Security and risk

Where is this blog continuing its life? In Linkedin

noreply@blogger.com (Unknown) — Fri, 23 Nov 2018 08:49:00 +0000

Testing a new way to share ideas: Linkedin

Dear subscribers and readers... for the time being this blog is quite silent you would think... however, action continues somewhere else: here in my Linkedin profile.

I am just testing which channel is best and gets more relevance.

I will keep you posted!

Regards and thanks for following me

Following the path of knowledge

Book highlights: "Hit refresh" by Satya Nadella

noreply@blogger.com (Unknown) — Thu, 01 Mar 2018 00:00:00 +0000

Very telegraphically, these are my impressions after reading "Hit Refresh":

- Impressive human being. He tells you how his personal experiences have shaped him, not only personally but also professionally.

Some of the ideas worth exploring that appear in the book are the following:

- Leadership is definitely an art.
- Empathy and compassion are skills leaders should have.
- We need to work comfortably with change and impermanence.
- "To be a leader here, oyur job is to find rose petals in a field of shit".
- The leader needs to link every employee's passion with the raison d'etre of the company.
- A sustainable ecosystem is required for a company to survive.
- Provide the environment for employees to find their personal balance.
- Other important topics: The link of technology, freedom and customers.
- The responsibility of a technology company with the world and the human beings.
- Most importantly, he also makes mistakes and learn from them.
- He is aware of the need to equally treat women and men in technology companies.

Learning every day

Book highlights: The Mathematics of Love by Hannah Fry

noreply@blogger.com (Unknown) — Thu, 01 Feb 2018 03:00:00 +0000

This brief book by Hannah Fry is inspired by her TED talk with the same title: The mathematics of love.

The main (very personal and non-comprehensive and biased) highlights I would like to share are:
- When finding a partner: Give people a chance. Reduce your requirement list to the minimum.
- Beauty is subjective and context-dependent. For singles, if you are invited to a party, get accompanied by a friend who is slightly less attractive (in general) than you.
- It's better to start a conversation with someone you feel attracted to rather than waiting for that someone to come to you. Maths say so.
- Online dating has potential (if people show themselves as they really are).
- Applying basic game theory, being disloyal is not economically benefitial.
- Complex network analysis help to study disease propagations.
- By showing rejection and disdain with your partner, the probability to split increases dramatically.

This time, nothing to do with Infosec. Or maybe yes?

food for thought?

Book tip: "Time management for system admins" by Thomas A. Limoncelli

noreply@blogger.com (Unknown) — Mon, 01 Jan 2018 00:00:00 +0000

Just some practical sentences about this book from 2005 by Thomas A. Limoncelli.

If you are working in Information Security or in Information Technology in general, and you need to improve managing your time and prioirities, this book deals with this eternal topic from a light (and IT based) viewpoint.

I do not favour a lot the omnipresent self-help books. However, this book could help if the reader needs to improve on this field or is under a lot of stress.

In a nuthsell, I would like to high light three points on time management:

- It needs to follow a focused and committed methodology.
- It helps organising any aspect of life.
- IT people has the advantage of being able to devise and use automation.

Happy reading!

Growing

Book review: "Own Your Future : How to Think Like an Entrepreneur and Thrive in an Unpredictable Economy" by Paul B. Brown et al. The ALBR process

noreply@blogger.com (Unknown) — Fri, 01 Dec 2017 01:00:00 +0000

I came accross this book by Paul B. Brown, Charles F. Kiefer and Leonard A. Schlesinger almost by chance. The title was enticing so I decided to give it a go. You can read it really fast and the structure is very approachable. Having an Information Security mindset, you can apply generic recommendations to our professional field and even try out some entrepreneurial experiments that could lead you to a professional change.

If you are going through a period of time after which you really need a positive? work-related change, reading this book could help you. As always, a little disclaimer: This post does not replace at any time the careful reading of the book and all points expressed here are extracted from the book but by no means complete, comprehensive or unbiased.

If I would have to summarise the book in only one sentence, I would say ALBR. The acronym of Act, Learn, Build and Repeat. This is what authors recommend to put in practice your own ideas. Note that they start with the word Action. The beauty of this book comes now: You select the scope and the context in which you will apply your own ideas: in your startup, with your current employer, at home, during your leisure time... actually these learning points can be applied everywhere and anytime.

I also like a lot the fact that this book, published in 2014 also proposes something that I was already suggesting in my first Information Security book: IT Securiteers - Information Security Management: Take baby steps, small steps so that you can always be in control and, if needed, revert back. Baby steps are an important risk-management measure.

The book is full of US-based examples. At the end of every chapter you have a nice little box with the key learning points (just as the IT Securiteers book, where you can also find a summary of the applicable MBA models at the end of every chapter).

The first section of the book describes how our professional world has changed compared to the one previous generations had and how this fact requires new skills (and new approaches) in all of us. Worth highlighting regarding risk management, the book confirms how the best entrepreneurs are quite risk averse.

The second section actually proposes the Act/Learn/Build/Repeat process to manage risk when starting off a new endevour. This process, plus the use of small baby steps, make you ready to fail safe, since there will never be something really major, or not manageable, at stake.

The third section is very realistic. It first confirms that not all our likes and passions will be payed by the market i.e. we can only follow our passion if we can (economically and realistically) afford it. Let's remember we need to live in this world. This is a convenient time to mention the model I wrote about in the IT Securiteers book on the intersection of your skills, your passions and the market to make a living.

The fourth section provides an interesting spin to starting something new: They propose to do it outside your everyday job. Certainly the possibility to start something new within your current job, providing even more value to your employers, should not be discarded. Actually, for those ranking high in risk-aversion, it is even recommendable.

This section continues with the small steps approach and how your long term goals can only be achieved focusing on small deltas every day. This also applies to Information Security programmes and projects.

I like this sentence from the book: "Remember, your next job is probably not your last one".

Lastly, the authors remind you that you are the ultimate control point of both your job (and eventually, your life).

Happy future reading!

Away from monotony!

Book review: "Diary of a hedge fund manager" by Keith McCullough

noreply@blogger.com (Unknown) — Wed, 01 Nov 2017 02:30:00 +0000

Keith McCullough and Richard Blake wrote this book in 2011: "Diary of a Hedge Fund Manager: From the Top, to the Bottom, and Back Again". Keith McCullough was also the author of the mcmmacro blog (already discontinued in 2008). This book has nothing to do with Information Security. At least it does not have a explicit link. Why do I post this review then? Let's summarise it in telegraphic bullet points:

- Being a hedge fund manager is tough. The author mentions how starting work at 4 am was nothing extraordinary. Time required on a daily basis to follow companies and feel markets' sentiment is huge. Information security displays the same trait.

- The book uses the professional sports world (more specifically, hockey) as an analogy. In both fields, required efforts and focus and existing competition are comparable. Also applicable to Infosec? I think so.

- The mantra in hedge funding: Liquidity, transparency (well, actually the authors claim that during the first decade of this Century it was insufficient) and returns (on each and every single quarter!).

- This book also suggests a higher degree of self-involvement in personal financial investment strategies. I would also suggest the same for personal Information Security strategies.

- Short-term performance, during those early years of hedge funding, was given more priority than to adherence to principles. How is the Information Security field in this respect?

Please share your comment

Happy reading!

Expertise comes with time

Book highlights: The Sleep Revolution by Arianna Huffington

noreply@blogger.com (Unknown) — Sat, 30 Sep 2017 23:30:00 +0000

This time I share with my readers the main reading points of the book titled "The Sleep Revolution" by the famous entrepreneur Arianna Huffington, currently leading thriveglobal, probably the site to visit to keep yourself in balance.

Disclaimer: as always, a very personal and biased collection of thoughts extracted from the book. This collection by no means aims to replace the reading of this book.

These are some of the aspects I would like to highlight, especially to the Information Security community professionals, so that they do not waste themselves, either by working or worrying, into sleepless nights.:

Main takeaways

- Women need some more sleep than men.
- Lack of sleep produces overweight and heart attacks.
- Sleep is currently an underrated health habit. It is a side of life that should be as important as our awake time.

- People in key jobs such as drivers, pilots, doctors run higher risks when they are not well rested.
- Sleep changed from being a social and looked after event to being a despised need. Now there are changing times.
- Sleep is for the brain to be healthy. During sleep, the brain cleans itself from toxic proteins.
- Poor sleep transforms into poor memory.
- Sleep is key in the complex task of understanding our lives.
- Sleep on it: A smart way to learn and decide.

Sleep phases

0. Beta waves in the brain during our awake time.
1. Light sleep (starting to decrease our temperature and heart rhythm.
2. Deeper sleep (temperature drop)
3. Slow high amplitude delta wave sleep (if we wake up there, we feel disoriented)
4. REM (rapid eye movements), body rates increase again (blood pressure, temperature, movement). it is when we do most of our dreaming activity. REM sleep takes us offline.

The later dreams occur during the night, the more bizarre they are.
Normally we go through 3 to 4 sleep loops during a night.

Sleep and health

- Required to avoid illness and also required to recover from illness.
- Self control requires mental energy. Sleep gives us energy.
- From Freud to Jung: dreams are an internal experience, a possibility to learn and to link with our spirituality.

Programming dreams

- Dreams are essential for learning and memory.
- You can try to program your dreams first by writing them down right after having slept and subsequently by thinking on what to dream just before going to bed. Certainly without any digital device.
- Nice piece of advice: Keep a dreams diary.
- Dream incubation example: In which area of life would you like to receive guidance?
- Dreams regulate our experience, our emotions and our memories.
- Dreams contribute to emotional intelligence.
- Dreams reset the emotional compass.
- Innovations come also from dreams.
- Dream about an exam and you will score higher.
- Sports people practice this to get a better performance.

The best meditation is sleep

- Take deliberate actions to improve your sleep.
- Meditation and sleep are friends.
- Simple relaxation technique to try to sleep: Inhale with 4 counts, hold with 7 counts and exhale with sound on 8 counts.
- Use breathing to slow down yourself.
- Another simple relaxation technique: The half-smile relaxation.
- Try to find serenity through a picture, some music, the memory of a place.
- Bringing thoughts of kindness and gratitude certainly help: Think of the opportunites to help people that you used.
- Create a gratitude list.
- All this always via baby steps.
- A 30-min nap can reverse the hormonal impact of a night of poor sleep.
- We need more stillness in our lives.

Before going to bed
- No sugar, no alcohol, no big meals.
- Interesting thought: We will all die, thinking about this fact will let you distinguish what is important.
- Assertive statement "to practice death is to practice freedom".
- Use a mind-dump to-do list before going to bed to release you from those worries and... tomorrow will be another day.


The sleep house

Book highlights: The Filter Bubble by Eli Pariser

noreply@blogger.com (Unknown) — Thu, 31 Aug 2017 23:30:00 +0000

This time I write about a book by Eli Pariser first appeared in 2011. It title points to its main content: The filter bubble. How the new personalized web is changing what we read and how we think.

As it were real future-telling, the author, already in 2011, prepares the reader to understand the perils of web personalization and its potential consequences. Now, in 2017, those consequences have materialised.

