On thin ice

Image from Unsplash

Freezing rain had been forecast. On the radar you could see a mighty precipitation area rolling in from the south. Like many colleagues, I decided to go home early. I got home dry and, more importantly, without slipping, and spent the rest of the afternoon watching how, in this region, things didn’t get nearly as bad as expected.

After work I was supposed to go for a run. However, the threat of freezing rain still lingered in the air (even though I hadn’t seen anyone slip in my street). So I decided not to run outside and instead put my treadmill into action. Safely exercising indoors. Added bonus: inside it was about twenty degrees (36 °F) warmer. Shorts and a light shirt would do just fine.

After twelve minutes and fifty seconds my athletic ambitions came to an abrupt end. I made a misstep: my right foot didn’t land on the belt but on the edge of the machine. The entire right side of my body suddenly stopped, while the next step – with the left foot – was already underway. You can imagine this didn’t end well. First my left knee hit the moving belt, then the right one. My left foot had meanwhile planted itself on the ground behind the treadmill. Which meant I stood still. While the belt kept running underneath me. With my knees still on it. It burned quite a bit.

Treadmills have a safety cord. One end has a clip you attach to your clothing, the other end a plug you stick into the control panel. If you fall, the plug should be pulled out by the cord so the belt stops. The cord turned out to be slightly too long for the position I had ended up in – the safety plug stayed in place. The belt kept spinning until I pulled the cord by hand.

My wife and daughter rushed in, worried, and a bit dazed I asked for two wet washcloths to cool my knees. Three days later, the left one is almost healed, but on the right one I’m currently missing about four centimeters (1.5”) of skin. Nothing dramatic, it’s just the occasional sting and the healing wound pulling a bit.

I learned two things. First: organizational measures can backfire. I chose not to go outside because I didn’t want to fall. And that is exactly what happened. Of course I try to project this onto my work (this is still the Security (b)log, right). Do we sometimes make decisions there that ultimately cause the very thing we tried to prevent? Those decisions are usually well thought-out, thoroughly discussed, and we’ve slept on them. We’re currently revising our password requirements. Obviously with the intention of making our employees’ accounts more secure. But we must be careful not to make things so difficult that people get ‘creative’. Communication and support are crucial when implementing changes that affect everyone personally.

Second: if technical security measures are not implemented well, they won’t work in every situation. The safety cord works perfectly if you fall straight backward off the belt, but not if your fall stops halfway. You have to be very clear about the purpose of a measure, and you must examine all possible scenarios. Only then may you expect the measure to do what you intended. Example: we’ve been encrypting our data and communications for years. But if you don’t take the coming of the quantum computer into account – one that can crack today’s encryption with ease – you remain vulnerable. Maybe not today, but certainly when the data you send now can be decrypted by unauthorized parties a few years from now.

Our daughter is celebrating her eighteenth birthday today and wants to drive to school*. We’ve taken all kinds of measures: she got her driver’s license, we practiced extensively with her, we agreed on rules. The car was recently checked. And we have expressed our trust in her. And yet, as parents, you’re relieved when she gets home safely. Because you know that measures don’t always work.

*: In the Netherlands, you can take driving lessons from the age of 16.5. Once you get your license, until your 18^th birthday you have to be accompanied by a registered driver who must be no younger than 27 years.

And in the big bad world…

• Banning ransom payments is being reconsidered as a measure that may have unintended consequences.
• The Netherlands is exploring the French alternative for video conferencing.  [DUTCH]
• Your notepad turns out to be hacked.
• AI worms are on the way.
• Azure is (finally) discontinuing outdated TLS versions.
• Nearly a third of ads in Meta apps are malicious.
• State‑sponsored hackers are exploiting vulnerabilities faster than ever.
• The Netherlands won’t have a minister for digital affairs, but we’ll have a ‘cyber ranger’.  [DUTCH]
• Even Vatican media express concern about the lack of transparency in the use of AI.

 

Raccoon

 

Image from Unsplash

Talking about “Laundry Bear” may make you think I’m trying to invent a new English word — perhaps a literal translation of the Dutch wasbeer, the animal we call a raccoon. Sadly, “bear that does laundry” is not an official species. And we’re not in the zoological domain anyway. We’re in the world of organized hacking groups.

