2024-04-26

Brilliant failure


Image from Pixabay

No, I wasn't giving another presentation this week. This week I took a warm bath in the presentations of others, during the Love for your Trade week, organized by passionate colleagues. For three days there were stories and workshops from and by mainly colleagues. And a small number of external speakers (plus the great Lucas de Man as host).

In the program, one external speaker immediately caught my attention: Prof. Dr. Paul Iske, CFO (Chief Failure Officer) of the Institute for Brilliant Failures (IvBM). I was curious what that could be, a brilliant failure. And I expected some humor. That was certainly there, but prof. Iske's message was deadly serious: some things simply don't turn out as intended, while the people who worked diligently on them cannot be blamed. And there is a lot to learn from that. Failures are normal, Iske taught us.

Live on stage, our organization was the twentieth to sign the Universal Declaration of the Right to Fail Brilliantly. That declaration has five articles, the first two of which regulate reputation, psychological safety and the right to personal evolution. The next two give you the right to try and to be forgiven, to put things into perspective and to learn if an attempt to make something happen should fail. The final article gives shape to the universality of the statement: anyone is allowed to fail brilliantly, no matter who and what you are. The statement defines a brilliant failure as “an attempt to create value where no avoidable or culpable mistakes have been made and yet the originally desired outcome has not been achieved: learning has taken place and the learning experiences are shared.” The aim of the declaration is to “promote appreciation for these rights and freedoms and, through progressive measures, to ensure that these rights are generally and effectively recognized and applied”.

It seemed like such a brilliant idea, but for some reason it failed. The IvBM gives us sixteen tools to learn from our mistakes, the so-called archetypes (“universal lessons, patterns or learning moments”). I'll mention a few. When you deal with “the light bulb”, you are experimenting, working towards the solution through trial and error, just like making the very first viable light bulb. With “the banana peel” you have to deal with accidents that will happen. Like the AEG microwaves, which after an update thought they were steam ovens. And with “the empty place at the table” you have not involved all relevant parties in your project. This happened on the singing road in the province of Friesland, where a ribbed pattern on the road surface was intended to ensure that motorists adhered to the maximum speed, by playing the Frisian national anthem as a reward. Here they forgot that local residents might not take this well.

A presentation like this makes you wonder whether there exist brilliant failures in your own environments. I can neither confirm nor deny – for, uh, security reasons – that I encounter them in my daily work. But I can have a closer look at my own work, and that is quite exciting. Especially to write about it. But hey, we signed that declaration, so nothing can happen to me.

The Security (b)log has been around for thirteen years now; the five hundredth instalment will soon be published. In all modesty I can say that it is a success, and management shares that opinion. Statistics, comments and spontaneous pats on the back at the coffee machine support this. In 2016 we thought it was a shame to keep all this beauty to ourselves and the blog went external (on Blogspot and LinkedIn). Moreover, there has also been this English-language version for two years now – we have more and more non-Dutch-speaking colleagues and the whole world can enjoy it, right? If the figures from Google Analytics and LinkedIn are anything to go by, the reach of external publications lags far behind the internal version. I must say that these figures are a bit difficult to interpret: on Blogspot (a Google service) I sometimes see unlikely numbers of readers from distant countries (even for the Dutch version), and LinkedIn gives figures for 'impressions' and 'views' that are far apart. A handful of regular readers give it a thumbs up every week (thanks!), supplemented by a changing but modest audience. Now, I'm not someone who expresses appreciation for everything myself, but if you're on the receiving end, it's nice to get some feedback. But only if you really like the piece, right?

In the IvBM learning environment, BriMis, you can check your own project against the archetypes. If I run my external blog through them, three pop up. First, “the right half of the brain”: “Some people are unpredictable and/or inconsistent in their reactions and decisions and that introduces an extra degree of uncertainty.” Those are the silent readers. The second, “the skin of the bear”, indicates, among other things, that your approach must also work in other circumstances. This refers to the external publication. And finally there is “the junk”: “the inability or unwillingness to stop syndrome”. That's me. And maybe I also have to deal with “the empty place at the table”, because I barely have a clue of my external audience. Moreover, that audience probably consists mainly of colleagues, while my actual target group is “ordinary people”. Help me move forward, dear reader, by giving me feedback and by drawing the attention of people around you to the Security (b)log. Thank you in advance!

No Security (b)log will appear for the next two weeks.


And in the big bad world...

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.


