-up-double auth?), but in particular now that your voice has also become much more important again [after voice had dwindled in use for any sorts of comms, giving way to socmed typed even when with pixels posts of ephemeral or persistent kinds; who actually calls anyone anymore ..?], we see all sorts of Problems surfacing.

Like, mail order fraud. When hardly anyone still goes on a shopping spree through dozens of stores before buying something in store but rather orders online, of course Alexa / Home/Assistant / Siri / Echo / Cortana are all the rage. For a while; for a short while as people will find out that there was something more to shopping than getting something — but recognising the equilibrium that’ll turn out, may be in favour of on-line business, with physical delivery either at home, or at the mall.
The big ‘breakthrough’ currently being of course some half-way threshold / innovation speed bump overcome, with the home assistant gadgets that were intended to be much more butler first, (even-more-) mall destructor second. But that second … How about some fun and pranking, by catuyrig just some voice snippets from your target, even when just in line behind ’em at Wallmart, and then synthesizing just about any text? When a break-in on the backside of your home assistant (very doable; the intelligence is too complex and voluminous to sit in the front-end device anyway [Is it …!? Haven’t seen anything on this!] so at least there’s some half-way intelligent link at the back) may be feasible per principle but doing a MiM on the comms to some back-end server would be much more easy even, and much easier to obfuscate (certainly qua location, attribution), a ‘re’play of just any message is feasible.

Like, a ‘re’play of ordering substances that would still be suspicious even when for ‘medicinal purposes’. Or only embarassing, like ordering tools from the sort of fun-tools shop you wouldn’t want to see your parents order from. Of course, the joke is at delivery time [be that couriers, DEA/cops, or just non-plain packages] — oh wait we could just have the goods delivered to / picked up at, any address of our liking and have the felons/embarressed only feel that part plus non-repudiability.

This may be a C-rated-movie plot scenario, hence it will happen somewhere, a couple of times at least. Or become an epidemic. And:
[No mall, but a fun place to shop anyway; Gran Vía Madrid]

Notnews

Remember it’s a two weeks flashback already
Monday morning’s watercooler discussion: Did you hear about this WannaCry attacks all around the world? The sky is falling! And what a hypecycle the ‘solutions’ vendors piled onto it immediately and oh hey look cat pics how cute oh now it’s Friday again how time flies CU on Monday for more cat pics.

So true it’s sobering; appropriately. And:
[Will never learn. NY]

Golden Oldie Pic of the Day

Yet again …:

[Yes I, this refers to your infosec arrangements – wouldn’t deride the terms ‘management system’ or ‘practices’ by attaching them to what you do…]
[Yes II I did not include a dropcap style in his post on purpose. Thanks you noticed.]