 |
| Image by author |
As tradition dictates, we built a Christmas village in our living room this year. It took four days and about five square meters (54 sq ft) of space, it required a structured approach and the necessary flexibility of the body. But the result is worth it, we think. From the beginning of December until mid-January we enjoy the warm appearance of this winter scene.
I
look at it with completely different eyes than visitors. Because I know what
lies beneath the surface. How all those lights get their power, how the rock
formations were made, how meters of tape and numerous staples were
incorporated. I know how the differences in height were created and I know all
the parts of the railway tunnel, which I built myself – just like the ski
slope. I laid out the street and know which cables lie under the asphalt. I
also see straight through the snow and know exactly what it hides. And I know
what is not quite right in this scene.
The
age-old metaphor of the iceberg presents itself. What you see towering
majestically above the water is only a fraction of the total lump of frozen
water. Now, the proportions of our Christmas village are not so dramatic, but
even here you should not underestimate what is hidden beneath the surface.
The
internet is also like that. Above the surface there’s the internet where you
and I do our daily things and where the Googles of this world rule. Below the
surface, invisible to most of us, is the realm of the dark web. No Google here,
but criminals who call the shots. You can go there for all kinds of services
and products, from DDoS attacks to drugs. I have never been there, but I have
seen enough presentations by law enforcement agencies from home and abroad to
know what it is like there. It is actually not very different from the regular
internet - except that you buy completely different things there and that it is
not so easy to get there. Of course you can ask at the top of the iceberg how
to get to the bottom, and when you find a site with serious explanations, you
soon realize that your computer needs protective clothing before you descend to
the dark bottom. And the URLs you visit there don't look like, for example,
bbc.com, but look like this:
zqktlwiuavvvqqtxxxvgvi7tyo4hjl5xgfuvxxx6otjiycgwqbym2qad.onion. As an honest
citizen you have no business being there, but you can be saddled with a lot of
trouble. Because as I said, these are the caverns of the internet that are
populated by scum from the deep end. And by wandering around there, you could easily
attract their attention.
Information
security professionals, in many ways the opposites of those sneaky criminals,
also like to keep a few secrets from time to time. We even have a slick term
for it: security by obscurity. This is considered a reviled method of
operation, because in the strict sense it means that your security is based on
secrecy and the hope that your little secret does not leak. Hiding your house
key under the doormat is an example of this - one that also makes it clear that
it is not very likely that no one will ever discover your secret.
I
don't want to see it that black and white. Let me put it this way: security by
Obscurity is never enough as a single security measure, but it does help. For
example: we prefer not to broadcast to the world which systems we have running,
and which version. Because malicious people can use that information. It is a
piece of the puzzle, and if they can gather enough pieces, they will see the
whole picture. By hiding puzzle pieces, we prevent that. But because you can
never trust that they won't find those pieces anyway, we must of course secure
all those systems anyway, and in doing so assume that intruders are much further
in than we hope. That is the assume breach principle: assume that you
have already been hacked, and adjust your security accordingly. If your house
key is indeed under the doormat, then you would do well to install an alarm
system, to make sure that someone who has discovered your secret is still
confronted with an additional barrier.
In
the meantime I try to enjoy our Christmas village as if I have no knowledge of
its construction. I call that delight by ignorance.
The Security (b)log will return after the Christmas holidays.
And in the big bad world…
- You could
also replace your house key with an app.
[DUTCH]
- China became better.
- SpongeBob knows how to jailbreak AI.
- U.S. government agencies must implement mandatory security measures for cloud services, starting with M365.
- Cybercriminals are at least as sophisticated as state actors.
- Tinder
reveals the location of hundreds of Dutch soldiers. [DUTCH]
- The US DoD is also struggling with the security of its phones.
- AI will continue to depend on human intelligence for its security for some time to come.
- the
security of Dutch government domains leaves much to be desired. [DUTCH]
- phishing
can be expensive. [DUTCH]
- Criminals use captchas to break into your account.
.jpg)
No comments:
Post a Comment