Internet-free days

Photo by author

Our solar panels have the structure of potato gratin on this cold morning. I don't know what nature intends with this, but it looks like the work of an ice artist. Meanwhile, the sun is stretching; it woke up ten minutes ago, I see its red glow reflecting in the windows of houses a street away. Soon its rays will melt the solar panels (well, the ice on them) and then production can begin.

Recently I fitted the smart meter with a box that sends the current measurements to an app on my phone. This allows me to see (almost) in real time how much electricity is being used in our home. We are already practicing hard to use as much of our own solar power as possible: “Can the washing machine be turned on yet?”, is a question that rings through the house often. We then look at the current yield, but also at the short-term sun forecast. Because if the washing machine is turned on now and a thick dark cloud moves in front of the sun in five minutes, you still pay the bill. You do have to keep in mind that appliances like that do not use a lot of power continuously, but mainly when heating the water. With a bit of luck, I can break even on a sunny winter day. That bodes well for the summer.

So, for the energy management of our house, things look rosy. However, if you zoom out to the level of the nation, there’s a much more pessimistic picture: we are in a real energy crisis. There are reports of companies that cannot be connected to the electricity grid. Not because insufficient electricity is being generated, but because the network is congested. Strangely enough, this phenomenon has two contradictory causes: on the one hand, the high demand for electricity, for example because companies are switching from natural gas to electricity, and on the other hand, the high supply due to all those solar panels and wind farms. Think of it as an overcrowded highway: if there is a traffic jam on it, you cannot get on or off.

Our data center has a sturdy emergency power supply. If the mains power fails, batteries seamlessly take over, long enough for the diesel generator to get up to speed. As long as there is diesel, the data center will continue to operate. Grid operators predict that the power will fail more often in the future. So we are lucky to have our own energy building. But of course this facility is not intended as a remedy for grid congestion. In the trinity of information security – confidentiality, integrity, availability – this is a measure to ensure the availability of the service, but it was never intended as a power plant for permanent use.

Data centers are notorious for their power consumption. Pounding computer chips consume power and produce heat, and have to be cooled down because they don't like to get too hot. Even though most computer equipment in a data center has no moving parts, you need earplugs when you go inside. Every device has a fan, and then of course there is a large installation to dissipate all that blown-out heat. Especially the mega data centers of the tech giants, such as Google and Apple, are known for their enormous energy bills. We no longer store our photos on our phones, but in the cloud; in those data centers, that is. And all those millions of photos of the entire world population consume a lot of energy.

Artificial intelligence is a fairly new energy guzzler. With some embarrassment I asked ChatGPT the following question: “How much energy did answering this question cost?” Because it was a simple question, it estimated the consumption between 0.1 and 1 Wh (watt hour). Because it also understands* that I have no idea what that means, it gave a few examples: with 0.1 Wh you can light a 10 W LED lamp for 36 seconds, and 1 Wh is enough for 1 minute of YouTube on your phone. If the questions get more complicated than mine, the energy consumption increases tenfold, ChatGPT estimates. For a difficult question you have to give up ten minutes of YouTube if you want to keep it somewhat energy neutral.

I still remember the car-free Sundays from my youth. Because of the oil crisis, the streets were quiet on ten Sundays. Just imagine that, because of the grid congestion, you cannot use the internet at certain times, for example because the nearby industrial estate needs that power more urgently than you do. Or that the grid operator encourages you at certain times to turn on the washing machine, the tumble dryer and the dishwasher all at the same time because otherwise they cannot dissipate the generated energy. Or imagine that they take care of it themselves remotely.

The solar panels have now thawed and are supplying only a modest amount of electricity. The washing machine is running, so we are still buying electricity at the moment. We are not yet at the point where we can fully adjust our household to the weather, and it won’t be possible in the Netherlands. Not as long as there are no efficient, affordable batteries.

*) ChatGPT and its colleagues don't “understand” anything they say, but you get my drift.