This Laundry Bear is ‘highly likely’ a ‘Russian state‑sponsored cyber actor’, according to the intelligence services in a publication from May 2025. In plain English: a group that conducts cyberattacks with the blessing — and probably the funding — of the Russian government. You can find such groups in various countries, and once they are identified, they get a label. That does not follow a universally agreed naming convention, but a common practice is that everything (presumably) from Russia is a bear, China has the panda, Iran the kitten, and North Korea the chollima (a mythical horse from Korean folklore). And those are exactly the countries that keep reappearing when we talk about state hackers. Which, in turn, does not mean that other countries keep their hands neatly to themselves.

In this particular animal kingdom we find the Fancy Bear, the Wicked Panda, the Charming Kitten and the Stardust Chollima, to name just a few. Each of them is a group that organizations may encounter if they have something that could be of interest to the sponsors behind the groups. Often that is information, but it may also be about money; North Korea in particular targets Western currencies and nowadays especially cryptocurrency.

Laundry Bear collects information from government organizations and companies worldwide, with special interest in the EU and NATO. They break into cloud‑based mail environments. Besides the emails themselves, they are also interested in the internal address book. They focus on everything related to the war in Ukraine. In addition, they find companies interesting that produce high‑end technology that Russia can no longer buy due to sanctions.

It is very difficult to attribute a particular activity to the correct actor. These actors are masters at laying false trails. But sometimes it is possible to establish this so‑called attribution (although you will usually still see the word ‘likely’ somewhere). The Dutch intelligence services attribute the 2024 attack on the Dutch police, in which contact details of all police employees were stolen, to Laundry Bear. They suspect that other Dutch organizations have also fallen victim to this actor. Until the police hack investigation, Laundry Bear had not been known yet. The services recognized that they were dealing with a new group.

All this substantive information was shared publicly last year in a Cybersecurity Advisory. In that advisory, they also list which ‘resilience‑enhancing measures’ organizations can take. These are fairly obvious measures. You must give people and computers the minimal privileges they need to perform their tasks. If such an account is hacked, the attacker’s options are limited to those privileges. Accounts with high privileges must be issued in a controlled way and used only when those privileges are actually required; administrators should therefore not work under their admin accounts by default. Outdated accounts must be cleaned up. And you must encrypt your network traffic. The list is much longer, but this gives you an idea.

As obvious as these measures are, some organizations still struggle to implement them. They cost time and money, and the knowledge, skills and willingness to take these necessary measures are not present everywhere. It works no differently than at home. You know your house needs painting, but you don’t get around to it or the painter is too expensive. It is also a matter of setting priorities.

Intelligence services are usually not so generous in making their information public. So why this public advisory? Because they know a lot, but not nearly everything about Laundry Bear. It is important for the country as a whole that organizations are resilient against such groups. But to be resilient, they first need to be aware of the threat. Moreover, the publication raises awareness that such groups exist in the first place. Most of the measures mentioned also help in the fight against Laundry Bear’s colleagues. Let’s hope the advisory reached its intended audience.

And in the big bad world…

• Some actors go much further than merely collecting information.
• Russians are also occasionally hit by a cyberattack.
• This article explains well what digital sovereignty means for you as a citizen.
• The foreign press reports on a current Dutch sovereignty issue.
• France is also working on its digital sovereignty.
• Even security chiefs sometimes get it wrong.
• WhatsApp is getting a lockdown mode.
• AI agents built into operating systems undermine the principles of end‑to‑end security.
• There are some misconceptions about data protection.
• This article is supposedly about leaky AI toys, but it is in fact an Internet‑of‑Things failure.
• Life in an Asian scam compound is harsh.

 

Going up

Image from Unsplash

In 1981, we went on holiday to the Costa del Sol. We rented a distant cousin’s apartment for a friendly price, in a building right on the beach of Torre del Mar. That building had an elevator, and that elevator is what I want to talk about. Because it was quite special.

It had no memory. If you wanted to ride it, you pressed a button like with any elevator. But if the elevator was already on its way to another floor, it simply ignored you. You had to press the button again once the ride was finished, and then hope that no one else beat you to it. It could take quite a while before you managed to catch the elevator. And I don’t remember exactly, but I think the buttons inside the elevator had priority over the ones on the floors. Otherwise you might never reach your destination.