Let's remember that an interesting part of Information Security is Personal Data Privacy (it that still exists!).

As always, little disclaimer, this collection of learning points do not replace the reading of the book and they constitute a very personal list of items. Let's start:

- The arrival of personalised Internet search by Google in 2009 contributed to make the user of that search a real product rather than a customer.

- The delivery of personalised search results creates, for each of us, a personal bubble in which we will live on. This is great in terms of confirming our interests, however this is not so great in terms of isolating each of us within our own bubble and system of beliefs.

- Different point but also worth highligthing: Asymmetry in email. The cost of sending an email is orders of magnitude lower than the cost of receiving and reading an email (in terms of human time devoted to it). This is the main reason why email spam exists.

- Facebook focuses on relationships among people and Google on relationships in data.
- Facebook focuses on what you share, Google on what you click.
- Both aim the same final objective: User (product) lock-in.

- The author also talks about user behaviour as a commodity and how some companies monetise that e.g. acxiom.

- Interesting fact: Google News was created as an initially easy way to curate news after 9/11.

- A fact: More voices means less trust in a given voice.
- In the US in 2011 people watch TV on average 36 hours per week.
- Definition of TV: Unobjectionable entertainment.

- The key to keep audiences happy: Creating content in response to their likes.
- Personalised filters affect the way we think and learn.
- We tend to convert papers with lots and lots of data into "likely to be true".
- Information itself wants to be reduced to a simple statement.

- The more expert you are in a topic, the more reality-bias you have and the less successfully you will predict.

- Consuming information that conforms to our ideas is super easy. That is why we do it.
- The filter bubble shows us things, but it also hides other things to us and we are not as compelled to learn about new things if we do not know about them.

- It is important to be able to do what you would like to do but also to know what is possible to do.
- For the time being, Internet personalisation does not capture the difference between your work self and your play self.
- There is a difference between that we watch and what we should watch.
- Profiling gives companies the ability to circumvent your rational decision making.
- Personalisation still does not distinguish signal to noise.
- If our best moments are often the most unpredictable ones, what will happen to us if our bubble is fully predictable?
- The bottomline: In the book the author mentions that we do not know the effects of this filter bubble. However, six years after its publication, we can see its real consequences in terms of fake news and isolation.

- The existence of the cloud. Personal data in the cloud, outside your computer, is much easier to search than info on your computer.
- Statement extracted from the book (published in 2011): "Personalised outreach gives better bang for the political buck".

- In the post-materialism era we buy things to express our identity, not because we need the item we buy.

- The personalised bubble make getting people from a community to make better collective decisions more difficult.

- Peter Thiel, American entrepreneur, e.g. Paypal founder, states that "freedom and democracy are no longer compatible".

- Engineers resists the idea that their work has moral or political consequences.

- Small pieces of advice: Delete our browser history every now and then. And if you dare, your cookies ;-) Use the incognito tab in your browser.

- Be aware of the power of default e.g. by default when you open the browser you do not land on the incognito tab.

- The author states that there are also possibilities to improve using this technology if companies are transparent in explaining how their filters work and how they use our data.

- Corporate responsibility is required, and probably also a kind of oversight.

- Personal data should be considered a personal property.

Too much to think about in only one post!
Happy reading!

Hello to a new world

Book highlights: Willpower: Rediscovering the Greatest Human Strength by Roy Baumeister and John Tierney

noreply@blogger.com (Unknown) — Tue, 01 Aug 2017 00:00:00 +0000

This book about Willpower by Roy Baumeister and John Tierney is worth reading it to prepare the next term, especially when the to-do list is long and the leisure temptations are formidable.

In a super concise nutshell, and never replacing its reading, the points I highlight for those Information Security experts following this blog already for years are the following:

- A monthly plan is much more effective than a daily plan. Days go differently as planned but months give you the time you need to achieve your goals.
- Short-term targets need to be anchored to long-term targets, otherwise they are very dangerous.
- Our will power requires energy. More specifically, it requires glucose in our brain.
- Decision taking also requires energy. If you have no energy, do not take decisions that time.
- We can train our will power. Start with baby steps, right as I recommend in my IT Security Management book.
- Being part of a community with goals similar to ours always help to grow will power. The opposite is unfortunately also true.
- When you prepare your to-do lists, fine grain your complex goals into manageable activities.
- Proposal: Work with bi-weekly or monthly plans and revise them.
- For parents: Make your children participate in the creation of the family's plans and their plans (and even yours).
- If you are tired, do not decide or get exposed to tempting situations. Maybe the most important learning point of this book.

Happy will power!

The sky is the limit

Book Review: Site Reliability Engineering. How Google runs production systems

noreply@blogger.com (Unknown) — Sat, 01 Jul 2017 16:19:00 +0000

Intro
The following points come from a book by many Googleans and related colleagues such as Betsy Beyer, Chris Jones, Jennifer Petoff and Niall Richard Murphy title "Site Reliability Engineering: How Google runs productions systems".

Disclaimer
Disclaimer: As always, in every book review I have posted, these reviews are just invitations to read the book. Not a replacement!

Rationale
"Traditionally system developers ended their task once we threw their creation into production". This brought only trouble both to the final customers and to the staff in charge of providing the service.

Objective
This book is basically Google's attempt to revamp the role of system administrator and operator in production. To place it at the same level system developers were and are.

How?
No magic solution, just common smart sense i.e. giving system admins in prod the possibility to improve the system themselves, to automate and to scale. The authors confirm that their proposal is a specific DevOps way.

Automation
From manual steps to externally maintained automation, both system specific and generic, then to internal automation and finally autonomy.
Reliability
How do they define reliability: "Probability that a system performs a function with no failure under stated conditions for a period of time". An outage for the SRE, when planned, is a change to improve the system, to innovate.

Service reliability hierarchy
Bottom-up: Monitoring, incident response, post-mortem/root cause analysis, testing and release procedures, capacity planning, development and product.

"Hope is not a valid strategy"
70% of outages come from changes in a live system.

Monitoring
Monitoring software should do the interpretation and humans be notified via alerts, tickets or logging (according to the criticality). No email alerts, use a dashboard with flashy colours. Nowadays monitoring is more a collection of time series (more powerful than only SNMP) i.e. a sequence of values and timestamps. The data source for automated evaluating rules.

Black box monitoring (how is the user experience?) and white box (monitoring system internals).

This way we reduce the MTTF (mean time to failure) and the MTTR (mean time to repair).

Latency vs throughput
System engineers need to understand what is best for their system, the smart mix between latency (how long) and throughput (how many). Think about cost vs projected increase in revenue. Key point: Aim for the right Service Level Objective. Do not overachieve. Over-achievement in terms of availability prevents you from innovating and improving the system.

Avoid toil
Manual, repetitive work needs to be automated. Monitoring data not being used is a candidate for renewal. Blending together too many results is complex. In a 10 to 12 SRE team, 1 or 2 people are devoted to monitoring.

Release engineering
Includes also config management at the beginning of the product lifecycle. Frequent releases result in fewer changes in between versions. Distinguish between inherent complexity and accidental complexity and avoid the latter.
In software, less is more (and more expensive). Versioning APIs is a good idea.

Incident management teams
Multi-sites teams incur in a communication overhead. How do you know the team is in the sweet spot? When handling an incident takes 6 hours, including root cause analysis and post-mortem. Prefer the rational, focused and cognitive (procedure-based) process rather than the intuitive, fast and automated. Provide clear escalation paths and follow a blameless postmortem culture. Use an incident management web based tool.

Avoid operational overhead. If there are too many alers, give the pager back to the initial developer. Prepare for outages, drill it, test the what if...? Team members should be on-call at least once or twice per quarter.

Separation of duties in incident management: ops (rotating roles among teams and time zones), communication and planning.

Testing
Testing is continuous. Testing reduces uncertainty and reliability decreases in each change. Include configuration tests.

Team size
It should not scale directly with service growth.

Best practices
Fail safely. Make progressive rollouts. Define your error/bug budget. Follow the monitoring principles (hierarchy), make post-mortems and include capacity planning.

Latency
Look not only at mean latency but also at distribution of latencies. Prevent server overload by means of built-in graceful degradation.

Availability
Leader election requires a reformulation of the distributed asynchronous consensus problem. It cannot be solved using heartbeats (but rather replicated state machines). A byzantine failure is e.g. an incorrect message due to a bug or a malicious activity.

Production readiness review
An early involvement is desired. SRE can only work with frameworks to scale. Data integrity is the means, data availability is the goal.

Rocky landscape

Happy reliable reading!
Interested in the mindmap of it? Here you are part 1.

And part 2.

Book Review: Practical Data Science with R by Nina Zumel and Jim Porzak

noreply@blogger.com (Unknown) — Wed, 31 May 2017 23:00:00 +0000

This is a very very brief collection of points extracted from this book titled "Practical Data Science with R". For those starting in this field of Data Science a recommendable foundational reference.

The main parts: An introduction to Data Science, modelling methods and delivering results.

As always, an important disclaimer when talking about a book review: The reading of this very personal and non-comprehensive list of points, mostly taken verbatim from the book, by no means replaces the reading of the book it refers to; on the contrary, this post is an invite to read the entire work.

Part 1 - Intro to Data Science

I would highlight the method the authors propose to deal with data investigations:

- Define the goal - What problem are you solving?
- Collect and manage data - What info do you need?
- Build the model - Find patterns in data that leads to a solution
- Evaluate and critique the model - Does the model solve my problem?
- Present results and document - Establish that you can solve the data problem and explain how
- Deploy the model - Deploy the model to solve the problem in the real world.

Part 2 - Models

Common classification methods such as e.g. Naive Bayes classifier, Decision trees, Logistic regression, Support vector machine.
To forecast is to assign a probability (the key is how to map data into a model).

Model types: Classification, scoring, probability estimation, ranking and clustering.
For most model evaluations, it is usual to compute one or two summary scores using a few ideal models: a null model, a Bayes rate model and the best single variable model.

Evaluating scoring models:
- Always try single variable models before trying more complicated techniques.
- Single variable modelling techniques give a useful start on variable selection.
- Consider decision trees, nearest neighbour and naive Bayes models as basic data memorization techniques.

- Functional models allow to better explore how changes in inputs affect predictions.
- Linear regression is a good first technique to model quantities.
- Logistics regression is a good first technique to model probabilities.
- Models with simple forms come with very powerful summaries and diagnostics.
- Unsupervised methods find structure (e.g. discovered clusters, discovered rules) in the data, often as a prelude to predictive modelling.

Part 3 - Delivering results

Nowadays information systems are built off large databases. Most systems are online, mistakes in terms of data interpretation are common and mostly none of these systems are concerned with cause.

Enjoy the data forest

Wannacry related interim timeline

noreply@blogger.com (Unknown) — Sun, 14 May 2017 18:30:00 +0000

Let me share a timeline I constructed regarding Wannacry during the last days. The interesting point I shared with some colleagues was that the patient zero (o patients) infection vector is not referenced or described as of now yet.

