What Boxe and Knife Sparring teach about ICT Security

Time and space are two key factors in any strategy, whether offensive or defensive. This is true regardless of whether you are involved in a large-scale, symmetric conflict, in an ambush or in a direct attack. There are, though, serious differences among the possible reactive approaches according to the factual circumstances.

An empty-hand attack can be handled by accepting a hit as a way to “close the distance” and gain a tactical advantage. This is best exemplified by the way boxers manage the opponent: maybe they get partially hit by a jab, but in the meantime they set themselves in the right position and time to land a devastating cross.

Knife sparring – let alone actual “fighting” or self-defense – requires an entirely different approach. In this kind of training it is mandatory not to be hit, because a hit actually means a “cut”. Therefore the training is focused on staying as far as possible from the blade and hitting the opponent’s hand with the defender’s knife (this is called “defanging the snake”). In knife sparring everything is faster and the reaction options are very limited: you don’t backstep and then hit back, or try to catch and parry a knife flying around your face or guts, as you would with just a bare fist.

This key difference matches a commonly underrated assessment when designing an ICT security model: is the infrastructure able to sustain a hit and remain operational while the “defense team” is summoned (as in boxing sparring)? Or is the infrastructure not designed to act like that, so that once hit its operational capability is progressively hampered (as in knife sparring)?

The answer to these questions is important because it helps the security manager better define the structure, the roles and the budget of the incident management team.

Taxonomy of a conference or: on the distillation of knowledge

A researcher has an idea. He shares it with his colleagues, they start brainstorming together and present it in a “geek-only” seminar.

A journalist stumbles upon the idea. He understands little or nothing about it, but writes a column about it because he is “the one who deals with innovation”, and interviews the “expert”.

The “expert”, who has been answering whatever question in the same way for thirty years, explains to him that there are also “legal problems”.

A legal scholar reads the journalist’s article and the “expert” statement, understands even less about it, but decides that he “knows best” and organizes the conference “legal aspects of XXX”.

A politician is invited to the conference. Until a minute before, he was dealing with something else, but he understands that this can lead to votes. He decides to jump on the subject and invites the legal scholar, the expert and the journalist (but not the researcher who had the idea) to join the “steering committee for XXX” – which is worth nothing, but looks “cool” – and presents a bill.

Meanwhile, the researcher notices that his idea has some flaws. He tries to contact the journalist, the expert, the legal scholar and the politician, but nobody answers him. They can’t admit that they didn’t know something.

Race is the new black

Since people have been anesthetized to the “privacy threats” that everybody and his cousin sees everywhere, “race” is now the new trend for bashing profiling, surveillance and whatever else the “human rights warriors” pick as the “enemy of the day”.

This article from wired.com – which follows the same “philosophy” as the one published by Wired.it about the racism of algorithms – hints at a new trend that gives trolls something to (keyboard) fight for: forget privacy, RACE is the buzzword-to-go for showing righteous indignation!

Algorithms are bad for RACE, Artificial Intelligence is bad for RACE, face recognition is a RACE thing… computer and RACE, smartphone and RACE, videogames and RACE, RACE, RACE,  RACE, RACE, RACE, RACE, RACE, RACE, RACE, RACE, RACE, RACE, RACE, RACE, RACE, RACE, RACE, RACE, RACE, RACE, RACE, RACE, RACE, RACE, RACE, RACE, RACE, RACE, RACE, RACE, RACE, RACE, RACE, RACE, RACE, RACE.

p.s. Sorry Monty Python.

Autonomous-driving and liability: a brief taxonomy

Summary: If you really want to regulate the field of autonomous driving, it would be better to establish – at last – the criminal responsibility of those who produce software, and to put an end to those shameful clauses in user licenses that say that “software is provided as is, and is not suitable for use in critical areas”.

In a discussion with Prof. Alessandro Cortesi on LinkedIn, an interesting debate emerged on the boundaries of legal responsibility for autonomous driving and on the relevance of ethical choices in the instructions to be given to the vehicle’s on-board computer for managing an accident.

Personally, in such a case, I find the use of ethics useless and dangerous.

Ethics is an individual fact which, through the political mediation of representatives of groups that share their own ethics, is translated into legally binding rules. If the State deals personally with ethics, it opens the door to crucifixions, burning and gas chambers.

On the “decision” in case of an accident: it is not the computer that “decides” but the person who programmed it, who (even if only as possible malice / conscious guilt) takes responsibility for the degrees of autonomy (not decision) left to the software.

It is a fundamental and indispensable point not to transfer the legal consequences of behaviour from people to things.

Automatic driving cannot be allowed in such a way as to violate by default the laws that regulate driving (conduct which, as it complies with the law, is presumed to be harmless).

The point, if anything, is the management of the extraordinary event (the classic pedestrian who suddenly crosses the road): in this case – once again – the theme is the malfunctioning of the hardware or the bad conception, programming or interaction of the software, neither more nor less than what would happen in case of the breakage of any other component.

Moreover, when the machine loses control, there is no computer that can oppose the laws of physics.

The Austrian Data Protection Authority and the feasibility of a “quid pro quo” consent

The Austrian Data Protection Authority ruled that consent as a quid pro quo is a viable option, provided that an essentially similar consent-free alternative is offered to the data subject.

The case concerned the way an Austrian newspaper managed cookie-based consent for access to its services. The user was given the choice either to access the service without paying in legal tender, in exchange for consenting to cookies, or to access the site with no advertising cookies by paying a subscription fee.

While hailed as “good news” for online marketing, this decision is actually a cause for concern.
