2022-03-25

Toilet roll

 


After two years we are slowly returning to the office. There, a change has taken place that you never saw coming. New toilet roll holders were installed.

For readers without an office: such a holder is not the simple thing you’ll find in our homes, but a closed box with a slot at the front bottom. In the box there are two rolls on top of each other and the paper comes out through the slot. Well, that’s how it’s meant to be. And that's exactly what goes wrong with these new things. The rolls suffer too much friction. If you pull on the paper, it will tear - inside the holder. Which means you have to search for the beginning every time by sticking your finger into the holder and twisting the roll around – often several times – until you get hold of the end of the paper. And then pull carefully, because before you know it it will tear off again. Sometimes you get hold of the ends of both rolls and then you experience the luxury of double-layer toilet paper.

There is a manufacturer that makes these things. Not just out of the blue, but according to a design. They first make one, or a handful: the prototypes. They are tested, a few teething troubles come to light, the design is adjusted, there is a new prototype and eventually (after maybe a few more iterations) the holder is ready for production.

What went so wrong with this product? Did they only test under lab conditions? Has anyone come up with the idea to screw a prototype to the wall, put two rolls of toilet paper in it, sit on the pot and use paper according to some European standard or according to need? In short, didn’t they perform a field test?

But things also went wrong on our side. It must have been a government-wide tender. In such a tender, it is decided which offer, meeting the business requirements, offers the cheapest solution. Perhaps the buyers forgot to include a requirement that the paper should come out smoothly. And I wonder how the acceptance test was done.

Years ago we purchased a software package to manage our information security management system (ISMS). It seemed like a great product and we went on a course with the manufacturer with a few people. We saw a product with a clear structure and we were able to carry out all the practice assignments smoothly. And then we had to implement the product in our organization. We were unable to reconcile our layout with that of the product. At that time I even reverse-engineered the data model of the product*, in other words: I drew out how the product was put together. We then tried to plot our organization and our working methods on this. We called in the manufacturer a few times and after each consultation we thought we understood how to do it. In the end we gave up and to this day we work with the old, trusted spreadsheets.

There is nothing wrong with that, by the way. At a conference, a speaker once asked the audience who was using Excel for this sort of thing. Numerous hands went up and there was a lot of laughter. At the same time, a sense of relief rippled through the room, because it suddenly became clear that it was not at all unusual to work in this way. Sometimes you simply have functional needs that you cannot express well in requirements and for which you cannot start a purchasing process for that reason. You then go tinkering yourself or you borrow something from another organization. In terms of management, this is a nightmare: if such a self-made tool becomes established and its maker is no longer available, then you have a problem.

I've put something like this together myself. And so as not to leave my colleagues in a bind in case mishap strikes me, I made a technical manual for it, which describes exactly how things work under the hood of my spreadsheet. Whether it will be of any use to them remains to be seen. Of course we are way too busy to test something like this. Besides, nobody knows where the manual is. So there’s room for improvement. How about you? Is the continuity of your team's important resources guaranteed?

*) Reverse engineering involves looking at how something works and deducing from that how it was designed.

 This blog post has been translated from Dutch to English by Google and edited by the author.


 And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English. 

 


2022-03-18

Garbage

 


A while ago we had Corrie, Dudley and Eunice over. They were uninvited guests who beat the big drum. Eunice even killed four people in the Netherlands alone. Along with Dudley, this storm killed even more people in neighboring countries.

On one of these windy days, the orange wheelie bin was scheduled for collection. This is where PMD waste goes: plastic and metal packaging and drinking cartons. The garbage truck has an arm on the side that can lift two bins at once and then hold them upside down over an opening on top of the truck. In normal weather conditions, the waste falls neatly into the truck. But this time numerous pieces of plastic, over which the wind had more power than gravity, were blowing through the street.

We also have a blue wheelie bin. Paper waste goes in there and it is emptied in the same way as the orange container. What if the blue bin had been on the waste calendar? Would all kinds of documents with my name on them have been whirling around? Not such a nice thought. We may have nothing to hide, in the sense of: we don't do things that are inappropriate, but there are plenty of things that are none of other people’s business.

We used to feed everything that contained personal data into the paper shredder. That device broke down at some point and at the same time the stream of paper documents dried up considerably. The mailman visited our house only sporadically; his work was largely taken over by email and download portals. In short, the paper shredder was not replaced and the paper waste – now rather scarce – with our data on it 'just' goes in the wheelie bin. And I think that always goes well. Unless some Dudley comes along. Or someone is looking for information about us and does some dumpster diving.

As an information processing organization you cannot afford to put your paper waste on the street. Sooner or later that would cause trouble, if only because of the fact that there is paper with personal data among your waste – the rest of the leaked information does not even have to be flashy to make it into the newspapers. Such organizations have contracts with companies that dispose of and destroy the waste paper in a responsible manner.