15th February 2017 Microsoft cancels its monthly patching for that month

9th March 2017 Wikileaks press release regarding Vault7, "the largest-ever publication of confidential documents on the agency" according to Wikileaks.
https://steemit.com/wikileaks/@ausbitbank/wikileaks-vault-7-march-9th-press-conference-transcript

14th March 2017 Microsoft publish security update MS17-010 for SMB Server
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

14th April 2017 (according to https://www.wired.co.uk/article/nsa-hacking-tools-stolen-hackers) Equation Group (see https://en.wikipedia.org/wiki/Equation_Group) releases some exploits, EternalBlue among them. EternalBlue took advantage of the vulnerability that Microsoft patch MS17-010 fiexed.
https://github.com/misterch0c/shadowbroker/

14th April 2017 Microsoft publish their triage analysis on the exploits
https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/

15th April 2017 Security companies analyse exploits. One example of the anaylisis of EternalBlue is the following:
https://www.trustedsec.com/blog/equation-group-dump-analysis-full-rce-win7-fully-patched-cobalt-strike/

15th April 2017 Some news sites start to wonder how come that the patch existed before the release e.g. https://arstechnica.com/security/2017/04/purported-shadow-brokers-0days-were-in-fact-killed-by-mysterious-patch/

12th May 2017 WannaCry appears in the wild
https://en.wikipedia.org/wiki/WannaCry_cyber_attack

Some sources mention that the infection vector was a phishing email
https://www.heise.de/newsticker/meldung/WannaCry-Was-wir-bisher-ueber-die-Ransomware-Attacke-wissen-3713502.html
http://www.wired.co.uk/article/wanna-decryptor-ransomware
https://www.cylance.com/en_us/blog/cylance-vs-wannacry-wanacrypt0r-2-0.html

However, no analysis yet of that mentioned phishing email, its attachment and its modus operandi in general.

Update 1: Response and proposals from Microsoft

Rocky days

Book Review: Bitcoin and other virtual currencies for the 21st Century by J. Anthony Malone

noreply@blogger.com (Unknown) — Sun, 30 Apr 2017 23:30:00 +0000

A very handy book to approach Bitcoin.

Let me try to share with you the main learning points I collected from this book. As always, here it goes my personal disclaimer: the reading of this very personal and non-comprehensive summary by no means replaces the reading of the book it refers to; on the contrary, this post is an invite to read the entire work.

The book starts first with the concept of money, how money was an innovation itself, the functions of money as a medium of exchange, a unit of account, a store of value, a deferred payment and a value measure. It also provides some insights on the history of money and how credit is older than cash and, finally, a key concept: the monopolistic role of the government in terms of currency issuance.

There are some hints in the book to consider Bitcoin a starting point to end the monopoly of central banks. It claims that the Bitcoin value scheme is inspired on the old gold standard. It is interesting to read the links that the author sees between the Austrian School of Economics and Bitcoin.

The point that Bitcoin does not have a centralised clearing house is certainly a key point in the book. It also mentions that the blockchain public ledger is the heart of the Bitcoin technology. It also mentions that Bitcoin is inflation-free (there is a fixed number of Bitcoins that can eventually be minted). The supply of Bitcoins does not depend on the monetary policy of a central authority. It also remembers the Keynesian line of thought on deflation and how it encourages individuals and businesses to save money.

To use Bitcoins, you just need a Bitcoin wallet and a Bitcoin address. Technically, Bitcoin has currently a transaction limit of 7 per second.

There is a section of the book on legal aspects of Bitcoin. Apparently virtual currencies do not have legal tender status in any jurisdiction. Bitcoin has the properties of a payment system, a currency and a commodity. There is still a bit of regulatory ambiguity in terms of Bitcoin. There are some appendixes in the book related to a very useful glossary of terms, a legal guidance issued by FinCEN in the US, also from US GAO (Accountability Office), from the Inland Revenue Service, some input from revelant regulators and legal documentation on different Bitcoin-related cases.

Happy growing!

Book Review: Bitcoin and Mobile Payments: Constructing a European Union Framework (Palgrave Studies in Financial Services Technology) edited by Gabriella Gimigliano

noreply@blogger.com (Unknown) — Sat, 01 Apr 2017 00:00:00 +0000

This book sheds some light on how Bitcoin and mobile payments interact with EU rules and regulations. A key point certainly are the PSD and PSD2 directives on payment services in the internal market.

Let me try to share with you the main learning points I collected from this book. As always, here it goes my personal disclaimer: the reading of this very personal and non-comprehensive summary by no means replaces the reading of the book it refers to; on the contrary, this post is an invite to read the entire work.

The book has been built into 4 parts:

- Institutional strategy and economic background
The institutional strategy can be an enabling factor for a sound growth of new instruments and certainly for the security of payments. The definition of an effective “cyber security strategy” at national and European level is one of the pillars of the creation of the “digital single market”. The financial services and the payment industry are an essential component. Certainly the role of SEPA (Single Euro Payment Area) is considered. Interestingly, Bitcoin is an alternative payment scheme without fiat or banking money. There is an interesting statement, “Bitcoin has a tendency to create an oligopoly in terms of miners”.

- The framework – a European outline and a comparison with other frameworks
There is a lack of specific regulations in terms of virtual currencies. Can they be considered payment instruments? What are they really? What is the role of self-regulation in all this? In Europe we see a technological fragmentation of the payment chain. It is still too early to know which path will be followed. Experts suggest an adaptation of the laws for newcomers such as bitcoin.

- Regulatory challenges (e.g. protection of customers’ funds, data integrity, soundness of payment and financial system, competitiveness of European market)
A basic requirement is to have an adequate security that encourages the usability of the system. What happens when there is no central service provider? The increasingly stronger general rules for data protection in the EU will eventually require equally strong sector-based rules.
Mobile payments’ legal situation regarding Anti Money-Laundering is legally certain. Virtual currencies’ legislation not.
Interesting detail: Bitcoin does not attract too many VAT complications within the EU.
For the time being, there is a lack of a fully implemented and integrated business model in the mobile payments ecosystem in Europe.

- Evolution of payment services
Only two sentences on this topic. Bitcoin is really a conceptual revolution, mobile payments are really an evolution.

Happy constructing!

Quick Book Review: Value Web by Chris Skinner

noreply@blogger.com (Unknown) — Wed, 01 Mar 2017 00:00:00 +0000

I thought I would share with my readers a selection of the points mentioned in the book (modest disclaimer: it is a non-comprehensive, and personal, quick summary that does not replace the reading of the book)

The book is titled "Value Web" by Chris Skinner.

-          The author is an independent commentator in the financial industry.
-          Summary in a sentence: There is a network transformation of how we exchange value.
-          This network transformation is linked to our secure digital identities.
-          The author describes the blockchain technology also as an authentication technology.
-          He touches also upon the history of money and how farming created money as an instrument to keep value.
-          A detail: It was China inventing paper-based money.
-          An interesting thought: “Simplification comes from kids and complexity comes from incumbents”
-          Clear statement: Banks don’t trust each other anymore.
-          Interesting story of an attempt to regulate: https://en.wikipedia.org/wiki/BitLicense
-          The author sees banks more than as money stores as value stores. His stance: value stores need regulation.
-          Three different roles played by fintech players in the banking industry: wrappers, replacers and reformers (vis a vis traditional banking).
-          How free apps can make money? By creating additional (not currently existing) value and by being relevant.
-          The potential to re-invent banking (rather than to disrupt banking)
-          However: Let’s be realisitic. In the UK 62% of the population still prefers face to face in a branch as preferred channel to access bank services.
-          Banks already require a digital core, a platform. So that channels are replaced by access. In the digital era, they talk about access (to that digital core) and not channels anymore.

The last part of the book includes interviews to key players in this field. My 2 cents. Follow these three names on twitter: @jonmatonis, @brockpierce and @chrislarsensf

Happy valueing!

Security sites to bookmark: fireeye, darkmatters.norsecorp and blueliv

noreply@blogger.com (Unknown) — Tue, 31 Jan 2017 23:30:00 +0000

New trends in security intelligence services

A traditional marketing element already present in most security providers' Internet presence is a blog on current topics of interest: A smart way to attract readers while announcing their added value as a security company.

This is the case of three international players. They are relatively new in this sector and they all combine technology solutions with intelligence services: they are FireEye, founded in 2004, Norse, created in 2010 and Blueliv, founded in 2009. The first two even team up together for customers as relevant as the US Department of Energy.

FireEye, the veteran in this field, is a company that quickly grasped, already in 2004, the relevance to the business world of the advance persistent threats (customised cyber attacks, at the end of the day). When these attacks were already hitting the mass media news, they already devised a product and a service to protect companies.

FireEye offers two blogs:

- ThreatResearch talks about current Internet threats. I recommend a visit to those who want to know about technical details of new malware campaigns and espionage operations that come to light.

- ExecutivePerspectives, less technical, is focused on business matters. It raises awareness among executive managers and budget decision-makers in terms of cyber (in)security.

Let's remember that in 2014 FireEye acquired Mandiant, the security consulting firm led by Richard Bretjlich.

Norse Corporation offers also both an appliance to install and security intelligence services to hire. In its blog it presents news related to current cyber attacks together with their executives' public appearances such as the ones from Sam Glines, Norse co-founder. It also provides a link to a colourful world map with current Internet attacks that seems to be updated in real time. A very effective way to amaze those who do not work in our sector.

An example of a typical blog post is the one showing the use of Splunk, the popular and successful log search engine, with their security intelligence data feed i.e. the product that provides the data presented in the attack map mentioned above.

Blueliv was founded by Daniel Solis. It value proposition is innovative. Gartner mentioned it in 2015 as a "cool vendor". Its blogs contains targets business people, researchers and industry practitioners. There are also some free resources ranging from datasheets to reports and videos. They also display an impressive cyber threat map.

In short, the visit of these three blogs could be a first step for those security professionals willing to get introduced to the security intelligence services arena.

Happy security intelligence gathering!

Shades

Book review: The wisdom of crowds - A leveraging tool

noreply@blogger.com (Unknown) — Sun, 01 Jan 2017 00:30:00 +0000

The book by James Surowiecki titled "The wisdom of crowds" fell into my hands and I read it during the summer of 2015. These are the main learning points that I drew from its reading.

Disclaimer: By no means this personal and non-comprehensive post aims to replace the reading of the book. This post is a biased set of thoughts, most of them extracted from the book, that went through my mind during the reading of this book.

