Monday, April 25, 2016

Big Brother in the Brave Real World

Roughly a year ago I decided it was time to start reading two classics of science fiction literature. One of them was Brave New World by Aldous Huxley (1932) and, you probably guessed it, the other one is 1984 by George Orwell (1949). As I read through the books I was fascinated by the ability of both writers to envision a future that is, in a creepy way, comparable to our present world.

They are both stories of course, and I personally do not envision such an eerie and desolate dystopian future as laid out in the books. I do see patterns of similarity, but different ones than what we see in the mainstream (information security) media. At least, that is what I think. In this post I will share my point of view on these two stories and how they relate to the real world. And since it is almost May the 5th, Liberation Day in The Netherlands, it is a nice moment to publish this post.

As this is not really a book review, I will not tell you about the story itself, but rather about the context in which the story exists. In both books, the real main character is the world and society itself, rather than the people in the story.


Oppression by the government


Both stories are about a government oppressing people, but in fundamentally different ways. The story by Huxley is about a government called the World State that 'accepts' exceptions, but you can hardly participate in society when you are an exception. There are even reservations in which people can live differently, although very poorly and without proper healthcare. Both government and citizens are rather dismissive of people who do not follow the normal (predetermined) steps of their society and deviate from the normal course of... well, just being. Everyone is literally grown and raised into specific roles in society and, thanks to a drug called Soma, everyone is kept chemically happy.

The story by Orwell is about a government that does not tolerate any deviation that threatens the existence of the so-called Party; not even in the slightest way. Everyone is being monitored by the so-called Big Brother, and out of fear people often betray each other. No action, no feeling and no thought is allowed, because when you do, you become a liability. There is even a new language in the works called Newspeak, which is stripped of any emotion and sensitivity. In this world, most people are miserable and the general population is poor and underfed.

No parenthood versus no intimacy


In the society of Brave New World parenthood is strange to people, and having a baby by giving birth is nasty, gross, and downright silly. Instead, babies are grown in baby-factories where they are conditioned towards their predestined roles in society. During the initial phases of growth some embryos are deliberately deprived of oxygen or given alcohol. The reason for this is that not everyone can be smart and the same. People also still need to work so as not to cause trouble out of boredom, so babies are grown into a certain class for certain purposes.

In the world of 1984 parenthood exists, but children are conceived and born in the most mundane situation imaginable. Children and adults alike are confronted with daily propaganda distributed by so-called telescreens that can be found anywhere in society, even within one's home. It is not uncommon for children to betray their parents for behaviour that is disallowed by the Party. So keeping your head down, even towards your children, is a matter of survival.

Thought Police versus Citizens


As I mentioned earlier, in the story by Huxley it is not even the World State itself that monitors people, but the citizens themselves, due to rather intensive social control. When you deviate from your path too much and too often, people will eventually report you. Not out of fear, but out of a true belief that the World State knows best. Therefore there is no Thought Police like in 1984. Of course there is a police force, but it plays a different role than in 1984.

The situation in Orwell's story is different. Citizens also report each other, but more out of fear of getting 'caught' themselves than out of true belief in the Party. Whereas an exceptional deviation is allowed in the world of the World State, no exception is allowed in the world of the Party. But because people cannot be trusted, the Party also instituted a Thought Police. This police force has the 'honourable' duty of looking for dissidents and getting them out of the public eye asap.

Sexual liberty versus Banished sexuality


The World State encourages sexual liberty in every way imaginable. If people want to make love with each other, they just do it. Whether it is between two people, four, or entire groups, anything is allowed and anything is acceptable. Homosexuals are no outcasts and people are free to do anything they like, as long as it is consensual.

The Party thinks entirely differently on this topic. Intercourse is only meant for procreation and surely not for pleasure (on pain of death). And rest assured, a telescreen is monitoring the activities. Homosexuality is strictly forbidden, as is any other form of sexual activity, including love itself, between people.

1984 versus the real world


The story of 1984 is about oppression, surveillance, persecution, sexual oppression and fear. People are not allowed to enjoy anything in any way, and the general population is poor and mostly underfed. When you draw the parallel to the real world, can you recognise this in the Western world? Are Western nations generally poor and relatively unhappy? Is sexual oppression of non-heterosexuals still the norm? And is the government actively oppressing its citizens?

When you look at the analogy with the real world, states in Eurasia in some respects resemble the world described by George Orwell more closely. Often not as extreme as 1984, but the general picture is rather the same. I personally cannot recognise the Western world in Orwell's view, apart from surveillance by the government. And even that is relative, as it is more surveillance by corporations. It is also more a Some Brother type of thing than a full-blown Big Brother type of thing. Besides that, I still like to believe that for the most part intelligence agencies are really trying to improve the security of the general public, in contrast to the Thought Police, which does its job mainly to protect the Party.

Brave new world versus the real world


When you look at the story of Huxley, though, I find it more similar to Western societies. The focus is on being happy (without drugs, for now), sexual freedom that fits the individual person, doing and saying whatever anyone wants to do or say, and not to mention the desire to predetermine the characteristics of a foetus (like the prevention of Down syndrome). The belief in this system is so strong that it is often considered imperialistic by other (mostly non-Western) nations. There are also many groups within society that propagate democracy, (almost) unlimited freedom for everyone, freedom of speech and a common striving for general happiness. Anything is, or should be, allowed for you to feel happy, no matter the cost.

In the Western world there are citizens who defend such beliefs in ways that may almost be considered fundamentalist, just as the citizens do under the rule of the World State. You can count on a strong backlash whenever you hold an opinion that is not aligned with that of the general mass or consensus. If you think that homosexuals are not okay, or that they should at least be unable to marry, then you are in for a treat. And do not even start by saying that abortion is murder. And when you think freedom of speech should not always apply, then you are considered an extremist of the right (or left) wing of politics, or perhaps even an aspiring terrorist.

Of course many more variations of opinion are allowed in the real world, far more than in Brave New World, and yes, I am purposely overstating the previous paragraph. But somehow and somewhere there is a fine line between taking part in society and being treated as an outcast just for thinking differently. This behaviour is what I believe resembles that of the citizens in Brave New World.

And I explicitly state that the paragraphs above are not necessarily my opinions or beliefs; those are not relevant in this post. They are merely the patterns that I see around me, whether on the news or in my daily life.

Recap


Whenever we compare the Western world (where I live) to 1984, I think we somehow miss the point that Orwell was making in his book. He states that a totalitarian government is about keeping power instead of making its citizens prosper. Whenever I look around I see way too many idealists in our midst who devote their lives to bettering the lives of others. I see governments that really try to improve the lives of people here and abroad, although it may sometimes, or often, be ill-executed. And I also see people fighting for the rights of others and people fighting to prevent or correct a (semi-)corrupt government. Do we have issues like mass surveillance that we need to address? Yes, we do! And do we have issues concerning non-conventional thinkers and believers? Yes, we do.

I feel that the Western world is more like Brave New World than it is like 1984. Let us prevent the movement to create outcasts of non-conventional thinkers, and let us continue the debate on what real freedom and freedom of speech are. I believe it is imperative to let everyone's voice be heard, in order to prevent people from becoming outcasts, and outcasts from becoming radicals. And remember, diversity is what created our beautiful freedom in the first place.

Freedom of speech is not about me having the right to write this blog. It is the right I give to you to wholeheartedly disagree with what I wrote. Whatever you think or feel, if you want to share it, you can use the comment section below. I will not treat you as an outcast for thinking differently.

Books


1984

  • Author: George Orwell
  • First released: 1949
  • Pages: 336
  • ISBN: 978-0-451-52493-5
  • Link: www.penguin.com

Brave New World

  • Genre: Thriller, Science Fiction
  • Author: Aldous Huxley
  • First released: 1932
  • Pages: 229
  • ISBN: 978-0-099-47746-4
  • Link: www.vintage-books.co.uk

Wednesday, April 20, 2016

Need Security Awareness? You're doomed!

Let me start with a blunt message: "If you need user awareness to be secure, then you are doomed in the first place!" Let me elaborate on that. Often you see, read and hear about how crucial security awareness among people is to being secure. But recently I had a thought that I want to share with you. My thought was that if we need awareness in order to let security work, then the security controls are not organic enough to function properly. And very likely, they are also not ubiquitous.


Image source: F.U.D. - Fear, Uncertainty and Doubt (funny blog!)

A couple of days later I read this post on the Google Security Blog: Android Security 2015 Annual Report (the full report can be found here). Among many things, one got my attention specifically, and that was the fact about the use of fingerprints.
Starting with version 6.0, Android supports fingerprint scanners. This allows applications to use biometrics for authentication, reducing the number of times a user needs to enter their password or unlock pattern, thus decreasing friction around lockscreen use. Lockscreen use is higher on devices with a fingerprint scanner. For example, 55.8% of Nexus 5 and 6 devices (which have no fingerprint scanner) have a lockscreen, compared to 91.5% on fingerprint-enabled Nexus 5X and 6P devices. We are seeing an increase in lockscreen usage for other Android devices that provide fingerprint scanner support.
Somehow, when there is an improvement in how the security works, its use increases. And this supported my thoughts on this matter. Because a fingerprint is easier to use and, for the unlock case, relatively speaking about as safe as a PIN (on Android the fingerprint sits on top of the PIN or pattern, which is still required after a reboot), devices are more often secured against unauthorized access.

Let's look at an analogy with the physical world. There are many threats in the physical world. There is the threat of terrorism, but also of unfriendly states invading your own country. If you gave the same advice in the physical world as in the cyber world, the following would happen.

You would advise people to install metal detectors at home, anti-aircraft machinery, a couple of drones to strike down enemy combatants, and of course a radar to check for incoming aircraft. Besides the fact that this is expensive stuff, you do not want to give such responsibilities to civilians. This is because the threat, the impact of such a threat, and its countermeasures are too big to handle on an individual basis.

When the threat is small, though, security measures make sense. Think of a lock on your door and an alarm for burglary, smoke and fire detection. But the reason these systems work is that they are frictionless. There is no friction in the use of such security features and therefore they are used. Everyone is on auto-pilot locking and unlocking their home. And one does not even have to think about the alarm; it just works and at 'worst' a PIN needs to be remembered to disable the alarm.

Back to the cyber world. When you tell your employees that it is also their responsibility to prevent state actors, or actors with such capabilities, from penetrating the defences through phishing, malware, hacking and more, you will definitely lose your audience. And rightfully so. The threat, or the impact of such a threat, is too big to be managed on an individual scale. The countermeasures we give them are hardly effective, because most often people do not really understand the gravity of these cyber-attacks.

Are you still saying "Do not click on that link in that e-mail!"? You thought yes? Seriously? I find it harder and harder to recognise phishing mail myself (if I see one, to be frank). While every service provider can become far more spam-resilient by using techniques such as Sender Policy Framework (SPF), DMARC (which builds on SPF and DKIM), reverse DNS checks, DNS-based blacklists and Spam URI Real-time Block Lists (SURBL), and by using TLS so that mail in transit cannot be read or tampered with, we ask users not to click on links... These controls cut down spam (and phishing) e-mail significantly and also improve security (and privacy).

And the bright side of it all is that the user of the system has to do absolutely nothing to benefit from it. Why do I not receive spam and phishing on my personal e-mail account, while I read about organizations constantly struggling with them? Is it that people are more aware of phishing on their personal accounts, or is it because a billion-dollar company just configured it better? And phishing is most often step number one for Evil Jimmy to hack into the corporate network, so it might be smart to better protect your mail servers instead of telling people not to click on links.
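To make concrete what "the mail server does it for the user" means, here is an added example (not from the original post) of the two sender-authentication checks named above, SPF and DMARC, evaluated against constructed DNS records. The domains, IP ranges and TXT records are hypothetical and live in an in-memory table instead of a resolver, so the code runs offline; the a/mx/ptr/exists SPF mechanisms and the DKIM half of DMARC are deliberately not modelled.

```python
"""Sender authentication that the mail server does for the user: SPF and DMARC.

Added example, not from the original post. DNS is replaced by a constructed
in-memory table so it runs offline; a/mx/ptr/exists mechanisms and DKIM are
not modelled."""
import ipaddress

# Constructed TXT records for hypothetical domains (not real DNS data).
FAKE_DNS_TXT = {
    "example.test": [
        "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:mail.example.test -all"
    ],
    "mail.example.test": ["v=spf1 ip4:198.51.100.10 ~all"],
    "_dmarc.example.test": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.test; pct=100"
    ],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name, dns=FAKE_DNS_TXT):
    """Stand-in for a DNS TXT query (hypothetical table instead of a resolver)."""
    return dns.get(name.lower(), [])


def check_spf(sender_ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate the domain's SPF record against the connecting IP.

    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    if depth > 10:            # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    records = [r for r in lookup_txt(domain, dns) if r.lower().startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:      # more than one SPF record is a permanent error
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                # a v4 address never matches a v6 network and vice versa
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mech == "include":
            sub = check_spf(sender_ip, arg, dns, depth + 1)
            if sub == "permerror":
                return "permerror"
            matched = sub == "pass"   # include only matches on a pass
        else:
            return "permerror"        # a/mx/ptr/exists need live DNS; not modelled
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                  # no mechanism matched and no 'all' present


def parse_dmarc(domain, dns=FAKE_DNS_TXT):
    """Return the DMARC tags of _dmarc.<domain> as a dict, or None if absent."""
    records = [r for r in lookup_txt("_dmarc." + domain, dns)
               if r.lower().startswith("v=dmarc1")]
    if len(records) != 1:
        return None
    tags = {}
    for part in records[0].split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_disposition(sender_ip, mail_from_domain, header_from_domain, dns=FAKE_DNS_TXT):
    """Decide accept/quarantine/reject from SPF plus the From-domain's DMARC policy.

    Only strict SPF alignment is checked; DKIM is not modelled, so a message
    that would pass DMARC via DKIM alone is treated as failing here."""
    policy = parse_dmarc(header_from_domain, dns)
    if policy is None:
        return "accept"               # nothing published, nothing to enforce
    spf = check_spf(sender_ip, mail_from_domain, dns)
    aligned = mail_from_domain.lower() == header_from_domain.lower()
    if spf == "pass" and aligned:
        return "accept"
    return {"reject": "reject", "quarantine": "quarantine"}.get(
        policy.get("p", "none").lower(), "accept")
```

The point of the example is the last function: a forged message from 203.0.113.7 claiming to be from example.test is rejected because example.test published p=reject, and the recipient never sees the link. A domain that publishes no DMARC record gets "accept" regardless of the SPF result, which is why the record on the sending side matters as much as the filter on the receiving side.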

If we can make our systems smarter and more secure by really implementing security features, and if we can prevent users (or processes within user space) from disabling such features, we dramatically improve overall security. Just tell users never, ever to share their password, and let them easily travel and roam over the network. And whenever they need higher security clearance for more sensitive data, incorporate 2-factor authentication instead of yet another account. And that should be the end of the security awareness session. It can be done in 5 minutes.

Do not get me wrong, there is also a thing called privacy. And privacy awareness is a whole different ball game compared to security awareness. Privacy awareness is far more important, and far more easily trained, than security awareness, because the issues and solutions on that front are close to the actual users themselves. They can recognise them, and they can truly make a difference there. It is about not leaving printed documents on your desk; it is about not sharing credentials and sensitive data by any means. People can relate to that, because no one wants their medical files on public display. Users can have a tremendous positive impact on these topics. Just don't bother them with (semi-)technical stuff that a well-functioning IT department should do for them instead.

When all systems are well configured, hardened and compartmentalized, there is far less threat from the user from a security perspective, and we need to train them far less than we do now. Think about that for a brief moment before asking a user to remember Yet-Another-Weak-Security-Control.

Feel free to comment below, I would for sure appreciate it!

Sunday, April 3, 2016

Peeling the onion of data-leakage

I recently tweeted a formula about data leakage. In this post I will further explain what it means. The formula was a thought experiment by my friend and fellow security professional Rick Veenstra and myself.


In this thought experiment we wanted to explain what the concept of a data leak is, what components it consists of, and how we can use that knowledge to hopefully prevent leaks. We started with the basics and moved down the ladder from there.

Data-leakage = actor + vulnerability


At the highest level, a data leak can only emerge when a certain actor exploits a certain vulnerability. Multiple vulnerabilities are probably needed in order to succeed, but at least one has to be exploited. The actor in this case can range from the black-hat hacker to the cyber-criminal to the disgruntled employee of your organization.

Vulnerability = asset + access platform


But when you look at the vulnerability you will notice that it consists of multiple components. These are the assets, which are often called the crown jewels of the organization, and the platform that can access them. This platform can be the Internet (likely the first stage), but also an internal platform that is being exploited.

Asset = unencrypted data | credentials | other access platform


In this case the asset is either the actual data itself, the credentials needed to access the data, or another platform that enables access and thus moves the actor closer to the target data. The data needs to be unencrypted to have value for the one stealing it; therefore we explicitly mention that it needs to be unencrypted. Credentials are the usernames and passwords from within the organization. And the other access platform can function as a stepping stone to another system.

Access platform = resources + privileges


The resources in this case are anything that can be a landing zone for the intruder. This can be the operating system of a server, an employee's workstation, an application or an active network component. Obviously many more examples are thinkable here. Privileges are needed to actually access and use the aforementioned resource.

The formula


The summary of this thought-experiment is as follows.

Data-leakage = actor + vulnerability

Data-leakage = actor + ((unencrypted data | credentials | access platform) + (resources + privileges))

A data leak consists of an actor in combination with access to unencrypted data, access to the credentials for that data, or access to a platform that has access to it. To actually utilize the resources to get to the data, privileges are needed in combination with the access platform. From there, when everything is in place, an unauthorized person just might succeed in his or her mission.

And what's next?


When performing a risk analysis on this topic you need to factor all the variables mentioned above into the equation. You need to, as far as possible, give some level of attention to the actor. You might want to consider encrypting important data and keeping credentials secure in password managers. Privileges should follow the least-privilege principle, and resources should be hardened and isolated in zones within your IT infrastructure.

Obviously it is easier said than done due to complexity and budgets. But it might help bringing focus to what is important and help deciding which security issue needs to be addressed first.

If you have any comments, feel free to post them. Thank you for reading this post!

Friday, March 25, 2016

HTTPS everywhere but this blog (yet)


Google is busy, as stated at Google I/O 2014, updating all its web services to support https connections instead of http. Connections over https are likely more secure than http. I say likely, because using https and using https well can differ like Earth and Mars. But Google will likely implement it thoroughly tested.


The reason I post this (small) blog is that Google updated its Blogger service a while ago. On September the 30th of 2015, Google announced in a blog post that it had implemented support for https. There is one caveat though: it only supports default domains, such as teusink.blogspot.com. When you have a custom domain enabled, like www.teusink.eu, https support is not yet implemented.

As a security professional I was, and still am, a bit disappointed to say the least. I would even be willing to pay a small fee for https support. Google has promised to bring https support at some point in the future, though.

But that did not keep me from changing something in this blog of mine. I have checked the template, and every post and every page, for any reference to any resource and any URL I linked to, and changed it to https wherever possible. I can say that all resources (like images, scripts and such) have been changed to https. Some web links I reference could not be changed, but that has nothing to do with the technical security of this blog: a plain-http link that the reader has to click is not loaded by the page and so causes no mixed-content warning, unlike a script or image.

So when support finally comes I can flip the switch easily and the blog would (or should...) work without any security errors. In the meantime, all scripts are executed from trusted sources, so my blog is a bit safer now than it was before.
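The template check described in this post can be done mechanically. What follows is an added example, not the author's own tooling: a standard-library Python scanner that lists plain-http sub-resources (scripts, stylesheets, images, CSS url() references), which become mixed content once the page is served over https, separately from plain-http navigational links, which do not, and then rewrites only the former. The HTML fragment and the cdn.example / other.example hosts are constructed for the demonstration; before running such a rewrite on a real template, confirm that each host actually serves the same content over https.

```python
"""Mixed-content check for a blog template before switching to https.

Added example, not the author's own tooling. Uses only the standard library and
runs on constructed HTML; a real run would feed it the exported template."""
import re
from html.parser import HTMLParser

# Attributes that make the browser load a sub-resource. Under https these
# plain-http references are the ones that cause mixed-content errors.
RESOURCE_ATTRS = {
    "script": ("src",), "img": ("src",), "link": ("href",), "iframe": ("src",),
    "source": ("src",), "video": ("src", "poster"), "audio": ("src",),
    "embed": ("src",), "object": ("data",),
}
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)['\"]?\s*\)", re.I)


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.resources = []   # (tag, attribute, url) loaded over plain http
        self.links = []       # <a href> targets over plain http: clickable, not loaded
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "style":
            self._in_style = True
        for name in RESOURCE_ATTRS.get(tag, ()):
            url = attrs.get(name, "")
            if url.lower().startswith("http://"):
                self.resources.append((tag, name, url))
        if tag == "a" and attrs.get("href", "").lower().startswith("http://"):
            self.links.append(attrs["href"])
        for url in CSS_URL.findall(attrs.get("style", "")):   # inline style="..."
            self.resources.append((tag, "url()", url))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:                                     # <style> blocks
            for url in CSS_URL.findall(data):
                self.resources.append(("style", "url()", url))


def scan(html):
    """Return (resources, links): what must change vs. what may stay http."""
    parser = MixedContentScanner()
    parser.feed(html)
    parser.close()
    return parser.resources, parser.links


def upgrade_resources(html):
    """Rewrite sub-resource URLs to https; leave navigational links untouched.

    Assumes the hosts serve the same content over https (check that first)."""
    resources, _ = scan(html)
    for _tag, attr, url in resources:
        https = "https://" + url[len("http://"):]
        if attr == "url()":
            html = re.sub(r"url\((\s*['\"]?)" + re.escape(url),
                          lambda m: "url(" + m.group(1) + https, html)
        else:
            html = re.sub(r"(\b" + re.escape(attr) + r"\s*=\s*[\"']?)" + re.escape(url),
                          lambda m: m.group(1) + https, html)
    return html


# Constructed template fragment for demonstration.
SAMPLE_TEMPLATE = """<html><head>
<link rel="stylesheet" href="http://cdn.example/style.css">
<script src="http://cdn.example/app.js"></script>
<style>body { background: url(http://cdn.example/bg.png); }</style>
</head><body>
<img src="https://cdn.example/ok.png">
<img src="http://cdn.example/old.png">
<a href="http://other.example/post">a link I could not change</a>
</body></html>"""

if __name__ == "__main__":
    found, links = scan(SAMPLE_TEMPLATE)
    for item in found:
        print("mixed content:", item)
    print("plain-http links left alone:", links)
    print(upgrade_resources(SAMPLE_TEMPLATE))
```

On the sample, the scan reports the stylesheet, the script, the CSS background and the second image as mixed content and lists the <a href> separately; after the rewrite a second scan finds no plain-http resources while the link is left as it was, which is exactly the state the post describes.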

Monday, December 14, 2015

From the rain into the drip with leaking data (translated from Dutch)

Every organisation that processes personal data does so, if all is well, under a roof. That roof offers protection against nasty things like wind and weather and makes sure that everything valuable under it does not get wet and therefore damaged.

But what if the roof leaks? What if your data leaks? This is no longer only a concern for large companies with big data centres, but also for small businesses and sole traders with a NAS or a server at home or at the office.

And if your data leaks, you may well have to report it. No matter how large or small the company is and how much or how little data is involved. In this blog post I want to take a look at this new legislation, called the 'Meldplicht Datalekken' (duty to report data breaches) (5).

Who does this legislation apply to?


In the past, similar legislation already applied to telecommunication companies. The new legislation covers all companies. This means that sole traders such as lawyers, notaries, therapists and estate agents will also have to deal with this law. But sole traders and small businesses such as glaziers, plumbers, contractors and every other example you can think of are not excluded either. The only condition is that your company processes personal data.

Because once you process personal data, you fall under the so-called Wet bescherming persoonsgegevens (the Dutch Personal Data Protection Act) (4).

What is the Wet bescherming persoonsgegevens?


This is a law that sets the framework for protecting personal data. The law is too extensive to summarise in this post, so I refer you to the link at the bottom of this blog. In short, whoever holds the personal data is actually responsible (as in liable) for its processing and for the security that requires. Outsourcing this to another company does not diminish that liability. In addition, you must make sure that only your own company can actually process the data, or that a so-called bewerkersovereenkomst (data processing agreement) is in place when processing is outsourced.

In practice, for Dutch companies this usually means (note: there are exceptions) that personal data may only be processed by your own company, or that processing is outsourced, under a data processing agreement, to a company established in the European Union.

And what does the Wet meldplicht datalekken add?


This law adds that when the processing of personal data has been disrupted to such a degree that the Wet bescherming persoonsgegevens can reasonably no longer be complied with, this must be reported to the Autoriteit Persoonsgegevens (formerly the College bescherming persoonsgegevens).

The legislation also sets a framework and guidelines for the actual reporting of a data breach. As a rule, a data breach must be reported within 72 hours of discovery. When the duty to report is not met, or when (gross) negligence led to the breach, the Autoriteit Persoonsgegevens can impose a maximum fine of € 820,000 (fine level as of 01-01-2016).

Talk about going from the rain into the drip... A fine can have major consequences for the profitability and reputation of your company!

What is personal data, actually?


According to the text of the law, personal data is defined as: "any information relating to an identified or identifiable natural person" (3). Think of name, gender, BSN (citizen service number), religious beliefs, address, telephone number, financial data, medical data, and so on. All data about individuals. But also the accounts and passwords of your customers that are stored in your systems. And ask yourself: does not every company process these types of data?

As far as I am concerned, that is also the most important reason why web shops should not require account registration, but that is a discussion for another blog.

The government recognises three different kinds of personal data (2). These are as follows.
  1. Direct personal data: some personal data gives direct and factual information about a person. For example someone's date of birth, address or gender.
  2. Indirect personal data: there is also data that indirectly says something about a specific person. For example about that person's social status.
  3. Special personal data: special personal data includes, among other things, data about someone's race, religion or beliefs, political views, health, criminal record, sex life, or trade union membership. Criminal-law personal data is also special data. Note that very strict conditions apply before companies may process special personal data.
There is actually also a fourth category about which the Wet meldplicht datalekken (indirectly) says something. That is the so-called category of 'sensitive data'. Special personal data falls under this category by default. But direct and indirect personal data can fall under it too. When an unauthorised person gets hold of all names and addresses of children under the supervision of Bureau Jeugdzorg (the youth care agency), that direct personal data has suddenly become sensitive data. In this case it concerns a vulnerable group in society.


OK, I process personal data, now what?


Then my first advice is to really read the Beleidsregels meldplicht datalekken (policy rules on the duty to report data breaches) (1), issued by the Autoriteit Persoonsgegevens, right away. This free document sets out in an accessible way how the law should be interpreted. Below I list some important points that I find striking and that may also have a large(r) impact.
  • A data breach can involve a set of personal data of a group, but also of one specific individual.
  • No longer being able to recover personal data after, for example, a fire (because the backup was destroyed too) is also a data breach.
  • A malware infection on a system must always be reported and is always considered a (potential) data breach.
  • A lost laptop or USB stick containing personal data is, as a rule, also a data breach.
  • A burglary in which the NAS is stolen is a data breach. This also applies to your physical files.
  • A hacker who breaks into the Wi-Fi network and in that way gets hold of the personal data.
  • An e-mail message containing personal data that the company sends to the wrong recipient.
My second advice is to really realise that this also affects your company and that you need to be prepared for this. After all, you process sensitive data of your customers and employees, and that creates a responsibility to protect it. Misuse of this data can cause great harm (material and immaterial) to the people affected.

I am a small company and I do not have the resources of a large company, can I do anything?


Yes, absolutely, something can be done. First of all, I would hire a competent IT company to screen your IT environment (I deliberately do not call this an audit, because at this scale that defeats its purpose). The following set of controls can then be checked.
  • Is every computer logged into with a username and password?
  • Are the hard disks of all computers encrypted?
  • Is the communication between the computer and the NAS (or server) encrypted?
  • Is a virus scanner active on the computers and on the NAS?
  • Are (security) updates installed automatically on all devices?
  • Is the firewall enabled on the router and on all computers?
  • Is a username and password required to reach the data on the NAS?
  • Are all usernames and passwords stored in a so-called password manager?
  • Is a backup made daily?
  • Is this backup also stored at another location at sufficient geographic distance?
  • Are all computers, hard disks and multifunction printers disposed of through specialised companies?
  • Is the Wi-Fi network secured with at least WPA2-Personal, and is support for the 802.11b protocol disabled?
  • Have all default passwords of all administrator accounts been changed?
  • Has the default Wi-Fi network password been changed?
  • Is e-mail retrieved over an encrypted connection?
  • When customers log in on a website, is that connection encrypted?
  • And are the customers' passwords stored as a hash (a salted, slow password hash such as bcrypt, scrypt or PBKDF2, not a plain MD5 or SHA-1 digest)?
There are of course many more, and also much more detailed, questions to ask. The point is that all data, and access to it, is shielded by a username and password. In addition, a virus scanner and a firewall are active where possible, all communication between devices is encrypted as much as possible, and security updates are installed automatically everywhere.
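The last item on the checklist, whether customer passwords are stored as a hash, is the one a screening most often gets wrong, because an unsalted SHA-1 digest also counts as "a hash". The following is an added example, not from the original post: the weak form next to a salted, iterated PBKDF2-HMAC-SHA256 hash from the Python standard library, a verify routine that compares in constant time, and a small audit over a constructed credential store (the usernames and passwords are made up; the iteration count is kept modest so the example runs quickly and should be tuned upwards in production).

```python
"""Checking the 'are customer passwords stored as a hash?' item properly.

Added example, not part of the original post. Shows the unsalted fast digest
that often passes for 'hashed' next to a salted, iterated password hash
(PBKDF2-HMAC-SHA256 from the standard library), and a small audit over a
constructed credential store."""
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000   # kept modest so the example runs quickly; tune upwards in production
ALGO = "pbkdf2_sha256"


def weak_hash(password):
    """What 'stored as a hash' too often means: unsalted and fast, so equal
    passwords give equal digests and precomputed tables apply."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted, iterated hash in a self-describing form: algo$iterations$salt$hash."""
    if salt is None:
        salt = os.urandom(16)             # per-password random salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGO, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    try:
        algo, iterations, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False                      # not in our format (e.g. a bare SHA-1)
    if algo != ALGO or not iterations.isdigit():
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def audit_store(store, min_iterations=ITERATIONS):
    """Return usernames whose stored credential is not a salted, iterated hash
    with at least min_iterations (the check a screening should perform)."""
    flagged = []
    for user, stored in store.items():
        parts = stored.split("$")
        if (len(parts) != 4 or parts[0] != ALGO
                or not parts[1].isdigit() or int(parts[1]) < min_iterations):
            flagged.append(user)
    return flagged


# Constructed credential store: one legacy SHA-1 entry, one proper entry.
SAMPLE_STORE = {
    "alice": weak_hash("password"),          # legacy: same digest for every 'password'
    "bob": hash_password("correct horse battery staple"),
}

if __name__ == "__main__":
    print("accounts to migrate:", audit_store(SAMPLE_STORE))
```

Two things the example makes visible: hashing the same password twice with hash_password gives two different stored values (the salt differs), whereas weak_hash gives the same digest every time, which is what makes a leaked table of such digests so cheap to reverse; and the audit flags the legacy entry so that it can be re-hashed at the user's next successful login.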

Closing words


With this set of measures a small office can already set up a better secured IT environment and thereby make sure that the personal data it processes is processed securely enough. This also reduces the chance that you become the victim of a data breach and have to report it to the Autoriteit Persoonsgegevens.

My advice, however, is to let a competent IT company do the screening, unless you are really sufficiently familiar with this subject. If you have questions, you can of course ask them below in the comments!

Links

  1. Beleidsregels meldplicht datalekken (policy rules on the duty to report data breaches): https://cbpweb.nl/nl/nieuws/cbp-publiceert-beleidsregels-meldplicht-datalekken
  2. Rijksoverheid, personal data: https://www.rijksoverheid.nl/onderwerpen/persoonsgegevens
  3. Definition of personal data: https://cbpweb.nl/nl/over-privacy/wetten/wbp-naslag/hoofdstuk-1-algemene-bepalingen-art-1-tm-5/artikel-1-sub-wbp
  4. Wet bescherming persoonsgegevens: http://wetten.overheid.nl/BWBR0011468/
  5. Wet meldplicht datalekken: http://wetten.overheid.nl/BWBR0036695/

Thursday, October 8, 2015

The Security Pyramid Model

I have worked in the field of IT security for roughly two years now, and before that I worked two years as an IT Continuity Officer. Thankfully, I can say that I have learned a lot. The most important thing I have probably learned is that it is nowhere near possible to know everything. The key is to be able to create an overview of the entire situation in which you operate and, where needed, to learn the skills required for that specific task. Truth be told, that is much easier said than done.

As an IT Security Officer, do I need to focus on Identity Management, Network Security, Data Security, Security Architecture or any other topic? I would say that you probably need to comprehend all of these fields (and more), but also choose your own specialization. To fill the gaps in your knowledge and experience you will need to rely on co-workers and other sources to perform your job.

Last year I passed the CISSP exam and received the title in November 2014. The training course did not literally extend my knowledge on very specific topics (apart from forensics, I have to say), but it helped me to see the bigger picture in IT security. There is much debate on whether certifications like CISSP are sensible, but for me it did add value to my work as an IT security professional.

In this blog post I am going to share the foundations of my experience and knowledge from the last couple of years in a model. In this model I have set out the most important topics, and I am convinced that these concepts can help you in your profession, especially when you are new to this very interesting field of work. I call this model the Security Pyramid Model. First I'll show you the model and describe the basics, then the ethics and the rules for success in information security.

As I hold the CISSP, took the Ethical Hacking training, and follow sources like ISACA, SANS and many more, you may find the model below influenced by their theories, frameworks and concepts.

The Security Pyramid Model

[Image: The Security Pyramid Model]

The triangles


I find that many topics come in threes. Just think about concepts like people, process and technology; strategic, tactical and operational; and of course the well-known confidentiality, integrity and availability. What I did was look at what I saw as the dominant 'mantras' within information security. Then I formulated three words for each concept and placed them in the pyramid.

It is a gray area obviously, but in a way I modeled the pyramids in a hierarchic manner. In the end, privacy needs to be protected by security. Whether it is your very own privacy or the company's secrets, it needs to be secure. So that is at the very top, the ultimate goal. But in order to get there you need to do some groundwork.

Skipping the rules for success and the ethics (which will be discussed below), I will start with the first row of triangles. Security needs to be addressed at every level in an organisation, it needs to be scoped on all three elements within an organisation and, in my opinion, good security is done based on risk management. But in order for this to work, the organisation needs to embed security in its DNA using legislation, policies to enforce legislation and procedures to implement the policies. And the flow of information (most often the crown jewels of an organization and also often the sensitive data of its customers) needs to be addressed properly.

In the layer on top of that there is the well-known security triad. Then there is the concept of intelligence, detection and response to security incidents, and that is where the magic happens when it comes to dealing with incidents like hacking and breaches that might (or will) occur. And when selecting the solutions to address risks and vulnerabilities, always think in terms of layered defense, security by design and compartmentalization. And when that is done you will need to think about how much trust you want, how much control you need and how much secrecy you crave when you think about privacy.

Security Life Cycle Management


Everything is changing very fast. Whether it is the capability of hackers, new security solutions, laws, markets or your very own customers, you need to respond quickly to this changing environment. Everything in your security organization needs proper life cycle management. Policies can probably be reviewed on a two-year basis, but technical solutions need to be under constant review. So for everything that is done to keep the crown jewels safe: life cycle it!

Rules for Success


Rules for success are important, as they determine how (yes, obviously) successful you will be at your work.

It all starts with people first. If they are not safe, nothing else matters. If your co-workers are harmed by 'security' measures, or by the lack of them, it has all failed already. The second is the support of your management. For every decision, policy, security measure and investment you need management support. Without it, you will likely fail eventually.

We also need to keep in mind that in the end everyone is responsible for doing their part to be secure. Everyone is responsible for their security in their private lives, but at work all co-workers are responsible for the security of their organisation as a whole. You cannot outsource such responsibility. Therefore, training is needed. Some need more training than others, but continuous training and growing awareness are very important. Never waste a good crisis, so share your security failures at least internally. This helps everyone understand that a breach can happen fast and that a company going down affects everyone in it.

But all the above does not help if you do not have the appropriate policies. Policies are needed to show employees what their boundaries, obligations and rights are and how these should be kept and respected. Policies do not (or at least should not) know any exceptions. An exception is documented as a new policy.

Ethics


Ethics are important to prevent organisations and people from going corrupt and harming either the company itself or the society they operate in. The following rules are inspired by the (ISC)2 Code of Ethics, but also by the ISACA Code of Professional Ethics.

First, protect society and its infrastructure. As a person, be honorable and just. Act responsibly and comply with legal regulations and laws. Provide competent service and, wherever possible, advance the profession you work in.


Closing words


There are many frameworks that address various countermeasures and solutions for risks and vulnerabilities, and all those frameworks of course have their worth. What I hope to achieve with this model is to put it all into one view.

I hope I was of some value to you by sharing what I know and have experienced, and that we can learn from each other when discussing it. So feel free to agree, disagree and certainly feel free to share your thoughts and questions in the comments below.

Saturday, September 5, 2015

Social and emotional transcendence enabled by technology

I got a question from a reader on my blog post "From hybrid thinking to the upbringing of our children". This question could not be answered in a short sentence, so I decided to write a blog post about it. The question was asked in Dutch, but I will answer it in English.
OK, the digital world is, even for the very youngest among us, a totally integrated phenomenon. You see toddlers performing real feats on their father's or mother's tablet, and I watch it in wonder. By being able to draw on our cloud continuously, we are able to deploy our wisdom at all times. Wonderful! However, I wonder where that leaves our individuality as a person. And wouldn't it cause (too much) distraction from who we are? Or is it right, and would it actually give room to develop ourselves, for example socially and emotionally, because the energy no longer has to go into 'learning' and 'remembering' facts?
I am very curious.
You rightfully state that the digital world as we know it is an integrated part of our daily lives, for people young and old. The Cloud (it used to be just The Internet :) extends our memories and information sources a million-fold compared to roughly 20 years ago (probably even less).

You ask about where all this technology leaves us as an individual and how we will develop on a social and emotional level.

To answer that question we need to jump back in the history of our existence. One of our greatest inventions was not fire nor the wheel. It was language, both in speech and in writing. It gave mankind the possibility to pass information on to the next generation, and this technology has been refined ever since (think about the printing press, telephone, Internet, mobile). We often say that the strongest will survive, or the ones that can adapt the fastest will survive. Although this may be true by itself, it is not the cause, it is the effect. The cause of us humans being the strongest and perhaps the fastest to adapt is the sheer fact that we are able to process information like no other species on Earth and use that capability for our survival and advantage.

I always say we as a species have two major addictions, one leading to the other. The first is our endless hunger for information. We want more, we need more and we generate more every second. In order to sustain such an addiction we need energy. And lots of it. Everything in the universe revolves around information and energy. From the information and energy in the cells of our body to the energies that flow through our galaxy. Our DNA is information, our cells are, and our brain as a culmination of cells is an information processor like no other we have seen. Yet...

I say yet, because we will transcend biology with technology in the near future. At the time of this writing we are capable of simulating one second of brain activity of one human in 40 minutes using the current supercomputer. Two years from now this will be 20 minutes. Four years from now it will be 10. Six years from now it will be 5. You get the point, because 30 years from now it will take only 0.000572205 seconds to simulate one second of brain activity. That is 1747 human brains by just one supercomputer. And it is likely that such a supercomputer will be as big as one of your blood cells.

At that point we humans will have the technological means to be ever more connected than we are now. Think about 'calling' each other just by thinking it, visiting other countries through the senses of other humans, and really sharing emotions as we experience them ourselves. We will become hybrids: biological humans enhanced with integrated technology to become more connected, healthier and, most important of all, smarter.

And now back to your question about how this will affect our social and emotional development. I think it will have a tremendous impact, in a way we cannot even begin to comprehend from where we are now. We do not have the technology now to predict what our future will look like with that kind of power. But I can make some assumptions.

I think the collective will become more 'important' than the individual. Don't get me wrong, we are not becoming one mind, nor careless about human life. We become (an estimated) 9 billion minds that are interconnected in one giant Cloud. Yes, we can disconnect ourselves, but I think we would feel very lonely when we do. Because when we become capable of truly sharing our inner selves, our love for one another will grow. When we really understand another person to the core of their being, how can we not love them? How is that not the ultimate level of emotional connectedness?

Socially we will become much more focused on each other and our environment, rather than on ourselves (without neglecting ourselves though). The way societies work will change accordingly. Everything will become much more automated and robotized. Because people will not have to worry about survival anymore, we can focus more on the people around us, arts, dance, spirituality, religion, nature, (space) travel, growth, and much more.

This process towards the future technology will have its struggles though. We need to teach children how to interact with and use technology. The days when parents could excuse themselves for not understanding it, and thus not educating their children in it, are over. There is a real danger that people will get lost in technology and find themselves alone and disconnected from people. These are serious topics we as a society need to address.


But yes, future technology can (or will, in my opinion) give us the energy and time to become more human, to really be connected with each other and with ourselves. The days of people staring at their phones will come to pass. TVs will be gone from our living rooms and technology will be far less visible, but ever more present. We will finally be able to truly love our planet for what it is, our home.

I like to watch dystopian movies in which the Earth falls apart and everyone feels terrible and such. But I really think that a utopian future is waiting for us. I believe that we will transcend the flaws of us humans now and become more than we are now. We will not reach that point without struggle, loss and perhaps not without war though. Change never comes without fight, pain, sorrow and grief. My worries do not lie in the future after that change, but in the future during the change. And I believe that the first steps of the beginning of that future will be taken 20 to 40 years from now.

The main question is, when such a future announces itself, will you change with it? And more importantly, how do we prepare children for such a change? But that topic is for another blog post.

Thanks for your question and I hope I answered it to your liking.

Sunday, August 16, 2015

From hybrid thinking to the upbringing of our children


For the purpose of this blog post I re-watched the movie Limitless yesterday (apparently there will also be a TV series adaptation of it). I like the movie for the question it makes me ask myself. What would I do if I had an enhanced mind?

Probably the most honest answer would be that I actually do not know, because I cannot look beyond the limitations of my own mind and therefore I cannot anticipate what I would do if I had an enhanced mind. That being said, I think I would be information hungry to the core of my being. I would learn languages and my decision making would be based even more on the patterns I could then see clearly. Much like the main character in the movie does. But I would also like to connect to the people around me even more than I do now.

From Limitless Thinking to Hybrid Thinking


The movie is based on the assumption that a human brain is only used for about 20% of its capacity and that with the help of a new drug the rest of its capacity is activated. Much the same as the movie Lucy. The idea that we only use 10 or 20 percent of our brain is most likely not true, according to Robynne Boyd in an article in Scientific American. So if biologically nothing can be done, how about technologically? This is where Ray Kurzweil comes in.

In a recent article by Anthony Cuthbertson of the International Business Times, Ray Kurzweil states that we will connect our brains to the Cloud by 2030. Wow, that is like... 15 years from now! Even if he is 10 years off with his prediction, 25 years is no large number either. And if we are able to connect our brains, our minds, to the Internet, then the possibilities will become endless and beyond everything we can imagine today.

Imagine that we could look up information instantly whenever needed and wherever we are, with just a thought. We could probably even outsource parts of our thinking to services hosted in the Cloud. We could, much like Google Goggles, look at a Sudoku puzzle and instantly see its solution. We could make 'phone calls' to each other by thought, truly share emotions and even use (with consent of course) each other's senses. We could walk in a different country and see everything we see and hear translated at once. The Tower of Babel is not actually a physical tower; it will be the Internet with all our minds connected to it.

Well, back to Earth now with both feet. It will take a couple of years before we reach such technology. Although some people try to argue against it for ethical reasons (which I think has valid points), I believe the development will be so fast and disruptive that mankind will embrace it anyway. But that is beyond the scope of this blog post.

What is being smart now and in the future?


In a world where information is just a thought away, what does it mean to be smart? How differently will we look at it compared to now? We can assume that every person will have biological boundaries such as IQ, but being smart in the future is not about knowing a lot. Well, knowing a lot as in stored in your brain anyway. Because when you connect your brain to the Cloud you actually do know a lot, it is just not stored in your brain.

According to Academic Earth this process is already going on due to the existence of the Internet and the possibilities we have to connect to it. Our brain is trained by the things we do. And if we search a lot and do not 'care' to remember, we train our brain to search and not to remember. And if we are able to store everything in the Cloud we can connect our mind to, we become masters of search in a world full of information. How often do you check Wikipedia for some facts about a holiday you have planned? How much do you remember after checking it? Or do you even care to remember, because you can look it up a second, third and fourth time anyway?

The following principle is widely known. There is data, and from data information is made. Information can be interpreted and thus knowledge is created. And knowledge can lead to wisdom. I tend to say that we now live in a world where being smart is about having a lot of knowledge. In the age of hybrid thinking, being smart is all about being wise. And the wiser you are, the more successful and renowned you will be.

Preparing our children


But how can you become a wise person? To answer this question, we need to look at the fundamental flaw of the education system we know today. The current educational system is focused on gaining information and hopefully knowledge, rather than gaining wisdom. There is a nice YouTube video by RSA Animate about Changing Education Paradigms.



In this video Sir Ken Robinson talks about the need to change the paradigms of our education systems. It is a good and very relevant watch, and my opinion is that new paradigms are needed to prepare our children for a future in which all knowledge can be found online. The new paradigm should be about the individual and his or her development, skills, talents and all the things that make him or her happy. We should train and educate our children to search for information and how to use the information that is found. We should focus on ethics, morality and social skills. When we inspire our kids to grow and learn, they will find their passions on their own.

The result might be a future with humans who are more aware of their society and their place in it, behave more ethically and spiritually, and advance even further than their ancestors when all that is combined with endless knowledge at the tip of their thoughts.

I firmly believe that it is our responsibility to prepare our children for such a future.

What is your take on this? Feel free to comment below and thanks for your time for reading my post.

Saturday, July 25, 2015

How are typical users handling passwords of their online accounts?


Much has been written about users and their accounts and passwords, but I was recently confronted with a rather funny story on this topic. Perhaps you recognize yourself in a similar situation?

The story...


Someone in my social circle recently got a new smartphone. She was very happy with it, but there was one major thing to do: configuring it. As I am the local IT guy in this circle, I was asked to help with it. Of course I wanted to help (for two reasons, to be honest: firstly, to help the other, but it is also always nice to fiddle around with a new phone).

So I started with the basic stuff first, ignoring the phase of entering accounts and such. First I disabled some apps (or bloatware if you like), changed some settings, connected to WiFi, renamed the Bluetooth device name and so forth. Then I went to the first account. This was the Google Account, which I needed to download apps from the Play Store.

I gave the smartphone back to her and asked if she would like to fill in the account details. It went silent, and a moment later the following was said.
Oh, I cannot remember that anymore...
I asked if she could have written it down. That was a possibility, so she went to search for the piece of paper with all their user credentials on it. There are some downsides to using a piece of paper as your password manager, but it is sure as offline as it can be.

After a long search, the final conclusion came: the password could not be found. So we started to try out some passwords. I helped her try to remember the password by suggesting some passwords used for other accounts and by suggesting extending the birthday and so on. Password reuse is the tradition here, but after 20 minutes of guessing and thinking we came to the conclusion that we would need to reset the password of the Google Account.

I could have started with this of course, but such a reset of a Google account is often a bit tricky. You have to have kept the recovery information in your account continuously up to date, and I was not sure that was the case. But as it was now time for the last-resort solution, I started to reset the account credentials. Luckily the recovery information (such as a valid alternative e-mail address) was up to date and the account was marked for a new password.

She went silent for a minute, processing all the passwords that had been thought of in the last 20 minutes, and decided that she had made up a new one. She entered it twice and hit the OK button. The following message appeared.
The password has been previously used by this account. Please use a new one.
You can imagine how hilarious this situation was. When it was time to make up a new password, the actual correct password of the account was entered as the 'new' one. We had a good laugh, made up a really new password, wrote it down on the paper and all was set. And I moved on with installing and configuring the smartphone.

I immediately thought that this was a nice topic to write a blog post about. I think it really reflects how typical users commonly handle their credentials.
  • They are written down unencrypted or on paper.
  • Password reuse is the norm.
  • Passwords are relatively easy to predict.
  • There is not much commitment to doing it the 'right' way.
Not that I can blame her or any other user for the last bullet though. There are a lot of things to do, and they are sometimes difficult to configure or even difficult to use. And the fact that there are easily over 100 accounts to be managed per user does not make it any easier.

So, I want to set out a set of simple best practices to make improvements in situations such as the above.

But what are the best-practices?


First of all, every account can be compromised. Sometimes by guessing or extracting (and using) passwords and sometimes by circumventing the implemented security controls. If an attacker is really dedicated and wants fast results, buying a 5 dollar/euro wrench at a local hardware store is enough to convince most people to give up their passwords. People tend to be more protective of their fingers and knees than of their passwords.

But unless that is happening, you can follow the guidelines below when it comes to protecting your accounts.
  • Always use a unique password for every account.
  • Use a lengthy password:
    • A password is at least 16 characters long and mixes numbers, capital and lower-case letters.
    • A passphrase of at least 16 characters is also possible, as long as it is not an easily guessable sentence.
  • Do not use your birthday or the names of yourself, your spouse, friends, pets, and so on. Do not use any information in your password that might be found online.
  • If there is support for two-factor authentication, always use it.
    • This is a feature that asks for an additional code (called a one-time password) to be entered. The code can be sent to your mobile in an SMS text message or generated on dedicated hardware or in an app; an app or hardware token is preferable, since SMS messages can be intercepted or redirected (for example by SIM swapping). This is often seen with electronic banking.
  • Store your account and password details in an application (a password manager) built explicitly for that purpose.
  • And never ever share your accounts and passwords with anyone else, unless you are very certain it can be done (think about a shared account between spouses to follow the sale of their home online).
With the rules above you can greatly improve the security of your accounts or the accounts of your family and friends. And most importantly, almost every family or group of friends has someone in their midst who understands all this. Ask for his or her advice and ask them to help get you going!
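As an added example (not code from the original post), the functions below apply the guidelines above to a small constructed vault of accounts: a minimum length of 16, mixed character classes for passwords, a looser rule for multi-word passphrases as long as they are not a well-known phrase, no personal information, and no password reused across accounts. The account names, passwords, personal terms and the short list of well-known phrases are all constructed for this example; a real check would use a far larger list of leaked passwords and quotations.

```python
import re
from collections import defaultdict

# Added example, not code from the original post. All data below is constructed.
MIN_LENGTH = 16
PASSPHRASE_MIN_WORDS = 4

# A handful of phrases anyone would try first; a real check would use a far
# larger list of leaked passwords and well-known quotations.
WELL_KNOWN_PHRASES = {
    "correct horse battery staple",
    "to be or not to be",
    "the quick brown fox",
}


def is_passphrase(password: str) -> bool:
    """Treat anything with several space-separated words as a passphrase."""
    return len(password.split()) >= PASSPHRASE_MIN_WORDS


def check_password(password: str, personal_terms=()) -> list:
    """Return the guideline violations for one password (an empty list means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if is_passphrase(password):
        # Passphrases are exempt from the character-class rule but must not be a stock phrase.
        normalized = " ".join(password.lower().split())
        if normalized in WELL_KNOWN_PHRASES:
            problems.append("well-known phrase")
    elif not (re.search(r"[a-z]", password)
              and re.search(r"[A-Z]", password)
              and re.search(r"[0-9]", password)):
        problems.append("needs lower-case letters, capitals and digits")
    # Names, birthdays and similar details are checked case-insensitively.
    lowered = password.lower()
    for term in personal_terms:
        if term.lower() in lowered:
            problems.append(f"contains personal information ({term!r})")
    return problems


def find_reuse(vault: dict) -> dict:
    """Map each password that appears under more than one account to those accounts."""
    accounts_by_password = defaultdict(list)
    for account, password in vault.items():
        accounts_by_password[password].append(account)
    return {pw: sorted(accts) for pw, accts in accounts_by_password.items() if len(accts) > 1}


def audit(vault: dict, personal_terms=()) -> dict:
    """Run every guideline over a vault of account -> password and report per account."""
    report = {account: check_password(pw, personal_terms) for account, pw in vault.items()}
    for accounts in find_reuse(vault).values():
        for account in accounts:
            others = [a for a in accounts if a != account]
            report[account].append("reused on " + ", ".join(others))
    return report


# Constructed sample vault and personal details; none of these are real credentials.
SAMPLE_VAULT = {
    "webmail": "Summer2015!",
    "webshop": "Summer2015!",
    "bank": "correct horse battery staple",
    "social": "Fluffy19810306xx",
    "nas": "Vq7#mL2pXz9!aRt4",
}
SAMPLE_PERSONAL_TERMS = ["anna", "fluffy", "1981"]


if __name__ == "__main__":
    for account, problems in audit(SAMPLE_VAULT, SAMPLE_PERSONAL_TERMS).items():
        print(f"{account:8s} {'OK' if not problems else '; '.join(problems)}")
```

Running the audit flags the reused and too-short webmail/webshop password, the bank passphrase because it is a famous example everybody tries, and the social-media password because it embeds a pet name and a birth year; only the random 16-character NAS password passes every rule. The same functions can be pointed at an export from a password manager to find the accounts worth fixing first.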

Do you have any other tips or questions? Please feel free to share them in the comments below!

Sunday, July 19, 2015

From a Cybernator to an attractive or love-able Cyber-bot

Recently I wrote a blog post about Terminator Genisys and the very fact that something like Skynet might emerge. As I am a huge movie fan, and specifically of the science fiction genre, I saw two more movies that cover much the same topic, at least the Artificial Intelligence (AI) part. These movies were Chappie and Ex Machina. I found the movies very nice and entertaining to watch, and both took a different approach to the same question. Can a human care for, or even love, a robot?

The punch line here is that I do believe we can love or feel empathy for a robot, and I'll explain why.



For your information, I am not going to spoil the endings of the movies, so you can safely read ahead.

Love is not human-only


We all know pets like cats and dogs. They are likely the species most commonly kept as pets, not counting tigers and lions. Non-pet-owners, especially people who have never had a pet, might find it difficult to believe that people who do have pets can really love them. People really do!

But why do people love their pets? Why do people grieve when their pet has died? I believe the most fundamental part of this love for a pet has to do with the reflection of human behavior. Behavior of your pet that 'shows' human-like emotions is a big part of the ability to love a pet. And not only behavior is key here; the feeling of actually connecting with an animal can also result in feeling (at least) empathy for it.

Dolphins are smart and we can interact with them and learn all kinds of things. The same applies to dogs, cats, monkeys, rats, apes and many more. The more the animal resembles parts of a human, the more a human can feel empathy. The level of empathy differs from human to human of course, but the foundation holds true here. I also believe that empathy is strongest with mammals. Mosquitoes or the common fly are not easily loved I guess (at least, I have trouble with that).

So, for argument's sake, let's state that humans can feel love or empathy for non-humans in the form of animals that represent some part of human behavior or emotions.

Chappie


Chappie is a robot who (funny, I did not write 'which' here...) is made sentient by the lead engineer of the corporation that makes these robots. The nice touch here is that the sentient being is mentally 'born', almost like a human. It holds no knowledge yet and its brain functions are comparable to those of a human infant. Chappie grows up and throughout the movie it gets smarter really fast.

I found that my emotional response to Chappie being mistreated is the same as to animals being mistreated. Or even humans being mistreated. I started to care for Chappie and I hoped he would succeed in overcoming his fears and the challenges he faced in this harsh world. I did say fear. It is not strange to believe that the moment a being is sentient, it will know fear of dying when it figures out that its existence can be ended. So Chappie gets to know feelings of fear, joy, happiness, sorrow, loss, anger and revenge. Including fear of death.

Physically he really looks like a robot. Metal, mechanical, rotors, buzzes and all. But in all his behavior and all his communication he feels human. He reasons like a person and he struggles with the same questions about morality as anyone else does.

If a robot shows true AI on a level that humans can recognize and converse with, is it possible to feel empathy for such a sentient being? Is it that much different from a dog or a cat? Or perhaps even a human being?

Again, I truly believe that it is possible to feel empathy for Artificial Intelligence.

Ex Machina


Whereas Chappie is more of an action movie, Ex Machina is more of a psychological one. The movie explores the very foundations of us being human and how that relates to AI. It revolves around a Turing test that a scientist needs to perform on an AI-enabled robot. Basically a Turing test is built around human-versus-computer interaction, in which a human judge tries to tell whether they are conversing with a computer or with another person. A spin-off thought here: what if the computer does not know it is a computer, but thinks it is a human? How can the human convince the computer that it is not human?

The robot in this movie, called Ava, is made by the company that runs the world's biggest online search engine. In a way there were many (slightly scary) similarities with present reality. In that respect this movie has a nicely worked-out foundation of what is needed to develop an AI. Just watch the movie if you are curious how this is done.

Ava shows more similarities with humans than Chappie does. She has a female face, acts feminine, also has emotions like fear and joy, can make jokes, manipulate and lie. She even flirts with her male human counterpart. It goes so far that the man starts to feel attracted (mentally and sexually) to Ava. Watching the movie, I can understand why he started to feel attracted. Especially when you see the ability of the robots to put on human skin and then actually look like a real person.

Could you love an AI-enabled robot that looks like a real person? When the robot is smart and wise like a human, would you even recognize it as being artificial? And if you do not recognize it as such, how could you not love such a robot?

Just philosophical for now


All these questions are mostly philosophical of course, but they may become real questions for mankind in the coming decades.

The next question is, would we recognize an AI as sentient when it is an intelligence we cannot comprehend, relate to or even communicate with? If so, wouldn't that be an even bigger danger for mankind than an AI we can feel empathy for? A nice book that covers this topic is The Swarm. It is not artificial but biological intelligence, and that is all I am going to spoil. It is a nice book and worth the read.

If you want to share anything, please do so in the comments below.