What applies to paper, applies to computer files to an even greater extent. A colleague recently sent me a newspaper clipping from 1983, in which a commentator of the Leeuwarder Courant sighed under the heading 'Privacy talk' that it is remarkable “how that concept of privacy crops up time and again when it comes to computer files on personal numbers and never when it comes to card indexes with the same data in alphabetical order”. But this writer had understood it well early on: “In practice it may be different, because it is possible to transfer computer data quickly”. And in large quantities, you can safely add to that.

In 2004, public prosecutor Joost Tonino put his old computer, which no longer worked due to a virus infection, on the street for the waste collection. And of course someone took that device before the garbage truck came along and he just got the device working. The computer was full of confidential information, which found its way to Peter R. de Vries, a well-known crime reporter (who was murdered last year). A scandal was born. Newspaper Trouw wrote about this: “Rarely has a civil servant – even better, a magistrate – been so spanked by politics in public as yesterday's Amsterdam public prosecutor Joost Tonino.” If only he had read that Leeuwarder Courant… (Tonino was about 17 when the article appeared, so he just might have read it.)

As a good citizen you will rarely have to deal with dumpster diving. However, if you did something terribly wrong, the police might become very interested in your blue wheelie bin. But, depending on what you've been up to, your computer is probably much more interesting to them. The newspaper clipping also stated: “Anyone who has nothing to hide need not be afraid that he will appear in such a computer file, and that data from one file will be superimposed on that of another.” It doesn’t work like that anymore: everyone has something to hide, everyone is in countless files and if there’s one thing computers can do well, it is to connect data. That piece appeared one year too early in the newspaper.

This blog post has been translated from Dutch to English by Google and edited by the author.

  


 

2022-03-11

Canvassing

 


Colporteur is, at least in Dutch, such a nice old-fashioned word that, if you don't know it, it could easily make you think of criminal activities. At least, that's how it sounds to me. But no: in principle, canvassing (as it’s known in a broader sense) is a venerable activity, in which the practitioner visits houses to sell a product or service. The Dutch dictionary cites the encyclopedia colporteur and the vacuum cleaner colporteur as (probably extinct) examples. The energy salesperson mentioned there, however, is very much alive and doesn’t always adhere to high standards. Once such a person presented himself as a representative of 'the energy company', thus suggesting that I was already a customer of his company.

At our doorbell, there is a modest sign that reads: “TIP – We only buy things and services that we have asked for ourselves.” That stops most canvassers from ringing the doorbell. And sellers who have the audacity to do so anyway will be kindly asked if they may have missed the sign. A few will lie that they don't want to sell anything at all, but most of them drop off while stammering apologies.

In the past – before the pandemic – in the weeks after participating in a conference or visiting a trade fair you were often called by companies that tried to monetize your visit. Today, that activity seems to be disconnected from any event. What is particularly striking is that I receive calls from Dutch landlines by English-speaking employees of companies in my industry, who want to pitch their products or services or organize an informative meeting. I always brush them off saying that I am not the one who deals with suppliers and that they are wasting their and my time talking to me. And when they ask who they should contact, they are told that I am not allowed to provide that information.

Come on, if you really work for that company (they're always companies I've at least heard of), then you're also able to find the right point of entrance. You don't have to scour LinkedIn profiles looking for interesting prey. Because in some of these contact attempts, which also often take place via e-mail, I clearly recognize elements from my LinkedIn profile. I just tightened that profile. For years now it said that you can only become friends if you have met me before in real life or if you are a colleague. Now I have explicitly added that I will decline the invitation if I don’t know you, and the reason for this is also stated: LinkedIn is often used for phishing. Those people first want to make a connection, and then they subtly hear you out. They may not even be interested in you, but in your contacts. Or they use the connection with you to make a good impression with their real target: if someone sends you an invitation, LinkedIn very usefully lists which contacts you have in common with the newcomer. That can give you the (sometimes false) feeling that someone is trustworthy.

Often I receive contact attempts like this: “Hi Patrick, I'm working with Senior IT leaders on a Private Online Roundtable surrounding Security, IoT and Transformation to name a couple of topics. Our directors would love your expertise, I would like to offer you a complimentary invitation to join us in June! Can I send the agenda please?” The message is intended to make you feel important: Senior IT leaders, Private Roundtable, our directors. The young lady who sent me this invitation from London has this position mentioned in her profile: Connecting IT Leaders together across the Benelux region. Invitations like “You and I both work in information security, shall we link?” are also very common. And a very good 90 percent of all these contact attempts will just be legitimate, I have no doubt about that. But in order to keep that fraction of possible wrong contacts out, and because I have little to gain from them, I reject those. With this I not only protect myself, but also my contacts. And more people should do that.

A few people have just received a contact request from me. Because while I was looking at the incoming contact requests, LinkedIn also showed a lot of people “that you may know”. When you scroll through that, you sometimes involuntarily think: “Hey, are we not connected yet?”

This blog post has been translated from Dutch to English by Google and edited by the author.

 