- Diversity and independence are key to be kept in collective decisions.
- To these two points, add also decentralization and aggregation.
- A decision market is a working method to capture collective wisdom.
- Making a group diverse makes it better at problem solving.
- Expertise is spectacularly narrow.
- A large group of diverse and independent people will come up with better decisions.
- Collective decisions are only wise when they draw from very different information sources.
- Centralization is never the answer. Aggregation is.
- Betting markets are very good at predicting markets.
- Crowds find the way to collectively benefit even without speaking to each other if everyone knows that everybody is trying to make a decision.
- We live in a society in which convention has won over rationality (e.g. why all films costs almost the same in the cinema?).
- Maybe as individuals we do not know where we are going but as a group we can achieve great accomplishments.
- People think that people should be where they deserve. Merit is a key element in accepting reality.
- Vehicle traffic: Very easy to create traffic jams. Very complex to get rid of them. As a swarm, we drive quicker if we coordinate with surrounding vehicles.
- If the traffic jam is massive, no easy solution. Personal thought: Maybe then stop the car and read a book.
- Academic challenges in a collaborative environment are a morale booster.
- Reputation should not become the basis of a scientific hierarchy.
- Sometimes, being a member of a group can make people dumber (especially if the group is small and it has leaders on it).
- Sometimes small groups start already with the conclusions instead of reaching them after an evidence-gathering based process.
- Small group view polarization exists. Hierarquies make it worse even.
- The order in which people speak pays an important role.
- People who think of themselves as leaders will influence groups more than others, even if they lack expertise on what they talk about.
- Groups need an efficient way to aggregate their members' opinions.
- Investors not always behave rationally.
- Investors get emotionally attached to their shares.
- Individual irrationality can create collective rationality.
- On average crowds will give you a better answer than individuals.
- Healthy markets are led both by fear and greed.
- Bubbles and crashes are examples of crowd decisions going wrong.
- Groups are smart only when their information sources are balanced in terms of its ownership.
- All these points can be applied (and they are actually being applied) also into the business world.
- These thoughts justify why democracy is preferred to other organisational systems.

As Infosec professionals, if we can have these points in mind when designing security controls and security awareness sessions, our delivered value will be higher.

Happy crowded reading!

Groups fly!

Economics Book Review: Global Financial Systems: Stability & Risk by Jon Danielsson

noreply@blogger.com (Unknown) — Thu, 01 Dec 2016 07:00:00 +0000

How come that an Information Security blog posts now a review of a book dealing with the foundations of modern finance?

If you wonder why, then probably you are starting as an Information Security professional. Good luck to you! Train your psychological resilience.

If you will read this post to find out why the reading of this book is recommendable, then surely you have wondered how Information Security can provide value to the business.

This book titled Global Financial Systems: Stability and Risk is used by his author, Jon Danielsson, in his lectures about Global Financial Systems in the London School of Economics.

In 19 Chapters and in several weeks' reading time, readers get an first comprehensive idea of what has happened in the last decade and what it is currently happening in this global financial crisis. Not only that, readers get also an understanding on key financial concepts.

This information will be of great help to understand the business functionality of the IT Systems that you will probably pen-test or secure or harden or white-hat hack. And not only in the financial sector, literally in any industry sector somehow related or affected by banks i.e. in all industries.

Chapter 1 deals with systemic risk. Worth being highlighted are the interlinks among different risks and the concept of fractional reserve banking.

I identified four concepts that could have a reflection also in the Information Security field: procyclicality, information asymmetry, interdependence and perverse incentives.

Chapter 2 talks about the Great Depression from 1929 to 1933 and four potential causes such as trade restrictions, wrong monetary policies, competitive devaluations and agricultural overproduction.

Chapter 3 talks about a very special type of risk: endogenous risk. The author mentions a graph on how perceived risk goes in time after actual risk. Very interesting concept to apply also in Information Security.

Chapter 4 deals with liquidity and different models bank follow (or should follow). Liquidity is essential but, reading this chapter, complex. The distinction between funding liquidity and market liquidity is also an eye-opener.

Chapter 5 describes central banking and banking supervision. The origin of central banking dates from 1668 in Sweden and from 1694 in England. The author mentions two key roles in central banking: monetary policy and financial stability.

Chapter 6 teaches us why short-term foreign currency borrowing is a bad idea.

Chapter 7 describes the importance of the fractional reserve system and a concept that it is almost opposite to what information security professionals face on a daily basis: moral hazard (literally, "it is what happens when those taking risks do not have to face the full consequences of failure but they enjoy all benefits of success").

Chapter 8 deals with the complexity of coming up with a smart deposit insurance policy that would avoid "moral hazard" possibilities in a fractional reserve banking system.

Chapter 9 describes the problems that trading actions like short selling can bring into the financial system. An impartial reader of this chapter would see the need to come up with an effective and worldwide trading regulation. Concepts such as a "clearing house" and a "central counterparty" are mentioned.

Chapters 10 and 15: Market participants need to know probabilities to default when engaging in credit activities. These chapters explain securitisation concepts such as Special Purpose Vehicles (SPV), Collateralised Debt Obligation (CDO), Asset Backed Securities (ABS) and Credit Default Swaps (CDS). Could you think of similar concepts being used in Information Security?

Chapter 11 presents the "impossible trinity" i.e. no country is able to pursue simultaneously these three goals: fixed exchange rate, free capital movements and an independent monetary policy. Remember that the biggest market is the foreign exchange market.

Chapter 12 focuses on mathematical models of currency crises. The reader can see how these models evolved and how the global games model was proposed.

Chapter 13 goes through the different sets of international financial regulation i.e. Basel I and Basel II. There is also an appendix referring to the Value-At-Risk model.

Chapter 14 could trigger some discussions. There is a patent political element in bailing banks out. Should governments contribute or not to move private sector bank losses into the public sector?

Chapter 16 shows the need to take into account concepts such as tail risk, endogenous risk and systemic risk. Very very interesting reading for us information security professionals.

Chapter 17, 18 and 19 deal with current developments. Chapter 17 studies the period from 2007 to 2009 of the latest financial crisis, chapter 18 describes efforts taken in developing financial regulations and chapter 19 talks about the current sovereign debt crisis and its relation with the common currency and the challenge of a transfer union i.e. a higher degree of unification.

In addition, the website of the book offers the slides of every chapter, a link to modelsandrisk.org and three additional chapters with updated information on the European crisis, financial regulations and current challenges in financial policy.

Happy risk management!

Risky times

Book Review: Executive Data Science by Brian Caffo, Roger D. Peng and Jeffrey Leek

noreply@blogger.com (Unknown) — Tue, 01 Nov 2016 17:13:00 +0000

In the introduction to the Data Science world, one needs to build the right frame surrounding the topic. This is usually done via a set of straight to the point books that I mention or summarise in this blog. This is the third one. All of them appear with the "data science" label.

The third book that I start with is written by Brian Caffo, Roger D. Peng and Jeffrey Leek. Its title is "Executive Data Science". You can get it here. If you need to choose only one among the three books I talked about in this blog, probably the more comprehensive one will be this one.

The collection of bullet points that I have extracted from the book is a way to acknowledge value in a twofold manner: first, I praise the book and congratulate the authors and second, I try to condense in some lines a very personal collection of points extracted from the book.

As always, here it goes my personal disclaimer: the reading of this very personal and non-comprehensive list of bullet points by no means replaces the reading of the book it refers to; on the contrary, this post is an invite to read the entire work.

In approximately 150 pages, the book provides literally the following key points (please consider all bullet points as using inverted commas i.e. they show text coming from the book):

- "Descriptive statistics have many uses, most notably helping us get familiar with a data set".
- Inference is the process of making conclusions about populations from samples.
- The most notable example of experimental design is randomization.
- Two types of learning: supervised and unsupervised.
- Machine Learning focuses on learning.
- Code and software play an important role to see if the data that you have is suitable for answering the question that you have.
- The five phases of a data science project are: question, exploratory data analysis, formal modeling, interpretation and communication.
- There are two common languages for analyzing data. The first one is the R programming language. R is a statistical programming language that allows you to pull data out of a database, analyze it, and produce visualizations very quickly. The other major programming language that’s used for this type of analysis is Python. Python is another similar language that allows you to pull data out of databases, analyze and manipulate it, visualize it, and connected to
downstream production.
- Documentation basically implies a way to integrate the analysis code and the figures and the plots that have been created by the data scientist with plain text that can be used to explain what’s going on. One example is the R Markdown
framework. Another example is iPython notebooks.
- Shiny by R studio is a way to build data products that you can share with people who don’t necessarily have a lot of data science experience.
- Data Engineer and Data Scientist: A data engineer builds out your system for actually computing on that infrastructure. A data scientist needs to be able to do statistics.
- Data scientists: They usually know how to use R or Python, which are general purpose data science languages that people use to analyze data. They know how to do some kind of visualization, often interactive visualization with something like D3.js. And they’ll likely know SQL in order to pull data out of a relational
database.
- kaggle.com is also mentioned as a data science web site.

The authors also provide useful comments on creating, managing and growing a data science team. They start with the basics e.g. "It’s very helpful to right up front have a policy on the Code of Conduct".

- Data science is an iterative process.
- The authors also mention the different types of data science questions (as already mentioned in the summary of the book titled "The Elements of Data Analytic Style".
- They also provide an exploratory data analysis checklist.
- Some words on how to start with modeling.
- Instead of starting to discuss causal analysis, they talk about associational analysis.
- They also provide some tips on data cleaning, interpretation and communication.
- Confounding: The apparent relationship or lack of relationship between A and B may be due to their joint relationship with C.
- A/B testing: giving two options.
- It’s important not to confuse randomization, a strategy used to combat lurking and confounding variables and random sampling, a stategy used to help with generalizability.
- p-value and null hypothesis are also mentioned.
- Finally they link to knit.

Happy data-ing!

Find your way

Book Review: The Elements of Data Analytic Style by @jtleek i.e. Jeffrey Leek

noreply@blogger.com (Unknown) — Sat, 01 Oct 2016 15:46:00 +0000

In the introduction to the Data Science world, one needs to build the right frame surrounding the topic. This is usually done via a set of straight to the point books that I will be summarising in this blog.

The second book that I start with is written by Jeffrey Leek. Its title is "The Elements of Data Analytic Style". You can get it here. It is a primer on basic statistical concepts that are worth having in mind when embarking on a scientific journey.

This summary is a way to acknowledge value in a twofold manner: first, I praise the book and congratulate the author and second, I share with the community a very personal summary of the books.

Let me try to share with you the main learning points I collected from this book. As always, here it goes my personal disclaimer: the reading of this very personal and non-comprehensive summary by no means replaces the reading of the book it refers to; on the contrary, this post is an invite to read the entire work.

In approximately 100 pages, the book provides the following key points:

Type of analysis
Figure 2.1, titled the data analysis question type flow chart is the foundation of the book. It classifies the different types of data analysis. The basic one is a descriptive one (reporting results with no interpretation). A step further is a exploratory analysis (will the proposed statements be still valid in a qualitative way using a different sample?).

If this also holds true in a quantitative manner, then we are in an inferential analysis. If we can use a subset of measures to predict some others then we can talk about a predictive analysis. The next step, certainly less frequent, is the possibility to seek a cause, then we are in a casual analysis. Finally, and very rarely, if we go beyond statistics and find a deterministic relation, then those are the mechanistic analysis.

Correlation does not imply causation
This is key to understand. The additional element to really grasp it is the existence of confounding elements i.e. additional variables, not touched by the statistical work we are embarked on, that connect the variables we are studying. Two telling examples are mentioned in the book:
- The consumption of ice cream and the murder rate are correlated. However, there is no causality. There is a confounder: the temperature.
- Shoe size and literacy are correlated. However there is a confounder here: age.

Other typical mistakes
Overfitting: Using a single unsplit data set for both model building and testing.
Data dredging: Fitting a large number of models to a data set.