So this was an elevator for which it actually made sense to keep pressing the button. But with all modern elevators, ladies and gentlemen, that is completely pointless. Your request is registered, and sooner or later an elevator will come. Repeated pressing only leads to wear on the button. And, perhaps needless to say: only press the button for the direction you want to go, so press the down arrow if you want to go down. If you press the other arrow as well, there’s a good chance you’ll be taken in the wrong direction – to your own annoyance.

Waiting is rarely enjoyable, so we try to shorten waiting times. Sometimes we do things we know won’t help. The same is true when you’re sitting impatiently behind your computer. It doesn’t respond quickly enough, so you try again. That doesn’t help. In fact, it works against you: the computer has to spend attention on your repeated actions, and that costs capacity (though nowadays you barely notice it; in the past, that was quite different).

The power of advertising lies in repetition, according to an old marketing maxim. That’s why you see and hear some ads over and over until they become annoying. But in my field, they’re also quite good at it. At conferences and conventions, we’ve been told for years that we all need to collaborate to create a safer world. Occasionally you’ll see a good example of such cooperation at an event, but in my view, it often remains empty rhetoric. But yes, no one can oppose defeating the common enemy together, so the theme is pulled out of the closet year after year. As far as I’m concerned, a conference only needs a name; a theme is optional. But it doesn’t really matter – as long as the content is good, and fortunately that is often the case.

This week, I attended yet another together-we-can-do-it conference. And once again, the theme fortunately didn’t get in the way of the content. The head of the Dutch Military Intelligence and Security Service came to tell us that we cannot trust the Russians, and the CISO of Hema showed an AI-generated picture of chains of smoked sausages hanging in the store*, to illustrate the weakest-link mantra; I’ve forgotten most of the content of her talk, but what made an impression on the audience was that in her previous role – because of that role – she had been threatened both physically and digitally. That’s something you don’t even want to imagine.

The best talk came from my cyber hero Mikko Hyppönen from Finland. After a career spanning decades in cybersecurity – he started out as a virus analyst – he recently and to his own surprise made a switch to the defense industry. He no longer analyzes computer viruses but military drones. The war in Ukraine – ‘in the heart of Europe,’ as Mikko put it – pushed him in that direction. Because these drones cause so many casualties, he has made it his mission to help bring these weapons down. And just like with malware, this is a cat-and-mouse game. Classic drones can be tackled via the radio signals used to control them. Five percent of the drones now seen on the battlefield trail a fiber-optic cable of up to twenty kilometers (twelve miles) behind them, meaning no radio signals are needed. And more modern drones aren’t controlled by humans at all anymore, but by AI. And how do you fight that? Exactly: with AI-driven drones.

There are elevators where you don’t press an arrow, but instead enter the floor you want to go to. The computer then calculates which passengers can best be grouped together and assigns everyone an elevator. Then no one ever has to doubt whether the elevator knows they want to ride along.

*: Hema is a Dutch department store. They’re famous for their smoked sausages.

And in the big bad world…

• This list shows Dutch organizations that are completely dependent on American cloud providers. [DUTCH]
• There was another outage at one of those cloud providers.
• The British are suffering from Russian hacktivists.
• CEOs and CISOs disagree on the top three threats.
• This new IoT botnet often appears in corporate and government networks.
• The European Space Agency is struggling with cybersecurity.
• You can now see whether a doorbell video has been tampered with.
• Teams will soon warn users about impersonators.
• AI is clicking on malicious advertisements.
• LastPass users need to watch out for phishing.
• We’ll just keep using the red pencil to vote. (In the Netherlands, voters mark their choice on a paper ballot by coloring a single oval next to a candidate’s name using the traditional red pencil.)

 

Sigh

Image from Unsplash

Pssst… Can you keep a secret? I hand you a sealed envelope with a name on it. The secret is inside. You are not allowed to look into the envelope yourself. When the person whose name is on it shows up, you give them the envelope. They look inside, seal it again, and hand it back to you. You keep it until next time. And you do absolutely nothing else with it.

This is roughly how things work when two computer systems communicate in many cases. For example because one system runs a program that needs data stored on another system. System A must then log in to system B, because of course not everyone is allowed to retrieve those data – another computer system included. In the first paragraph, you stored an envelope; system A has a digital equivalent: a digital vault. It stores the password in encrypted form. When A needs to retrieve data from B, it takes the password from the vault, decrypts it, and uses it to log in to B.