2024-04-19

Crime


Image from Pixabay

Last week, as you could read in the previous Security (b)log, I stood in front of a group of girls from high school. This week I was invited by the next generation: the Tax and Customs Administration’s Young IT Auditors, whose annual YIA day was themed cybersecurity. The “young” turned out not to refer so much to the age of the participants, but to how long they have been in the auditor profession. And let me put it this way: this audience was still familiar with Facebook. Fortunately, I had not tailored my presentation to an overly young audience (-;

In this Utrecht conference room I talked about current developments, among other things. Lately I have been reading more and more worrying stories from the US about sickening criminal activities. Like this story. A woman receives a call from her son, who tells her that he has had a traffic accident and that he will hand over the phone to a police officer, who will tell her more. The officer tells her that her son caused the accident, which injured a pregnant woman, and that he is taken into custody. He announces that a lawyer will call her to discuss further proceedings.

A little later the lawyer calls. The son is in deep trouble, but it is possible to get him released on bail. If the mother gives $15,000 in cash to a courier arranged by the lawyer, her boy will not have to spend the night in jail. And she shouldn't tell the bank what the money is for, because then they would ask questions. No sooner said than done.

In reality, that mother did not receive a call from her son at all. It was a deepfake, in which artificial intelligence was used to create a new text with the same voice based on an existing sound recording (thanks to social media). So the mother did hear her son's voice, but he had never spoken those words himself. It was necessary to quickly hand over the phone to the officer to prevent a conversation between mother and son. And that lawyer, who called a little later, was of course not a lawyer at all, but just as much of a criminal as the fake cop.

In the above story we see a number of elements from the theories of Robert Cialdini and Ian Mann*. Cialdini says people obey authorities. Now I wonder to what extent this is true in the Netherlands, but in many countries people will indeed quickly believe that they are really dealing with an authority figure, even if it is only on the telephone. It’s just a matter of striking the right tone. Mann tells us that people are gullible. That can work both ways. On the one hand you would like to receive the reward that an African prince promises you if you help him free up a particularly well-filled bank account; on the other hand you naturally become stressed if your child seems to be in trouble, and you eagerly believe what all kinds of people tell you. Moreover, Mann says, being consciously incompetent also makes you docile: if you know that you have no knowledge of certain matters (such as an arrest), you will easily follow someone who at least radiates that he is an expert in that area.

In another story, someone received a call from the FBI saying she had been a victim of identity theft. Because fraud had been committed under her name, her bank assets would be frozen. To ensure that she could move on for a while, the helpful officer offered to put a large part of her savings in a safe bank account that would remain outside the confiscation. That money also had to be delivered in cash and you guessed it right: the money disappeared. And there was no case of identity theft whatsoever.

IT played no role at all in this case, but the criminal did act as if that was the source of the misery, because that’s how identity theft usually goes. The following case also had no IT background, but that could easily have been the case: an 81-year-old American was extorted, and when the Uber ordered by the criminal drove up to pick up “a package” (with the money), he shot the driver dead, under the assumption that she was part of the plot.

If you ever find yourself in such an unreal situation, try not to act on your emotions. Ignore instructions not to involve anyone, but ask someone you trust for help. Be alert if it suddenly becomes about money; try calling your son first to check whether he really has had an accident. Some may find it a bit scary, but in our family we can, by mutual consent, see where everyone is in an app. That would be of great help in such a scary situation.

* Robert Cialdini, Influence: The Psychology of Persuasion, 1984; Ian Mann, Hacking the Human: Social Engineering Techniques and Security Countermeasures, 2008


And in the big bad world...

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.


2024-04-12

Girls Day


Image from Pixabay

It was one of those rainy Thursday mornings where you have to provide the bright spots yourself. Well, I got a chance to do just that, because I was on my way to give a special presentation. Our HR people held the annual Girls Day, for 14- and 15-year-old girls from the high school next door. I was the first male (and perhaps the oldest) speaker in the history of Girls Day. One thing was clear: I shouldn't come here with a story about how we do security. My story had to be about those girls.

I wanted to show the students something about their digital footprint. And so a few weeks ago I requested the list of participants and googled the names. You should have seen their faces when I told them! Wide-eyed, exchanging anxious looks with their friends. I told them that I was not going to mention any names and that I would not put anything recognizable on the screen. That reassured them somewhat. But I did have their full attention.

My search initially yielded a fairly innocent harvest: there were quite a few sporty girls, ranging from gymnasts to horse riders (including the horses’ names). More than half of the girls didn’t show up on Google at all. However, one particular girl revealed more. She had - probably unintentionally - made her presentations for the triangular meetings public (triangular meetings are the modern form of the parents' evening, where the tutor, the parents and the student get together and the student explains how things are going). I now know that this student sometimes lacks motivation (well, who doesn't), has attended different primary schools (someone at the back of the room breathed a sigh of relief: this isn't me!), likes teacher X but has trouble with their subject and enjoys the school parties. And a few more things that I left out because they are too personal.