Components of a data set
It is not only the raw data, but also the tidy data set, a code book describing each of the variables and its values in the tidy data set and a script on how to reach the tidy data set from the raw data.
The data set should be understood even if you, as producer or curator of the data set, are not there.

Type of variables
Continuous, ordinal, categorical, missing and censored.

Some useful tips
- The preferred way to graphically represent data: plot your data.
- Explore your data thoroughly before jumping to statistical analysis.
- Use a linear regression analysis to compare it with the initial scatterplot of the original data.
- More data usually beats better algorithms.

Section 9 provides some hints on how to write an analysis. Section 10 does a similar role on how to create graphs. Section 11 hints how to present the analysis to the community. Section 12 cares about how to make the entire analysis reproducible. Section 14 provides a checklist and Section 15 additional references.

Happy analysis!

Happy stats!

Book Review: How to be a modern scientist by @jtleek i.e. Jeffrey Leek

noreply@blogger.com (Unknown) — Thu, 01 Sep 2016 17:30:00 +0000

In the introduction to the Data Science world, one needs to build the right frame surrounding the topic. This is usually done via a set of straight to the point books that I will be summarising in this blog.

The first book that I start with is written by Jeffrey Leek. It is not a Data Science book by itself but rather an introductory set of tips on how to aspire to make science today.

The title of the book is "How to be a modern scientist" that you can get here. Actually, the series of posts that I start with this one is a consequence of reading this book. It is a way to acknowledge value in a twofold manner: first, I praise the book and congratulate the author and second, I share with the community a biased version of value that they could obtain by reading this book. These two processes are currently also present in the scientific community, together with more traditional aspects such as scientific paper reading, and, certainly, writing.

Let me try to share with you the main learning points I collected from this book. As always, here it goes my personal disclaimer: the reading of this very personal and non-comprehensive summary by no means replaces the reading of the book it refers to; on the contrary, this post is an invite to read the entire work.

Paper writing and publishing
There are currently three elements in modern science, what you can write, what you can code and the data you can share (the data you have based your investigation on).
The four parts the author states that a scientific paper consists of are great: a set of methodologies, a description of data, a set of results and, finally, a set of claims.
A key point is that your paper should tell or explain a story. That is why the author talks about "selecting your plot" for your paper i.e. once you have an answer to your question is when you start writing your paper.
These chapters distinguish between posting a preprint of a paper (for example in arxiv.org and submitting the paper to a peer-reviewed journal. For junior scientists, the mix the author mentions of using a preprint server and a closed access journal is very adequate.

Peer review and data sharing
The author proposes some elegant ways to carefully and timely review papers and also mentions the use e.g. of blogs to start sharing a serious and constructive review.
Regarding data sharing, his suggestion is to use a public repository that would remain accessible throughout time such as e.g. figshare.com.

Scientific blogging and coding
A way to market your papers can be via blogging. The three recommended platforms are blogger.com, medium.com and wordpress.org.
The author also reminds us that the Internet is a medium in which controversy flourishes.
In terms of code, the suggestion for general code is github.com and bitbucket.com.

Social media in science
An useful way to promote the work of others and your work.

Teaching in science
Post your lectures on the Internet (be aware of any non-disclosure agreements with the University or the educational institution to teach at. Share videos of your lectures and, if resources allow it, create your own online course.

Books and internal scientific communication
Three platforms are suggested: leanpub.com, gitbook.com and amazon kindle direct publishing.

Regarding internal communication, slack.com is one of the proposed tools to keep teams in sync.

Scientific talks and reading scientific papers, credit and career planning and online identity
This are the last sections of the book: some hints on preparing scientific talks, reading papers constructively and, very important, giving credit to all those community members who have help you out either by writing something you use or by creating frameworks you use. A key suggestion is to use as many related metrics as possible in your CV and in your presentations.

Finally, the books ends up with some useful (and common sense based) tips on career planning and online identity.

Thanks to the author of How to be a modern scientist!

Happy revealing!

Economics Book review: Bad Samaritans by Ha-Joon Chang - Reality vs hearsay - Similar in Infosec?

noreply@blogger.com (Unknown) — Mon, 01 Aug 2016 22:30:00 +0000

I am convinced that Information Security professionals can benefit from reading, not only Information Security books like this one or that one, but also books that would shed some light on key business areas. Areas to which, ultimately, Information Security and IT Security provides services to. This is why I propose a series of book reviews outside the Information Security realm. Economics is certainly one of those. Understanding key points on Economics would enable security professionals to understand and assess system and data criticality and to better aim at providing added value to their customers.

In this occasion I present some learning points extracted from the book titled Bad Samaritans by Ha-Joon Chang. Certainly this list does not replace the reading of the book. I do recommend its careful reading.

However, for those with little time, maybe these points can be of help to you:

In two thoughts:

- There is a tendency in rich countries to request developing countries to follow economic policies that are, in many occasions, the opposite of what the rich countries did to reach where they are in economic terms.
- Care, reflection, attention to detail and a sense of fairness should be applied in this politically-driven field named economics.

In more than two thoughts:

On Chapter 0

- South Korea as a country greatly improved in about 50 years. Similarly to Haiti becoming Switzerland. This happened thanks to a mix of economic policies that, during most of those years, from the 1960s to today, by no means could be considered free-trade based.
- This economic development was not only linked to periods of democracy.
- The Korean government was extra careful controlling imports and their influence in their national economy.
- Intellectual property piracy has played an important role in countries that did protect their industries.
- This chapter argues clearly against neo-liberal economics.
- It is interesting to see that today's rich countries used protectionism and subsidies to reach their current state.
- All this has been summarised as "climbing and kicking away the ladder".
- So, it seems that a careful, selective and gradual opening of countries' economies is key to make progress in this matter.

On Chapter 1

- Fewer than 50 years ago, it was unthinkable to see Japan as a high-quality car maker country.
- Democracy in Hong-Kong only started in 1994. Three years before the handover to China. And 152 years after the start of the British ruling.
- Before free trade, there was protectionism.
- Globalisation was not always hand in hand with free trade.
- Interesting thought: Something purely driven by politics is evitable.
- The role of the IMF, the World Bank and the WTO is biased towards the benefit of the rich countries.

On Chapter 2

- How did rich countries become rich? In a nutshell, by protecting their markets.
- How did rich countries protect their markets? Basically by:

Applying tariff rates.
Keeping industries in their local markets
Supporting local industries via governmental decisions (and budget).
Keeping primary commodities production in the colonies.

In a way, while reading this chapter, one can grasp the confusion that, throughout History, economic theories had between limiting parameters during a specific period of time and new limiting parameters after having applied a specific economic policy in terms of development or industrialisation, or even after benefiting from a specific technological breakthrough.

On Chapter 3

Very succinctly, this chapter suggests the need to find the right pace and timeline for a country to adopt free trade or, even, the right balance between protected and free trade. Done very quickly, it could mean a lack of growth. Done very slowly, it could mean losing growth opportunities.

On Chapter 4

Today's rich countries regulated foreign direct investment when they were at the receiving end. Foreign direct investment needs to be regulated.

On Chapter 5

There is a fine line defining which (and whether) some specific enterprises need to be owned by the State and when they need to be sold and to whom.

On Chapter 6

Equally, it is also very complex to get the right balance on Intellectual Property Rights and when ideas need to be protected by patents.

On Chapter 7

Economics is driven by politics. This is the reason why a balanced and prudent government is so decisive.

On Chapter 8

The trouble of corruption and how it damages the economy. Interestingly, economic prosperity and democracy are not so compulsorily linked.

On Chapter 9

Culture in all countries can evolve with the right political measures.

On a Final Chapter

There was at least an example in History when the "Bad Samaritans" (as so called by this book) behaved as "Good Samaritans": The Marshall Plan.

Enjoy the reading!

Enjoy the future!

Papers on Blockchain and Bitcoin: Student notes

noreply@blogger.com (Unknown) — Thu, 30 Jun 2016 23:00:00 +0000

Lots of time devoted to this post. The reader will find it useful to get an initial idea of both concepts: Bitcoin and blockchain.

As usual, a disclaimer note: This summary is not comprehensive and it reflects mostly literal extracts from the mentioned papers and article.

Let's start summarising a classic paper, the paper on bitcoin, written by Satoshi Nakamoto.

Paper 1
Bitcoin: A Peer-to-Peer Electronic Cash System by Satoshi Nakamoto

This paper appeared on 2008. The first Bitcoins were exchanged in 2009. By June 2011 there were around 10000 users and 6.5 million Bitcoins [Info coming from this paper].

Bitcoins (BTC) are generated at a predictable rate. The eventual total number of BTC will 21 million [Info coming from this paper].

This is a proposal of a peer-to-peer electronic cash version. The novelty here is that there is no need for a trusted third party to tackle the double spending challenge. The key for the functioning of this peer-to-peer network is that the majority of CPU power is not controlled by an attacker.

The proposal is to replace the need of trust, an element that make transaction costs higher by a cryptographic (and distributed) proof. More specifically, via a peer-to-peer distributed timestamp server that generates computational proof of the chronological order of transactions.

Interestingly, an electronic coin is a chain of digital signatures. The main challenge in an electronic payment system is double spending avoidance. A digital mint would solve this, however this means that the entire scheme would depend on the mint.

The participants of the peer-to-peer network form a collective consensus regarding the validity of this transaction by appending it to the public history of previously agreed transactions (the blockchain) using a hashing function and their keypair. A transaction can have multiple inputs and multiple outputs [Info coming from this paper].

The only way to confirm the absence of a transaction is to be aware of all transactions. Without the role of a central party, this translates into two requirements:
- All transactions must be publicly announced.
- All market participants should agree on a single payment history. In practical terms, this means the majority of market participants.

The first technical element requiring this electronic payment proposal is a timestamp server. Each timestamp includes all previous timestamps. A timestamp consists of a published hash of a block of items.

How do we consider the distributed nature of the system in the case of the timestamp servers? The authors (or author) propose a proof-of-work system. In this case, the proof-of-work means one CPU-one vote. The majority decision is represented by the longest chain. This longest chain will have the greatest proof of work effort invested in it.

Technically, the proof-of-work involves scanning for a value that when hashed, the hash begins with a number of zero bits. The average work required is exponential in the number of zero bits required and can be verified by executing a single hash.

The reader can start grasping the great degree of CPU-intensity that this electronic payment system requires.

Nodes always consider the longest chain to be the correct one and they will keep working on extending it.

Incentives come both from the creation of a new coin and from transaction fees. The first transaction in a block is a special transaction that starts a new coin owned by the creator of the block. Potential attackers will find much more benefitial to them to devote their CPU cycles and electricity to create new coins rather than to re-do existing blocks and to control enough consensus for theirs.

Transactions are hashed in a Merkle Tree way. This makes payment verification possible without running a full network node. This verification helps as long as honest nodes control the network.

The authors state that there is never the need to extract a complete standalone copy of a transaction history.

As all transactions need to be published, the way to obtain privacy in this system is to de-couple identities from public keys. However, privacy is only partially guaranteed. An additional recommendation is to use a new keypair for each new transaction.

An attacker can only try to change one of their own transactions to take back money that they recently spent.

