Privacy, Surveillance, Crypto Wars, 2FA, Data, Automation, Trust, Validation, Anomalies, Misinformation

posted Mar 19, 2016, 12:40 AM by Sami Lehtinen   [ updated Mar 19, 2016, 12:49 AM ]
  • All these privacy questions are really interesting in Europe. Privacy, Terrorism, Anonymous, Internet, Rights, Legalization, etc. Will Europe allow mass surveillance in the name of terrorism prevention or what will happen? It remains to be seen. Some logs are highly sensitive and must be destroyed, but must be kept for a minimum time of x, and so on. There's huge pressure from both sides. There will be only a more or less interesting compromise between these boundaries. The same applies to the idea that encryption must be banned but all sensitive encryption must be adequately protected, which means that it has to be encrypted by law.
  • Hacking 2FA "Verification Code Forwarding Attack" - Well well, no news. If social engineering is included in hacking, then everything is trivial. People are just so easy to trick. No news at all. Actually friends have used this technique for quite a long time to collect 'free' stuff which is linked to your phone number so you'll get only one free deal / number. All you need to do is use other numbers and ask them to forward the code. Surprisingly many people do it. Doing all that with a scripted bot is also trivial.
  • World's biggest (distributed) robot by Bruce Schneier - Yep. That's happening. Just wondering how fun it will be when it gets hacked. Did you think hacking movies are bad? That's nothing. Kw: World-Sized Web WSW. Will the SkyNET be here eventually?
  • Actually this was a really fun primer to the things I just thought today. Because one "entity" told me that the problem is that their system isn't showing "enough". I thought darn, that's easy to fix. I can generate data and produce whatever kind of content you want. Yep, it won't reflect reality, but it'll be a great fantasy for you. This led to the idea that what if they complain about such a thing and I think as engineers think. They'll invent some way to fix the issue, however crazy or unethical it might seem to be. It's pure logic. So if the customer says that revenue isn't enough, I'll just make a system which grows their revenue. Yep, it won't fix their bank account, but it will make the top management system show more revenue. The next question was: does the management really know what's happening? Most probably they do not, because they monitor the business via systems which get fed with data from somewhere, and it could mislead them. So their actions could be based on completely fake data and expectations? Let's say (just as a random example of a large chain with a huge number of stores and staff) that I would run the Target chain BI / CRM / ERP / Analytics. What if I just reset parameters and let the high profit items run out and stuff stock with items that won't sell and overprice items and so on. Basically unoptimize the system optimally. How long would it take before the people in the loop figure out that their system is giving them misinformation leading to mismanagement on purpose? Of course competent people should almost immediately catch that. But would it happen, and especially how long would it take before they figure it out? In the air crash series it has been seen over and over again. When something bad happens, people are like, I don't know. WTF. Let's put the automation on and let's hope that something good happens. What if the automation is the actual problem?
It would be really interesting to see in this kind of experiment when people realize that darn, this can't be right, we need to get this done manually and fix it. The automation is tricking and mismanaging us, indirectly affecting the real world space (meatspace). I just think that it would take surprisingly long to figure out. I could imagine that the staff in stores would be like, uh? This item X is out of stock, everyone's asking for it and we've got loads of item Y which nobody wants to buy. But when would that data actually hit the management so they would acknowledge it? If they have been trusting their systems so far, and it has served them well, I'm pretty sure it would take a while, even if it's very obvious that it's not doing what it should be doing. Also it's been proven over and over again that it takes a long time for people to figure out these kinds of situations. If the temperature meter shows you 50C but the metal is glowing red, would you believe it? What if this is an advanced industrial attack, and the control room is showing 100% falsified information fed to them by the central control system? Yep, nothing new. Just very worrying thoughts. People learn to trust the automation, and that's very dangerous when it's being used out of scope. That's why there are the people whose job it is to manage the system when automation fails. Probably many drivers like their car's ABS and TCS and other systems. As well as if the cars are self-driving, they might drive the car themselves, but assume that the computer prevents them from killing anyone or crashing the car. Who's in control really? Most probably in a bad situation people would just press a button, turn on full automation, because I don't know what I'm doing. I'm hoping that the computer is smarter than me and manages to save this situation in some way. Many people seem to prefer the I don't know, I don't care attitude. It also means that they don't know what they're doing and wouldn't spot nor figure out anomalies like that.
I've seen many businesses which do not even bother to track money, so if they don't care about money enough to follow and monitor it, what do they care about then? This "I don't know, and I don't care" is also an extremely common reason for severe security and privacy issues. I guess someone will deal with the issue X later. I did see it's going wrong, but well, it's not my job really, or at least I would prefer to think so. But now I'll be going home and sleep well.
  • Also Smart Traffic and distributed automated traffic controls might be interestingly vulnerable to targeted attacks. We've seen some concepts of this in some TV series where they use mobile data to track people, trigger 'events' and modify navigation routes so that they'll get people where they've set 'welcoming' etc.
  • Previous topic is also very common in data analytics. Does anyone bother to check the data quality and anomalies? Or are those caught 'yearly' or some other ridiculously sparse interval and only when data is drastically wrong. I've seen many examples of this. As well as drastically bad data passing as good data for the people responsible for it.