2025-03-28

The phone isn't working


My grandparents' phone number was 1331. Those four digits were all you needed to reach them. If you called from further away, there was also the area code 04454.

In those days you knew the numbers of family and friends by heart. Other numbers were kept in a special telephone directory: you set a slider to the first letter of the surname, pressed a button and the thing popped open and showed a card with all the names and numbers that belonged to that letter. Handwritten.

At home we didn't have a telephone at all for a long time. You could live with that in the seventies. And the one time you really had to call someone, you knocked on the neighbours' door and gave them a quarter (of the old Dutch currency, the guilder). Or you went to the telephone box in the village. You needed quarters there too. Those were important coins. Too bad they don't exist anymore.

When we finally got a phone, four digits were still enough. Ours were 4006. PTT was the monopolist and everyone had the same device: the T65, with a rotary dial and a curly cord. It sat in the living room and if you were busy in the kitchen, with the door closed, you would sometimes miss a call. And you only knew that when the caller tried again later ("Weren’t you at home?"). That's why my parents had that same PTT install an extra bell in the hall. You paid rent for that, just like for the T65.

Many years later I bought – hesitantly – my first mobile phone. A Panasonic, with an antenna that stuck out about two centimeters above the device. The device had a small LCD display and physical keys. You could call and text with it. Compared to the T65, the number of functions was doubled. Wow!

Look where we are now. Almost everyone walks around all day with a computer in their pocket, which you also happen to be able to make phone calls with. This can be done in various ways. Via your SIM card (the old-fashioned way of calling, with a phone number of ten digits nowadays), but also – with or without live video – via other apps. You can even use it to hold meetings, as we know since the covid pandemic – if necessary with people in all corners of the world. Most people have thrown their landline out the door. Or never had one.

But what if all of that suddenly stops working? No one is reachable anymore, at least not by phone. You can only communicate with each other indirectly. By email or via chat apps. What impact would that have on our social and professional existence? Many subjects benefit from live interaction; if they have to be done via email, the 'conversation' can easily go the wrong way because one person misunderstands the other.

If telephony and video conferencing were to fail for a long time, we would undoubtedly go back to the office more often. Then it would be like it used to be: working from home for a maximum of one day. Everyone has their own personal preference, but I cherish working from home. One day a week in the pandemonium (and, admittedly, also joining in the chatter) is enough for me.

What do we do to prevent a company-wide blackout? Diversity plays a key role. In the Netherlands, there are three mobile networks: Vodafone, Odido (elsewhere still known as T-Mobile) and KPN (the heir to PTT!). All other providers piggyback on these networks. For organizations, it is attractive, both financially and from a management perspective, to place their telephony with one provider. But if something goes seriously wrong there, the entire organization immediately has a blackout. So it would be better to spread your risk. You should even make sure that the employees of a team are not all with the same provider. I see a nice administrative challenge…

But is it worth it? We never have long-term failures, do we? In the current climate, I no longer dare blindly assume that it will remain that way. There are strange forces at work in the world. At some point, those forces could benefit from a country becoming paralyzed. We would rather not think about that. And that is precisely why we have to do it.

 


 

2025-03-21

Number 2


“Up for number 2? Please do it at home, because our toilet gets clogged quickly.”

On our way home from a short vacation we stopped at a cafeteria close to home, because we had no food in the house. And there, on the otherwise neat toilet, I spotted that note. The text reminded me of Belgian roads. Instead of repairing the sometimes abominable road surface, they put a sign next to it: degraded road.

Of course, placing a sign is much cheaper than fixing the problem. At least, at first glance. Perhaps hungry guests will avoid this cafeteria in the future, because after a long walk in the area they still have to go somewhere with their number 2 before they eat their fries. That means loss of turnover. And in Belgium, cars wear out faster. Moreover, I can imagine that a bad road surface causes more accidents: you lose control of the steering wheel when you drive through a pothole, or you try to avoid the pothole and collide with another car. All of that causes extra costs, and perhaps even human suffering.

And if our southern neighbours were to halve the excessive lighting of the country's roads, wouldn't they have any money left to repair those same roads? That's a bit more complicated. My physics teacher from a long time ago once explained why the Belgians have so many street lamps. That was due to the construction of nuclear power stations. They gave the country overcapacity. You have to go somewhere with that electricity, and that's why all those lamps were planted. Even then, there was already talk of grid congestion; the generated electricity had to be used up immediately. By the way, I have no idea whether that argument still holds true decades later, but I always liked this fascinating - because unexpected - connection.

If you have a problem, you want to solve it. For example, by removing the cause. If that isn’t possible, because you have no influence on it, you can take measures to compensate for the negative consequences. And if that isn’t possible either, for example because you do not have the money for it, then… Well, then you can always put up warning signs.

