Keep practicing, Donald!

 

Image from Pixabay

The blog from two weeks ago, about Gyro Gearloose, resulted in a question from a loyal reader: I have downloaded the manual for my new car, but I still don't understand what all the buttons and lights are for. Am I more of a Gyro Gearloose or a Donald Duck? Genius or klutz?

An interesting question. In my argument I indicated that from a security perspective it is extremely useful to read manuals. This of course also applies to a car: if you don't know how to turn on the lights, things start to get dangerous around dusk. And if the red engine management light comes on, it is useful to know that you shouldn’t continue driving home. But of course there are also less important buttons and lights. Moreover, it is quite difficult to learn all that stuff from a book. You miss the look and feel of the dashboard.

The more complex the machine, the more difficult this becomes. My son is currently in pilot training. Before he was allowed to take to the air, he received a few months of theory lessons. There the students learn, for example, what happens when you turn or pull the yoke: a flap goes up on one wing, down on the other, the rudder does something and the elevator may also come to action. If you have to learn something like this from a book, it is difficult because you do not see the instruments in front of you and you do not experience the consequences of your actions. In theory exams, students must demonstrate that they know how a flying machine works. As if you have to explain, before your first driving lesson, that the left and right wheels move synchronously when you turn the steering wheel, but that the turning speeds of the left and right wheels differ.

An important learning principle is training on the job: learning to deal with something while you are doing it. Driving lessons work like this, and fortunately aspiring pilots actually take to the air eventually, for example to experience first-hand what happens if you fly too slowly (the plane will fall out of the sky) and of course, to learn what to do. For the same reason I once took an antiskid course; reading what to do if your car skids is completely different from experiencing and feeling it. I remember an exercise where a moving plate in the ground whipped the rear of the car, causing the car to veer off course. Before the exercise, the instructor taught us not not brake. And what do you do the first time? You hit the brakes. Which causes the car to spin. After this experience you know what to expect and you can deal with the situation much more rationally: do not brake, but instead release the accelerator, press the clutch and steer in the right direction.

Information security also needs practice. It is easier to recognize a phishing email or text message if you have seen a few of them, along with hints that could have helped you unmask the message. But should we also practice something as big and drastic as a ransomware attack? Of course! Obviously, you don't have to organize a real infection for this; you can do a table top exercise, with the right people at the table. Our business continuity management colleagues have often organized similar exercises, helping crisis managers and other stakeholders to understand what to do in a crisis.

Am I more of a Gyro or more of a Donald, Angela wondered. I replied that most of us are a Gynald or a Doro: hopefully not as clumsy as Donald Duck and probably not as brilliant as Gyro Gearloose, but somewhere in between. Because as Gynald or Doro you cannot take in everything at a glance, it is important that you realize that you have to prioritize: in the car it is more important to know how to operate your headlights than to know how to replace the bulbs. By the way, I did that last weekend and I can report that you almost have to be a Gyro to do that. But usually I am a Gynald. And you, dear Angela, probably go through life like a Doro. But rest assured: practice makes perfect.

 

And in the big bad world...

• you should restart your phone once a week.
• the Dutch NIS2 law has been delayed by at least six months. [DUTCH]
• an internet provider had to replace the routers of hundreds of thousands of customers due to a malware attack.
• it is wise to check with the police whether your data has been stolen. [DUTCH]
• an international police coalition is working together against cybercrime in Operation Endgame.
• This article from Europol gives a little more information about Operation Endgame.
• the largest botnet of all time has been rolled up.
• the Dutch Data Protection Authority will supervise the Tax Administration. [DUTCH]
• This ransomware makes good use of BitLocker.
• you’d better stay away from this pirated version of MS Office.
• a VPN is not a panacea.

 

The silly emperor

 

Image from Pixabay

Every now and then the weekly blogging day coincides with my birthday. I don't need any more reason to look for a fun topic. And so I went looking for a fairy tale, because we tell them to children and so they have to be pleasant. Right?