The key idea is that no human is involved. And that no human ever sees the password. Which means nobody can misuse A’s account. Just like you didn’t peek into the envelope, no one ever sees the decrypted password. At least, that’s the idea. Some time ago a colleague sent me an email with the subject line: SIGH… He had discovered that someone secretly looked inside the envelope – or its digital equivalent: manually decrypted the password. And then tried to manually log in with that account ‘just to see if it works’. While such an account is really a machine-to-machine account: meaning it is intended for one machine (A) to log in to another (B).

That sigh on the subject line meant something like: do they still not get it? Mind you, we are talking about administrators and developers doing this. You would expect them to understand how it works. That opening an envelope addressed to someone else is simply not allowed. And that manually logging in with a machine account is also not allowed. The sigh was also because this was certainly not an isolated incident. It happens far too often. And that undermines our security. You might ask why this is even possible. But that’s not the point here. Of course, it shouldn’t be possible, but right now it simply is.

If you see a bench in the park with a sign saying WET PAINT, do you touch it to check if it really is? Why would you? You risk getting paint on your fingers and the bench won’t look any better. Most people understand that you're not supposed to touch it. The same goes for those encrypted passwords. That something is possible does not mean it is allowed to do, or wise.

Deep down you know that. But just to be safe, another call to everyone who sometimes takes things a bit too lightly: don’t do it. If only because my sighing colleague is getting grey hairs from it, and because I end up writing in astonishment about something I thought you would understand by now. And of course I’m grateful for all those colleagues who simply do things right <3

*: There are alternatives, but I leave those aside here.

And in the big bad world…

• Cybersecurity vacancies are shifting from technology to governance.
• The United States is seeking new allies.
• Researchers discovered a highly advanced malware framework for Linux.
• Even earbuds and speakers sometimes need an update.
• Police and prosecutors in the Netherlands want more funding for IT.
• Privacy‑friendly AI also exists.
• ENISA had a document drafted by AI—and it didn’t go well. [GERMAN]

 

Boom

Image from Unsplash

Surely no one thought: come on, it’s the last time it’s allowed, let’s do something extra dangerous with fireworks. This blog is not the place for a debate for or against fireworks, but from my perspective there are a few interesting observations to be made. So here we go, blasting our way into the new year once again!

Even though it will not have been intentional, this time it was worse. Let’s start with some figures. There were 1,239 fireworks-related injuries in the Netherlands – no less than 7% more than during the previous New Year’s Eve. More than half of the victims were under the age of twenty. Many children were seriously injured when they tried to relight unexploded fireworks. About half of all victims did not even set off the fireworks themselves; they were merely bystanders. Emergency departments were 29% busier, treating 474 people. GP out-of-hours services were slightly quieter; with 765 patients, they saw 4% fewer cases than last year. One third of the injuries involved eye damage. Fourteen children lost a hand or finger(s), almost all due to illegal fireworks, which accounted for just under half of all injuries. And then there were those two fatalities, too.

All this suffering could, of course, have been easily prevented. All it would have taken is a low risk appetite. That term is very common in my profession, but not so much in daily life. Why is that? Because in a business environment you can usually reason quite rationally about the risks you are prepared to accept, whereas people who set off fireworks do not. They do not think in terms of degrees of risk; caught up in their enthusiasm, they think only about the intended effect. A child certainly does not think: oof, this is a Cobra with a short fuse, what is the likelihood I’ll lose a hand if I light it? Adults do not think in percentages either. At best, they judge it to be too dangerous and refrain from doing it. And if they do light the fireworks, they are implicitly convinced that all will go well. In that way, it is reduced to a binary decision, whereas in reality setting off fireworks still involves a very significant risk.

And what about public information campaigns? In the past, we had a slogan which translates into You’re a fool if you fool around with fireworks. It was witty (even more in Dutch) and it carried a message. Nowadays the message has to be more forceful, and we see mutilated hands on television. But if there are so many young victims, you would also expect information campaigns specifically aimed at this target group. Were there any? Yes, partially. Primary schools could order a free lesson package. That required them to take action themselves, and only about a quarter of all primary schools did so. You might also expect campaigners to use the media where young people actually are, such as TikTok and Instagram. However, there were no specific actions on those platforms. Municipalities and police forces were active there, but honestly — which teenager follows those kinds of accounts?

In my own profession, awareness is difficult as well. After all, you are conveying a message people would rather not hear. Just look at it: fireworks are beautiful and links are there to be clicked. And then along you come, telling them to be careful. Come on, it can’t be that bad, everyone does it.