Paper 2
An Analysis of Anonymity in the Bitcoin System by Fergal Reid and Martin Harrigan

This paper provides further input, probably the first paper, on the topic we mentioned earlier in this post regarding Bitcoin and the limits of user anonymity.

The decentralised nature of the BTC system and the lack of a central authority brings along the need to make all transaction history publicly available.

Users in Bitcoin are identified by public keys. Bitcoin maps a public key with a user only in the user's node and it allows users to issue as many public keys as wished. Users can also make use of third-party mixers (or laundry).

The interesting element of this paper is the description of the topological structure of two networks derived from Bitcoin's public transaction history: The transaction network and the user network. This is doable thanks to the transaction history being publicly available. After joining Bitcoin's peer-to-peer network, a client can freely request the entire history of Bitcoin transactions. This enables the possibility of performing passive identification analysis.

The authors of this paper studied BTC transactions from January 2009 to July 2011. 1019486 transactions and 12530564 public keys.

The authors of this paper are not aware of network structure studies of electronic currencies. However, this was done in a physical currency based on gift certificates named Tomamae-cho that existed in Japan during 3 months in 2004-2005.

The flow of that currency showed that the cumulative degree distribution followed a power-law distribution and the network showed small-world properties (high average clustering coefficient and low average path length.

Many papers maintain the difficulty to keep anonymity in networks in which user behaviour data is available. The main postulate of the authors of this paper is that Bitcoin does not anonymise user activity.

The transaction network
It represents the flow of BTCs between transactions over time. Each node represents a transaction and each directed edge represents an output of the transaction corresponding to the source node that is an input to the transaction corresponding to the target node. Each edge includes a timestamp and a BTC value.

There is no preferential attachment in this network.

The user network
It represents the flow of BTCs between users over time. Each node represents a user and each directed edge represents an input-output pair of a single transaction. Each directed edge also includes a timestamp and a BTC value.

As a user can use many different public keys, the authors of the paper construct an ancillary network in which each vertex represents a public key. They connect nodes with undirected edges where each edge joins a pair of public keys that are both inputs to the same transaction and then are controlled by the same user.

The contraction of public keys into users generates a network that is a proxy for the social network of BTC users.

Disassembling anonymity
A first source to decrease anonymity consists of integrating off-network information. Some BTC related organisations relate public keys with personally identifiable information. SOme BTC users disclose voluntarily their public keys in fora.

Bitcoin public keys are strings with about 33 characters in length and starting with the digit one.

A second source of information is IP addressing. Unless they are using anonymising proxy technology such as Tor, it is relatively true that the first IP address informing of a transaction is the source of it.

A third source is based in egocentric analysis and visualisation e.g. WIkileaks published its public key to request donations. The analysis of transactions having as destination that particular public key can also provide input on identities.

A fourth source will be context discovery e.g. identifying nodes that correspond to BTC brokers.

These techniques help investigating BTC thefts. For example, a very quick transfer of BTCs between public keys (most of them not yet known to the network of already done transactions) can be an indication to generate a theft hypothesis.

There are other analysis paths involving tainted BTCs, order books from BTC exchanges, client implementations, time analysis and the like.

Mitigation strategies
The official BTC client could be patched to prevent the linking of public keys with user information, a service that would use dummy public keys could be implemented (certainly, this would increase transaction fees). Even the BTC protocol could be modified to allow for BTC mixing at protocol level.

For the time being, the authors of this paper state that physical cash payments still represent a competitive and anonymous payment system.

The final statement from the authors of this paper: "Strong anonymity is not a prominent design goal of the BTC system".

Paper 3
Bitcoin: Economics, Technology and Governance by Rainer Boehme, Nicolas Christin, Benjamin Edelman and Tyler Moore

This paper defines Bitcoin (BTC) as an online communication protocol facilitating the use of a virtual currency. It states that BTc is the first widely adopted mechanism to provide absolute scarcity of a money supply. Inflation does not have a place in this system.

Public keys serve as account numbers. Every new transaction published to the BTC network is periodically grouped in a block of recent transactions. A new block is added to the chain of blocks every ten minutes.

In some cases, a transaction batch will be added to the block chain but then a few minutes later it will be altered because a majority of miners reached a different solution.

When listing a transaction, the buyer and the seller can also offer to pay a "transaction fee", normally 0.0001 which is a bonus payment to whatever miner solves the computationally difficult puzzle that verifies the transaction.

The paper reviews four key categories of intermediaries: Currency exchanges, digital wallet services, mixers and mining pools.

Currency exchanges
They exchange BTCs for traditional currencies or other virtual currencies. Most operate double auctions with bids and asks and charge a commission (from to 0.2. to 2 percent). Today BTC resembles more a payment platform rather than a real currency.

There are significant regulatory requirements (including expensive certification fees) to establish a exchange. In addition to that, they require considerable security measures. So the number of them is relatively limited.

Digital wallet services
They are data files that include BTC accounts, recorded transactions and keys necessary to spend or transfer the stored value. In practice, digital wallet services tend to increase centralisation (and online availability with high security requirements also).

The loss of a private key, if not backed up, would mean the loss of the possibility to trade with those owned (i.e. digitally signed) BTCs.

The entire blockchain reached 30GB in March 2015.

Mixers
Mixers ensure that timing does not yield clues about money flows. They let users pool sets of transactions in unpredictable combinations. Mixers charge 1 to 3 percent of the amount sent. Mixer protocols are usually not public.

Mining pools
BTCs are created when a miner solves a mathematical puzzle. Mining pools now combine resources from numerous miners. Oversized mining pools threaten the decentralisation that underpins BTC's trustworthiness.

Uses of Bitcoin
Initially it seems illicit activities use BTC given its openness and distributed nature. Every Bitcoin transaction must be copied into all future versions of the block chain. Updating the block chain entails an undesirable delay, making BTC too slow for many in-person retail payments.

Some scientists stress the importance of BTC for its ability to create a decentralised record of almost anything.

Risks in BTC
Market risk due to the fluctuation in the exchange rate between BTC and other currencies. It has also the shallow market problem: a person trading quickly a large amount would affect the market price.
Counterparty risk: Of the exchanges that closed (either due to a security breach or to low-volume business), 46% of them did not reimburse their customers after shutting down.

The BTC system offers no possibility to un-do a transaction, creating then transaction risk (and affecting end consumer protection).

There is certainly some operational risk coming from the technical infrastructure and the already mentioned 51 percent attack.

Finally, BTC faces also privacy, legal and regulatory risks.

Crime
Three types, BTC-specific crime, BTC-facilitated crime and money laundering.

Regulation
The authors suggest that longstanding reporting requirements can provide a level of compliance for virtual currencies similar to what has been achieved for traditional currencies. However, they recommend to consider regulations in the broader context of a global market for virtual currencies services.

Social science lab
Interestingly, most users treat their bitcoin investments as speculative assets rather than as means of payment.

Incentives
A so far theoretical concern: Larger blocks are less likely to win a block race than a smaller one.

Privacy and anonymity
Some authors claim that almost have of BTC users can be identified.

An open question posed by the authors
What happens if the BTC economy grows faster than the supply of bitcoins?

A final thought by the authors of this paper: BTC may be able to accommodate a community of experimentation built on its foundations.

Paper 4
Bitcoin-NG: A scalable blockchain protocol by Ittay Eyal, Adem Efe Gencer, Emin Gun Sirer, and Robert van Renesse (Cornell Univesity)

This paper proposes a new blockchain protocol designed to scale. Original bitcoin-derived blockchain protocols have inherent scalability limits. To improve efficiency, one has to trade off throughput for latency. BTC currently targets a conservative 10-minute slot between blocks, yielding 10 minute expected latencies for transactions to be encoded in the blockchain.

Bitcoin-NG achieves a performance improvement by decoupling Bitcoin's blockchain operation into two planes: leader election and transaction serialisation.

Some generic descriptions of the blockchain protocol
An output is spent if it is the input of another transaction. A client owns x Bitcoins at time t if the aggregate of unspent outputs to its address is x. The miners commit the transactions into a global append-only log called the blockchain.

Blockchain
The blockchain records transactions in units of blocks. A valid block contains a solution to a cryptopuzzle involving the hash of the previous block, the hash (the Merkle root) of the transactions in the current block, which have to be valid and a special transaction (the coinbase) crediting the miner with the reward for solving the cryptopuzzle. The cryptopuzzle is a double hash of the block header whose result has to be smaller than a set value. The difficulty of the problem, set by this value, is dynamically adjusted such that blocks are generated at an average rate of one every ten minutes.

Bitcoin-NG
It is a blockchain protocol that serialises transactions allowing for better latency and bandwidth than BTC.

The protocol divides into time epochs. In each epoch, a single leader is in charge of serialising state machine transitions. To facilitate state propagation, leaders generate blocks. The protocol introduces two types of blocks: key blocks for leader election and microblocks that contain the ledger entries.

Leader election is already taking place in BTC. But in BTC the leader is in charge of serialising history, making the entire duration of time between leader elections a long system freeze. Leader election in BTC-NG is forward-looking and ensures that the system is able to continually process transactions.

Resilience
Bitcoin-NG is resilient to selfish mining against attackers with less than 1/4 of the mining power.

Bitcoin-NG shows that it is possible to improve the scalability of blockchain protocols to the point where the network diameter limits consensus latency and the individual node processing power is the throughput bottleneck.

Paper 5
A Protocol for Interledger Payments by Stefan Thomas and Evan Schwartz

This paper deals with the complexity to move money between different payment systems. The authors of the paper propose a way to connect different blockchain implementations. It uses ledger-provided escrow (conditional locking of funds) to allow secure payments through untrusted connectors.

This is a protocol for secure interledger payments across an arbitrary chain of ledgers and connectors. It uses ledger-provided escrow based on cryptographic conditions to remove the need to trust connectors between different ledgers. Payments can be as fast and cheap as the participating ledgers and connectors allow and transaction details are private to their participants.

The focus of this summary is not the deep description of this protocol but the introduction to the BAR (Byzantine, Altruistic, Rational model.

Byzantine actors may deviate from the protocol for any reason, ranging from technical failure to deliberate attempts to harm other parties or simply impede the protocol.

Altruistic actors follow the protocol exactly.

Rational actors are self-interested and will follow or deviate from the protocol to maximize their short and long-term benefits.

The authors of the paper assume that all actors in the payment are either Rational or Byzantine. Any participant in a payment may attempt to overload or defraud any other actors involved. Thus, escrow is needed to make secure interledger payments.

This protocol proposes two working modes: The atomic mode and the universal mode.

In the atomic mode, transfers are coordinated by a group of notaries that serve as the source of truth regarding the success or failure of the payment. The atomic mode only guarantees atomicity when notaries N act honestly. Rational actors can be incentivised to participate with a fee.

The universal mode relies on the incentives of rational participants to eliminate the need for external coordination.

Paper 6
A Next-Generation Smart Contract and Decentralized Application Platform from Ethereum's GitHub repository

This white paper presents a blockchain implementation alternative to BTC and, initiallly, more generic.It presents blockchain technology as a tool of distributed consensus. It is not only cryptocurrencies but also financial instruments, non-fungible assets such as domain names or any other digital asset being controlled by a script i.e. a piece of code implementing arbitrary rules (e.g. smart contracts).