It has been a long time since I was read fairy tales, and we largely ignored fairy tales with our own children. So I had to look some things up. Fortunately, Wikipedia has an overview of fairy tales and they are conveniently summarized there in grown-up language. I have been reading several fairy tales this morning. My wife noticed it and asked scornfully: “Is that even work?” Yes, for me even fairy tales are useful!

Ultimately, my eye fell on The Emperor's New Clothes by Hans Christian Andersen from 1837. For those who no longer have a clear memory of the story, I will provide a brief summary. The vain emperor is tired of his robes and orders his tailors to make a robe from the material that does not exist. (False) tailors appear who claim to have a fabric that is only visible to smart people. The emperor walks in a parade in the new clothes - in the nude, because a fabric that only smart people can see is of course a fantasy. No one dares to say anything until a child shouts: "Hey, look, the emperor is naked!" The audience holds their breath at first, but soon they are roaring with laughter. The emperor still plays dumb, even though he can see that he is naked. When they return to the castle, the now wealthy impostors are already far beyond the horizon.

I have titled this blog The Silly Emperor because this monarch was very easily fooled. If he had simply trusted his own observations, and not believed the implausible claims of strangers (!), he would not have been embarrassed. As far as I know, the story does not tell whether the incident had any consequences for the administrative career of this reluctant streaker.

I always feel a bit lost at trade fairs (and I only go there if I visit a conference that also has a trade fair linked to it). Afraid that exhibitors want to get me excited about a product that looks great on paper, but does nothing innovative or useful in practice. Fortunately, I can always hide behind the fact that I am not in charge of purchasing things. And I hardly do anything with those types of products myself; I leave that to technicians, who then report using all those great tools.

Sometimes everyone is convinced that you really need certain products. Take a VPN (Virtual Private Network; it ensures that you still have a secure connection even over an unsecured network). I also have one in use on mobile devices, because those sometimes accompany me to hotels, restaurants and airports, in short, in places where you cannot necessarily trust the free WiFi. But a while ago a colleague said on Twitter: public WiFi is safe enough for almost everyone, even without a VPN - even for banking. A few months later, a handy decision tree followed for the question: do I need a VPN? That tree offers three outcomes: (a) host your own VPN server; (b) fine to use a free or paid VPN service if you're comfortable with your data being sold or viewed; and finally: (c) you shouldn't do illegal things, for which you can also use a VPN, because, well, it’s illegal.

The emperor thought he was wearing a grand robe, and we all think we're completely safe with a VPN. But that is not necessarily the case. By using a VPN, you shift your trust from the provider of the network to the provider of your VPN: the network provider can no longer watch you because your connection is secured, but the VPN supplier can watch you because they have the security key in their hands. This means that a VPN only has added value if it does not do anything but what is advertised. In extreme cases, a VPN could even be less secure than hotel WiFi. For example, if you are in a hotel where they leave your traffic undisturbed, while you use a VPN from a bad provider that watches what comes along and who may sell your data to advertisers or others. That chance is probably higher with free VPNs , because hey, if something is free, then you are the product, remember?

Only if you host your own VPN - be it as an organization or as a private individual - you can be sure that no one else is secretly watching. And I think the crux of the first tweet is “safe enough for almost everyone”. The underlying idea is that most people are not important enough to be targeted with an eavesdropping operation. The only threat that remains is that a WiFi provider, who is not so fussy, sells data about you. But Google, Apple and the other major advertising companies already do that.

Hmm, the story ends even less pleasantly than I had in mind. That professional deformation again.

 

And in the big bad world...

• a Google chaos specialist advocates a refreshing way of phishing testing.
• independent phone repairers must pass on customer data to Samsung and destroy devices containing non-original parts.
• a hacker ‘ratted' a fake call center to its customers.
• malicious parties make sophisticated use of open source. [Dutch]
• researchers outsmarted even Tesla's latest security protocol.
• Maps of China are incorrect.
• iPhones share data about all Wi-Fi networks they see with Apple.
• I am going to eat birthday cake now (-;

Gyro Gearloose

 

Image from Pixabay

Gyro Gearloose is a crane after my own heart. He can invent a genius device to order, or he has something lying around that just happens to come in handy in one of the many comic book adventures in which he appears. They always excel in both simplicity and effectiveness and all inventions have one thing in common: they could not exist in the real world.