 

And in the big bad world…

 

• the Chinese AI DeepSeek was poorly secured.
• DeepSeek is under fire from European privacy authorities. [DUTCH]
• you could fool ChatGPT with a historical perspective.
• AI literacy is now mandatory if you develop AI or use it in your organization. [DUTCH]
• Insider threat also plays a role in museums.
• This article calculates how serious the ransomware problem was last year.
• a police officer wrote a dissertation about ransomware. [DUTCH, with link to English dissertation]
• only a small percentage of all European privacy complaints lead to a fine.
• once again an international police coalition was successful.

 

Rope-skipping

Image by Royal Netherlands Navy

Across from me sat a lieutenant commander of the Royal Dutch Navy. Now in the vast majority of cases it is of no importance who is on the same train as me, but this time it is worth mentioning. In that train I was preparing this blog, in which I take you to sea, and even to the bottom of it. What a funny coincidence that this unsuspecting naval officer was sitting there.

There are more and more reports lately about submarine internet cables that get damaged. And not by accident, but as a deliberate action of the Russian shadow fleet. For example, an oil tanker makes a detour and drops its anchor right above one of those cables. In doing so, it tears that cable apart.

That is quite a heavy-handedly way to destroy internet connections. Very different from what we have been used to see from the Russians, because they also have masses of smart hackers in government service, who are perfectly capable of disrupting our connections digitally. That is cheaper and easier. Western navies and coast guards now keep a close eye on ships that veer off course and have their anchors in the water. So why this approach?

Well, the damage is greater, in three ways. It takes longer to repair the damage done, the repair costs many times more and the number of victims is greater. After all, a specialized ship has to be sent to physically repair the cable. And because of the greater, physical damage, the disruption is also greater – if you manage to hit the right cable, it can have major consequences for internet users at both ends of that cable, far into their hinterlands. And as we know, disruption is one of the tools that Russia likes to use in this Second Cold War. That disruption goes much further than your children not being able to play their online game for a while or TikTok being down. International payment transactions can be disrupted, the economy takes a hit and fear grows among the population – if the Russians can do this, what else can they destroy?

Wait a minute, you might be thinking, I'm on wifi, why should I care about those cables on the bottom of the sea? Well look, that wifi network that you use, ends somewhere at a wifi router: that box at home in your meter cupboard. Offices, shops, restaurants, airports, hotels and all other wifi providers also have a device somewhere that is the beginning and end of that network. From there, in the other direction, everything goes with cables. From your meter cupboard, a cable goes underground to your internet provider, and from there on to the internet and to nodes. These nodes are also connected to each other, and so there is a whole network of cables across the globe. And because the earth consists largely of seas, many of those cables run over the seabed. When you are on the internet, your searches zoom through the seas and oceans at dizzying speed. So yes, you too can experience problems if they manage to hit the right cable.

What about Starlink, Elon Musk’s network, which consists of thousands of satellites? Starlink customers have their own antenna, which picks up the signal from space. But ultimately these radio signals come together in Musk 's meter cupboard, which has a cabled connection to the internet. In that respect, Starlink is nothing more than a kind of overgrown wifi network. (Of course, Musk's meter cupboard is a joke. In reality, there are ground stations that listen to the signals from space with large antennas). By the way, this interactive map nicely shows how immense the Starlink network is, and it makes you also understand why the satellites have to be able to perform maneuvers to avoid collisions with their peers.

No matter how you look at it, we depend on those cables for the internet. A dozen of them come ashore in the Netherlands. Most of them connect us to England and from there to the US, a few to Scandinavia; one, with a stopover at the westernmost point of England, continues to the US. A single cable break will not immediately isolate us from the rest of the world, but it is always disruptive.

This blog started with a coincidence, and maybe another coincidence will follow. It is not unthinkable that the lieutenant commander also reads this blog and thinks: hey, opposite me sat a man typing away on his iPad. Could this be about me? And it would be even more coincidental if that officer is involved in the protection of our submarine cables.