This student probably didn't want to give the usual PowerPoint presentation, but something flashier. Instead she used Prezi, which allows you to create a very dynamic story. However, all your presentations are public if you use the free version. Oops. And oh yes, I was able to make the match between teacher X and the difficult subject because there is a list of all teachers on the school's website.

Instagram let me demonstrate that other people also (often unintentionally) reveal information about you. I looked up the names there too. For one name, there were three accounts. Which account belonged to the student on my list? The second account had a follower that was also on my list of names. Bingo! Then I took a closer look at the followers of that account. There was a company name in there, which also contained the girl's surname (fictional example: Balloon King Johnson). It’s a safe bet that this is the student's father or mother. The bio of that company account also included the street and city name. But no house number. It was the kind of business you could imagine being based at home. If I could find that company, I would know where this girl lived.

With Google Street View you can virtually walk through a street. And look at the houses. When I walked through that street mentioned in the account for the second time and took a good look around me, I found what I was looking for: at one house, I saw something that was a clear reference to the company (in the fictional example there would have been a balloon arch at the front door). I told my audience: “If the letters in your zip code are AL, then this is about you.” You could have heard a pin drop.

So what, you might think. But remember: I'm one of the good guys. There’s plenty of scum around who would love to know where a girl like that lives. With my little finger exercise I demonstrated that the solution often consists of several puzzle pieces, which you can find in different places. I also told my audience that I am only an amateur in this field, and with this video I showed how others, who approach this with a bit of professionalism, can find out much more about you.

Of course I threw away the list of names. What remains is the memory of a special morning in which I hopefully made a number of young people think.


And in the big bad world...

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

2024-04-05

Showing the flag


Photograph by author

Do you know National Geographic's Science of Stupid program? That's a kind of Funniest Home Videos, but with a scientific explanation of why someone hit the ground in such a painful way. It’s an educational/entertaining program, so to speak.

I thought of that program when I saw the scene shown above yesterday. A local hotel, where our team had retreated to discuss the way forward, has erected a flagpole atop a gabled roof. It’s cool to have a flag at the highest point of your building, but did they also think about the hoisting and lowering of the flag? Or did they only think of that afterwards? And then they bought a ladder, which turned out to be too short?

The top ladder appears to hang from one hook, which extends through the roof. That hook is slightly above the middle of the ladder, which could make it a nice pivot point when someone is at the top. But luckily the ladder at the top is still tied with a rope. Or no, it isn’t: that is the rope of the flag. Because that ladder is too short, they bought another one and, as it were, pushed it into the other one. Beautiful: when one moves, the other moves with it. The bottom ladder also hangs on a hook, and - if that is the only attachment point, which I don't know - then this ladder can also tip over when there’s someone at the top. All in all, I would not like to be responsible for this flag. By the way, I doubt whether it is hoisted with military precision every day at sunrise and lowered again at sunset.

Are there any Science of Stupid-worthy events in our profession? Of course there are. It is not always cyber criminals that cause us problems. We can do that to ourselves, too. How many times have we heard about data breaches caused by organizations not having their cloud configuration in order, allowing everyone to access the data? And you may occasionally have sent an email, realizing two seconds later that the wrong name was in the To field. We all make mistakes from time to time, and depending on the nature of the mistake, it impacts our security, the privacy of our data or even business continuity.

There are all kinds of measures to prevent such errors. For example, changes are not immediately implemented in the production environment, but first in the test environment. There you can observe whether that change does exactly what it is supposed to do – no more and no less. Automated deployment then ensures that the change is sent to production exactly as it is, and is not messed up due to a human error (checkbox placed incorrectly, typo made). You can also leverage the four-eye principle and have someone watch what you’re doing. We even do that when we write notes, but then it's called a review. If I write down something that touches on technology, I like to have some technical people check whether I have written any nonsense. Just because I can come up with something doesn't mean it's feasible. I don't want to live in an ivory tower.

In that TV show you see people who have built a jumping ramp themselves and then rush towards it with their bicycles, only to find that the landing is less graceful than they expected. The voice-over, in a slightly mocking tone, provides a discussion about centers of gravity, Newton's laws and why this operation was doomed from the beginning. The message is invariably: first study the laws of nature you are dealing with and adjust your design and movement accordingly. By the way, the result depends on your skills; not everyone, once in the air, is able to obediently keep their center of gravity directly above the bicycle.

Translated into my profession, I would say: first look at rules and regulations, and take them into account during design and construction (security/continuity/privacy by design). If the system needs maintenance, check what you have to take into account and act accordingly. That may take some practice, just like a bicycle stunt. But luckily we have test environments – unlike all those unfortunate stunters.


And in the big bad world...

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English. Actually, this week there aren’t any Dutch articles, but there’s one in German.