Donald Duck is a completely different bird. The duck would rather be lazy than tired and is impulsive, short-tempered. Not exactly someone who reads the manual first when he buys a new TV or something else. Donald often seeks Gyro’s help. And while Gyro patiently tries to explain how his gadget works, Donald is already flying through the door with it, because he knows it all. Sometimes Gyro shouts after him that the device is not completely finished yet, or that it has side effects. Later in the comic strip, Donald invariably pays the price for his stubbornness.

I personally don't like it when people just press buttons without knowing what they are for, hoping that the device will do what they want. The more complex the device is, the more can go wrong, or the further you sink into the swamp of incorrect settings. So I'm one of those people who still read manuals. Admittedly, not with every device; I was able to get our new juicer working without first consulting the manual. That booklet was still included, by the way; Nowadays, because no one reads the manual anyway and all that printing costs a lot of money, you only get a quick start guide and a QR code for the extensive manual.

Computers, apps and the internet don't have manuals. These have been replaced by help functions. If you realize that you cannot find a solution, you can consult those. Sometimes you can call them up by pressing F1, sometimes you have to consult an FAQ, and otherwise you just have to google. But you will be using all those things before you have read a letter about them. On the one hand it is nice that many things work so intuitively that this is possible, but on the other hand it is difficult for someone who wants something more than the basic settings.

Donald shows time and time again that it is often not safe to just turn something on or turn all the controls to maximum. Instead of saving the world, he often brings it to the brink of destruction. Fortunately, the wise cousins Huey, Dewey and Louie always manage to turn the tide in the nick of time. They do have a manual: the Junior Woodchucks' Guidebook, the pocket book that knows everything.

In a safe world, everyone has read the manual before starting anything. I know that this is a utopia. But that does mean that people drive cars without knowing how to turn on the lights, that an air conditioner somewhere heats instead of cools or that you get frustrated because you cannot get your smart speaker to work. And that makes the world less safe: traffic accidents, heat strokes and hackers are lurking. You may think that's a bit far-fetched, but hey, I get paid to be a doomsayer so I'm always looking for what could possibly go wrong. Putting things into perspective will come later, when others speak out their hope that it couldn’t be that bad.

Ducks regularly stroll along the local cycle paths – real ducks, not cartoon characters. When you cycle along, they invariably waddle in the wrong direction: they cross the path in the direction you cycle past a few seconds later. I just want to say: they are not the smartest animals. I have no experience with cranes, but if we take Gyro as an example, it looks like they are a lot smarter. Maybe that's why I've never come across one on the cycle path.

Moral of the story: if you're more of a Donald Duck yourself, listen to what the Gyro Gearlooses around you have to say. If, on the other hand, you are a Gyro Gearloose yourself, take a good look at what the Donald Ducks of this world really need and offer an (obviously safe) solution for that.

You just read the five hundredth Security (b)log.

 

And in the big bad world...

• Two-factor authentication is only safe if you don't let yourself be fooled.
• a criminal allegedly stole information from Europol.
• a South Korean goes to prison for hacking into 400,000 households and selling CCTV footage from those homes.
• the police arrested three men on suspicion of bank helpdesk fraud and friend-in-need fraud.  [DUTCH]
• your Android phone protects itself if it thinks it's stolen.
• the new Dutch cabinet will tackle cybercrime more stringently.  [DUTCH]
• the British NSCS has published guidelines for paying ransoms.
• Google has to pay a million-dollar fine for using French news reports to train their AI.  [DUTCH]
• some car models disappear from the market due to cybersecurity regulations.  [DUTCH]