With cybersecurity, things are slowly moving in the right direction. People understand that they have to be careful; they realise that criminals are lurking, ready to cause digital harm. Hmm, could the difference with fireworks safety have something to do with that? With the presence of a malicious actor? That element is missing when it comes to fireworks. That risk has just two components: the fireworks and the lighting. There is no other party, no enemy. Yes, that almost certainly has to play a role.

From the next New Year’s Eve onwards, a nationwide fireworks ban will apply in the Netherlands. I have serious doubts about whether it will work, because enforcing the ban will be difficult. Border checks in December will not stop the true fanatic, who has already stocked up much earlier. Responding whenever a bang or rocket is detected will rarely work either – how do you determine the exact location? No, if we truly want to reduce the number of victims, we will have to make sure (if necessary via TikTok!) that people – especially children – start to understand that risk management also plays an important role in our daily lives. From that perspective, the message becomes: hands off fireworks — or hands lost because of fireworks.

 

And in the big bad world…

• non-human colleagues need our attention as well.
• HTML-defined QR codes are misleading malware scanners.
• distrust of Chinese AI is growing.
• we are losing our online privacy.
• keeping AI chatbots secure is not easy.
• of course, you can also hack a wheelchair.
• the Dutch NCSC is now also serving SMEs. [DUTCH]

 

Wrong turns and right moves

 

Image from Unsplash

They had been to the Christmas market in Germany. Just half a minute from their school, the bus turned right. We cycled behind it, eyebrows raised. Why was that huge coach driving into this narrow street in the dark, with cars parked on both sides of the bend?

It soon became clear that this was indeed not a good idea. The left side of the slowly moving bus grazed a parked car. The next car was even dragged along a bit. The bus driver seemed unaware, because he kept going, inch by inch. This had to stop. I worked my way over the sidewalk to the front of the bus, making sure I didn’t end up wedged between two parked cars. I gestured and shouted at the driver. Hesitantly, he rolled down his window. ‘You’ve hit two cars,’ I said. ‘I’m completely clear,’ he replied, surprised. ‘No, you’ve hit two cars!’ Meanwhile, voices from the back of the bus chimed in: ‘Driver, you’ve hit something!’ Eventually, the driver put on the handbrake and came to take a look.

He couldn’t deny it: there wasn’t a molecule of air between his bus and that second car. I told him we already thought it was odd that a bus drove into that street. You know what he said? ‘I checked Google Maps, it showed cars parked on only one side.’ As if those satellite images are live!

Meanwhile, my wife rang the bell at someone she knew nearby, and soon the owners of the damaged cars were tracked down. A very young couple came out to inspect the damage: both cars were theirs. At least the insurance claim could now be sorted. But another problem arose: the bus was seriously stuck. The only solution was to move some parked cars. The students, whose school trip ended two hundred meters before their destination, had already been sent home. One of them, with a giant teddy bear on the back of his bike, we passed later.

We all take a wrong turn sometimes. Where there’s chopping, there are chips; mistakes are human. What really matters is how you deal with them. Do you flat-out deny the error (‘I’m completely clear’), try to shift the blame, or take responsibility?

If a crew member on an aircraft carrier loses a tool, the consequences can be huge: it can get sucked into a jet engine, and those don’t take kindly to that. A lost screwdriver can cost lives. If someone misplaces something, they must report it immediately, and everything grinds to a halt. The missing item is searched for urgently. And most importantly: the person who caused the incident is praised for reporting it. Not punished! That’s how you encourage error reporting. Punishment would only drastically reduce the willingness to report mistakes.

We’re all on a kind of aircraft carrier. A single employee’s mistake can have disastrous consequences. Think of an admin making a configuration error, or an employee who clicks that phishing link after all. Because our carrier is so big, there are even more ‘opportunities’ to make mistakes. In risk analyses, we pay a lot of attention to these kinds of errors, which aren’t caused by a malicious actor but by a colleague acting in good faith. We call these mistakes ‘oopsies.’

Sometimes a technical glitch can lead to an awkward conversation. A report landed on my desk about an employee who tried to do something that set off alarm bells. I asked him to explain. He came up with a rather strange story, but I managed to get it confirmed. The error was known, and a fix was in the works. It just goes to show you should always be open to unlikely outcomes. So you don’t end up making a mistake yourself.

Made a mistake? Report it. So worse can be prevented and we can learn from it.

