Last summer I visited countries where I do not speak the language. In some countries
I couldn't even read the writing. In one of those countries I bought a backpack
with a card attached to it. “ATTENTION!” it said on the front. But the back was
printed with characters that I wasn’t able to interpret.
Thanks to the wonderful technology of Google Lens, I was able to find out what was so
urgently requiring my attention. It says that the backpack may become
discolored, that I should avoid washing and ironing, that I should use
“accessories such as closures, hooks, buttons, metal fittings, belt straps,
buckles and rings” properly or they may break, and finally, that the product
does not protect the contents in the event of a fall or impact; the manufacturer
is especially concerned about my precision instruments, precious metals and
fragile objects.
A couple of months ago, I asked you in the
Security (b)log whether you know Franz Kafka's novel Der Prozess (The
Trial). I assume you've read it by now. And then you may
recognize a Kafkaesque trait in the text of that backpack card: you have to use
the backpack accessories correctly, but it does not say what the correct way
is. Backpacks sometimes leave me wondering
what that strap or loop is for, let alone whether I know how to use the
thing properly. And it also strikes me as rather vague that I should 'avoid'
something – what if I do it anyway? Admittedly, I wouldn't have thought of
ironing a backpack, but my previous backpack regularly ended up in the washing
machine (and it survived).
I'm not going to lecture you further about Kafka now. No,
I'm going to turn Kafka upside down. In his novel you have to adhere to rules
that you do not know and if you break those rules, you are punished. Kafka
upside down is when you know the rules all too well and at the same time you know
that if you stick to them, sooner or later something will happen that is very
detrimental to you. What would you do if a law were introduced that required
you to drive a car at a minimum speed of 100 km/h (62 mph) in built-up areas (and
50 km/h in a residential area)? Are you going to stick to this, even though you
know for sure that in the best case scenario you will end up in the hospital,
or will you accept, for the sake of self-preservation,
that you will be fined?
Earlier this week, intelligence services in the Netherlands revealed that Chinese state
hackers had broken into a network of the Dutch Ministry of Defence. They got in through a known
(!) vulnerability in American-made security equipment. Continuing to use
something with a known vulnerability is like knowing that the left headlight of
your car is not working, but still driving in the dark - because replacing the
bulb yourself is no longer possible in many modern cars, the garage is already
closed and you really have to go somewhere. You keep using that
network equipment for the same reason: you need that network anyway and
you cannot easily replace it. And that is before even asking whether another
product would be completely safe. One caveat a practitioner would add to the
analogy: a known vulnerability usually comes with a vendor patch or at least a
mitigation, so the real choice is rarely between the vulnerable box and no
network at all, but between applying the fix promptly and postponing it.
I don't know how they figured out that China is the culprit; attribution of cyber
attacks is a difficult matter. Anyway, the report states that the intelligence services
determined “with high confidence” that it must have been China – spy talk for
“we actually know for sure”. And it is not the first time that the West has
pointed the finger at China in such cases. So we are more or less certain that
China is spying on us.
If a Dutch
government institution wants to purchase a service or product, it must follow
the Public Procurement Act 2012: if the value of the contract exceeds a certain
threshold, a European tender must be carried out. So you cannot just go to a
supplier and place your order. You must describe in a thick document what you
need and what requirements you set for it. You cannot “target” that document at
a specific product by including requirements that you know only your favorite
product meets. Companies from all over the EU may bid in such a tender.
Suppose you are a government service and you want to, say, purchase mobile phones. There
are Chinese phones on the market that meet all your requirements, and they
are cheaper than the competition's products. There is a good chance, then, that
European companies will offer those Chinese phones, and because price weighs
heavily in the award, you end up doing business with one of them. The contractor may be
little more than a reseller that outsources technical support to the
manufacturer. Before you know it, you not only have Chinese equipment in
your organisation, but also the accompanying Chinese personnel. Both the
equipment and the maintenance technician may do things that were not included
in your package of requirements, but are included in those of the Chinese
government.
You dutifully complied with all the rules, but in doing so you knowingly brought in the
Trojan horse. That's Kafka, upside down.
And in the big bad world...
This section contains a selection of news articles I came across in the
past week. Because the original version of this blog post is aimed at readers
in the Netherlands, it contains some links to articles in Dutch. Where no
language is indicated, the article is in English.
- There are concerns about the Chinese scanners used by Dutch Customs. [DUTCH]
- Here is the news item about the hack of the Dutch Ministry of Defence network. [DUTCH]
- Listen to a radio fragment about that same hack. [DUTCH]
- Deepfakes pose a problem for remote identification.
- Deepfake crime will not skip the Netherlands. [DUTCH]
- You can, of course, hack a bicycle helmet.
- A Swiss newspaper and an American security company (coincidentally the maker of the hacked Ministry of Defence equipment) are arguing about a DDoS attack with toothbrushes.
- Every now and then a fake app slips through Apple's strict controls.
- BitLocker is easy to crack on some computers when the disk is protected by the TPM alone, without a pre-boot PIN. [DUTCH]
- Rich countries suffer more from ransomware. [DUTCH; linked paper in English]
- The Dutch tax administration is not yet GDPR-ready. [DUTCH]
- It is better not to use a separate app for scanning QR codes. [DUTCH]
- Security researchers from all over the world have reservations about a UN treaty on cybercrime.
- Dutch plumbers are no longer allowed to advertise with Google. [DUTCH]