Ethereum provides a blockchain with a built-in fully fledged Turing-complete programming language.

A recap on BTC

As already mention in the summary of Paper 1 in this post, BTC is a decentralised currency managing ownership through public key cryptography with a consensus algorithm named "proof of work". It achieves two main goals: It allows nodes in the network to collectively agree on the state of the BTC ledger and it allows free entry into the consensus process. How does it do this last point? By replacing the need to use a central register by an economic barrier.

The ledger of a cryptocurrency can be thought of as a state transition system. The "state" in BTC is the collection of all coins (unspent transaction outputs, UTXO) and their owners.

BTC decentralised consensus process requires nodes in the network to continuously attempt to produce packages of transactions called blocks. The network is intended to create a block every ten minutes. Each block contains a timestamp, a nonce, a hash of the previous block and a list of all transactions that took place in the previous block.

Requirement for the "proof of work": The double SHA256 hash of every block - a 256-bit number - must be less than a dynamically adjusted target (e.g. 2 to the power of 187).

The miner of every block is entitled to include a transaction giving themselves 25 BTC out of nowhere.

In the event of a malicious attacker, they will target the order of transactions, not protected by cryptography.

The rule is that in a fork the longest blockchain prevails. In order for an attacker to make his blockchain the longest, he would need to have more computational power than the rest of the network (51% attack).

Merkle Trees
A Merkle Tree is a type of binary tree. Each node is the hash of its two children. As hashes propagate upwards. This way, a client, by downloading the header of a block, would know whether the block has been tampered.

A "simplified payment verification" protocol allows for light nodes to exist. They download only block headers and branches related to their transactions.

Alternative blockchain applications

Namecoin: A decentralised name registration database.
Colored coins and metacoins: A customised digital currency on top of BTC.

Basic scripting
UTXO in BTC can be owned also by a script expressed in a simple stack-based programming language. However, this language has some drawbacks:

- Lack of Turing completeness. Loops are not supported.
- Value-blindness: UTXO are all or nothing.
- No opportunity to consider multi-stage contracts.
- UTXOs are blockchain-blind.

Ethereum builds an alternative framework with a built-in Turing-complete programming language.

Ethereum
An Ethereum account contains four fields: The nonce (a counter that guarantees that each transaction can only be processed once), the ether balance, the contract code and the account's storage.

Ether is the crypto-fuel of Ethereum. Externally owned accounts are controlled by private keys and contract accounts are controlled by their contract code.

Contracts are autonomous agents living inside the Ethereum execution environment. Contracts have the ability to send message to other contracts. A message is a transaction produced by a contract. A transaction refers to the signed data package that stores a message to be sent from an externally owned account. Each transaction sets a limit to how many computational steps of code execution it can use.

Ethereum is also based on blockchain. Ethereum blocks contain a copy of both the transaction and the most recent state.

Ethereum applications
Token systems, financial derivatives (financial contracts mostly require reference to an external price ticker), identity and reputation systems, decentralised file storage and decentralised autonomous organisations.

Other potential uses are saving wallets, a decentralised data feed, smart multisignature escrow, cloud computing, peer-to-peer gambling and prediction markets.

GHOST
Blockchains with fast confirmation times suffer from reduced security due to blocks taking a long time to propagate through the network. Ethereum implements a simplified version of GHOST (Greedy Heaviest Observed Subtree) which only goes down seven levels.

Currency issuance
Ether is released in a currency sale at the price of 1000-2000 ether per BTC. Ether has an endowment pool and a permanently growing linear supply.

The linear supply reduces the risk of an excessive wealth concentration and gives users a fair chance to acquire ether.

Mining
BTC mining is no longer a decentralised and egalitarian task. It requires high investments. Most BTC miners rely on a centralised mining pool to provide block headers. Ethereum will use a mining algorithm where miners are required to fetch random data from the state. This white paper states that this model is untested.
Ethereum full nodes need to store just the state instead of the entire blockchain history. Every miner will be forced to be a full node, creating a lower bound on the number of full nodes and an intermediate state tree root after processing each transaction will be included in the blockchain.

The question now is ... will it work?

Article 1
Technology: Banks Seek the Key to Blockchain by Jane Wild, Martin Arnold and Philip Stafford - FT.com

This FT.com article on blockchain can be found here. The authors mention an internal blockchain implementation and remember that a blockchain is a shared database technology that connects consumers and suppliers creating online networks with no need for middlemen or a central authority. Applications are endless and supporters claim that trust is created by the participating parties.

The authors of this article mention the use of blockchain, also named distributed ledger, as a back-office new implementation and even new governmental implementations such as land registers.

There are two types of blockchains in terms of accessibility: invitation-only (private) and public (open). UBS and Microsoft are working with blockchain start-up Ethereum (running an open source technology). Other banks are going the private blockchain way.

The authors of this article also mention that this technology has in front of it key challenges such as robustness, security, regulation.

The ledger of BTC weighs already more than 45 GB.


Bits and pieces

Using Networks To Make Predictions - A lecture (3 of 3) by Mark Newman

noreply@blogger.com (Unknown) — Tue, 31 May 2016 23:30:00 +0000

For those willing to get introduced to the world of complex networks, the three lectures given by Mark Newman, a British physicist, at the Santa Fe Institute on 14,15 and 16 September 2010 are a great way to get to know a little bit about this field.

The first lecture introduced the concept of networks. The second lecture talked about network characteristics (centrality, degree, transitivity, homophily and modularity). Let's continue with the third lecture. You can find it here. This time on the impact of network science.

In this post I summarise (certainly in a very personal fashion, although some points are directly extracted from his slides) the learning points I extracted from the lecture.

Dynamics in networks
- For example, how does a rumor spread in a network?
- This aspect is much more controversial than the point touched in lectures 1 and 2.
- An example: Citation networks (e.g. the network of legal opinions or the network of scientific papers).
- "Price observed that the distribution of the number of citations a paper gets follows a power law or Pareto distribution - a fat-tailed distribution in which most papers get few citations and a few get many".
- This power law is somehow surprising.

Power laws
- In comparison to a normal distribution, the power law shows that there are some nodes with a number of links that is several orders of magnitude higher. This does not happen in normal distributions.
- Examples of cases that follow a Pareto law (power law) are word counts in books, web hits, wealth distribution, family names, city populations, etc.
- Power law - the 80/20 rule. E.g. "the top 20% own 86% of the wealth. 10% of the cities have 60% of the people. 75% of people have surnames in the top 1%.
- Power laws are a very study area in complex systems.

Where do power laws come from? Preferential attachment
- The importance of getting an early lead e.g. with an excellent product, or by good marketing.
- A plausible theory is preferential attachment. Interestingly enough, this theory does ignore the content of the papers. It only uses the number of links the nodes have.
- First mover advantage: In citations, if you are one of the first ones writing on a topic, your paper will be cited anyway, regardless of the content. They are the early lead in that specific field.
- How many you have depends on how many you already have.
- In conclusion, it is much more effective, according to this theory, to write a mediocre paper on tomorrow's field rather than a superb paper in today's field.
- The long tail effect: A small number of nodes with lots of connections.

The spread of a disease over a network
- Percolation model. In a specific network, I colour some of the edges and with those I have a different network starting from my initial network.
- How does the structure of the network influence the spread of a disease?
- Degree is the number of connections you have.
- Hubs are extremely effective of passing diseases along.
- What about if we vaccinate hubs? Targeted vaccination.
- Herd immunisation.
- Targeted attacks are much more effective (clear link with information security)
- We can use the network itself to find the hubs.
- People who should be vaccinated are the most mentioned friends.

Network robustness
- Can we tell that a network is robust by looking at its structure? Let's go back to the concept of homophily (mentioned in Part 2 or 3 of this series of lectures).
- Homophily by degree: Party people hanging out with party people (positive correlation coefficient in social networks- high degree nodes connect with high degree nodes).
- You get a very dense core and very clean borders. Social networks are then very robust networks. This is exactly the opposite we would like in terms of disease spread.
- Social networks are very robust and easy to vaccinate against diseases.
- Internet is fragile however. The high degree nodes connect with the low degree nodes. The highly dense nodes connect with scarcely connected nodes. The high degree nodes are spread out all over the network. Those networks are not so robust. They are fragile. If you knock down nodes with high degree, you knock down the network very quickly.
- Number of connections (x axis) is the degree.
- The crucial factor in the spread of disease is airplanes.

Future directions
- Great slide: This is very very new field. "We need to
- Improve the measurement of networks.
- Understand how networks change over time.
- Understand how changing a network can change its performance, and perhaps improve it.
- Get better at predicting network phenomena.
- Predict how society will react or evolve based on social networks.
- Prevent disease outbreaks before they happen.
- And..?"
- Sometimes you engineer a network and sometimes it works!

Networking city

Book Review: Intentional Risk Management Through Complex Networks Analysis - Innovation for Infosec

noreply@blogger.com (Unknown) — Sat, 30 Apr 2016 23:00:00 +0000

This post provides a non-comprehensive summary of a multi-author book published in 2015 titled "Intentional Risk Management Through Complex Networks Analysis".
I recommend this book to those looking for real science-based Information Security innovations. This statement is not a forced marketing slogan. It is a reality.
The authors of this book are, in alphabetic order Victor Chapela, Regino Criado, Santiago Moral and Miguel Romance.

In this post I present some of the interesting points proposed by the authors. The ideas mentioned here are coming from the book. Certainly this summary is a clear invitation to read the book, digest its innovative proposals and start innovating in this demanding field of IT Security.

Chapter 1. Intentional Risk and Cyber-Security: A Motivating Introduction

The authors start distinguishing between Static Risk and Dynamic Risk. Static Risk is opportunistic risk (e.g. identity theft). Dynamic Risk is directed intentional risk that attempts to use potentially existing but unauthorised paths (e.g. using a vulnerability).

Static Risk is based on the probability that a user with authorised access to a specific application abuse his access for personal gain. This risk can be deterred by reducing anonymity.

In Dynamic Risk the attacker tries to get the most valuable node via the least number of hops via authorised or unauthorised accesses.

Currently the main driver for a cyber-attack is the expected profit for the attacker. The book also links Intentionality Management with Game Theory, specifically with the stability analysis of John Nash's equilibrium. The book uses Complex Network Theory (both in terms of structure and dynamics) to provide a physical and logical structure of where the game is played.

The authors consider intentionality as the backbone for cyber-risk management. They mention a figure, coming from a security provider, of around USD 400 billion as the latest annual cost of cyber-crime.

The authors make a distinction between:
- Accidental risk management, a field in which there is a cause that leads to an effect and attacks are prevented mostly with redundancy (e.g. in data centres) and
- Intentional risk management, in which we have to analyse the end goal of the attackers.

To prevent these attacks we can:

- Reduce the value of the asset.
- Increase the risk the attacker runs.
- Increase the cost for the attacker.

Traditionally the risk management methodologies are based on an actuarial approach, using the typical probability x impact. Being the probability based on observation of the frequency of past events.