Happy holidays! The next Security (b)log will appear next year.

And in the big bad world…

• Urban VPN Proxy’s browser extension reads all your AI chats.
• You can send a fake message via the government’s Phishkraam. [DUTCH]
• Even Notepad can be dangerous. [DUTCH]
• DigiD is now officially vulnerable to American curiosity. [DUTCH]
• The same applies to Zivver. [DUTCH]
• You can also just upload files with sensitive personal data to AI websites yourself. [DUTCH]
• Millions of people face a hot Christmas.
• Cisco is struggling with a vulnerability.
• Your robot vacuum might spy for China.
• Attackers can gain access to your WhatsApp account (if you unwittingly help them).

 

Urgency en priority

Image from Unsplash 

Many of my colleagues are named Erik, and one of them came to me with something he thought might make a good blog topic. People sometimes assume I can turn anything into a story. Occasionally such ideas remain untouched, but Erik’s remark kept nagging at me.

"If you suddenly feel urgency now, then you didn’t choose the right priority back then," said Erik. That’s a fairly universal statement, not one limited to information security or IT. It applies to your private life too, for example in the Christmas season: if you’re ordering a Christmas gift today and discover it won’t arrive in time, then perhaps you should have left the vacuuming for later last week. The dust would still be there a day later, but that order was time-critical. Of course, there can be complicating factors; maybe you didn’t have the money for a gift last week. Or an important guest was coming and a clean house was a must.
In the past, we security folks often lamented that security only came into view at the very end of a project – if anyone thought of it at all. For years we argued that security should be included from the start. If you want a catchy term: we call this shift left – moving attention to the front of the timeline. Long ago (in the late nineties) we had a great mechanism for this: the ‘aspect meeting’. When a new project started, the project manager had to gather representatives of various aspects and explain what the project was about. Participants could then provide feedback and, most importantly, ensure their aspect got proper attention. For example, by supplying policy documents and explaining how they should be applied in the project. This way, as an aspect representative, you could make sure your interests were considered. That meeting format was one of the best I’ve ever known.
Has much changed since then? Yes and no. There are now far more IT professionals who understand the importance of information security. A lot more. On the other hand, shift left still hasn’t happened everywhere. My colleagues in the Security by Design program are working hard to make it happen. They do this by teaching teams how to do it. Because here too, the old wisdom applies: it’s better to teach someone to fish than to give them a fish – at least if survival is the goal. Furthermore, procurement processes have taken a good turn. As I wrote a few weeks ago, we have a ready-made set of security requirements prepared and, just as importantly, the buyers are aware of the Security Functionals Directive.
It’s not just Erik – there are plenty of Edwins, too. Yesterday I spoke to one, and the conversation was quite interesting. This Edwin had requested an exemption from a certain rule. Because I didn’t understand something in the motivation, I called him. Besides explaining the situation, he shared his view on exemptions. In his opinion, they’re granted far too easily. Teams should make more effort to stay within the lines, Edwin thought. I wholeheartedly agree, and that’s why we always scrutinize deviations carefully. However, we also deal with a multitude of systems and platforms, from cutting-edge to legacy. And especially in that latter category, we sometimes hear: what you want simply isn’t possible for us.
Sometimes that’s too easy. What they really mean is: we assume it won’t work. But if you bring together people from different disciplines, something beautiful can happen. Like: "Oh, but if you can set it up that way for us, then we can do this and that on our side, and then it fits within policy!" We try to help people take that extra step. But feel free to beat us to it. For example, by not just assuming something can’t be done.
Back to Erik. He teaches us that good planning prevents later trouble. Because when something becomes urgent, you often depend on others, who may think: poor planning on your part does not constitute an emergency on ours. Or it simply doesn’t fit into their own workload to help you out immediately.
Avoid urgency, plan well. Order that gift now.

And in the big bad world…

• Email security in iCloud should be better.
• You can sign up with this American telecom provider using nothing but your ZIP code.
• The German government conducted extensive research on password managers. [GERMAN]
• Here’s a Dutch summary of that research. [DUTCH]
• One of those password managers received a hefty fine.
• AI can also be used to spread malware.
• There’s ransomware for Android devices too.
• The new Christmas puzzle from the Dutch intelligence service is online. [DUTCH]
• There’s political unrest over the Dutch tax administration’s move to Microsoft 365. [DUTCH]