An example where it is difficult to remove the cause is cybercrime. Sure, these criminals are arrested with some regularity – just like their analogue colleagues – but there are simply too many of them and they often operate from safe foreign countries, where the Dutch strong arm has little control over them (although there are rare cases known in which the Russian justice system cooperated with foreign requests for assistance, for example in the case in which a meter-long file, translated into Russian, was delivered to Moscow).

Because eliminating the cause is so difficult, we have all kinds of measures to detect and neutralize malicious actions. Think of virus scanners, mail filters and people who keep an eye on things. But because all that is not enough, we have to ask everyone to be alert. Phishing is the number 1 point of attention, because one wrong mouse click can ruin an entire organization. That sounds dramatic, but it’s still true. And there are more subjects that all users need to know something about to ensure healthy business operations.

Fortunately, there is a hunger for information about this. In the coming period, I will again be a guest speaker at various organizational units that have asked me to treat their employees to a presentation. I always ask the organizers what is on their minds, what they want to hear about. Such a conversation sometimes provides surprising insights into the success of awareness efforts. Like earlier this week, when I spoke to a colleague about a presentation in their team. The team members are loyal readers of the Security (b)log. Nevertheless, even there, very occasionally someone forgets to lock their workstation when they walk away for a moment. And then their colleagues shout: “Oh, if Patrick sees this…!” It is nice to see that the message is getting across.

 


 

2025-03-14

Ouch!

 


Snap. The sound of a withered twig giving way under the footsteps of a forest walker. Only this time it wasn’t in the forest. And it certainly wasn’t a twig.

We’ve lived in this house for exactly ten years now, and the bed has been in the same spot for just as long. But when I walked into the bedroom recently, the bed must have taken a step forward. Snap. The leg of the bed showed no damage. That could only mean one thing: the sound came from my little toe. Most accidents happen in a small corner, we say here. Or in a small toe, I now know. Oh well, that bone will grow back together. (But it’s annoying.)

A day later, Maarten van Rossem, the always cheerfully grumbling Dutch TV personality, had an unfortunate fall. The historian had tripped over a curb in Utrecht, right in front of the building that served as the headquarters of the fascist National Socialist Movement during the war and which now houses a childcare centre. He was lost in historical and ironic reflections on the fate of the building. Consequences: a black and blue face and a hurt knee. So I was in good company that week, in terms of being a victim of one’s own carelessness.

Shouldn't we have been more careful? Absolutely! But one does a lot of things on autopilot. As I said, nothing has changed in the layout of our bedroom for ten years. And that curb has probably been there for a long time too. You can blindly walk a route like this a thousand times without any accidents. And on that one day you put your foot down just a little differently. There’s no footage, so I can't analyze it. But there was a deviation, that's for sure.

I once heard someone say: walking is like falling in a controlled way. You lean slightly forward and prevent a fall by putting one leg forward. Seen in this light, walking is a rather clumsy activity for bipeds. Does it surprise you that we sometimes take a misstep? No doubt, thick books have been written about this that may or may not be worth reading, but this is not a blog about kinematics, so I will leave this subject alone for now.

In presentations I have sometimes made my audience think about the way they cross a road. If you see a car approaching, you make an assessment of whether you can still cross. You base this on the distance to the car and on its and your speed. If you give yourself a green light, you start walking. But now we are going to do this risk analysis again – because that is what it is – but in more detail. You not only consider distance and speed, but you also take into account the possibility that you stumble. Does the driver have enough time to brake? Can he see you at all, or is he hindered by darkness or the low sun? Or is he perhaps fiddling with his phone while driving?

If you include those factors in your analysis, you will probably increase the minimum distance that the car must have at a certain speed, in order to be able to cross the road in confidence. But who does something like that? I can tell you: people who have just had an accident. Because they have personally experienced how things can go wrong and what the consequences are. And after a while, that increased vigilance wanes again, and with that the chance of accidents increases again.

In information security, it is no different. If nothing ever happens, attention lapses. And then it becomes easier for malicious actors – our standard term for anyone who deliberately wants to do something with our systems and data that we do not agree with – to do their thing. Practicing helps against lapses in attention. Developing scenarios also helps. You have a certain interest that you want to protect and you try to think of how a malicious actor would carry out an attack on it. This can lead to surprising insights and solutions.

My bed was not malicious. Bad (!) luck, most people would say. For the time being, I walk past it with increased respect. I also put my feet down much more consciously in other places. That takes quite a bit of energy. Actually, I am already looking forward to my attention slackening a bit. Although I sincerely hope the bed will stay where it is.

 


 