 

And in the big bad world…

• In order to use the Internet, we also need to properly protect the electricity network.
• The exchange of personal data between Europe and the US is once again in jeopardy.
• Someone developed a weapon against AI bots that want to get  information from websites
• the hack at TU Eindhoven started with stolen login details. [DUTCH]
• AI can harm end -to -end encryption
• another brand of cars got hacked (via starlink , but that is something completely different from the Starlink in this blog). [DUTCH]
• of course you can also hack a charging station. [DUTCH]
• Cybersecurity is taking a beating under Trump.

 

The invisible king

Image from Pixabay

His Majesty the King has been pleased to honor us with a visit. Although I myself had a meeting at the office yesterday, I didn’t see him. The traces of the royal visit were visible though: I was awaited by many security guards in the morning and in the afternoon there were almost no seats in the canteen because most chairs were still arranged in theater style. But most importantly, the theme of the visit was indeed digital security.

The king followed more or less the same program that all dignitaries are presented with: the printing line, the data center and the Security Operations Center (SOC). Because, well, those are the only tangible things we can show - the rest consists of knowledge and offices. I wasn’t there myself, but luckily some tv shows were present so we can watch some footage of the visit.

Our printing line is quite impressive (the enthusiastic team manager has also shown me around once). Large rolls of blank paper are printed with all kinds of documents. At the back of the meter-long machine, they come out of the printer as individual letters, to then be pushed into blue envelopes at dizzying speed in the envelope inserter. Mainly because of that speed, it is important that the equipment monitors the smooth running of things. The letters are weighed – not to determine how many stamps should be on them, but to check whether there is accidentally one sheet too many or too few in an envelope somewhere. Each letter has an optically readable code, so the letter itself knows how many sheets of paper long it is.

The data center is another place that you as a normal mortal cannot enter. You only enter if you have business there. The king was on a working visit and was therefore allowed in (at least, that is what I assume – I have not seen any images of it). Hopefully they kept royal earplugs available, because if they really did enter the corridors where hundreds of servers are blowing, then they certainly came in handy. It is well outside my area of expertise, but this form of safelty is also important. And for the rest, as I said, it is mainly a matter of keeping out everyone who has no business being there. We have various physical security measures for that.

On the other hand, there are the logical security measures, which ensure that employees can only do the things they are authorized to do, that potential intruders are kept out and that attackers who want to make our lives miserable are disappointed. But these measures are not visible, so why did the king visit the SOC anyway? Well, the SOC is not a normal space. The workstations are arranged in battle order, each with no fewer than four screens. A large video wall draws everybody’s attention and SOC employees notice immediately if a value goes into the red somewhere. There really is something to see at the SOC, even if you hardly understand what you are seeing.

When the king goes somewhere, he is surrounded by visible and invisible security measures. We also have to deal with this in information security. The security of the print line and the data center comprises, just like the space of the SOC, visible components. But in addition to that, we have many more things and especially people who ensure that not only our information security, but also our continuity and privacy are guaranteed. There is little to see in such a system, even for a layman of royal blood, and those many colleagues who deal with these matters on a daily basis – well, they are also just ordinary, hardly worth seeing people. And that is why the king did not join our team for tea.

Therefore, here is a generous shout-out to all those colleagues who, when managing their system or creating their application, are not only concerned with the actual functionality, but also take into account all the security requirements that are set (I know how difficult that can be). And also to all colleagues who realize in their daily work that adequate security is a matter for all of us. And, last but not least, to the colleagues in my own team, who do their best every day to make the rest of the organization color within the lines. All that work is invisible, no king comes to look at it. But that doesn’t make it any less important.

 

And in the big bad world…

• the press reported on the royal visit. [DUTCH]
• the Dutch General Audit Office delivered a harsh judgment on cloud use by the central government. [DUTCH]
• the United Nations Security Council met to discuss spyware.
• The UK government is considering a ban on ransomware payments across the public sector.
• Chinese companies have been charged with sending user data to China.
• President Biden gave cybersecurity a last-minute boost.
• The FBI cleverly exploits a self-destruct function in certain malware.
• From a legal perspective, you don't have to worry that your company data in the cloud will end up in the US anyway. [DUTCH]

Enlightened minds

Picture by author

Did you know that no less than 78% of people between the ages of 18 and 65 use a password manager? And that even more than eighty percent of youngsters use one? The vast majority of people are sensible and use a different, strong password for all their accounts, and they allow themselves the convenience of automatic login. Are you already participating?

