<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Savva Pistolas</title>
  <subtitle>Writing about AI, alignment, systems thinking, cybersecurity, futurism, privacy, and more.</subtitle>
  <link href="https://pistolas.co.uk/feed.xml" rel="self" type="application/atom+xml"/>
  <link href="https://pistolas.co.uk/" rel="alternate" type="text/html"/>
  <id>https://pistolas.co.uk/</id>
  <updated>2026-03-08T01:19:57Z</updated>
  <author>
    <name>Savva Pistolas</name>
    <email>savva@pistolas.co.uk</email>
  </author>
  
  <entry>
    <title>AI as a detector of work that needn&#39;t be</title>
    <link href="https://pistolas.co.uk/work-that-need-not-be/" rel="alternate" type="text/html"/>
    <id>https://pistolas.co.uk/work-that-need-not-be/</id>
    <published>2026-03-08T00:00:00Z</published>
    <updated>2026-03-08T00:00:00Z</updated>
    <summary>Can AI serve as our quiet advocate for rooting out poorly designed systems that sideline human experience in favour of performative artefacts that allude to productivity?</summary>
    <content type="html"><![CDATA[&lt;p&gt;Artificial Intelligence is the provision of an omni-capable tool that can be deployed seemingly anywhere in your life to produce instant, accurate, competent satisfaction of any requirement, whether it’s anxiety-quelling email drafts to reply to a complex ‘multi-stakeholder’ situation at work, or full-scale automation of your entire university degree - from labs, to reporting, to reflection. AI fulfils requirements without fatigue, and without need for much affective input on your part. You can produce artefacts that fit the shape of ‘output’ for near-any system in work or study. Often this is labelled a productivity enhancer - enabling us to spin additional plates and optimise to the moon and back. As with the fundamental dialectical tradition where ‘progress’ and creation are inextricably linked with decay and destruction, let us reflect on what the contrary of our new era of AI productivity might be.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;In our days, everything seems pregnant with its contrary: Machinery, gifted with the wonderful power of shortening and fructifying human labour, we behold starving and overworking it; The newfangled sources of wealth, by some strange weird spell, are turned into sources of want; The victories of art seem bought by the loss of character.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Large language models accomplish any task that can be ‘reduced’ to pattern discovery and subsequent exploration, so they absolutely smash coding, maths, chess, DNA, law, etc. Generally speaking, our species does well to produce machines that automate procedures, and AI is the most sophisticated iteration of this goal so far. Where AI succeeds at producing an effective artefact, the observer would do well to ask whether such an artefact was ever appropriate for a human being to produce in the first place. This piece explores whether AI can serve as our quiet advocate for rooting out poorly designed systems that sideline human experience and outcomes in favour of performative artefacts that allude to ‘productivity’ without any meaningful impact on our world.&lt;/p&gt;
&lt;h2&gt;Academia&lt;/h2&gt;
&lt;p&gt;Let us first look at academia in the UK up to at least MSc level for our assessment of pro or anti-human design; what was once an earnest commitment to the development of knowledge derived from intrinsic motivation has become a hyper-marketised, cynical, and un-provenanced set of institutions that operate near-solely for profit. International students mill in and out of the country on restrictive visas, paying exorbitant fees to attend poorly planned and atomistic courses that are fulfilled by teaching assistants and professors who barely have the time to populate their material with the love and attention that good teaching needs. The focus is purely on an ‘output’ of degrees that can be leveraged in less economically developed nations, hung entirely on the walking-dead reputation of institutions that no longer have the capacity to separate their knowledge production from their profit production.&lt;/p&gt;
&lt;p&gt;In such institutions the discretion, discussion, and initiative that come with true learning are inconveniences to be innovated away. What is really desirable and effective is for students to perform learning, and for faculty to perform teaching. Enter AI; the perfect companion to the ‘performance of academia’.&lt;/p&gt;
&lt;p&gt;The faculty who work in good faith: the ‘good hearts in sick bodies’, are working hard to deal with the inundation of submissions that have been augmented or entirely produced by AI tooling. They wonder if there’s any way ‘back’ to a world where students are authentically engaged with material. The elephant in the staff room is that AI is just the whistleblower for the underlying and devastating reality that complex academic institutions removed authentic markers for student development from their feedback loops long ago. We’ve just now reached a stage where tech is available to ensure everyone can present as ‘up-to-speed’ instead of dropping out - which used to be conveniently leveraged to produce an appearance of quality and excellence as evidenced through completion rates and diverse student outcomes. Now of course, everyone gets a 2:1.&lt;/p&gt;
&lt;p&gt;Using this particular lens, AI is not a hurdle for higher education to jump, but an &lt;em&gt;assessment&lt;/em&gt; for it to improve in response to. Work that can be done without authentic, interpersonal, and embodied engagement with students is unlikely to be pro-human design in the first place! Systems that measure skill and competence without any relational or intersubjective artefacts at all are guaranteed to be atomised, alienating, and ultimately ineffective. The fact that robots can ace the courses from start to finish is the smoking gun.&lt;/p&gt;
&lt;p&gt;No such automation is available for mentor-mentee (&lt;em&gt;or master-apprentice&lt;/em&gt;) arrangements, where development is sewn into a lasting relationship that is reflected in work-objects that are all at once an opportunity, an assessment, and a reward; an embodied artefact of development and refinement over time. AI screams at us that we must urgently reform higher education (&lt;em&gt;starting at assessment processes and working backwards!&lt;/em&gt;) to identify relational consensus from collaborative groups, fuelled by intrinsic motivation as the desirable output of university - and that this output is the precious input for knowledge-production that makes the world a better, safer, civil place to be.&lt;/p&gt;
&lt;h2&gt;Writing hard or hardly writing?&lt;/h2&gt;
&lt;p&gt;Take another example - writing. AI can easily produce a prosaic estimation of any particular subject matter, and inflate it to fit a style of your choosing. These words are the well-dressed zombies of the human corpus of text-gone-by: conjured to walk and dutifully attend to our inboxes, but without any soul! AI prose is for applications of the written word that require nothing but the utilitarian conveyance of data from box to box.&lt;/p&gt;
&lt;p&gt;This is why it’s perfectly normal to use AI to write your emails, but utterly absurd to use it to write your reflective journal. Writing for outcomes is easily replaced by the bot, but writing for reflection, insight, and knowledge-production is not. So for most folks working day-to-day, the use of AI is just the technical actualisation of the scratch at the back of our brain when we write our press releases, our marketing copy, or our emoji-laden internal weekly-wins roundup newsletter for the team. We do of course know that by and large the words we write at work are not a viable contribution to any great or meaningful human project - but instead the dutiful population of the working day with a performance of productivity; our AI tools once again attend as exhibit A in the trial that asks whether the system we’re producing these artefacts for is a humane one, or a machine that obviates human benefit for a performance of productivity.&lt;/p&gt;
&lt;h2&gt;Ask not what you can do with AI, but what AI can stop us doing at all.&lt;/h2&gt;
&lt;p&gt;Taken in aggregate, how much of our collective time do we waste on the production of artefacts that serve no purpose but to allude to the effectiveness of complex systems that don’t authentically serve any great human interest? How often do we reflect on our work in school or business, and realise that we are pretending to try while others pretend to listen?&lt;/p&gt;
&lt;p&gt;When we ask what the place of this AI tooling in academia, work, and life is, we must make sure we do so circling the right systems as our scope of assessment, and with the right outcomes in mind! It ought never be a reflection about whether or not we need to be using AI for these varied applications, but whether we should be undertaking such ventures as human beings in the first place! And no, this is not an AI booster blog that suggests we’re mere moments away from ‘automating’ these tasks and flying to the moon in our open-claw productivity spaceships… Instead, it’s an earnest suggestion that AI (&lt;em&gt;among its many fantastic uses&lt;/em&gt;) can be used as an effective mechanism for assessing the prevalence of anti-human design in complex systems.&lt;/p&gt;
&lt;p&gt;The system is what the system does. The machine that counts beans also functions to tell us we are destined for greater things than just counting beans, provided we are wise enough to see how easily beans can be counted by machines, kind enough to share the bean counter, and brave enough to decide if we want to count the beans at all.&lt;/p&gt;
]]></content>
  </entry>
  
  <entry>
    <title>We got offered $10,000 to build a property management app in Hong Kong, here&#39;s why we said no.</title>
    <link href="https://pistolas.co.uk/estatem8/" rel="alternate" type="text/html"/>
    <id>https://pistolas.co.uk/estatem8/</id>
    <published>2026-03-01T00:00:00Z</published>
    <updated>2026-03-01T00:00:00Z</updated>
    <summary>Why we turned down a $10,000 funding opportunity to build and launch an app in Hong Kong.</summary>
    <content type="html"><![CDATA[&lt;p&gt;Working closely with my good friend and colleague Jacob, we’ve built and launched a bunch of awesome projects this year. The proudest of our paired output this year has been Flatm8, which deserves its own post eventually. However, we have carved out some space here to reflect on the start, fast-burning development, and then shuttering of our vertical community development app EstateM8, shared here in the spirit of building in public.&lt;/p&gt;
&lt;p&gt;In response to a call for entrants via the University of Warwick for a competition in Hong Kong, we ideated something that follows the ethos of software design I’ve decided to commit to, and submitted it for consideration. Excitingly, we won! We were offered a week-long trip to Hong Kong to experience the business ecosystem and pitch our ideas to investors. We were also granted a 10,000 USD ideation grant to develop an MVP and further explore launch in HK - all with no equity asks from the funders - a pure blue-sky grant! After careful consideration, we decided to turn down the offer and focus on our existing projects. A few years ago this would have been a decision I’d have let change the direction of my life, but now I feel ready to say no to such an opportunity. The dollar sum attached to this decision demands reflection!&lt;/p&gt;
&lt;h2&gt;The Idea&lt;/h2&gt;
&lt;p&gt;EstateM8 was billed as ‘A platform that brings together building management and residents, transforming high-rise apartments into genuine communities’. It aimed to simultaneously provide low friction management tooling for high rise building managers as well as a suite of community development tools to de-alienate and socially connect residents by providing ‘official’ resident services like pet walking, parcel collection, grocery-carrying-up-stairs-pairing, and other simple things. We had appetite for letting people who lived in the same high rise bargain collectively for buying staples like rice at bulk discounts, or organise lending libraries to share luxury goods that got little use.&lt;/p&gt;
&lt;p&gt;The big heart of the idea was that we could tackle the loneliness and isolation epidemic in HK by producing a vehicle for connection as a second-stream of a platform that could be parcelled up to enhance the experience of high rises who used it; management won based on a refined digitalised approach to building management, and residents won by being programmatically introduced to each other in high-impact, high-trust ways that would have social compounding effects. The full value prop is still on &lt;a href=&quot;https://estatem8.com/&quot;&gt;the website&lt;/a&gt; now, and we’ll likely leave it up until the domain expires next year.&lt;/p&gt;
&lt;h2&gt;The competition and its outcome&lt;/h2&gt;
&lt;p&gt;Being completely honest, we only began to ideate in response to the competition, with no real aspirations to such an app before this. We were asked to produce something that would fit the HK market. Jacob plays neighbour to a lot of Hong Kongers, and my brother-in-law lives in HK too, so we felt at least acquainted with the culture. We built the idea into a site and shot off a 5-minute pitch video to the judges. We were emailed a few months later with an invitation to HK for a week, and an application form for the ideation grant.&lt;/p&gt;
&lt;p&gt;We came home with an offer of 10,000 USD for ideation over the next year, where we’d meet industry experts and HK-specialised teams for incubation. It truly was an excellent offer from a very welcoming and energised team.&lt;/p&gt;
&lt;h2&gt;So why did we say no?&lt;/h2&gt;
&lt;p&gt;After the trip to Hong Kong, we realised that only the prop-tech half of the app was getting interest. The real estate management market definitely did seem to be available to lean platforms that will help cut management costs, but the novelty of a dual-focus platform that also provides social connection opportunities for residents was hard to digest for the investors we spoke to. At best it was a marketing gimmick, and at worst it was a liability.&lt;/p&gt;
&lt;p&gt;Great - so let’s gut the community building and build a prop-tech platform, right? Half the features for the same funding… We decided against that too. EstateM8 is parented by &lt;a href=&quot;https://turtledove.dev/&quot;&gt;Turtledove.dev&lt;/a&gt;, which is Jacob’s and my digital agency. We founded Turtledove as a vehicle for pro-social software and digital solutions that serve to effect change; primarily by producing platforms that serve as ‘digital twins of an alternative present’. It’s a hobby project that spends most of its time pre-populating grant applications for social groups we want to uplift with funding - ourselves placed as the enablement partners. We want to build platforms and products that empower and inform as a byproduct of convenience in the day-to-day. Lopping off the community features to make a palatable prop-tech platform wouldn’t meet this spec at all. Turtledove has emerged from our belief in the social function of technology, so it tumbled into a feeling of misalignment with our overarching goals for these projects.&lt;/p&gt;
&lt;p&gt;Lastly - and honestly most importantly, we are busy doing good work already! I run a cybersecurity consultancy, Jacob is a full-time consultant and developer, and we both work on side projects we’re enjoying greatly; a new project would be a huge time cost to us, so it had to line up with our ethos perfectly to be squeezed in around the rest of our lives. When we couldn’t find that alignment we (admittedly feeling quite confused) decided to shelve EstateM8.&lt;/p&gt;
&lt;h2&gt;Lessons learned&lt;/h2&gt;
&lt;p&gt;All-in-all it was an affirming experience. Even a few years ago I was so hungry for opportunity that I would have contorted myself and my life to accommodate a chance like this. Now I do work every day that I feel proud of, and so this experience helped me (&lt;em&gt;and maybe Jake, who will agree or disagree when he reads this&lt;/em&gt;) identify how much respect I have finally been able to place on my own time. That has been a very valuable lesson indeed.&lt;/p&gt;
&lt;hr /&gt;
&lt;p&gt;P.S. - Shelve not archive! Drop me a line if anyone wants to pick this up, or open source the MVP we built — it’s essentially NextDoor but for people in the same building with scaffolding to err towards meet-ups, swaps, and services. It works and it looks good.&lt;/p&gt;
]]></content>
  </entry>
  
  <entry>
    <title>Wage slaves: the Neo way</title>
    <link href="https://pistolas.co.uk/neo-robot/" rel="alternate" type="text/html"/>
    <id>https://pistolas.co.uk/neo-robot/</id>
    <published>2025-11-02T00:00:00Z</published>
    <updated>2025-11-02T00:00:00Z</updated>
    
    <content type="html"><![CDATA[&lt;p&gt;The new Neo robot premiered this week, showcasing the $500 a month subscription that gives customers access to a general purpose home robot. The thrust of the proposition is that the hardware is attached to a smart AI that can carry out autonomous problem-solving tasks such as cleaning up the house, loading the dishwasher, and folding clothes. You have access to an app that allows you to schedule certain tasks, and the bot even has a ‘companion’ mode so that isolated but monied old folks have access to an embodied computation process to differentiate between cayenne and paprika.&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;https://youtu.be/LTYMWadOW7c?si=bRKx8d2-KVxdrqSs&quot;&gt;Watch the video&lt;/a&gt; for some context on the presentation of the thing - I think there’s something so interesting about the approach taken for this. It’s quite a nostalgia driven advert that positions the main speaker as explaining the robot to his grandma - effectively placing the robot in the established present as something to be caught up with, rather than a new proposition to be thought over or weighed up. It was an impressive pitch.&lt;/p&gt;
&lt;h2&gt;New hardware for an old enemy&lt;/h2&gt;
&lt;p&gt;The issue of course is that this is yet another massive smash-and-grab attempt on digital privacy in the global north, coupled with exploitation of the global south. First and foremost, all the popular media circulating of the bot shows the robot moving around home spaces inoffensively, inhuman in affect, but human in effect. The robot is however being teleoperated by someone using a virtual reality headset and controllers in almost all of the demonstrative media. While certain tasks (that are traditionally very easy for a human being to complete, but hard for a robot) can be given over to a problem-solving AI, a lot of the activity that requires critical thinking and planning - such as cleaning an entire house, or identifying and then taking out trash - is actually intended to be handed over to a remote operator in India.&lt;/p&gt;
&lt;h2&gt;The clear and obvious definition of a fixed rate for unlimited human labour.&lt;/h2&gt;
&lt;p&gt;This means you have access to unlimited human labour for $500 a month. This economy is deliverable only by providing a physical actuator for human labour in another country. Of course it would be illegal to ship over these workers and pay them their local domestic salaries in the global north to complete unlimited labour in the home day and night. Here then is one of the brazen value propositions of the Neo bot: We will make your domestic workers as fungible in form as you treat them to be in your mind’s eye. Interchangeable, dismissible, and inhuman. Abstraction of relational and eye-to-eye accountability is a key part of economies of scale in complex systems reliant on human labour, and this is no different.&lt;/p&gt;
&lt;p&gt;In addition to presenting a complex challenge to labour law, this open approach is an evolution on the history of AI-centred organisations; historically, we have many examples of modern ‘mechanical Turks’ - that is, dressing up human labour as an AI application (like Amazon’s ‘just walk out’ store, which was actually staffed remotely by hundreds of Indian workers). Neo does away with the cloak and dagger; the system is open and indeed proud of its value proposition to the customer. Having produced a mechanism where instead of utilising the sustained efforts of one person, you instead tap into a managed pool of labour that can access the same physical actuation in your living room - Neo intends to sell wage slavery by the back door, abstracting your enjoyment of domestic bliss from the fleet of workers who provide it to you.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Generally&lt;/strong&gt;, when people become wealthy enough that they own a space they cannot possibly maintain by themselves, they employ domestic workers. This is a complicated affair because domestic workers are people with souls and material needs, and likely exist in material conditions very different to that of the person wealthy enough to pay someone to tend to their home. This means that the wealthy are inherently suspicious and distrusting of their domestic workers, they think they will steal from them or live in resentment of their employer. The wealthy have to witness the worker, and worse than this - they have to witness the worker witness them. Neo is a sanitising solution; finally, we have access to the effects of domestic workers, without the human inputs or considerations.&lt;/p&gt;
&lt;p&gt;Best of all for the rich and suspicious: the sense organs afforded to the domestic worker to carry out their daily labour are a surveillance mechanism of their effectiveness and honesty. No more discretion, no more relationship, no more trust.&lt;/p&gt;
&lt;h2&gt;Data nightmare on legs&lt;/h2&gt;
&lt;p&gt;The box-tee baseball-cap surfer-dude tech-bro who runs the wage labourer laundering company identifies a gender-essentialising data model he calls ‘big sister’, which is where you admit that you’re a ‘big brother’ company but promise that you’re using the data to do good. It seems like the company has made it to a working teleoperational robot that can do a few things well, and aims to capture data from its first commercial user base to train its model over time.&lt;/p&gt;
&lt;p&gt;In addition to training off the manual labourers who perform domestic work via teleoperation (and building an incredibly valuable model most likely), this also means that your Neo bot is a data ingestion point, sucking up thousands of images of your home each day. The mind boggles at a future where law enforcement can get a floor plan of your house, or be let in at 2am by issuing a warrant to your domestic robot.&lt;/p&gt;
&lt;h2&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;AI has a central thrust of trading obscene amounts of compute that have clear and irreversible impacts on the climate - disproportionately affecting the global south. We have a rich and long-standing tradition of exploiting the economic positioning of the people who live in poorer countries, which was leveraged as society digitalised to conduct labour at a distance - Indian call centres became a meme out of how frequent this became.&lt;/p&gt;
&lt;p&gt;The last 10 years of efforts in the AI space have built a vehicle for ramping up efforts to sell consumer conveniences in the global north that are thinly veiled and mechanically abstracted outsourcing of thinking and doing to people in other countries - largely the global south. All of this incarnate and refreshed in Neo: The robot that proves that the venn diagram of people who like to brush wage slavery under the rug and think that doing the dishes is below them is a circle.&lt;/p&gt;
]]></content>
  </entry>
  
  <entry>
    <title>Agency claims from subjects in closed systems - Legalposting on social media</title>
    <link href="https://pistolas.co.uk/agency-claims-in-closed-systems/" rel="alternate" type="text/html"/>
    <id>https://pistolas.co.uk/agency-claims-in-closed-systems/</id>
    <published>2025-09-29T00:00:00Z</published>
    <updated>2025-09-29T00:00:00Z</updated>
    <summary>What cringe legalese facebook posts tell us about our relationship to exploitative data monopolies</summary>
    <content type="html"><![CDATA[&lt;h1&gt;Context&lt;/h1&gt;
&lt;p&gt;I wrote this about two years ago, and have been cleaning up my Obsidian vault in anticipation of a new academic venture that will require a lot of note taking… I came across this old self-blog and thought I’d host it here.&lt;/p&gt;
&lt;h1&gt;Stimulus&lt;/h1&gt;
&lt;p&gt;&lt;s&gt;I was recently delivering a security awareness training session for a client&lt;/s&gt; &lt;em&gt;I was delivering a Security Awareness Training for a client in 2023&lt;/em&gt;, and was hit with a question that took me back to about 2015: &amp;quot;Sometimes you see those Facebook posts that declare that you don’t give them permission to use your data and things like that - does that hold any water?&amp;quot; It blasted me back to when I would sit at my laptop as a 15-year-old Facebook user and see these armchair solicitors - in very good faith - copy and paste viral statements regarding the new exploitation of your information by Facebook or Twitter, and attempt to opt out of it with a legalese-ridden post.&lt;/p&gt;
&lt;img src=&quot;https://i.imgur.com/dLyEQ4N.png&quot; width=&quot;300&quot; /&gt;
&lt;p&gt;Other examples I could remember were just simple acts of attempting to withdraw consent to data capture:&lt;/p&gt;
&lt;img src=&quot;https://i.imgur.com/Hgraea4.png&quot; width=&quot;300&quot; /&gt;
&lt;p&gt;My answer to this question at the training was that there is no granularity in your consent when you use digital platforms that provide social media services, and if you have signed the EULA (which is going to have been a requirement for you to access the platform), then the platform owner and team are the only ones who have a say in the exploitation of the information you provide them.&lt;/p&gt;
&lt;p&gt;Of course there are settings that can be configured to alter or modify your privacy settings, but these almost entirely relate to how your data can be used or viewed by other third parties - the owner-operator of the platform has free rein with your data for the most part. There are currently some options to supposedly opt out of the use of your data in training the AI models of certain platforms. When looking into this, I found that there was a new example of the legal-post phenomenon relating specifically to revoking access to your data for AI training:&lt;/p&gt;
&lt;img src=&quot;https://i.imgur.com/xyiKpCC.png&quot; width=&quot;300&quot; /&gt;
&lt;h1&gt;Reflection&lt;/h1&gt;
&lt;p&gt;Users who feel that there is any chance of being able to directly modify the data relationship the given platform has to them by posting something are declaring something quite important; They declare that they believe they are able to use the bounded system provided by the platform to modify or escape the system itself. This signals a belief in the agency the user thinks they have to express themselves on the platform, and that they think this digitally enabled speech is equivalent to a public announcement or legal declaration. Quite confusingly, it really rather does declare that the user ought not to have their data exploited by the platform - because they can’t have made an informed decision to use the platform in the first place if they expect such a post to have any sort of impact.&lt;/p&gt;
&lt;p&gt;It also exposes that for the most part - we (as in people) still don’t understand the nuts and bolts of social media as common sense, and tend to treat it like a public commons or political sphere. Facebook is intuited by many as a digitisation of your persona for use with your professional and personal peer group. It is used to plan events, buy and sell, and make groups that mirror or imitate real-world counterparts of such processes. These processes - in the real world - are defined by people’s participation, not by the platform of facilitation. We assume too readily that their digital and artificial counterparts provide the same core ‘features’ or ‘freedoms’. They do not. They are designed as a data service, and have no ‘social mandate’ outside of the fact that they’re being used.&lt;/p&gt;
&lt;p&gt;The perceived experience from service users of social media that you are acting as your authentic ‘digital self’ on these platforms instead of accessing a locked-down and for-profit business platform shows how much educational work is needed to correct the ongoing social-media cultural campaign to convince users that they are “expressing themselves authentically” on their platform.&lt;/p&gt;
&lt;p&gt;It’s tempting to quietly categorise the type of user who would post a “just to be safe” pseudo-legal notice as an older user, less understanding of technology and its mechanics - but of course this would be inaccurate. Younger users who have grown up in a post-explanatory consumer electronic landscape are using social media as a primary communication platform in their peer groups. Instagram and Snapchat are generally held in mind as ‘identity communication’ toolkits. While the campaigns to inform users of the impact of social media tend towards the social impacts, it may also be worth starting to look at educating users on how harmful it is to spend a majority of your social time on for-profit, data-driven platforms that seek to produce a service user that entirely understands their political or personal identity as a set of declarations, hosted (sponsored/mandated/permitted) by a tech company, with trips to the TikTok shop to make purchases acting as proof-of-identity.&lt;/p&gt;
&lt;p&gt;Average users are conditioned from the outset to build or produce a digital identity that relies on declaration - declarations of hobbies, interests, and ‘hot takes’. It may well be this hyper-focus on the individuation of politicking in digital spaces that puts such a focus on identity politics over materialism amongst onliners when they get into the real world. The whole shtick of social media is that you have been given permission to identify and express yourself on the platform, and need only declare who you are (the louder and more frequently the better) in order to successfully ‘be yourself’. The platform becomes the observer and mediator of identity claims in this case. Is it any wonder that this class of digital-first service users get a nasty shock when they discover the gilded cage they’ve found themselves in can’t be opened with the very same positivist identity claims the platform tells them they’re made up of?&lt;/p&gt;
]]></content>
  </entry>
  
  <entry>
    <title>The new apple advert wants you to stop thinking about other people</title>
    <link href="https://pistolas.co.uk/apple-ad/" rel="alternate" type="text/html"/>
    <id>https://pistolas.co.uk/apple-ad/</id>
    <published>2025-03-04T00:00:00Z</published>
    <updated>2025-03-04T00:00:00Z</updated>
    <summary>September&#39;s ad campaign that saw a formal invitation to truly stop thinking about the people we love.</summary>
    <content type="html"><![CDATA[&lt;h3&gt;This article is six months old&lt;/h3&gt;
&lt;blockquote&gt;
&lt;p&gt;I wrote this in September 2024, and simply never published it. It refers to an Apple ad campaign from September 2024. The focus still holds up as we continue to be served AI-driven features, so I decided to share it.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;h1&gt;Introduction&lt;/h1&gt;
&lt;p&gt;The shiny new Apple adverts work with Bella Ramsey to promote the ‘just-in-time’ wonder features made possible by ‘Apple Intelligence’, whereby the iPhone can utilise access to Ramsey’s data (her calendar, her email inbox, and her photo library) to avoid the realisation of an awkward or imperfect social moment. The best thing to do would be to go and watch the three examples before reading this, so here’s a link with each summary:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Bella is at a party and sees someone across the room who she met at a meeting a few weeks ago but forgets his name; luckily, Bella can ask Siri who she “went to that meeting with a couple of weeks ago” at a certain cafe. Siri reminds Bella who that meeting was scheduled with, and she can greet Zach by his name as he sidles over.&lt;/li&gt;
&lt;li&gt;Bella is lunching with an agent who asks what she thought of the pitch she emailed over. Bella hasn’t read it and checks her phone, using the new “Summarise with AI” feature to read off a summary of the email and improvise a reaction. The agent reacts positively to this.&lt;/li&gt;
&lt;li&gt;Bella is outside with her family; her mother, father, and younger sister (Kristy) stand surrounding the kid’s fresh grave for her pet fish. The father struggles awkwardly to improvise a eulogy. Luckily, Bella can ask her AI-assisted photo album to produce a custom photo album to music - using the prompt “Kristy with her fish, sad vibes”.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Besides the fact that Bella is rudely checking her phone in these interactions (or ducking behind a wall to avoid the gaze of Zach) - somewhat undermining the authenticity the ad is trying to sell us, the ad shines a light on the soft power campaigns I think we’ll see more of as AI continues to try and brand itself as a consumer solution, not a data nightmare.&lt;/p&gt;
&lt;h1&gt;The Apple Way&lt;/h1&gt;
&lt;p&gt;The Apple ecosystem is infamous for producing consumer electronics that work together with a continuity and convenience that improves in quality the more of their devices you add; similarly, Apple devices don’t play well with outsider devices, and it can be quite frustrating to use Android or Windows devices once you have become accustomed to “The Apple Way” of doing things. This design language teaches users that Apple sorts out the technicalities of computation, and that you get to experience the benefits of technology without any of the mechanics. This new advert takes these benefits into interpersonal interactions, and should be held in the same light as we examine where Apple are trying to convince us the line sits between the benefits of the social world and the cumbersome mechanics we must endure only until they can be automated.&lt;/p&gt;
&lt;p&gt;All three adverts centre on the idea that there was a failing of some sort that has led to this moment, whether it’s the normal experience of forgetting someone’s name, or the absenteeism of modern tech-bro fathers everywhere in not paying attention to their children. Apple make clear that these moments are undesirable and ought to be done away with if at all possible. The premise is of course disagreeable; it is normal to find yourself forgetting someone’s name, and it is equally normal to be unprepared for a meeting. It is (sadly) normal for a parent to forget the things that their child finds most interesting and engaging. With the exception of the latter example, it is well understood that you just muddle through these moments as best you can, confronting the mild and impermanent anxiety that comes with this. You come out the other end a little sheepish, but otherwise unharmed. If you find those moments truly difficult, you pursue some behavioural or communicative improvement or strategy.&lt;/p&gt;
&lt;p&gt;Of course the advert shows the opposite of this: that the need - or indeed the opportunity - for reflection is nerve-wracking, and is thankfully about to be made irrelevant. This AI feature is an augmentation of what we already behaviourally use smartphones for: quelling anxiety. Dead space and time is filled with scrolling of social media, you are never left alone or unoccupied, and the thoughts or feelings of where you are and how you regulate that can be numbed immediately. There is no longer any need to be unstimulated. These social faux pas were a holdout against this flattened and flattening state of affairs - in the real world you can be pulled back into yourself and forced to confront your own understanding of reality when someone is brushing up against it in a way that isn’t immediately compartmentalisable. The ad is communicating quite clearly that you can avoid these impure moments of a real and proper life from occurring if you take a bite of the apple, and they promise to make those twinging, cringing moments melt away. In the case of the family, we are told that we can simply outsource these difficult moments to Apple (What are the priorities of this family that the nurturing of Kristy in a moment of sadness and learning ought to be outsourced to a consumer electronic? What a dismal and undesirable way of life; at the beginning of the advert Kristy had an inattentive father, by the end of it we had a demonstration that she had an inattentive family).&lt;/p&gt;
&lt;p&gt;What then is the price of these features? Apple need to be able to make a sufficient enough digital twin of you that they can use it to feed actionable information back to you. This demands data. Data for the “you-machine”.&lt;/p&gt;
&lt;h1&gt;Here’s the deal&lt;/h1&gt;
&lt;p&gt;Apple will facilitate this data-driven avoidant omnipotence if you ensure that you use an Apple calendar, an Apple mailbox, an Apple phone, and Apple storage. If you buy in totally, then Apple can do the thinking and processing for you. This is very similar to the aforementioned design language of Apple, save for one key difference: the scope. As mentioned, traditionally Apple was focused on building an ecosystem of connected devices and services that don’t meaningfully interoperate with outsiders - shunning or disincentivising devices outside of their private ecosystem. This new AI approach ‘innovates’ on this and asks you to buy in totally to an Apple-facilitated ‘lifestyle system’, shunning non-Apple means of planning, chatting, photographing, calendaring, and beyond. If you decide to meet a friend next Tuesday, you ought to pop it into your iCalendar using a descriptive title (one that includes your friend’s name to tie them to the event), and don’t forget to include the name of the place you’re meeting. This voluntary reporting gives a copy of your plans to your iPhone so that it can use it to answer future queries and questions you may have.&lt;/p&gt;
&lt;p&gt;This is the opt-in that gives the phone sufficient data to produce and maintain a digital twin of you - one that contains live access to your plans, events, geo-tagged photos, notes, messages, etc. It is this that is probed in those moments to provide an unerring account of everything that you’ve ever done, everyone that you’ve ever seen, every message ever read. Where possible, these applications and services must all be Apple’s, the data must belong to them.&lt;/p&gt;
&lt;p&gt;You’ll be able to make better decisions about birthday presents for friends if you ensure the device has access to your entire conversation history, so you better make sure it’s on iMessage and not on Signal or WhatsApp. And don’t forget to sign in to your emails with Mail on Mac OS to ensure you never need to read another email properly again. Apple’s native journalling app can summarise your mood last week far more concisely than if you needed to leaf through your physical diary, so perhaps just commit to using that.&lt;/p&gt;
&lt;p&gt;This is the trade: Give them everything about you, so you don’t have to feel anxious about being yourself anymore.&lt;/p&gt;
&lt;h1&gt;What future is this advertising?&lt;/h1&gt;
&lt;p&gt;I was reminded of an awesome article written by Sam Kriss back in April - where he reflects on a month spent without his phone. He observed what came back to him when he stopped relying on his phone so much - the different shapes of the nerves and the thoughts that bubble up when you don’t have a constant reality escape hatch in the form of a connected device, and how this felt fruitful and whole for him:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;A phone is a device for &lt;em&gt;muting the anxieties proper to being alive&lt;/em&gt;. This is what all its functions and features ultimately achieve: cameras deliver you from time, GPS abstracts you out of space, and an all-consuming screen that keeps you a constant safe distance from yourself. If there’s something you’re worried or upset about, you can simply hide behind your phone and it will all go away. One third of adults say they’re on their phones almost constantly. Their entire waking lives are spent &lt;em&gt;filling time&lt;/em&gt;, plastering over the gaps, burning up one day after another, waiting for something to happen, and it never does.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;The full piece is well worth the read. This AI-facilitated socialising is an extension of this &lt;em&gt;muting of the anxieties proper to being alive&lt;/em&gt;: AI will deliver us from interrelation with others as and when we see fit, expanding that escape hatch to include our immediate interactions with others. I wonder about a future where this technology is completely metabolised into common use and what this means for us. Is it going to become rude or taboo when those of us who don’t adopt the technology continue to make human errors? Are 16 year olds going to do ‘networking prep’ on their mobile phones before going to parties, making sure that they’ve got suitable talking points and social contexts set straight with their device before rocking up to a house party? Exploring fully the impact this will have in peer groups, the problem scales quite quickly.&lt;/p&gt;
&lt;p&gt;Building on this, the system invites you to turn your friends into data-subjects; Zach doesn’t know that his whereabouts are being processed by some random device from inferred metadata, nor does young Kristy arguably even have the ability to offer informed consent to allow her likeness to be processed and collated by an AI - because she is a child. We’re being invited to literally capture more of our friends and relatives, to build a machine that ensures we know them and ourselves less and less. AI providers continue to cast these ethical questions by the wayside in an attempt to throw us irreversibly into a post-privacy world.&lt;/p&gt;
&lt;h1&gt;Zooming out&lt;/h1&gt;
&lt;p&gt;There’s a lot of current media focus on the ecological and social impact that AI is having on the material world around us - ranging from the overuse of purified water to keep data centres cool, to the AI-enabled production and distribution of synthetic child sexual abuse material. AI also needs a lot of data to chew on to work effectively, and this data comes from our organic and semi-voluntary use of platforms that don’t give us a functional means to opt-out. This is combined with the flurry of boosterism from AI magnates such as Sam Altman who suggest that all we need to do to solve these problems is offer up more computational power, energy, and data until the AI itself proffers a solution. It’s a brazen strategy that asks us to step deeper into the flames to find the water - solve the data problem by giving it more data, solve the climate crisis by burning more of our fuel.&lt;/p&gt;
&lt;p&gt;Apple’s new ad is an early example of what we’re bound to see more of; we’ll be offered consumer conveniences at cost to our data sovereignty, privacy, and authenticity of self. Apple are asking if we can be bought off while the VC-funded sprint to end the world the fastest carries on unchecked and unregulated.&lt;/p&gt;
]]></content>
  </entry>
  
  <entry>
    <title>Pointing at the mushrooms - Identifying our own digital colonisation</title>
    <link href="https://pistolas.co.uk/mushroom/" rel="alternate" type="text/html"/>
    <id>https://pistolas.co.uk/mushroom/</id>
    <published>2025-03-04T00:00:00Z</published>
    <updated>2025-03-04T00:00:00Z</updated>
    <summary>A chat about digital advertising and fungus</summary>
    <content type="html"><![CDATA[&lt;p&gt;Far and away the most popular misconception I have heard about the way digital advertising works is that our phones listen to us and create tailored advertising based on this. It is a very accessible point of conversation for people who maybe don’t know the workings of the mechanisms that make their technology work but can use pattern recognition to identify their interests being presented back to them on their devices.&lt;/p&gt;
&lt;p&gt;The classic story is always that someone was having a conversation with a friend (That was just incredibly specific and unrelated to what we would normally talk about) and then shortly after that the person received adverts that were tailored around the subject of conversation so specifically that the only logical conclusion is that the phone was listening to their conversation.&lt;/p&gt;
&lt;p&gt;While social media is objectively consuming your usage data to produce tailored advertisements - up to and including your message content, what you’re viewing, how you scroll, and who you’re talking to, it is not recording your voice in the background.&lt;/p&gt;
&lt;p&gt;Aside from being an incredibly resource-intensive and impractical way to gather data that would be mostly pocket-noise, any recordings taken would be an observable action taken by software on your phone. Applications like facebook and instagram are constantly being researched and probed by security conscious researchers and hobbyists who are working to identify new ways that the social media giants are recording data on us. General audio recordings on your phone that capture conversation are not on these lists.&lt;/p&gt;
&lt;p&gt;What then is happening? The answer is very much explainable by taking a left turn to talk about mycelium and mushrooms for a moment. Mycelium is the vegetative part of a fungus, consisting of a network of thread-like structures called hyphae. When a spore lands on a suitable ‘substrate’ it germinates and produces hyphae to ‘colonise the substrate’. This is where the hyphae consume the organic matter they’re attached to until the nutrient levels are completely depleted and the host is ‘saturated’ with the hyphae and mycelium. Once the substrate has been entirely drained of resources the fruiting body of the mycelium will form. The caps and stems we recognise as mushrooms are the fruiting bodies of these networks.&lt;/p&gt;
&lt;p&gt;The final and triumphant mushroom is our evidence that the substrate it sits in has been fully consumed by the underground mycelium. The mushroom is the output of an invisible process.&lt;/p&gt;
&lt;p&gt;Similarly, when we suggest that our phone ‘has to be listening to us’ to know our interests so well, we are only pointing at the mushroom. We have successfully identified the fruiting body of our total digital colonisation - but do not yet understand that the mycelium has taken root. We are the substrate and the fungus has successfully mapped and identified us, creating an accurate data profile.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;This data profile (devastatingly) is sophisticated enough to begin predicting the conversations we may have, and who we may be having them with. Pointing at these adverts and suggesting that the phones are recording us is akin to pointing at a mushroom and suggesting we save the substrate. The substrate has been consumed, you are only observing the outcome.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;People (myself included) have a tendency to think they are exempt from the workings of the machine, and that we are engaging sustainably with social media at a healthy distance. Sudden and unexpected accuracy of targeted advertising is a jarring reminder that this simply isn’t true. The moment of bafflement we experience when we look down and see such a precise marketisation of our own interests should always serve as a warning; We are the substrate! We have been successfully digitally colonised, the mushroom has bloomed.&lt;/p&gt;
&lt;p&gt;It would be so much less worrisome if social media privacy abuse was as simple as recording you and spitting adverts back at you, but it is far more sophisticated and resource efficient than that. We are correct to assume that our phones ‘observe us’. It’s not using the microphone though, it’s certainly not ‘interacting’ with you, it’s just accepting everything that you’re offering up to it.&lt;/p&gt;
&lt;p&gt;This observation is not a dialogic process, and not one that mimics a human conversation: you are simply being consumed. If you find that uncomfortable then you need to stop feeding the fungus.&lt;/p&gt;
]]></content>
  </entry>
  
  <entry>
    <title>Anxiety alleviation rituals are not knowledge production</title>
    <link href="https://pistolas.co.uk/how-to-know/" rel="alternate" type="text/html"/>
    <id>https://pistolas.co.uk/how-to-know/</id>
    <published>2024-11-04T00:00:00Z</published>
    <updated>2024-11-04T00:00:00Z</updated>
    <summary>Reflections on the use of the term research and big data&#39;s attempts to innovate away the integrity of critical thinking</summary>
    <content type="html"><![CDATA[&lt;p&gt;Short reflection after reading: &lt;a href=&quot;https://www.theguardian.com/lifeandstyle/2024/oct/27/for-my-son-ive-ceased-to-be-the-font-of-all-useful-knowledge&quot;&gt;For my son, I’ve ceased to be the font of all useful knowledge&lt;/a&gt; from the Grauniad.&lt;/p&gt;
&lt;h1&gt;Do some research&lt;/h1&gt;
&lt;p&gt;The term ‘research’ is always misused to refer to ‘the collection of information to make or inform a decision or action’. When I am asked to put together a business case for a new tool at work, or decide where we ought to go for dinner next Tuesday, I suggest that “I do some research on the subject”. Of course this is not what research is; research is the systematised work that aims to contribute to &lt;strong&gt;the&lt;/strong&gt; stock of human knowledge.&lt;/p&gt;
&lt;p&gt;When we say “&lt;strong&gt;The&lt;/strong&gt; stock of human knowledge”, we certainly don’t mean the bits of it you or I have experiential access to; we mean holistically and totally, totting up the knowledge that anybody and everybody has access to. If somebody knows about it already, then you are not doing research to find that information, you are just retrieving that information and making it known to yourself - further to the ‘research’ that produced it as knowledge.&lt;/p&gt;
&lt;p&gt;&lt;img src=&quot;https://i.imgur.com/OyxEqDR.png&quot; alt=&quot;A flow chart showing the research object as a process of knowledge production, and the accessing of knowledge as information&quot; /&gt;&lt;/p&gt;
&lt;p&gt;Research is the process for a system of knowledge production, not the mechanism by which we make knowledge that exists available to ourselves. The use of the term research interchangeably with the action of information retrieval is symptomatic of a society that has a mostly individualised and individualising relationship with their information systems, where you equate what is known and knowable with what you (as an individual) know and can know.&lt;/p&gt;
&lt;h1&gt;Digitalising how to know, providing what to know&lt;/h1&gt;
&lt;p&gt;The constant mix up on the term research is an insight into the lack of clear demarcation of &lt;strong&gt;research&lt;/strong&gt; and &lt;strong&gt;information-retrieval&lt;/strong&gt; in what we could consider the ‘common sense’. In truth, the processes of research and the scientific method are our socio-cultural machine for ‘How to know’ something, with the resultant information produced being ‘What to know’.&lt;/p&gt;
&lt;p&gt;Consumer electronics such as our kitchen-listener friend Alexa invite us to hand over our ownership of access to that mechanism of ‘How to know’ something to the Amazon Web Service; “Doing your own research” is now the act of submitting an information request to one of any number of monopolists who aggregate and present data (&lt;em&gt;selectively and in order of what is best for their advertising partners&lt;/em&gt;), and presenting that process as the effective mechanism for ‘How to know something’.&lt;/p&gt;
&lt;p&gt;Further still, the AI ‘revolution’ changes the landscape for users, with AI-powered summaries now ingesting multiple sources to produce an approximate summary of results (Google’s new generative AI search results and NotebookLM as relevant examples). What remnants there may have been of the behaviour to investigate and fully explore various sites or perspectives (which is still not a true research method, but is designed to approximate one) are disincentivised - with your review of resources now automated, you get the information you need and a list of “sources” to the right. ‘How to know’ is obsolete, all praise ‘What to know’.&lt;/p&gt;
&lt;p&gt;&lt;img src=&quot;https://i.imgur.com/IDUTypP.png&quot; alt=&quot;A google result for &amp;quot;What is critical thinking&amp;quot;.&quot; /&gt;&lt;/p&gt;
&lt;p&gt;The true mechanism of critical engagement and integrity of due process melt away into an anxious state of being for any participant of this new way of being and knowing; where knowing is not a habit of reflection or commitment to a process, but instead the perceived ability to, at any time, dip into the resource bank and access the offered information. Equally, to not know is now simply to not be able to check your understanding of things against the relevant tool - a phone, a smart speaker, a search engine. Behaviourally, this leaves us with access to what we want to know, but no sense of authorship over the process that produced our understanding. Our relationship to this type of knowledge is an anxious one, where we defer from our faculties for learning and understanding, and foster a faith-based relationship to information.&lt;/p&gt;
&lt;p&gt;These are the digital information systems that people will use by default if subjected to broken-by-design devices that work to commodify knowledge and its access as data. It is profitable for providers to produce a relationship to knowledge that is owned and tended to by the devices they market as the true mechanism for how to know something.&lt;/p&gt;
&lt;p&gt;The jettison of the need to have an explanatory, critical relationship with information is underway. It is systematised as normal and efficient to prioritise finding out “What you need to know”, with any process obsolete and time-consuming. Is it surprising that in this new world, a curious six year old may decide that it’s easier to skip the back-and-forth questioning with Dad, and simply get what he “needs to know” from the apparently superior source and digital childminder - &lt;a href=&quot;http://amazon.com/&quot;&gt;Amazon.com&lt;/a&gt; Inc?&lt;/p&gt;
]]></content>
  </entry>
  
  <entry>
    <title>smartphones and children</title>
    <link href="https://pistolas.co.uk/smartphones-and-children/" rel="alternate" type="text/html"/>
    <id>https://pistolas.co.uk/smartphones-and-children/</id>
    <published>2024-09-25T00:00:00Z</published>
    <updated>2024-09-25T00:00:00Z</updated>
    <summary>Reflecting on the landscape of children using smartphones</summary>
    <content type="html"><![CDATA[&lt;p&gt;&lt;i&gt; reflections after reading ‘&lt;a href=&quot;https://www.theguardian.com/technology/2024/sep/23/children-who-dont-have-smartphones&quot;&gt;Only 3% of UK 12-year-olds don’t have a smartphone. Here is how four of them feel about it&lt;/a&gt;’ on the Grauniad. &lt;/i&gt;&lt;/p&gt;
&lt;p&gt;Whenever we talk about smartphones and their impact we discuss the situation forgetting that “It is what it is” is actually “It is what the tech monopolists have spent billions making sure it is”. The smartphone itself is a wonderful tool that uses radio waves to send signals between endpoints in a rather vast network. The issue of course is going to be what is sent back and forth, and any mediums that exist in those spaces that have incentives outside of communication that mirrors or assists communication in the physical world.&lt;/p&gt;
&lt;p&gt;Nowhere is this more evident than in the conversations had by adults about how children use technology. In these conversations, the smartphone is inseparable from the services it enables. You can’t fault people for bundling the two into one, as for most the former is simply the physical prerequisite for the latter. I am always struck by just how much compromise we have to make with these devices; if you want your child to be able to call for an ambulance, keep in touch with their friends digitally, and be able to call you to let you know to come and pick them up, then you must also expect to fork over the right to access a large swathe of their developmental years to a digital monopolist who has a direct profit incentive to make them miserable, insecure, alienated, and unhealthy.&lt;/p&gt;
&lt;h3&gt;internal behaviour between peers&lt;/h3&gt;
&lt;p&gt;These internal social behaviours and the digital spaces they occur in are not essential characteristics of the social lives of children, but instead the consequences of anti-social design. Snapchat and Instagram game-ify every single facet of communication, with scoring systems on every interaction, and a lack of accountability built into the platforms. This allows and encourages hit-and-run dopamine hits on your peers without suitable mechanisms for recognising harm, facilitating apologies and return to group wellbeing. They are systems that produce individuated and individuating young people, with no infrastructure for responsibility or collectivism in the software that enables the majority of their communication. In person communication then becomes a byproduct of their digital life, a reaction to the conversations spun up in broken-by-design apps.&lt;/p&gt;
&lt;h3&gt;external influences on children&lt;/h3&gt;
&lt;p&gt;Equally egregious is the allowance for a child to be bombarded by consumerist forces as soon as they are given a device that facilitates the development of a digital identity. Advertisements baked into every single platform dictate to the child who they will fail to be until they look or act a certain way. Swamped in the individuating infrastructure of the modern internet, the only economy of change is in what you and yours buy, and how you and yours present it online. Influencers and other forms of soft power serving global commercial interests spend more deeply engaged, face-to-face time with children than their parents, embedding rhetoric that is not subject to accountability from fully developed adults, while ensuring a faith-like commitment to a set of ideals or ideas that are realised online but devoid of all authorship or critical thinking.&lt;/p&gt;
&lt;h3&gt;soft problems, hard solutions&lt;/h3&gt;
&lt;p&gt;The issues with devices are not in their capabilities, but in the realisation of a technology that could be designed to enable and enhance the very best parts of childhood, subduing or challenging those difficult components that we wrestle with today. It is trivial to limit devices at the hardware level such that applications like snapchat and instagram are not usable without meaningful evasion and alteration from the user. Even then, a suitable logging mechanism can ensure accountability for such efforts. These apps and the men who make them have sat at our children’s table without asking, and they should be told to leave - quite as they would in the physical world. When we discuss ‘analogue’ parenting with our communities, we arrive at a consensus and make changes to our physical world to protect and empower our kids, and the same can be true for the digital world.&lt;/p&gt;
&lt;p&gt;We ought to produce a mandate for the sanctity of childhood, and not let a commercial market for consumer electronics be metabolised as an unchangeable facet of the modern world that children must at some point be fed in to. It is quite possible to produce child-friendly electronics, and the project of doing so does not need to be one where snapchat gets to sit at the table.&lt;/p&gt;
]]></content>
  </entry>
  
  <entry>
    <title>The Launch of ISO27001.zip</title>
    <link href="https://pistolas.co.uk/iso27001zip/" rel="alternate" type="text/html"/>
    <id>https://pistolas.co.uk/iso27001zip/</id>
    <published>2024-05-28T00:00:00Z</published>
    <updated>2024-05-28T00:00:00Z</updated>
    <summary>Sav reflects on the launch of his new project, ISO 27001.zip</summary>
    <content type="html"><![CDATA[&lt;p&gt;On Thursday I launched my new project website &lt;a href=&quot;https://iso27001.zip/&quot;&gt;iso27001.zip&lt;/a&gt;, a website containing a collection of notes on the International Organisation for Standardisations’ management systems standard on Information Security Management Systems (ISMS) - ISO/IEC 27001:2022.&lt;/p&gt;
&lt;p&gt;It’s a non-commercial venture that’s aiming to make documentation and exploratory content about ISO 27001 more accessible and engaging for both veteran users and newcomers alike, in the hopes that more people will engage with this standard as the cybernetic masterpiece that it is. In this brief reflection, I chat over my experiences with this standard, and how they led me to want to build the site…&lt;/p&gt;
&lt;p&gt;If this subject matter is new to you - &lt;a href=&quot;https://iso27001.zip/The+Obsidian+ISMS/Explainers+and+Housekeeping/ISO+27001&quot;&gt;check this out&lt;/a&gt;.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;😀 &lt;strong&gt;TL;DR&lt;/strong&gt; - &lt;em&gt;I love this thing, I’m hoping to build something that makes more people love this thing.&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;h2&gt;First eyes on ISO&lt;/h2&gt;
&lt;p&gt;The standard is not unique amongst its neighbours in the management systems standard world, following the same harmonised structure that most others do; it is instead my specific experiences that drew me to the standard and eventually developed my desire to write about it. My first exposure to the standard was many years ago at University, when my Applied Cyber Security BSc introduced it to us in our governance and risk management module. I was originally baffled by it, but soon became enamoured by the battle-tested tapestry of mutual dependencies that made up this document. Clearly, some thinking had gone into this! I enjoyed it primarily as an exercise of theory and was taught that the standard was an ideal match for larger organisations that could provide discretionary funding and make dedicated recruitment and staffing decisions.&lt;/p&gt;
&lt;p&gt;My output at University challenged this assertion that the standard only had usability in the world of big enterprise - I had found that the Information Assurance for SME Consortium (IASME) had mapped the standard roughly across to some of the efforts it was taking to make accessible cyber security frameworks in the SME space. Further, I myself had used the standard to successfully conduct a gap analysis on both a real SME and a business component of the University - successful enough that both could make impactful changes to their body of policy based on my feedback. It was the first time I had been able to practically translate some best practice guidance to meaningful, context-informed advice, and to do so in an explanatory and justified way. It was very rewarding.&lt;/p&gt;
&lt;p&gt;ISO had clearly made efforts to try and make sure that the standard was vendor agnostic, and some very friendly, knowledgable people in industry had informed me that it was more than possible to use 27001 for improvement within SME, and so It was clear to me at this stage in my pre-career that the inaccessibility wasn’t in the design of the body of the standard but in the accessibility to the means by which its learning could be applied. I had been able to act as the interpreter of the best practice guidance, and provide meaningful guidance with unquestionable provenance, but clearly I had added value - It wasn’t simply transliteration from standard to direction.&lt;/p&gt;
&lt;p&gt;I had received some fantastic education on the context of the standard itself, where and how it has been useful, and what a practical application of it actually looks like. This was my induction. From here it was an easy move to start to develop the information security risk management version of ‘common sense’. This part of my experience wasn’t a component of the standard itself; it wasn’t required reading. It came as my network and experience grew (let me say here that it is certainly still developing! I continue to be humbled by the fantastic experiences I encounter), and I believe the development of this ‘common sense’ is also the development of a blind spot if we do not pay careful attention to it. To those who don’t have ready access to the language or understanding that comes with these interactions and experiences, the standard can feel like a very alien thing to ‘work’.&lt;/p&gt;
&lt;h2&gt;The problem&lt;/h2&gt;
&lt;p&gt;The seemingly ethereal nature of the standard that exists when you don’t have a practical base to build it on (or someone to point at it and explain it) resonates with a lot of friends’ understanding of ISO management system standards (MSS) such as 27001. They are instruction manuals that aren’t attached to anything - an ever undecipherable IKEA step-by-step for something that doesn’t tangibly exist. I understood this position: building systems of work involve trying to capture and document interpersonal relationships and expectations (or as the management theorists who don’t do hugs would like to call them: Psychological Contracts). If your organisation isn’t one of coercive control and you find value in working with people who share your strategic objectives (vital in the not-for-profit space) then it’s necessary to find meaningful ways to share goals and objectives at the institutional level and derive our operation from this common understanding.&lt;/p&gt;
&lt;p&gt;If that first olive branch of teaching and understanding isn’t extended to help you explore the standard in practical terms and then work back towards the theory with a well-developed common sense, then you’re unlikely to see the potential of the standard and relegate it to the whopping great pile of boring insurance-satiating box ticking exercises that cause arguments in all-hands meetings.&lt;/p&gt;
&lt;h2&gt;Heading to work&lt;/h2&gt;
&lt;p&gt;What little doubts I had of the practicality of the standard were dashed as soon as I hit industry - we successfully and frequently used ISO 27001 and its sibling for business continuity management systems, ISO 22301:2019, to assess whether the body of policy for smaller organisations actually met up with the processes and procedures that informed their normal operations.&lt;/p&gt;
&lt;p&gt;Time and again we would be met with policy that was utterly disconnected from the purpose it was supposed to serve and had no clear connection between expectations/responsibilities placed on workers at all levels, and the strategic objective of the organisation. I derived immense satisfaction and engagement from identifying clunky or broken policy, stripping back the corporate jargon, comparing with the relevant clausal requirements - adjusting for context, and then preparing considerations for our client to take home with them. We had 100 percent positive feedback, and without fail we provided value. The system worked.&lt;/p&gt;
&lt;h2&gt;Badged up&lt;/h2&gt;
&lt;p&gt;Under the watchful guidance of my seniors at the time, I picked through dozens of these case studies, and it became clear to me that I wanted to formally concretise the knowledge base. I was supported to become an ISO 27001 Lead Implementer - attending a week-long training course followed by an examination which I passed. It was a very hands-on course, and I was attending alongside people who weren’t here to learn for the sake of learning (as I must admit I was); I was joined by people who needed practical understanding of the standard to take home. We had workers from internet service providers, freelance consultants, taciturn defence contractors, and middle management six-sigma black belts.&lt;/p&gt;
&lt;p&gt;Putting aside the awesome industry stories we got to hear from all in attendance, and the outstanding trainer we had, I was left hoping for more of a nuts-and-bolts approach to decompose the standard and understand it from a theoretical perspective.&lt;/p&gt;
&lt;p&gt;This was the inception of the idea of the website - if hands-on expertise in application and implementation (which comes in many shapes and sizes) is a requirement to understanding the standard, then those who are not directed to use the standard or have access to a colleague who can successfully inspire, are unlikely to naturally stumble into it and find it of interest. I had experienced a unique blend of academic exploration followed by attentive outcome-focused industry application, all under the watchful eyes of some very impressive people who had been doing the work since before I was born - and were applying this expertise in the not-for-profit space. An avid notetaker, I decided to keep track of my efforts and try to write accessibly and without stripping away when I was excited about a certain area, hoping that I would have enough of a body of interest in the subject to produce something at some point.&lt;/p&gt;
&lt;h2&gt;And so…&lt;/h2&gt;
&lt;p&gt;I then proceeded to completely forget about the idea. I slowly accrued notes and made supportive diagrams in my own time that consolidated my understanding and satisfied my interest in the standard, wrote a few blog posts, and a service methodology for our ISO informed gap analyses at work. There was no meaningful catalyst that pushed me to structure and publish the site, it was the spring-cleaning of my Obsidian vault where I stumbled across the initial idea in a note and took stock of what I had to share. I had enough to launch it as a public facing work-in-progress!&lt;/p&gt;
&lt;p&gt;And here we are. I’m only currently sharing about 30% of the total content and notes I hold on the 27001 standard (and a lot of this bleeds into other areas). This is because a lot of what I have is only really useful to me because it jogs my memory - it isn’t useful standalone. My list of content to add to the site is long, and I am looking forward to watching it organically grow in the coming months and years. I love being busy when it’s with work I care about, and the most enjoyable part of launching a project is that it isn’t the end, it is the beginning!&lt;/p&gt;
&lt;p&gt;If you’ve gotten this far, and you enjoy the site - why not contribute? Make the standard more accessible and get a writing credit by sending me the body of your contribution!&lt;/p&gt;
]]></content>
  </entry>
  
  <entry>
    <title>A Lapsus$ in judgement - The sacrifice of Arion Kurtaj</title>
    <link href="https://pistolas.co.uk/a-lapsus-in-judgement/" rel="alternate" type="text/html"/>
    <id>https://pistolas.co.uk/a-lapsus-in-judgement/</id>
    <published>2024-01-31T00:00:00Z</published>
    <updated>2024-01-31T00:00:00Z</updated>
    <summary>An examination of the recent Lapsus$ cyber attacks that culminated in the indefinite hospitalisation of 18 year-old Arion Kurtaj</summary>
    <content type="html"><![CDATA[&lt;p&gt;As always, this website plays host to my opinions which are informed by my understanding of the facts available to me and the wisdom of the people around me. This article may be updated or amended in the event that new information comes to light.&lt;/p&gt;
&lt;h2&gt;Introduction&lt;/h2&gt;
&lt;p&gt;With a roster of attacks against Microsoft, Uber, Samsung, Nvidia, Ubisoft, and Rockstar Games, the Lapsus$ hacker group has become infamous for its outrageous smash and grab tactics that have impacted industry giants across the globe.&lt;/p&gt;
&lt;p&gt;The group’s members were, for a time, exclusively minors. They worked together on many majorly covered cyber offensives. The end of the story seems to be the indefinite hospital order placed on Arion Kurtaj - now turned 18, after he hacked Rockstar Games from within police protection at a Travelodge using an Amazon Firestick, a mobile phone, and the hotel TV.&lt;/p&gt;
&lt;p&gt;The news cycle has enjoyed sharing headlines expressing awe that a teenager could hack a huge organisation using such unorthodox and limited hardware. I would like to make some space to critically reflect on the veracity of these claims, and explore whether this hack really is the MacGyver mastermind hack that it’s being lauded as. Underlying this exploration will be considerations of the various structural and personal interests that might seek to oversell or ‘sex up’ this series of attacks from the group.&lt;/p&gt;
&lt;h2&gt;The group&lt;/h2&gt;
&lt;p&gt;If you haven’t heard of Lapsus$, here is a quick briefing on their activities:
Lapsus$ was a hacker group based out of Brazil and the UK that was known for 11 major cyber attacks, all of which revolved around a similar modus operandi of gaining access to a corporate network by acquiring credentials from employees.&lt;/p&gt;
&lt;p&gt;Once credentials were acquired, the group could begin accessing the network. Having gained access, the attack was as simple as downloading whatever they could get their hands on; deleting the files on the client-side; declaring their triumph in a 50,000-member Telegram group channel; and stipulating the terms of the extortion attempts against the organisation they had successfully targeted. That’s it. The reason the account of their methodology is so short is that it is simple and repeated. Lapsus$ don’t really know how to pick locks, they tend to just buy the key.&lt;/p&gt;
&lt;p&gt;The group was comprised of seven people aged between 16 and 21, with the generally recognised leader being Arion Kurtaj - who was 16 when acting most prominently in the group. Arion has since been arrested and is currently on an indefinite hospital order. A further 7 members have been arrested by the City of London Police. A Brazilian citizen has also been arrested under the accusation of being a member of the group.&lt;/p&gt;
&lt;h2&gt;The process&lt;/h2&gt;
&lt;p&gt;When the group was on their first major spree in 2022, I remember learning about the straight-forward nature of their attacks. Their process of accessing, exploiting, and extorting is actually quite a simple one. Despite the simplicity of the process, it nonetheless successfully attacked global giants like Nvidia, Samsung, Ubisoft, T-Mobile, Microsoft, and Uber.&lt;/p&gt;
&lt;p&gt;Described by &lt;a href=&quot;tab:https://krebsonsecurity.com/2022/03/a-closer-look-at-the-lapsus-data-extortion-group/&quot;&gt;Krebs&lt;/a&gt; as “Low tech, high impact”, the Lapsus$ group employ solutions such as SIM swapping - where the attacker convinces a phone service carrier to move a target’s phone number over to a new physical SIM, so that text-based multi-factor authentication codes are delivered to the attacker instead. This, combined with an employee’s password, grants Lapsus$ access to their target network.&lt;/p&gt;
&lt;p&gt;They’ll also happily just buy access to networks, purchasing access credentials from the internet, and also engage in plain old open recruitment on their Telegram - saying they’re ready to pay employees to give them access to their corporate accounts:&lt;/p&gt;
&lt;p&gt;&lt;img src=&quot;https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/03/Picture1-623a2b2b62574.png&quot; alt=&quot;A photo of the Lapsus$ recruitment telegram messages as provided by Microsoft&quot; /&gt;
&lt;em&gt;(Figure 1. Screenshot of an ad recruiting employees to give out access to their employer’s network from Microsoft’s “DEV-0537 criminal actor targeting organisations for data exfiltration and destruction”)&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;The revenue stream to fund the acquisition of these access credentials is drawn from employing the same strategy on individual accounts at cryptocurrency exchanges. The group likely use the SIM-swap method to access accounts and then drain holdings, in addition to any extortion payments made by their victims.&lt;/p&gt;
&lt;p&gt;When access is acquired, the group don’t deploy malware or ransomware - which is what sophisticated threat actors might do to secure persistent access to the network for later use. Lapsus$ instead opt for what Microsoft classifies as “Exfiltration, destruction, and extortion”. This is simply downloading everything that they can get their hands on and deleting it after the download completes. This dataset then forms the basis of their extortion attempts.&lt;/p&gt;
&lt;p&gt;Microsoft, in their debrief on the tactics, techniques and procedures of Lapsus$, provide some interesting insights that involve light analysis on the strategy and behaviour of the group; one such insight is that there is a clear streak of apathy towards operational security or secrecy in Lapsus’ ranks, with very little effort made to protect the identities or ongoing operations of the group.&lt;/p&gt;
&lt;p&gt;Indeed, Microsoft was actually able to stop the group from downloading source code during a live incident because Lapsus announced it to their Telegram channel prematurely while the attack was ongoing.&lt;/p&gt;
&lt;p&gt;The group also enjoyed ‘embellishing’ the impact of their hacks to their channels. During their attack of security service provider Okta the group created and circulated strategic screenshots to lie about the extent of the systems they’ve compromised.&lt;/p&gt;
&lt;p&gt;This was the clearest indicator that the perpetrators were young and excitable, and not an advanced threat actor like a financially driven criminal organisation or state actor. The group are motivated by impressing and awing their audience, sometimes to the extent that they sabotage the entire operation by announcing it to 50,000 people halfway through it.&lt;/p&gt;
&lt;p&gt;The intelligence was fairly unanimous quite early on that Lapsus$ were a group of teenagers utilising simple methods to conduct high-impact attacks, who managed to end up sabotaging themselves with their juvenile excitement. Furthermore, they argued with one another, as teenagers tend to - with the result that Arion had his name and address leaked by one of his peers in his cyber circles. This is the behaviour being grandiosely characterised by Microsoft, one of their prominent targets, as a “unique blend of tradecraft”.&lt;/p&gt;
&lt;h2&gt;The response&lt;/h2&gt;
&lt;p&gt;Microsoft produced a 4,000 word incident response and threat intelligence report on the group in the wake of their hack on the company, naming Lapsus$ as the ‘DEV-0537 criminal actor’ or ‘Strawberry Tempest’ using their new weather themed threat intelligence taxonomy. They explored the group’s behaviour and threats, and did their best to take Lapsus’ claims to pieces. The main success for Lapsus$ came as Microsoft still allowed telephony-based MFA (receiving a text message to authenticate yourself instead of using an app like Microsoft Authenticator or Authy) and so it was with great ease that the group could exploit this using SIM swapping.&lt;/p&gt;
&lt;p&gt;The recommendation of avoiding using text messages for MFA was performatively publicised as guidance in the wake of the incident by Microsoft. This is a clear effort to make it appear as though we as a community are not already aware of this being best practice guidance that the giant was simply not following. Both the &lt;a href=&quot;tab:https://www.ncsc.gov.uk/guidance/setting-2-step-verification-2sv#section_5&quot;&gt;National Cyber Security Centre&lt;/a&gt; and the USA’s &lt;a href=&quot;tab:https://pages.nist.gov/800-63-3/sp800-63b.html#multifactorOTP&quot;&gt;National Institute of Standards and Technology&lt;/a&gt; agree that telephony based MFA is inferior to other forms of MFA, and have done for quite a while.&lt;/p&gt;
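&lt;p&gt;The NCSC and NIST position above can be turned into a routine check over an identity directory: which accounts still rely on a phone number as a second factor? The Python below is an added example written for this post, not code from the original article, from Microsoft, or from any identity provider. The method names, the strength tiers and the sample accounts are constructed assumptions for illustration, not any vendor’s real API or data; adapting it means mapping your IdP’s own registration export onto the method names.&lt;/p&gt;

```python
"""Audit registered MFA methods against a 'no telephony-only MFA' policy.

Added example (not the blog post's own code). Method names, tiers and
sample accounts are constructed assumptions rather than a real IdP's API.
"""
from dataclasses import dataclass, field

# Strength tiers loosely following NIST SP 800-63B, which treats
# out-of-band authentication over the telephone network (SMS or voice)
# as a restricted authenticator type. Tier names are this example's own.
TELEPHONY = 0           # SMS / voice codes: exposed to SIM swapping
APP = 1                 # authenticator app (TOTP or push)
PHISHING_RESISTANT = 2  # FIDO2 / smart card

METHOD_TIER = {
    "sms": TELEPHONY,
    "voice": TELEPHONY,
    "totp_app": APP,
    "push_app": APP,
    "fido2": PHISHING_RESISTANT,
    "smartcard": PHISHING_RESISTANT,
}


@dataclass
class User:
    """A directory account and the MFA methods registered on it (assumed shape)."""
    name: str
    methods: list = field(default_factory=list)


def strongest_tier(methods):
    """Highest tier among the registered methods, or None when no MFA is set."""
    tiers = [METHOD_TIER[m] for m in methods if m in METHOD_TIER]
    return max(tiers) if tiers else None


def audit(users, allow_telephony_fallback=False):
    """Return {name: finding} for every account that fails the policy.

    Policy: each account needs at least one non-telephony factor. By default
    a telephony method left registered beside a stronger one is also
    reported, because an IdP that still offers the phone number as a
    fallback lets the weakest registered factor decide the outcome.
    """
    findings = {}
    for user in users:
        tier = strongest_tier(user.methods)
        has_telephony = any(METHOD_TIER.get(m) == TELEPHONY for m in user.methods)
        if tier is None:
            findings[user.name] = "no MFA registered"
        elif tier == TELEPHONY:
            findings[user.name] = "telephony-only MFA (SIM swap exposure)"
        elif has_telephony and not allow_telephony_fallback:
            findings[user.name] = "telephony fallback still registered"
    return findings


# Constructed sample directory; these are not real accounts.
SAMPLE_USERS = [
    User("alice", ["fido2"]),
    User("bob", ["sms"]),
    User("carol", ["totp_app", "sms"]),
    User("dave", []),
    User("erin", ["push_app"]),
]

if __name__ == "__main__":
    for name, finding in sorted(audit(SAMPLE_USERS).items()):
        print(f"{name}: {finding}")
```

&lt;p&gt;Run against the sample directory, the audit reports bob (SMS only), carol (app registered but SMS still available as a fallback) and dave (nothing registered); alice and erin pass. The fallback finding is the one most often missed in practice: registering an authenticator app does not remove the exposure if the phone number is still accepted at sign-in.&lt;/p&gt;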
&lt;p&gt;It’s always important to remember that anyone debriefing an incident response on their own organisation has a conflict of interest and is incentivised to make an incident appear as sophisticated as possible. To do any less is to admit the failure to prevent a simple attack succeeding.&lt;/p&gt;
&lt;p&gt;For clients and share holders, it’s never going to be very reassuring to read a press release from a multinational conglomerate computing giant simply saying: “We still use text messages for MFA, and a 17 year old called up our SIM provider and convinced them to move one of our secure phone numbers over to a new SIM so he could log in”. Instead, the profit motive will have exerted a large amount of downward pressure on Microsoft’s editorialising of their debrief. To this end, the release is packed with melodramatic language and focuses on the impact of the devastating blow leveraged by the ‘Strawberry Tempest’ threat actor in the wake of their social engineering efforts to collect “intimate knowledge about employees, team structures, help desks, crisis response workflows, and supply chain relationships”.&lt;/p&gt;
&lt;h2&gt;The last stand&lt;/h2&gt;
&lt;p&gt;Now we’re equipped with insight on the simplicity of the M.O. of Lapsus, and how their targets have been responding to their successful attempts to access their networks, we need to understand precisely how Arion conducted his infamous Rockstar Games hack. This will position us to assess how impressive it may or may not be and whether these Hollywood-esque headlines are being disingenuous.&lt;/p&gt;
&lt;p&gt;Firstly, Arion had access to a mobile phone - this is already enough to conduct the hack. Phones are just small computers, anything he had in addition to this will have been a bonus, but not a necessity.&lt;/p&gt;
&lt;p&gt;If we remember the Lapsus$ calling card of purchasing or engineering access using employee credentials, Arion may have simply used existing credentials he had procured ahead of time. Alternatively, perhaps he needed to buy some and so hopped onto an access broker forum or Telegram page and paid $40 for some user credentials using stolen cryptocurrency. When he did leverage his access to the network he began to download files, which is usually accomplished by right clicking and pressing download - not by ‘hacking the mainframe’. When he was happy with what he had acquired, he deleted the files on Rockstar’s side. Finally, Arion entered the Rockstar Slack channels to announce his hack and make his demands. It appears that no effort whatsoever was made to hide that it was him conducting the attack, or to secure the devices he was using. It’s worth remembering that he was committing these digitally enabled crimes whilst in police protection and supervision.&lt;/p&gt;
&lt;p&gt;Let’s play with another theoretical - perhaps the police disabled the internet of Arion’s phone and so he was left without internet in the hotel room. The Amazon Firestick is another computer left in the room with him, it’s just got more controls and restrictions placed on it by Amazon. How difficult do we think it would be to remove these restrictions? This is called Jailbreaking or Rooting. It’s easy.&lt;/p&gt;
&lt;p&gt;&lt;img src=&quot;https://i.imgur.com/8DURc7v.jpeg&quot; alt=&quot;A youtube search for &#39;rooting a firestick&#39;&quot; /&gt;&lt;/p&gt;
&lt;p&gt;Thanks YouTube, looks like anywhere between 5 and 15 minutes if you don’t know what you’re doing. A Firestick is just running the mobile operating system Android, and reverting it back to this state allows us to install web browsers, and other tools. Perhaps Arion connected his phone via bluetooth to the Firestick to use it as a keyboard and mouse.&lt;/p&gt;
&lt;p&gt;There are a lot of potential ways that this final outcome of Arion being digitally empowered to conduct this hack could have occurred, and none of them are particularly outlandish in terms of raw technical skill.&lt;/p&gt;
&lt;h2&gt;The duty&lt;/h2&gt;
&lt;p&gt;I am left wondering why the police who have charge over a vulnerable young autistic man, who they deem to be an ongoing threat to the digital security of UK plc and its international friends, have left him alone in a hotel room with the exact hardware he needs to perpetrate another attack. We can see the lack of interest in operational security from Arion, we can also see Arion’s complete disinterest in the economic impact his hacks will have. Indeed, it is the intentions borne from this mental state that informed the decision to hold Arion in protection in a hotel. Why on earth did the police give a computer to the guy who said that he’ll hack again if given access to a computer?&lt;/p&gt;
&lt;p&gt;Arion was actually deemed unfit to stand trial due to his severe autism, and it was this same mental health assessment that determined that he ‘continued to express the intent to return to cyber-crime as soon as possible’. His condition was legally recognised as affecting his decision making, to the extent that the court was directed not to assess his intentions when committing these offences, but simply whether or not he conducted the attacks. Arion has demonstrated time and time again that he may be unable to conceptualise the relationship between the actions that he is taking and the full impact of the legal consequences.&lt;/p&gt;
&lt;p&gt;With each hack, Arion must have been releasing a huge amount of dopamine, the neurotransmitter in our brain that relates to motivation and pleasure. It is precisely this identification of the dysregulation of dopamine that is observable in autistic patients and is currently being explored by some in the neuroscience community as a corresponding trait of Autism (&lt;a href=&quot;tab:https://www.jci.org/articles/view/127411&quot;&gt;1&lt;/a&gt; and &lt;a href=&quot;tab:https://karger.com/dne/article/39/5/355/107836/A-Dopamine-Hypothesis-of-Autism-Spectrum-Disorder&quot;&gt;2&lt;/a&gt;).&lt;/p&gt;
&lt;p&gt;In this conception, dopamine may be a substance to which Arion had a dysregulated relationship - and the safeguarding effort should have protected him from the medium by which he could suffer further from that dysregulation. In effect, the failure to remove digital technology from his room is akin to leaving a harmful substance proximate and accessible to a dependant user.&lt;/p&gt;
&lt;p&gt;If the police did leave an internet-enabled computer in the room of a soon-to-be convicted cyber criminal, despite having a duty to prevent exactly that, then perhaps they might also see the benefit in avoiding commenting on the mundane simplicity of the hack and allowing the media to present it as the improvised miracle outcome of the machinations of a savant mastermind hell-bent on causing chaos and destruction.&lt;/p&gt;
&lt;p&gt;There would be a very clear benefit in avoiding the conversations about whether they checked the back of the hotel telly for a Firestick, or even whether they knew that this device counted as an internet-enabled device. That would raise all sorts of questions about whether the one safeguarding job they had was carried out properly in order to protect both the potential targets from being impacted, and the perpetrator from reoffending and hurting his chances of reform.&lt;/p&gt;
&lt;p&gt;There is additional public interest in questioning if the training for safeguard assessments on these hotel rooms is sufficient, as not all digitally enabled crime is property damage. Police protection may apply to those engaged in harmful or violent imagery or communication, are these offenders offered the same opportunity to utilise internet enabled devices to further harm and be harmed by their behaviour? Perhaps this constitutes another reason to communicate that this incident could only occur if a technological whizz was at the helm of the event.&lt;/p&gt;
&lt;h2&gt;The Incentive&lt;/h2&gt;
&lt;p&gt;The police haven’t released the details on the hardware used in the Rockstar hack. Frankly they don’t need to, we have enough information based on the modus operandi of Lapsus$. All computers are still computers - regardless of their shape or size. Anything with internet access can be used to enter a username and a password, or browse the internet to buy illegal access credentials. That really is all there is to this.&lt;/p&gt;
&lt;p&gt;It is very clearly possible to explain - with both brevity and the use of accessible language, that this was a security incident caused by a technically competent 18 year old who was using computers left in his possession to conduct a simple but high-impact attack. A considered approach, which journalists aiming to cover this story could utilise, would be to decompose the attack and contextualise it against the attackers history, as above.&lt;/p&gt;
&lt;p&gt;Arion is now also a legal adult and so the press are permitted to print his name in their coverage. I don’t believe that the press coverage was at all informed by the investigative desire to understand or explain what happened, and this is clear in the absolute lack of technical detail or historical context shared by the press on Lapsus$’ behaviour. Outfits such as The Guardian have instead clearly opted for shock value, aiming to drive traffic to their sites and generate yet more noise.&lt;/p&gt;
&lt;h2&gt;The conclusion&lt;/h2&gt;
&lt;p&gt;This triple coincidence of wants amongst the private sector targets, the police, and the media shouldn’t go unarticulated. The private sector targets need to classify the attack as sophisticated so as to minimise impact on share prices or profit. The police maintain their credibility and public image by conveying the perpetrator as a mastermind. The media stand to benefit hugely from the exposure and traffic coming from a report on the latest Hollywood-esque hack coming from a minor. Allowing these organisations to benefit from and feed on the coincidence of these interests is an obfuscation of the moral duties at hand. We need to ask what the consequences will be for this young man’s life, and conclude that it is important to deconstruct these narratives when they emerge as an act of protection for people like Arion.&lt;/p&gt;
&lt;p&gt;I hope this has adequately teased open a conversation about the finer points that may have been lost in the coverage.&lt;/p&gt;
&lt;p&gt;Huge international organisations such as Microsoft and Rockstar that fail to take adequate steps to secure their systems against simple attacks can expect similar future incidents. Rockstar claims that the GTA 6 leak cost them $5 Million and “thousands of hours of staff time”, this was almost certainly about the voluntarily incurred marketing shift they launched to reexamine their strategy after the video game clips were leaked. It’s also worth mentioning that Rockstar’s notorious ‘crunch culture’ in which employees are culturally expected to work overtime 5 days a week means that Rockstar &lt;a href=&quot;tab:https://www.gamerevolution.com/news/447299-rockstar-games-crunch-developer&quot;&gt;won’t be paying for hundreds of those extra hours anyway&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;If we are certain then, that this is not the last teenager who will successfully break into a large organisation in this way (Arion is certainly not the first), we must make a decision. Do we engage with these incidents as has been done with Lapsus$, or do we accept our moral responsibility to people like Arion who are vulnerable and need cultural and social support?&lt;/p&gt;
&lt;p&gt;We would do well to understand that minors are only exercising the digital skills that come as a symptom of the world built around them by the very same organisations. A holistic and informed approach to the treatment of vulnerable people, who reach out and pluck the low hanging fruits of the digital world, would prioritise helping those individuals to avoid doing so in the future.&lt;/p&gt;
&lt;p&gt;I am personally not bothered about bemoaning the impact of the damages to the brand of a game that lets you execute prostitutes and renames its likeness of a Vespa to a ‘Faggio’. Instead we would be better served by focusing on how we can assist the health and wellbeing of young netizens like Arion Kurtaj. Coverage of these incidents as anything other than this phenomenon is disingenuous and strips them of the advocacy and compassion that they are entitled to.&lt;/p&gt;
&lt;hr /&gt;
&lt;p&gt;You can subscribe to my blog via &lt;a href=&quot;tab:https://pistolas.co.uk/subscribe&quot;&gt;email&lt;/a&gt; or &lt;a href=&quot;tab:https://pistolas.co.uk/feed/&quot;&gt;RSS feed&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Thank you to Eulalia Saurin, Androula Pistolas, and Elaine Haigh for your expertise, insights, and time spent on helping me produce this blog post.&lt;/em&gt;&lt;/p&gt;
]]></content>
  </entry>
  
  <entry>
    <title>Considerations when getting started with InfoSec policy.</title>
    <link href="https://pistolas.co.uk/get-started-policy/" rel="alternate" type="text/html"/>
    <id>https://pistolas.co.uk/get-started-policy/</id>
    <published>2023-08-31T00:00:00Z</published>
    <updated>2023-08-31T00:00:00Z</updated>
    <summary>A potentially dated collection of thoughts on starting out with infosec policy.</summary>
    <content type="html"><![CDATA[&lt;p&gt;Policy work is one of the most reliably ‘second-hat’ pieces of work that I’ve come across in industry for smaller organisations. I’ve spent countless hours with people who have very little interest in policy who have clearly been saddled with the job of getting org policies sorted out. I’ve seen the populated templates that they work very hard to get across the line and signed off by the board, and I know the line of questioning that can very quickly unearth whether a policy is anything other than &lt;a href=&quot;https://en.wikipedia.org/wiki/Shelfware&quot;&gt;‘shelf-ware’&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;This speaks to a few conversations; where should policy sit in the emergent or organic growth of smaller, modern businesses? How have we developed a common sense relationship to policy that limits our understanding to be purely about the ticking of legal boxes? Is there any way to develop meaningful, useful policy that doesn’t get you absolutely lost in SEO-engineered advertorials along the way?&lt;/p&gt;
&lt;p&gt;I want to cover some of this here, and provide a meaningful conversation that I truly believe will enhance whatever policy drive your org is on right now. Thinking about these things for the sake of thinking about them certainly guarantees a superior design, and hopefully might even change the relationship you have with the process.&lt;/p&gt;
&lt;p&gt;Policy work can feel like nothing less than the articulation of the complex social and procedural relationships between members of the org, but this requires a renewed focus on policy as a &lt;strong&gt;social toolkit&lt;/strong&gt;, not a punitive or legally mitigating collection of rules.&lt;/p&gt;
&lt;h3&gt;Who is this for?&lt;/h3&gt;
&lt;p&gt;Anybody who has taken on (or been handed) the responsibility to sit down and assess, rework, develop, or otherwise work with the body of policy of their organisation. &lt;i&gt;Business Continuity, Information Security, Acceptable Use, BYOD&lt;/i&gt; are non-exhaustive examples of what may be on your plate at the minute.&lt;/p&gt;
&lt;h3&gt;Why am I positioned to contribute to this?&lt;/h3&gt;
&lt;p&gt;I have run &lt;a href=&quot;https://en.wikipedia.org/wiki/Gap_analysis&quot;&gt;Gap Analysis&lt;/a&gt; projects for many organisations across many disciplines. I review bodies of Information Security and Business Continuity Policy in accordance with internationally recognised standards ISO 27001 and ISO 22301 - providing considerations for orgs to take to their future discussions to enhance their policy. I’m also an accredited ISO 27001:2022 Lead Implementer under the British Standards Institute.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;I am not sitting down here to tell you how to run your business or what requirements you categorically need - &lt;em&gt;Context is the precursor to knowledge&lt;/em&gt; and I don’t know yours. I am collecting my (ongoing and developing) personal experience of this side of InfoSec and sharing it in the belief that it will be useful to someone.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;h3&gt;What is to be covered?&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;What policy is, and what policy isn’t&lt;/li&gt;
&lt;li&gt;How to get started on your policy&lt;/li&gt;
&lt;li&gt;Signposting resources for your consideration (UK)&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;📑 What is policy?&lt;/h2&gt;
&lt;p&gt;I’ve written using the term ‘policy’ as a broad classification of the work that may be coming as part of (non-exhaustive):&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Implementing Information Security policies / Cyber Security policies&lt;/li&gt;
&lt;li&gt;Documenting or building out your Business Continuity Policy or plan&lt;/li&gt;
&lt;li&gt;Building an ISMS, or a BCMS&lt;/li&gt;
&lt;li&gt;A drive to put knowledge into organisational ownership that currently sits in people’s heads, or in the ‘common sense’ of the org.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Looking at the commonalities between these examples (or indeed your unmentioned but incredibly relevant example) is useful in helping us define what ‘policy work’ should look like.&lt;/p&gt;
&lt;p&gt;At its simplest, policy refers to a system of guidelines that are used to achieve desired outcomes. People build these systems when they work in collaboration with other people so that they can be consistent over time and meet shared objectives. If people work collaboratively for a shared output of some kind, it’s important that they agree on a process. Processes are the efforts we take to meet objectives or goals. We determine what our processes are by using ‘inputs’. Inputs can be things such as conversations, shared objectives, or requirements.&lt;/p&gt;
&lt;p&gt;Examples of inputs could be the marking scheme for a group project, or the mission statement of a charity. We need these to figure out what we want to achieve (Outputs), and how we want to achieve it (Processes).&lt;/p&gt;
&lt;p&gt;When we follow through with our efforts and create something based on our shared goals, we have produced an output. We can then assess whether our output is useful by comparing it against our intentions when we determined our inputs.&lt;/p&gt;
&lt;p&gt;&lt;img src=&quot;https://i.imgur.com/mWYZ8UH.jpg&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;
&lt;p&gt;While this process can be done in a conversation for a group project of three people, it gets harder to ensure that processes are agreed upon if you bring more people to the conversation. When a project between two people turns into a collaboration between ten, it starts to become easier for different people to have diverse opinions and priorities on our inputs, our processes, and what our objectives are.&lt;/p&gt;
&lt;p&gt;Policy helps us to collaborate at larger scales by documenting what our objectives are, what inputs inform those objectives, and what processes need to be followed to make sure those outcomes happen.&lt;/p&gt;
&lt;p&gt;Our body of policy needs to accurately map the relationships between people, and provide an accurate signpost to the resources that mark out subsequent roles and responsibilities. These must be justified in a way that can be walked all the way back to the strategic objectives of the organisation, which themselves can be justified as considered and informed.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;🗺️ TL;DR - Policy cannot be used simply to mitigate risk or answer to regulators. Policy should be used to map the relationships between people, and the subsequent agreed (and existing) processes that create and describe how business objectives are used to make decisions on risk and controls in your business. Policy is a map to processes.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;h2&gt;👁️ ➡️ 🧠 Make the descriptive explanatory.&lt;/h2&gt;
&lt;p&gt;Further to the previous point - if you are developing a management system of any kind and intend to map or articulate that system through a body of policy, it is vital that the system is explanatory, and not just descriptive.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Description&lt;/strong&gt; is the account of traits or features of a given object that can be used to identify it. &lt;strong&gt;Explanation&lt;/strong&gt; is the ability to decompose and identify the mechanisms by which the describable actually comes to be and operate.&lt;/p&gt;
&lt;p&gt;It is not enough to create controls that are only descriptive. It is important to show the provenance of any responsibilities or controls and draw a silver thread back to the underlying mechanisms and processes that justify and explain this final output. This can be seen as an explanatory relationship.&lt;/p&gt;
&lt;h2&gt;🐦 The Stress Canary&lt;/h2&gt;
&lt;p&gt;Policy work should not by its nature cause stress. The concerted effort to capture and document the relationships between different operations and staff is a project that will make life easier. Each stage should bring relief and clarity to your mind about the state of the business, and the opportunities for further development. But the scale of what you uncover about the readiness of your organisation, alongside improper resourcing or support, can leave you feeling like you’re clutching at straws or doomed to fail.&lt;/p&gt;
&lt;p&gt;Stress should be seen as a &lt;a href=&quot;https://en.wikipedia.org/wiki/Domestic_canary#Miner&#39;s_canary&quot;&gt;Miner’s Canary&lt;/a&gt; for the methodology of your project. Ensuring you are following a process that has been informed and approved by top management means you cannot feel lost, and should not feel stressed. If you do catch yourself feeling stressed, you need to remember that:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;You are not taking on ownership of the risks you are identifying, and they exist with or without your knowledge of them.&lt;/li&gt;
&lt;li&gt;Policy work can only arise to document what organisational objectives and goals have been determined; it is not your job to create as you document. These are separate work streams (more on this later).&lt;/li&gt;
&lt;li&gt;If you are a risk owner also completing the policy drive (likely a micro or small business owner), then make sure you’re separating the creation of new processes/goals from the documentation of them in policy. &lt;strong&gt;That degree of separation will stop you going mad.&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;🍰 Working guidance for development of policy - The short version&lt;/h2&gt;
&lt;p&gt;The main takeaway from what has been said so far is that policy must serve to articulate existing decisions and processes, not create them from nothing. In practice, it is almost universally applicable advice that:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Any body of policy that creates obligations should be based on a risk assessment and impact analysis.&lt;/li&gt;
&lt;li&gt;Risk assessments and impact analysis should consider the strategic goals and objectives of an organisation.&lt;/li&gt;
&lt;li&gt;Strategic goals and objectives are set by top management.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;You can take this waterfall of responsibility to the bank and stop reading now if you like. The reason policy is so vital to any management system is because it serves to articulate an explanatory relationship between these key features. &lt;strong&gt;Policy is the output of a management system, not an input&lt;/strong&gt;.&lt;/p&gt;
&lt;p&gt;Consequently, some of the best policies I have ever reviewed have been 1-2 pages long, and some of the worst I have ever seen have been long, arduous, and control-centric.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;A note on inputs and outputs in the context of continual improvement:&lt;/strong&gt;
Cycles of iterative and continuous improvement eventually do mean that policies become an input for a process seeking to refine and enhance the management system of your choice, but it’s not always useful to begin with this mentality, and it may in fact hinder the important appreciation of policies being the documentation of processes that exist, instead of the conjuring of new processes as they are written.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;h1&gt;Some Reflections on good practice for policy projects&lt;/h1&gt;
&lt;h2&gt;👍 Identify the work-object and get buy-in&lt;/h2&gt;
&lt;p&gt;The first step on any high-level/organisational project should be to secure buy-in from top management. This is the acknowledgement and resourcing to commence your project. Traditionally we’re thinking about the board or the C-levels here - but realistically it’s likely to be the person who pays for things to happen, and goes to prison if they violate the Companies Act. As we are looking to create a body of policy that derives from strategic objectives, we need to get authorisation from those responsible for setting them. If a project such as this doesn’t have meaningful and well-resourced buy-in then it’s a non-starter.&lt;/p&gt;
&lt;p&gt;What does buy-in need to be for? It cannot simply be for the development of our policies in house, as policies develop as a by-product of meaningful decisions that lead to new processes or management systems.&lt;/p&gt;
&lt;p&gt;So the real work that is being proposed is for the development of:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Mechanisms to identify what processes are necessary for our ISMS&lt;/li&gt;
&lt;li&gt;Commitment to the refinement of the processes we already have in place&lt;/li&gt;
&lt;li&gt;Resourcing and support for the new processes or procedures that are required&lt;/li&gt;
&lt;li&gt;Effective documentation of this work in a body of policy.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Let’s now discuss setting information security objectives. We derive IS objectives from common information security goals that are considered to protect or develop the overall strategic objectives of the organisation. These let us focus on how we technically assure information security using policy, processes and procedures. We also use them as a unit of measurement in the establishment of our risk appetite - as we can ask whether certain actions support or damage our information security objectives.&lt;/p&gt;
&lt;p&gt;&lt;img src=&quot;https://i.imgur.com/ej1icUx.jpg&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;
&lt;p&gt;Another way I have tried to visualise this is seen below, where we place our Information Security Objectives within our strategic objectives. The respective objectives are our measures of whether we have enacted our day-to-day processes (such as the mentioned ad campaign or awareness program) in accordance with our overarching objective.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Either way, the essential concept being communicated is that we have specific goals we set using our IS Objectives, which themselves are set as supporting concepts for meeting our overarching strategic objectives.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;img src=&quot;https://i.imgur.com/8EtNtaP.png&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;
&lt;h2&gt;🧱 Design Information Security Objectives based on the CIA Triad. These are your ‘raw materials’&lt;/h2&gt;
&lt;p&gt;Information Security objectives are very easy to set and tend to be similar for different organisations. They get more specific or convoluted mainly when we need to take on certain levels of risk that change how we protect information. For the most part, we create Information Security Objectives as a means to focus on how we technically assure the information security of an organisation to better support the overall strategic objectives. You can safely use the following guidance:&lt;/p&gt;
&lt;p&gt;Information Security objectives can almost always derive from the &lt;a href=&quot;https://en.wikipedia.org/wiki/Information_security#Key_concepts&quot;&gt;CIA Triad&lt;/a&gt; - the confidentiality, integrity, and availability of data. When we set out these objectives we create the mechanism by which we justify new roles, responsibilities, and processes. These IS objectives can be as simple as:&lt;/p&gt;
&lt;hr /&gt;
&lt;p&gt;&lt;em&gt;The organisation appreciates that the maintenance of Confidentiality, Integrity, and Availability as pertaining to information and information systems is integral to the support of the strategic objectives of the organisation. We therefore create the following Information Security Objectives:&lt;/em&gt;&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;To implement, maintain, and continually improve our information security to better protect the confidentiality of our information, including but not limited to sensitive information.&lt;/li&gt;
&lt;li&gt;To implement, maintain, and continually improve our information security and design to ensure that the integrity of our information and information systems remains unquestionable.&lt;/li&gt;
&lt;li&gt;To implement, maintain, and continually improve our information security and design to ensure that the data that we rely on - and the people that rely on us - are able to access the data they need in a timely and reliable manner.&lt;/li&gt;
&lt;/ol&gt;
&lt;hr /&gt;
&lt;p&gt;With these three core aspects of the CIA triad folded into the objectives of the organisation, you have created the means by which controls and responsibilities can be explained and justified. These are the raw materials from which we can build more precise or granular controls and processes.&lt;/p&gt;
&lt;h2&gt;✅ Figure out what you care about - Start with a risk assessment&lt;/h2&gt;
&lt;p&gt;When we tell users to use MFA or a password manager, or what is expected of them when taking care of a company owned laptop, we are supposed to be making an informed decision in response to a risk.&lt;/p&gt;
&lt;p&gt;We should theoretically only be able to take these precautionary actions after qualifying the actual risk we are treating. In the ‘real world’ we don’t need to fully qualify the likelihood or impact of risk when we decide not to throw ourselves from great heights or ingest unknown berries, so it can slip our mind to qualify risk when we are building systems of work.&lt;/p&gt;
&lt;p&gt;Building management systems is very different from the rough and ready risk calculations we conduct when regarding our own physical safety - we are creating a system by which we must justify the obligations we place on other members of our organisation, and a system whereby these obligations support loftier and further-reaching strategic objectives. We therefore need a mechanism to assess risks before treating them. This is what a risk assessment is.&lt;/p&gt;
&lt;p&gt;A risk assessment consists of identifying what may interrupt the successful ongoing enactment of strategic objectives, and then weighing up the likelihood that this incident may occur, against the impact that this incident would have if it did occur. Once we identify and qualify the major and minor risks facing the business, we are able to make an informed decision about what we can do to treat these risks and protect our strategic objectives.&lt;/p&gt;
&lt;p&gt;Conversely, if we try to build out a set of controls or requirements without a risk assessment, we do not have any underlying structure to justify or measure the success of the control. This is not a suggestion to create measurement and performance tracking where there is no need to, only to create a relationship with risk whereby we need to be able to articulate it fully in order to say with certainty that we have treated or addressed it.&lt;/p&gt;
&lt;h2&gt;🗺️ Figure out who cares about you - Look at your context&lt;/h2&gt;
&lt;p&gt;Management Systems place a lot of focus on ‘understanding the organisation and its context’. This refers to the need to be able to place your organisation within the landscape that it acts and behaves in. The interconnected nature of different economic and social forces is one of the requirements for an organisation to even be possible to run and exist; it makes sense that we can’t abandon the consideration of these factors when it comes to securing and protecting our organisation.&lt;/p&gt;
&lt;p&gt;The two points of interest for considering context are to:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Understand your ‘context’ using a focus on internal and external issues that may affect your information security management system&lt;/li&gt;
&lt;li&gt;Understand the needs and expectations of people or organisations that you are connected with&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;I’ll attach a table with some examples of internal and external factors for consideration, but the best rule of thumb is to find and categorise issues, individuals, and institutions into either internal or external factors, and run a thought exercise where you identify how these things may impact your strategic objectives.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Internal Issue&lt;/th&gt;
&lt;th&gt;External Issue&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Organisational Structure of your business&lt;/td&gt;
&lt;td&gt;Political landscape of the country you are in&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Information Systems&lt;/td&gt;
&lt;td&gt;Legal obligations and responsibilities&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Staff awareness and understanding of your objectives&lt;/td&gt;
&lt;td&gt;Relationships with external stakeholders or members of your supply chain&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Culture of your organisation&lt;/td&gt;
&lt;td&gt;Contractual relationships&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;blockquote&gt;
&lt;p&gt;A note on the scope of consideration: It’s not just legal/good faith actors you should consider as a part of your context. Criminals or those who would see harm to your organisation should also be considered in this process. Any ‘Issue, Individual, or Institution’ really does mean anyone and everyone.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;h2&gt;🏠 Build the house before you live in it (Even if you live in it already)&lt;/h2&gt;
&lt;p&gt;Any structured management system/body of policy project should have clear demarcation between the planning and operating phases. Planning is the process by which we determine and begin measuring objectives, whilst ascertaining what risks we are identifying and what our approach to treating them is. Operation is actualising our plans, and can only ever be done &lt;strong&gt;properly&lt;/strong&gt; if we are working to a good and thorough plan.&lt;/p&gt;
&lt;p&gt;This may seem like common sense - but I feel I must make this point as I have seen a very common approach whereby the project owner (who is unfortunately likely doing the work because they have been told to, not because they want to) will put together a set of boxes to tick and processes to change or conjure into being, work from the operation of the organisation backwards, and create documentation of processes as a byproduct of the unjustified sets of controls they just ‘feel’ should be in place.&lt;/p&gt;
&lt;p&gt;I can’t emphasise enough the ongoing help that a thorough planning phase will provide.&lt;/p&gt;
&lt;h2&gt;💭 Closing thoughts&lt;/h2&gt;
&lt;p&gt;I hope you’ve enjoyed this collection of thoughts on policy and management systems, and I hope someone finds it useful. It is of course non-exhaustive and there is plenty more to talk about - which I hope to do. This feels like a good portion for thought however, so I will leave it here for the moment.&lt;/p&gt;
&lt;p&gt;The main takeaway I hope to provide is that it’s worth digging into thinking about this stuff from an architectural point of view, and giving yourself as much breathing room as you possibly can to discuss and design the process for your policy work. If you have ended up using this piece of writing as a contributing factor in your project and you’d like to chat further about its application in your specific business context then let me know (&lt;a href=&quot;mailto:savva@pistolas.co.uk&quot;&gt;savva@pistolas.co.uk&lt;/a&gt;). You can also subscribe to my blog via &lt;a href=&quot;https://pistolas.co.uk/subscribe/&quot;&gt;email&lt;/a&gt; or &lt;a href=&quot;https://pistolas.co.uk/feed/&quot;&gt;RSS feed&lt;/a&gt;.&lt;/p&gt;
]]></content>
  </entry>
  
  <entry>
    <title>The internet forest</title>
    <link href="https://pistolas.co.uk/forest/" rel="alternate" type="text/html"/>
    <id>https://pistolas.co.uk/forest/</id>
    <published>2023-08-09T00:00:00Z</published>
    <updated>2023-08-09T00:00:00Z</updated>
    
    <content type="html"><![CDATA[&lt;!-- PASTE VERBATIM POST BODY HERE --&gt;
]]></content>
  </entry>
  
  <entry>
    <title>Reflections on the radiowaves - TETRA:BURST and secure software in CNI.</title>
    <link href="https://pistolas.co.uk/tetraburst/" rel="alternate" type="text/html"/>
    <id>https://pistolas.co.uk/tetraburst/</id>
    <published>2023-07-28T00:00:00Z</published>
    <updated>2023-07-28T00:00:00Z</updated>
    
    <content type="html"><![CDATA[&lt;!-- PASTE VERBATIM POST BODY HERE --&gt;
]]></content>
  </entry>
  
</feed>
