2026-02-13

Receipt required

Photo from author

Do you ever find yourself in Germany? And have you ever taken a close look at a receipt there? Well, I have. And what immediately caught my eye was the cryptographic information printed on it.

To be clear: when I talk about crypto, I mean cryptography, not digital money like bitcoin. Cryptography is the mathematical art of securing data, as someone at a conference recently put it. But what exactly was on that receipt, and more importantly: why?

There were long strings of letters and numbers, as you can see in the photo. My attention went straight to the ‘PublicKey’ line at the very bottom of the receipt. Behind it: a blob of 132 characters. The receipt also contains a similar string representing a digital signature. You don’t often see information about digital signatures printed on an analogue medium (the paper slip).

The reason lies in German law: the Kassensicherungsverordnung (Cash Register Security Ordinance, oddly abbreviated as KassenSichV). It requires electronic tills to be equipped with a Technische Sicherheitseinrichtung (TSE – Technical Security Module). The TSE prevents tampering with the till: every transaction is logged in order, assigned a sequential number, and digitally signed. This allows the Finanzamt (tax administration) to check for irregularities, such as missing receipts. A shopkeeper using a till without a certified TSE can be fined up to € 25,000 (almost US$ 30,000).

All that cryptographic work happens inside the register. But why print that information on the receipt? Because the receipt itself must also be verifiable. You as a customer won’t do anything with it – you may consider the fact that I noticed it a case of déformation professionnelle. But the tax administration can run spot checks, for instance by sending in a mystery shopper who later has their receipt verified. In the past, retailers could hand the customer a perfectly decent-looking receipt while deleting or altering the transaction inside the system. That’s no longer possible: the digital signature would expose it immediately.
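To make that mechanism concrete, here is an added example of my own (a constructed miniature, not the real KassenSichV/TSE data format and not any till vendor’s code): a tiny TSE that numbers and signs each sale with ECDSA, and an audit that, given only the public key and a stack of receipts, spots both an amount that was altered afterwards and a transaction that was deleted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
)

// Receipt models one signed till transaction (constructed model, not the real TSE format).
type Receipt struct {
	Counter   uint64 // sequential signature counter assigned by the TSE
	Time      string // transaction timestamp (constructed sample values)
	AmountCts int64  // total in euro cents
	Sig       []byte // DER-encoded ECDSA signature over digest(...)
}

// digest binds counter, time and amount into the bytes that get signed.
func digest(counter uint64, t string, amount int64) []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%d|%s|%d", counter, t, amount)))
	return h[:]
}

// TSE models the security module: it alone holds the private key and the counter.
type TSE struct {
	priv    *ecdsa.PrivateKey
	counter uint64
}

// Sign assigns the next counter value and signs the transaction together with it.
func (t *TSE) Sign(ts string, amount int64) Receipt {
	t.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, t.priv, digest(t.counter, ts, amount))
	if err != nil {
		panic(err) // only happens if the system RNG is unavailable
	}
	return Receipt{Counter: t.counter, Time: ts, AmountCts: amount, Sig: sig}
}

// Audit is what an inspector can do with the printed public key and a stack of
// receipts: verify every signature and check that the counters are contiguous.
// It returns the counters whose signature fails and the counters missing from the run.
func Audit(pub *ecdsa.PublicKey, receipts []Receipt) (bad, missing []uint64) {
	sorted := append([]Receipt(nil), receipts...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Counter < sorted[j].Counter })
	for i, r := range sorted {
		if !ecdsa.VerifyASN1(pub, digest(r.Counter, r.Time, r.AmountCts), r.Sig) {
			bad = append(bad, r.Counter)
		}
		if i > 0 {
			for c := sorted[i-1].Counter + 1; c < r.Counter; c++ {
				missing = append(missing, c) // a deleted transaction leaves a gap
			}
		}
	}
	return bad, missing
}

// Demo signs four sales, then simulates an operator who lowers the amount on
// receipt 2 and deletes receipt 3 after the fact, and returns the audit findings.
func Demo() (bad, missing []uint64) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tse := &TSE{priv: priv}
	var receipts []Receipt
	for i, amt := range []int64{1250, 890, 4000, 315} {
		receipts = append(receipts, tse.Sign(fmt.Sprintf("2026-02-13T12:0%d:00", i), amt))
	}
	receipts[1].AmountCts = 89                       // tampered after signing
	receipts = append(receipts[:2], receipts[3:]...) // receipt with counter 3 deleted
	return Audit(&priv.PublicKey, receipts)
}

func main() {
	bad, missing := Demo()
	fmt.Println("bad signatures:", bad, "missing counters:", missing) // [2] [3]
}
```

The audit needs nothing from inside the till: the public key on the paper slip is enough to tell a tampered or missing transaction from an honest run.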

On more modern receipts, the printed TSE information has been replaced by a QR code. That makes the life of inspectors easier (even though it’s marketed as a paper-saving measure). Even more eco-friendly is the digital receipt which, very un‑German, is called a fiskaly receipt (they actually use the English word receipt). The customer scans a QR code on the till. But it can be even simpler: at the supermarket we visit from time to time to buy things they don’t have here or that are much cheaper there, you can receive the receipt directly in the store’s app.

That digitalisation is great, but I do see one problem. When I buy something with a warranty, I scan the receipt and store it under a meaningful filename on my computer. I do this for two reasons: printed receipts fade, and my computer can search for me. Digitally issued receipts, however, I can never find again. Once you realise that, you then need to remember which shop sold you the product, so you can search the relevant app or website. To work around this, I now store a small file in my records noting where the product was purchased. Another tip for fellow administrative nerds: since clothing tends to break or fray, I store a photo of the garment alongside the scanned receipt. Then you always know which receipt belongs to which pair of trousers.

One more thing that stood out on the receipt from Shawarma Al‑Zaiem: the line ‘Es bediente Sie: LPADMIN’ (“You were served by”). The administrator was logged in at the till. Now, Al‑Zaiem is a small place where only two people were working, but still: using an admin account for routine operations is never a good idea.

Send me photos of your bewildered travel companions the next time you find yourself attentively studying your receipt in Germany (-;

And in the big bad world…


2026-02-06

On thin ice

Image from Unsplash

Freezing rain had been forecast. On the radar you could see a mighty precipitation area rolling in from the south. Like many colleagues, I decided to go home early. I got home dry and, more importantly, without slipping, and spent the rest of the afternoon watching how, in this region, things didn’t get nearly as bad as expected.

After work I was supposed to go for a run. However, the threat of freezing rain still lingered in the air (even though I hadn’t seen anyone slip in my street). So I decided not to run outside and instead put my treadmill into action. Safely exercising indoors. Added bonus: inside it was about twenty degrees (36 °F) warmer. Shorts and a light shirt would do just fine.

After twelve minutes and fifty seconds my athletic ambitions came to an abrupt end. I made a misstep: my right foot didn’t land on the belt but on the edge of the machine. The entire right side of my body suddenly stopped, while the next step, with the left foot, was already underway. You can imagine this didn’t end well. First my left knee hit the moving belt, then the right one. My left foot had meanwhile planted itself on the ground behind the treadmill. Which meant I stood still. While the belt kept running underneath me. With my knees still on it. It burned quite a bit.

Treadmills have a safety cord. One end has a clip you attach to your clothing, the other end a plug you stick into the control panel. If you fall, the plug should be pulled out by the cord so the belt stops. The cord turned out to be slightly too long for the position I had ended up in: the safety plug stayed in place. The belt kept spinning until I pulled the cord by hand.

My wife and daughter rushed in, worried, and a bit dazed I asked for two wet washcloths to cool my knees. Three days later, the left one is almost healed, but on the right one I’m currently missing about four centimeters (1.5”) of skin. Nothing dramatic, it’s just the occasional sting and the healing wound pulling a bit.

I learned two things. First: organizational measures can backfire. I chose not to go outside because I didn’t want to fall. And that is exactly what happened. Of course I try to project this onto my work (this is still the Security (b)log, right?). Do we sometimes make decisions there that ultimately cause the very thing we tried to prevent? Those decisions are usually well thought-out, thoroughly discussed, and we’ve slept on them. We’re currently revising our password requirements. Obviously with the intention of making our employees’ accounts more secure. But we must be careful not to make things so difficult that people get ‘creative’. Communication and support are crucial when implementing changes that affect everyone personally.

Second: if technical security measures are not implemented well, they won’t work in every situation. The safety cord works perfectly if you fall straight backward off the belt, but not if your fall stops halfway. You have to be very clear about the purpose of a measure, and you must examine all possible scenarios. Only then may you expect the measure to do what you intended. Example: we’ve been encrypting our data and communications for years. But if you don’t take the coming of the quantum computer into account (one that can crack today’s encryption with ease), you remain vulnerable. Maybe not today, but certainly when the data you send now can be decrypted by unauthorized parties a few years from now.

Our daughter is celebrating her eighteenth birthday today and wants to drive to school*. We’ve taken all kinds of measures: she got her driver’s license, we practiced extensively with her, we agreed on rules. The car was recently checked. And we have expressed our trust in her. And yet, as parents, you’re relieved when she gets home safely. Because you know that measures don’t always work.

*: In the Netherlands, you can take driving lessons from the age of 16.5. Once you get your license, until your 18th birthday you have to be accompanied by a registered driver who must be no younger than 27 years.


And in the big bad world…


2026-01-30

Raccoon


Image from Unsplash

Talking about “Laundry Bear” may make you think I’m trying to invent a new English word — perhaps a literal translation of the Dutch wasbeer, the animal we call a raccoon. Sadly, “bear that does laundry” is not an official species. And we’re not in the zoological domain anyway. We’re in the world of organized hacking groups.

This Laundry Bear is ‘highly likely’ a ‘Russian state‑sponsored cyber actor’, according to the intelligence services in a publication from May 2025. In plain English: a group that conducts cyberattacks with the blessing — and probably the funding — of the Russian government. You can find such groups in various countries, and once they are identified, they get a label. That does not follow a universally agreed naming convention, but a common practice is that everything (presumably) from Russia is a bear, China has the panda, Iran the kitten, and North Korea the chollima (a mythical horse from Korean folklore). And those are exactly the countries that keep reappearing when we talk about state hackers. Which, in turn, does not mean that other countries keep their hands neatly to themselves.

In this particular animal kingdom we find the Fancy Bear, the Wicked Panda, the Charming Kitten and the Stardust Chollima, to name just a few. Each of them is a group that organizations may encounter if they have something that could be of interest to the sponsors behind the groups. Often that is information, but it may also be about money; North Korea in particular targets Western currencies and nowadays especially cryptocurrency.

Laundry Bear collects information from government organizations and companies worldwide, with special interest in the EU and NATO. They break into cloud‑based mail environments. Besides the emails themselves, they are also interested in the internal address book. They focus on everything related to the war in Ukraine. In addition, they find companies interesting that produce high‑end technology that Russia can no longer buy due to sanctions.

It is very difficult to attribute a particular activity to the correct actor. These actors are masters at laying false trails. But sometimes it is possible to establish this so‑called attribution (although you will usually still see the word ‘likely’ somewhere). The Dutch intelligence services attribute the 2024 attack on the Dutch police, in which contact details of all police employees were stolen, to Laundry Bear. They suspect that other Dutch organizations have also fallen victim to this actor. Before the investigation into the police hack, Laundry Bear was not yet known. The services recognized that they were dealing with a new group.

All this substantive information was shared publicly last year in a Cybersecurity Advisory. In that advisory, they also list which ‘resilience‑enhancing measures’ organizations can take. These are fairly obvious measures. You must give people and computers the minimal privileges they need to perform their tasks. If such an account is hacked, the attacker’s options are limited to those privileges. Accounts with high privileges must be issued in a controlled way and used only when those privileges are actually required; administrators should therefore not work under their admin accounts by default. Outdated accounts must be cleaned up. And you must encrypt your network traffic. The list is much longer, but this gives you an idea.

As obvious as these measures are, some organizations still struggle to implement them. They cost time and money, and the knowledge, skills and willingness to take these necessary measures are not present everywhere. It works no differently than at home. You know your house needs painting, but you don’t get around to it or the painter is too expensive. It is also a matter of setting priorities.

Intelligence services are usually not so generous in making their information public. So why this public advisory? Because they know a lot, but not nearly everything about Laundry Bear. It is important for the country as a whole that organizations are resilient against such groups. But to be resilient, they first need to be aware of the threat. Moreover, the publication raises awareness that such groups exist in the first place. Most of the measures mentioned also help in the fight against Laundry Bear’s colleagues. Let’s hope the advisory reached its intended audience.

And in the big bad world…


2026-01-23

Going up

Image from Unsplash

In 1981, we went on holiday to the Costa del Sol. We rented a distant cousin’s apartment for a friendly price, in a building right on the beach of Torre del Mar. That building had an elevator, and that elevator is what I want to talk about. Because it was quite special.

It had no memory. If you wanted to ride it, you pressed a button, as with any elevator. But if the elevator was already on its way to another floor, it simply ignored you. You had to press the button again once the ride was finished, and then hope that no one else beat you to it. It could take quite a while before you managed to catch the elevator. And I don’t remember exactly, but I think the buttons inside the elevator had priority over the ones on the floors. Otherwise you might never reach your destination.

So this was an elevator for which it actually made sense to keep pressing the button. But with all modern elevators, ladies and gentlemen, that is completely pointless. Your request is registered, and sooner or later an elevator will come. Repeated pressing only leads to wear on the button. And, perhaps needless to say: only press the button for the direction you want to go, so press the down arrow if you want to go down. If you press the other arrow as well, there’s a good chance you’ll be taken in the wrong direction – to your own annoyance.

Waiting is rarely enjoyable, so we try to shorten waiting times. Sometimes we do things we know won’t help. The same is true when you’re sitting impatiently behind your computer. It doesn’t respond quickly enough, so you try again. That doesn’t help. In fact, it works against you: the computer has to spend attention on your repeated actions, and that costs capacity (though nowadays you barely notice it; in the past, that was quite different).

The power of advertising lies in repetition, according to an old marketing maxim. That’s why you see and hear some ads over and over until they become annoying. But in my field, they’re also quite good at it. At conferences and conventions, we’ve been told for years that we all need to collaborate to create a safer world. Occasionally you’ll see a good example of such cooperation at an event, but in my view, it often remains empty rhetoric. But yes, no one can oppose defeating the common enemy together, so the theme is pulled out of the closet year after year. As far as I’m concerned, a conference only needs a name; a theme is optional. But it doesn’t really matter – as long as the content is good, and fortunately that is often the case.

This week, I attended yet another together-we-can-do-it conference. And once again, the theme fortunately didn’t get in the way of the content. The head of the Dutch Military Intelligence and Security Service came to tell us that we cannot trust the Russians, and the CISO of Hema showed an AI-generated picture of chains of smoked sausages hanging in the store*, to illustrate the weakest-link mantra; I’ve forgotten most of the content of her talk, but what made an impression on the audience was that in her previous role – because of that role – she had been threatened both physically and digitally. That’s something you don’t even want to imagine.

The best talk came from my cyber hero Mikko Hyppönen from Finland. After a career spanning decades in cybersecurity – he started out as a virus analyst – he recently and to his own surprise made a switch to the defense industry. He no longer analyzes computer viruses but military drones. The war in Ukraine – ‘in the heart of Europe,’ as Mikko put it – pushed him in that direction. Because these drones cause so many casualties, he has made it his mission to help bring these weapons down. And just like with malware, this is a cat-and-mouse game. Classic drones can be tackled via the radio signals used to control them. Five percent of the drones now seen on the battlefield trail a fiber-optic cable of up to twenty kilometers (twelve miles) behind them, meaning no radio signals are needed. And more modern drones aren’t controlled by humans at all anymore, but by AI. And how do you fight that? Exactly: with AI-driven drones.

There are elevators where you don’t press an arrow, but instead enter the floor you want to go to. The computer then calculates which passengers can best be grouped together and assigns everyone an elevator. Then no one ever has to doubt whether the elevator knows they want to ride along.

*: Hema is a Dutch department store. They’re famous for their smoked sausages.

And in the big bad world…


2026-01-16

Sigh

Image from Unsplash

Pssst… Can you keep a secret? I hand you a sealed envelope with a name on it. The secret is inside. You are not allowed to look into the envelope yourself. When the person whose name is on it shows up, you give them the envelope. They look inside, seal it again, and hand it back to you. You keep it until next time. And you do absolutely nothing else with it.

This is roughly how things work when two computer systems communicate in many cases. For example because one system runs a program that needs data stored on another system. System A must then log in to system B, because of course not everyone is allowed to retrieve those data – another computer system included. In the first paragraph, you stored an envelope; system A has a digital equivalent: a digital vault. It stores the password in encrypted form. When A needs to retrieve data from B, it takes the password from the vault, decrypts it, and uses it to log in to B.

The key idea is that no human is involved. And that no human ever sees the password. Which means nobody can misuse A’s account. Just like you didn’t peek into the envelope, no one ever sees the decrypted password. At least, that’s the idea. Some time ago a colleague sent me an email with the subject line: SIGH… He had discovered that someone secretly looked inside the envelope – or its digital equivalent: manually decrypted the password. And then tried to manually log in with that account ‘just to see if it works’. While such an account is really a machine-to-machine account: meaning it is intended for one machine (A) to log in to another (B).

That sigh on the subject line meant something like: do they still not get it? Mind you, we are talking about administrators and developers doing this. You would expect them to understand how it works. That opening an envelope addressed to someone else is simply not allowed. And that manually logging in with a machine account is also not allowed. The sigh was also because this was certainly not an isolated incident. It happens far too often. And that undermines our security. You might ask why this is even possible. But that’s not the point here. Of course, it shouldn’t be possible, but right now it simply is.
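The two things my colleague sighed about both leave traces: the vault records who decrypted which secret, and system B records whether a logon was a machine session or a person at a keyboard. As an added example of my own (constructed sample logs and a constructed owner policy, not our vault’s or any product’s real log format), this flags a machine secret opened by anyone other than the system that owns it, and an interactive logon with a machine-to-machine account:

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample policy: each machine-account secret in the vault may be
// decrypted only by the system (A) that needs it to log in to B.
var secretOwner = map[string]string{
	"svc-reportloader": "host-app-a",
	"svc-etl":          "host-etl-1",
}

// Constructed vault audit lines: time,secret,principal,source. Not a real
// vault's log schema; the field meaning is what matters, not the format.
var sampleVaultLog = []string{
	"2026-01-14T02:00:01,svc-reportloader,host-app-a,10.0.1.20",
	"2026-01-14T09:12:44,svc-reportloader,jdoe,10.0.9.55",
	"2026-01-14T02:05:00,svc-etl,host-etl-1,10.0.1.30",
}

// Constructed logon lines from system B: time,account,kind,source, where kind is
// "service" for a machine session and "interactive" for a human at a keyboard.
var sampleLogonLog = []string{
	"2026-01-14T02:00:02,svc-reportloader,service,10.0.1.20",
	"2026-01-14T09:13:10,svc-reportloader,interactive,10.0.9.55",
	"2026-01-14T09:20:00,jdoe,interactive,10.0.9.55",
}

// fields splits one CSV-style line; malformed lines yield ok=false and are skipped.
func fields(line string) (f []string, ok bool) {
	f = strings.Split(line, ",")
	return f, len(f) == 4
}

// Findings reports the two misuses from the post: someone other than the owning
// system opening the envelope (decrypting a machine secret), and an interactive
// logon with an account that is meant for machine-to-machine use only.
func Findings(vaultLog, logonLog []string) []string {
	var out []string
	for _, line := range vaultLog {
		f, ok := fields(line)
		if !ok {
			continue
		}
		t, secret, principal := f[0], f[1], f[2]
		if owner, machine := secretOwner[secret]; machine && principal != owner {
			out = append(out, fmt.Sprintf("vault: %s decrypted %s at %s (owner is %s)", principal, secret, t, owner))
		}
	}
	for _, line := range logonLog {
		f, ok := fields(line)
		if !ok {
			continue
		}
		t, account, kind, src := f[0], f[1], f[2], f[3]
		if _, machine := secretOwner[account]; machine && kind == "interactive" {
			out = append(out, fmt.Sprintf("logon: interactive session as %s from %s at %s", account, src, t))
		}
	}
	return out
}

func main() {
	for _, finding := range Findings(sampleVaultLog, sampleLogonLog) {
		fmt.Println(finding)
	}
}
```

On the sample data the nightly machine retrieval and logon pass quietly, while jdoe’s morning decrypt and the interactive logon that follows it are both reported.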

If you see a bench in the park with a sign saying WET PAINT, do you touch it to check if it really is? Why would you? You risk getting paint on your fingers and the bench won’t look any better. Most people understand that you're not supposed to touch it. The same goes for those encrypted passwords. That something is possible does not mean it is allowed, or wise.

Deep down you know that. But just to be safe, another call to everyone who sometimes takes things a bit too lightly: don’t do it. If only because my sighing colleague is getting grey hairs from it, and because I end up writing in astonishment about something I thought you would understand by now. And of course I’m grateful for all those colleagues who simply do things right <3

*: There are alternatives, but I leave those aside here.

And in the big bad world…


2026-01-09

Boom

Image from Unsplash

Surely no one thought: come on, it’s the last time it’s allowed, let’s do something extra dangerous with fireworks. This blog is not the place for a debate for or against fireworks, but from my perspective there are a few interesting observations to be made. So here we go, blasting our way into the new year once again!

Even though it will not have been intentional, this time it was worse. Let’s start with some figures. There were 1,239 fireworks-related injuries in the Netherlands – no less than 7% more than during the previous New Year’s Eve. More than half of the victims were under the age of twenty. Many children were seriously injured when they tried to relight unexploded fireworks. About half of all victims did not even set off the fireworks themselves; they were merely bystanders. Emergency departments were 29% busier, treating 474 people. GP out-of-hours services were slightly quieter; with 765 patients, they saw 4% fewer cases than last year. One third of the injuries involved eye damage. Fourteen children lost a hand or finger(s), almost all due to illegal fireworks, which accounted for just under half of all injuries. And then there were those two fatalities, too.

All this suffering could, of course, have been easily prevented. All it would have taken is a low risk appetite. That term is very common in my profession, but not so much in daily life. Why is that? Because in a business environment you can usually reason quite rationally about the risks you are prepared to accept, whereas people who set off fireworks do not. They do not think in terms of degrees of risk; caught up in their enthusiasm, they think only about the intended effect. A child certainly does not think: oof, this is a Cobra with a short fuse, what is the likelihood I’ll lose a hand if I light it? Adults do not think in percentages either. At best, they judge it to be too dangerous and refrain from doing it. And if they do light the fireworks, they are implicitly convinced that all will go well. In that way, it is reduced to a binary decision, whereas in reality setting off fireworks still involves a very significant risk.

And what about public information campaigns? In the past, we had a slogan which translates into You’re a fool if you fool around with fireworks. It was witty (even more so in Dutch) and it carried a message. Nowadays the message has to be more forceful, and we see mutilated hands on television. But if there are so many young victims, you would also expect information campaigns specifically aimed at this target group. Were there any? Yes, partially. Primary schools could order a free lesson package. That required them to take action themselves, and only about a quarter of all primary schools did so. You might also expect campaigners to use the media where young people actually are, such as TikTok and Instagram. However, there were no specific actions on those platforms. Municipalities and police forces were active there, but honestly — which teenager follows those kinds of accounts?

In my own profession, awareness is difficult as well. After all, you are conveying a message people would rather not hear. Just look at it: fireworks are beautiful and links are there to be clicked. And then along you come, telling them to be careful. Come on, it can’t be that bad, everyone does it.

With cybersecurity, things are slowly moving in the right direction. People understand that they have to be careful; they realise that criminals are lurking, ready to cause digital harm. Hmm, could the difference with fireworks safety have something to do with that? With the presence of a malicious actor? That element is missing when it comes to fireworks. That risk has just two components: the fireworks and the lighting. There is no other party, no enemy. Yes, that almost certainly has to play a role.

From the next New Year’s Eve onwards, a nationwide fireworks ban will apply in the Netherlands. I have serious doubts about whether it will work, because enforcing the ban will be difficult. Border checks in December will not stop the true fanatic, who has already stocked up much earlier. Responding whenever a bang or rocket is detected will rarely work either – how do you determine the exact location? No, if we truly want to reduce the number of victims, we will have to make sure (if necessary via TikTok!) that people – especially children – start to understand that risk management also plays an important role in our daily lives. From that perspective, the message becomes: hands off fireworks — or hands lost because of fireworks.


And in the big bad world…


2025-12-19

Wrong turns and right moves


Image from Unsplash

They had been to the Christmas market in Germany. Just half a minute from their school, the bus turned right. We cycled behind it, eyebrows raised. Why was that huge coach driving into this narrow street in the dark, with cars parked on both sides of the bend?

It soon became clear that this was indeed not a good idea. The left side of the slowly moving bus grazed a parked car. The next car was even dragged along a bit. The bus driver seemed unaware, because he kept going, inch by inch. This had to stop. I worked my way over the sidewalk to the front of the bus, making sure I didn’t end up wedged between two parked cars. I gestured and shouted at the driver. Hesitantly, he rolled down his window. ‘You’ve hit two cars,’ I said. ‘I’m completely clear,’ he replied, surprised. ‘No, you’ve hit two cars!’ Meanwhile, voices from the back of the bus chimed in: ‘Driver, you’ve hit something!’ Eventually, the driver put on the handbrake and came to take a look.

He couldn’t deny it: there wasn’t a molecule of air between his bus and that second car. I told him we already thought it was odd that a bus drove into that street. You know what he said? ‘I checked Google Maps, it showed cars parked on only one side.’ As if those satellite images are live!

Meanwhile, my wife rang the bell at someone she knew nearby, and soon the owners of the damaged cars were tracked down. A very young couple came out to inspect the damage: both cars were theirs. At least the insurance claim could now be sorted. But another problem arose: the bus was seriously stuck. The only solution was to move some parked cars. The students, whose school trip ended two hundred meters before their destination, had already been sent home. We later passed one of them, with a giant teddy bear on the back of his bike.

We all take a wrong turn sometimes. Where there’s chopping, there are chips; mistakes are human. What really matters is how you deal with them. Do you flat-out deny the error (‘I’m completely clear’), try to shift the blame, or take responsibility?

If a crew member on an aircraft carrier loses a tool, the consequences can be huge: it can get sucked into a jet engine, and those don’t take kindly to that. A lost screwdriver can cost lives. If someone misplaces something, they must report it immediately, and everything grinds to a halt. The missing item is searched for urgently. And most importantly: the person who caused the incident is praised for reporting it. Not punished! That’s how you encourage error reporting. Punishment would only drastically reduce the willingness to report mistakes.

We’re all on a kind of aircraft carrier. A single employee’s mistake can have disastrous consequences. Think of an admin making a configuration error, or an employee who clicks that phishing link after all. Because our carrier is so big, there are even more ‘opportunities’ to make mistakes. In risk analyses, we pay a lot of attention to these kinds of errors, which aren’t caused by a malicious actor but by a colleague acting in good faith. We call these mistakes ‘oopsies.’

Sometimes a technical glitch can lead to an awkward conversation. A report landed on my desk about an employee who tried to do something that set off alarm bells. I asked him to explain. He came up with a rather strange story, but I managed to get it confirmed. The error was known, and a fix was in the works. It just goes to show you should always be open to unlikely outcomes. So you don’t end up making a mistake yourself.

Made a mistake? Report it. So worse can be prevented and we can learn from it.

Happy holidays! The next Security (b)log will appear next year.

And in the big bad world…