I made up the above figures. “ Ooooh, shame on you!”, I hear you think. Let me explain how I arrived at that. I feel cheated myself. By an article that appeared in the newspaper the day before yesterday under the headline: ‘The cyclist without lights is now noticeable – Good lighting is the norm thanks to clip-on lights and e-bikes’. A traffic psychologist (I didn’t know this profession existed) explains in the article that people are trend-sensitive herd animals; if it is obvious in your ‘subculture’ to turn on the lights, then you will do so too. According to the psychologist, the general view used to be: frumpy old people have bicycle lights and young people don’t (I prefer to make the distinction between smart and stupid). Moreover, it is becoming increasingly easier to have lights on thanks to cheap, rechargeable lights and the e-bike. Not having lights on would then be a conscious choice.

I disagree with that article on so many points that I hardly know where to begin. Well, to start anyway: where on earth did they investigate this? Certainly not in my city, where I often encounter unlit cyclists who are also wearing dark clothing. When I encounter such a person, I sometimes shout: “Light on!” A boy recently snapped back: “The light is broken, man!” There is also a lot of junk among those loose lights. Some of them barely give more light than a candle – I call them ‘shame lights’, because their only purpose is to be able to triumphantly say: “Look officer, my bike does have lights!” Those people simply don’t understand that good lighting is crucial for their own safety.

The newspaper article got me thinking. How is it possible that I read something in the newspaper that does not match my own experience at all? Okay, I am willing to believe that things are less bad than they used to be, but all this cheering about how great things are these days goes way too far for me. The article itself seems to answer my question: If psychology dictates that we do things to avoid being left out, then you can also use that mechanism to influence people. If you write in the newspaper that most people obediently cycle with lights, then you can use that to encourage dark citizens to turn the corner, because who wants to be left out?

And that's how I arrived at my fake figures about password managers. With the final remark "Are you already participating?" I even pushed you a little more. Because it's pretty important that everyone starts using those tools. It used to be easy: you had one password and no one else was interested in it. Nowadays you have dozens of accounts and there's a cybercriminal on every digital street corner. That's a dangerous combination, and there's another important factor: not all sites and companies where you have an account protect your data equally well. Sometimes user data is stolen during a hack and the criminals manage to crack the passwords. If you use the same password for multiple accounts, they're all at risk. By the way, do you know what your most important account is? No, not your bank. Your email. Because someone who has access to your email can click on "Forgot password" anywhere and, using the emails that result, set a new password. That locks you out and the criminal can do all sorts of things under your name.

An equally important measure is two-factor authentication (2FA), which ensures that you can only log in after you have performed an additional action via another device (for example, entering a code or swiping your finger). This prevents someone who has a password for you from logging in to that account. So turn it on wherever possible. Did you know that more than seventy percent…

You may find it patronizing to shout “Lights on!”. However, I do this out of pity for the motorist who will sooner or later knock an unlit cyclist off their socks. And when I say to you: “Password manager and 2FA on!”, it’s also with the best intentions. And one more thing: watch out for fake messages.

 

And in the big bad world…

• There are also information stealers lurking. [DUTCH]
• This article makes fun of 2FA.
• Of course, a cloud-based password manager can also fail. [DUTCH]
• This ransomware gang presents itself as a company.
• the digital war in Eastern Europe is still raging.
• the European Commission must pay compensation to a citizen for a GDPR violation.
• Telegram shared more information with (Western) law enforcement agencies last year.
• Not all data leaks are handled properly.
• smart consumer devices can get a safety label in the US.
• Passkeys are not yet suitable for the masses.
• The government wants to move to the cloud, but preferably in Europe. [DUTCH]
• of course you can also hack a car charging station. [DUTCH]
• European data protection authorities do not sufficiently protect our privacy.