We need to assess which assets are the most valuable assets for the attackers.

Using network theory, whose foundations can also be found in this blog in summaries posted in October 2015, November 2015, December 2015, January 2016, February 2016 and March 2016, the more connected a node is (or the more accessibility a computer system has), the greater is the risk for it to be hackable.

A key point proposed by this book: Calculated risk values should be intrinsic to the attributes of the network and require no expert estimates. The authors break down attackers' expected profit into these three elements:

- Expected income i.e. the value for them.
- The expense they run (depending on the accessibility both via a technical user access or a non-technical user access).
- Risk to the attacker (related to anonymity and some deterrent legal, economic and social consequences.

An attacker prefers busy applications that are highly accessible, admin access privileges and critical remote execution vulnerabilities. The main driver for attackers is value for them. Attackers in the dynamic risk arena are not deterred by anonymity.

The authors relate anonymity to the number of users who have access to the same application.

Chapter 2. Mathematical Foundations: Complex Networks and Graphs (A Review)
Complex network model the structure and non-linear non-linear dynamics of discrete complex systems.

The authors mention the difference between holism and reductionism. Reductionism works if the system is linear. Complexity depends on the degrees of freedom that a system has and whether linearity is present.

Networks are composed of vertices and edges. In complex networks small changes may have global consequences.

Euler walk: A path between two nodes for which every link appears exactly once. The degree of a node is the number of links the node shares.

If the number of links with odd degree is greater than 2 then no Euler walk exists.

If the number of links with odd degree equals 0 then there are Euler walks from any node.

If the number of links with odd degree equals 2 then there is only an Euler walk from one of the odd nodes.

A graph is the mathematical representation of a network. The adjacency matrix of a graph is a way to determine the graph completely. A node with a low degree is weakly connected. A regular network is a network whose nodes have exactly the same degree.

In a directed network the adjacency matrix is not necessarily symmetric. Paths do not allow repetition of vertices while walks do. A tree is a connected graph in which any two vertices are connected by exactly one path.

Structural vulnerability: How does the removal of a finite number of links and/or nodes affect the topology of a network?

Two nodes with a common neighbour are likely to connect to each other. The clustering coefficient measures it.

The eigenvector centrality of a node is proportional to the sum of the centrality values of all its neighbouring nodes.

Spectral graph theory studies the eigenvalues of matrices that embody the graph structure.

Betweenness centrality: Edge betweenness of an edge is the fraction of shortest paths between pairs of vertices that run along it. Degree distribution provides the probability of finding a node in G with degree k.

Complex networks models
In random graphs, the probability that 2 neighbours of a node are connected is the probability that two randomly chosen nodes are linked. Large scale random networks have no clustering in general. The average distance in a random network is rather small.

Small world model
Some real networks like the Internet have characteristics which are not explained by uniformly random connectivity. Small world property: The network diameter is much smaller that the number of nodes. Most vertices can be reached from the others through a small number of edges.

Scale-free networks
The degree distribution does not follow a Poisson like distribution but does follow a power law i.e. the majority of nodes have low degree and some nodes, the hubs, have an extremely high connectivity.

Additionally, many systems are strongly clustered with many short paths between the nodes. They obey the small world property.

Scale-free networks emerge in the context of a growing network in which new nodes prefer to connect to highly connected nodes. When there are constraints limiting the addition of new edges, then broad-scale or single-scale networks appear.

Assortative networks
Most edges connect nodes that exhibit similar degrees (the opposite is disassortative networks).

A Hamiltonian cycle in a graph passes through all its nodes exactly once. The line graph is a set of nodes that are the initial set of edges.

Chapter 3. Random Walkers

Two different types of random walkers: Uniform random walkers and random walkers with spectral jump (a personalisation vector).

Statistical mechanics: The frequency of all the nodes will be the same in all the random walkers developed. In any type of random walker the most important element is the frequency with which each node appears.

"If we move on a network in a random way, we will pass more often through the more accessible nodes". This is the idea of the PageRank algorithm used by Google. The difficulty comes to compute the frequency of each node. A random walker on a network can be modelled by a discrete-time Markov chain.

Multiplex networks: The edges of those networks are distributed among several layers. It is useful to model Dynamic Risk.

Intentional risk analysis
Accessibility: Linked to the frequency of a uniform random walker with spectral jump in the weighted network of licit connections. Two types of nodes:

- Connection-generator nodes (e.g. Internet access, effective access of internal staff).
- Non connection-generator node (those nodes through which the communication is processed).

Static intentional risk? (It exists but it is not so key I assume) The accessibility of each connection is zero cost because the accesses have been achieved by using the structure of the network.

In dynamic intentional risk each connection or non-designed access increase entails a cost for the attacker who seeks access to the valuable information (the vaults).

Modelling accessibility
A biased random walker with spectral jumps, going to those nodes with an optimal cost/benefit ratio. The random walker makes movements approaching the vaults. Accessibility in dynamic intentional risk may be modelled using a biased random walker with no spectral jumps in a 3-layered multiplex network.

1. A first layer corresponding to spectral jumps (ending and starting connections).
2. A second layer with the existing connections registered by the sniffing.
3. A third layer with connections due to the existence of both vulnerabilities + affinities.

Chapter 4. The Role of Accessibility in the Static and Dynamic Risk Computation

The anonymity is computed for each edge of the intentionality network. The value and the accessibility are computed for each node. Two ways to calculate the edge's PageRank:

a. via the classic PageRank algorithm (frequency of access to an edge and the PageRank of its nodes).
b. via Line Graph i.e. the nodes are the edges of the original network.

The dumping factor will be the jumping factor.

The outcome will be a weighted and directed network with n nodes and m edges. There are equivalent approaches using the personalization vector.

Chapter 5. Mathematical Model I: Static Intentional Risk

Static Risk: Opportunistic risk. Risk follows authorised paths.
Dynamic Risk: Directed intentional risk. Tendency to follow unauthorised paths. Linked to the use of potentially existing paths but not authorised in the network.

The model is based on the information accessibility, on its value and on the anonymity level of the attacker.

Intentionality complex network for static risk. Elements:

- Value: How profitable the attack is.
- Anonymity: How easy the identity of the attacker is determined.
- Accessibility: How easily the attack is carried out.

Every node has a resistance (a measure for an attacker to get access). Value is located at certain nodes of the network called vaults. Different algorithms will be used: Max-path algorithm, value assignment algorithm and accessibility assignment algorithm.

Static risk intentionality network construction method:
1. Network construction from the table of connection catches.
2. Network collapsed and anonymity assignment.
3. Value assignment.
4. Accessibility assignment.

Two networks appear in this study, the users network and the admins network. Network sniffing provides the connections between the nodes IP and the nodes IP:ports. Based on this sniffing, we get the number of users who use each one of the edges. The inverse of that integer number becomes the label for each edge. The max-path algorithm is executed to distribute the value from the vaults to all the nodes of the networks.

The inverse of the number of users in each edge is used as a value reduction factor. The higher the number of users who access a node, the higher value reduction potential attackers will have in that node but, however, the higher anonymity they will have though.

Each edge is labelled with the frequency of access (the number of accesses). The accessibility of a node is linked to the accessibility of the edges connecting it. For each edge, the PageRank algorithm is calculated.

The higher the access frequency, the higher the probability that someone will misuse the information present in that node.

The higher the profit to risk ratio for the attacker, the greater the motivation for the attacker.

The paradigm shift is relevant: From the traditional risk = impact x probability to:

- Attacker income: Value for each element of the network.
- Attacker probability: Directly proportional to accessibility.
- Attacker risk: 1/anonymity.

The value of each element resides in the node. Anonymity resides on the edge.
The profit to risk for the attacker ratio (PAR) =

value x accessibility x (anonymity /k) being k the potential punishment probability for the attacker.

Chapter 6. Mathematical Model II: Dynamic Intentional Risk

Zero-day attacks are not integrated in the model.

In static risk:

- The most important single attribute is Value. The value depends on the percentage of value accessible by the user.
- The attacker uses their authorised access.
- Anonymity is an important incentive. Lack of anonymity is a deterrent.
- Accessibility has no cost (the user is already authorised)
- There is a higher level of personal risk perception.
- The higher the number of users, the higher his perceived anonymity.

In dynamic risk:

- The most important single attribute is accessibility.
- The degree of anonymity is not a deterrent (the user is not already authorised or known).

- The hacker tries to access the entire value.
- Typical values of anynomity: Coming from the Internet anonymity equals 1, from Wireless equals 0.5 and from the Intranet equals 0.

Accessibility in Dynamic Risk
Each jump of a non-authorised user from one element to another element increases the cost for the attacker. The more distance to the value, the more difficult and costly the attack is.

Dynamic risk construction
First step: Performing a vulnerability scanning of the network to get all non-authorised paths (known vulnerabilities, open ports, app fingerprinting, known vulnerabilities and so forth).

The vulnerability scanner used is Nessus.

Two types of potential connections:
- Affinities: Two nodes sharing e.g. OS, configurations and users.
- Vulnerabilities.

A modified version of the PageRank algorithm is used.

Dynamic Risk model

User network + admins network + affinities + vulnerabilities

Anonymity does not play any role in Dynamic Risk but accessibility is the main parameter.

Each edge has an associate weight. The dynamic risk of an element is the potential profit the attacker obtains reaching that element. As anonymity is not relevant in the context of dynamic risk, it is not necessary to collapse its associated network.

The accessibility of an element of the Dynamic Risk Network is the value we get for the relative frequency of a biased random walker through that element.

- Dynamic risk = value x accessibility
- The dynamic risk of a network is the maximum dynamic risk value of its elements (interesting idea - why not the sum?)
- The dynamic risk average = the total value found in the vaults x accessibility average (the root mean square of all accessibility values associated to elements of the network in the context of dynamic risk).

Chapter 7. Towards the Implementation of the Model

Source ports in this model are not important. They are mostly generated randomly.

Access levels. Restricted and unrestricted.
The higher the level of privilege, the more information and functionality an attacker can access. Typically there are two types of accesses, based on different ports:

- Restricted end user access: Always authorised and mostly with low risk.

- Unrestricted technical access: Any access that allows a technical user or an external hacker to have unrestricted access to code, configuration or data. It can be authorised or gained via an exploit. It is a high risk: Using admin access in an application you can in most cases escalate privileges to gain control over the server and the network.

For static risk we need to find which accesses are already authorised and normal. The frequency of connections for each socket (especially for the frequently used sockets) informs about the busiest routes and how many hosts accessed a specific application.

For dynamic risk, we need to model the potential routes that a hacker might find and exploit. For an attacker, sockets that are used normally are desirable since they are more anonymous.

Attackers will select routes where they can obtain the most privileges with the least effort and get the closest to their end goal.

Other unknown risks are out of the scope of this proposal. This is a key point to understand.

To calculate anonymity in the static risk network we need to collapse all the IP sources that connect to the same port destination. It will be the inverse of the number of IP sources collapsed.

Value: How much the data or functionality is worth for the attacker. It needs to be placed manually into those vault nodes.

And the ending point of the book is the great news that the authors are working on a proof of concept.

Innovation in IT Security


Rocky landscape