2025-04-18

Fatbike brakes

 

Image from bol.com

Fatbikes. Even the word gives me the creeps. I'll stay away from the broad discussion about this young phenomenon on the road (see here why this is a problem in the Netherlands). But I do want to talk about something that I see associated with riding one of these things: braking à la Fred Flintstone.

You know how Fred slows down his car, don’t you? Literally by digging his heels in. And lately I see more and more young fatbikers trying to stop their two-wheeler just like Fred by putting both feet on the ground. Often they swing back and forth dangerously. Eventually they come to a stop just in time.

Is there anyone in the audience who has experience riding one of these things? Are the brakes really so bad that you have to do like Fred to stop in time? Or are we talking about tuned-up models, where the brakes, which barely meet the regulations, fall short as soon as the bike goes faster than intended and allowed?

Something else now; you'll soon understand why I'm bringing this up. Earlier this week I was passing through Gouda by train. At the station my eye was caught by the open-air bike parking place. On either side of the place – which is only two bike lengths plus an aisle wide – there were security cameras set up about every ten meters (roughly 30 ft). I didn't count them, but there were an absurd number of them. You'd almost think the cameras were myopic.

Here are two examples of security measures that are taken in situations where the actual measures – brakes and locks – have proven insufficient in practice. We also have measures like these in information security. Usually, this involves technology that does not fully deliver what you hope for. For example, a virus scanner that still lets that very latest virus through, or that mail scanner that does not recognize a particular phishing mail. In these situations, the problem becomes an end user thing.

And that is why we need your commitment, dear reader. You are the brake shoe that can intervene at the last moment, when all else has failed. You are our last line of defense. And that is exactly why I put so much energy into keeping your knowledge of my field up to date. You don’t have to know all the ins and outs, but you do need to know the things that can be – literally – of vital importance to the organization, such as recognizing phishing email.

I know, it can be difficult. I can't ask more of you than alertness. Help us to bring our fatbike to a stop in time.

There will be no Security (b)log for the next two weeks.

 

And in the big bad world…


2025-04-04

On deaf ears

Image from Pixabay

“Have you ever written a blog about the tension between security and usability?”, a colleague asked. “Probably,” I replied, “but what’s your reason for asking about it?” “My wife.”

I understood what he meant straight away. Not that my family doesn’t understand it all, mind you. But we recently had some people over, including a couple whose ages add up to my age. She asked for the wifi password, and I told her our guest network password. That is easy to remember and therefore not very complicated (something like bicycle3oven) – it is just the guest network and you can’t access our data with it. To my surprise, she responded with: “Wow, that’s a complex password!” And she spontaneously mentioned their own wifi password, which I would classify as “20th century”.

I couldn’t avoid a disapproving look, but then I made a cautious, extremely friendly attempt to explain that a password like theirs is not a good choice. And I’m really not inexperienced or clumsy in explaining those things. But in this case, my explanation fell on deaf ears. “Oh, nothing ever happens to us anyway,” said the young lady. But it was her look that spoke volumes: what is this man so worried about? I took another run-up and started talking about passwords for other, perhaps more important accounts – knowing that people who act unwisely on the left side, usually do so on the right side as well. However, the wall of incomprehension was so high that, despite all my experience, I couldn’t tear it down. And I realized that I had to leave it at that; these people were here for fun & family, not to be lectured.

My wife and daughter, who had witnessed all this, didn’t know where to look. Apart from the fact that teenagers can't stand it when their father does something like that, the two ladies had realized much faster than I had that I was on a mission impossible. Their relief was great when I dropped the subject and we switched to small talk.

Security and ease of use are at odds with each other. Just think: if you lock your house, you will be standing in the rain a little longer when you get home. However, everyone understands that this measure is intended to keep outsiders out – there’s a reason they’re called that. It works the same way with information security: you don’t want to put any obstacles in the way of legitimate users, but because most systems are simply not intended for everyone, there has to be a lock on the door.

Some of these locks are more annoying than others, and sometimes they can be downright annoying, for example because they lock often. When it becomes annoying, people tend to circumvent security measures. It should be clear that the organization does not appreciate such creativity. That is why it is important to me that people understand why a certain measure is in place. And so I have made inquiries about two measures I was wondering about.

In both cases the answer was: it shouldn’t be like that. Followed by technical explanations stating that there is no security measure at all in play, or at least: no measure that explains what I experience. There is probably just something wrong. That’s always a possibility: you think that something is a crooked security measure, but meanwhile something else is going on.

Hopefully that colleague can convince his wife that some measures are important. And hopefully he recognizes situations where something is simply broken and the behavior is not due to security.

 

And in the big bad world…

At the theatre

Picture from author

The Red Hall of the Meervaart Theatre in Amsterdam looks empty in the photo. Just a few minutes later, it was filled wit...