2025-12-19

Wrong turns and right moves

Image from Unsplash

They had been to the Christmas market in Germany. Just half a minute from their school, the bus turned right. We cycled behind it, eyebrows raised. Why was that huge coach driving into this narrow street in the dark, with cars parked on both sides of the bend?

It soon became clear that this was indeed not a good idea. The left side of the slowly moving bus grazed a parked car. The next car was even dragged along a bit. The bus driver seemed unaware, because he kept going, inch by inch. This had to stop. I worked my way over the sidewalk to the front of the bus, making sure I didn’t end up wedged between two parked cars. I gestured and shouted at the driver. Hesitantly, he rolled down his window. ‘You’ve hit two cars,’ I said. ‘I’m completely clear,’ he replied, surprised. ‘No, you’ve hit two cars!’ Meanwhile, voices from the back of the bus chimed in: ‘Driver, you’ve hit something!’ Eventually, the driver put on the handbrake and came to take a look.

He couldn’t deny it: there wasn’t a molecule of air between his bus and that second car. I told him we already thought it was odd that a bus drove into that street. You know what he said? ‘I checked Google Maps, it showed cars parked on only one side.’ As if those satellite images are live!

Meanwhile, my wife rang the bell at someone she knew nearby, and soon the owners of the damaged cars were tracked down. A very young couple came out to inspect the damage: both cars were theirs. At least the insurance claim could now be sorted. But another problem arose: the bus was seriously stuck. The only solution was to move some parked cars. The students, whose school trip ended two hundred meters before their destination, had already been sent home. We passed one of them later, with a giant teddy bear on the back of his bike.

We all take a wrong turn sometimes. Where wood is chopped, chips fly; mistakes are human. What really matters is how you deal with them. Do you flat-out deny the error (‘I’m completely clear’), try to shift the blame, or take responsibility?

If a crew member on an aircraft carrier loses a tool, the consequences can be huge: it can get sucked into a jet engine, and those don’t take kindly to that. A lost screwdriver can cost lives. If someone misplaces something, they must report it immediately, and everything grinds to a halt. The missing item is searched for urgently. And most importantly: the person who caused the incident is praised for reporting it. Not punished! That’s how you encourage error reporting. Punishment would only drastically reduce the willingness to report mistakes.

We’re all on a kind of aircraft carrier. A single employee’s mistake can have disastrous consequences. Think of an admin making a configuration error, or an employee who clicks that phishing link after all. Because our carrier is so big, there are even more ‘opportunities’ to make mistakes. In risk analyses, we pay a lot of attention to these kinds of errors, which aren’t caused by a malicious actor but by a colleague acting in good faith. We call these mistakes ‘oopsies.’

Sometimes a technical glitch can lead to an awkward conversation. A report landed on my desk about an employee who had tried to do something that set off alarm bells. I asked him to explain. He came up with a rather strange story, but I managed to get it confirmed: the error was known, and a fix was in the works. It just goes to show that you should always be open to unlikely explanations, so that you don’t end up making a mistake yourself.

Made a mistake? Report it, so that worse can be prevented and we can learn from it.

Happy holidays! The next Security (b)log will appear next year.

And in the big bad world…

2025-12-12

Urgency and priority

Image from Unsplash 

Many of my colleagues are named Erik, and one of them came to me with something he thought might make a good blog topic. People sometimes assume I can turn anything into a story. Occasionally such ideas remain untouched, but Erik’s remark kept nagging at me.

"If you suddenly feel urgency now, then you didn’t choose the right priority back then," said Erik. That’s a fairly universal statement, not one limited to information security or IT. It applies to your private life too, for example in the Christmas season: if you’re ordering a Christmas gift today and discover it won’t arrive in time, then perhaps you should have left the vacuuming for later last week. The dust would still be there a day later, but that order was time-critical. Of course, there can be complicating factors; maybe you didn’t have the money for a gift last week. Or an important guest was coming and a clean house was a must.

In the past, we security folks often lamented that security only came into view at the very end of a project – if anyone thought of it at all. For years we argued that security should be included from the start. If you want a catchy term: we call this shift left – moving attention to the front of the timeline. Long ago (in the late nineties) we had a great mechanism for this: the ‘aspect meeting’. When a new project started, the project manager had to gather representatives of various aspects and explain what the project was about. Participants could then provide feedback and, most importantly, ensure their aspect got proper attention. For example, by supplying policy documents and explaining how they should be applied in the project. This way, as an aspect representative, you could make sure your interests were considered. That meeting format was one of the best I’ve ever known.

Has much changed since then? Yes and no. There are now far more IT professionals who understand the importance of information security. A lot more. On the other hand, shift left still hasn’t happened everywhere. My colleagues in the Security by Design program are working hard to make it happen. They do this by teaching teams how to do it. Because here too, the old wisdom applies: it’s better to teach someone to fish than to give them a fish – at least if survival is the goal. Furthermore, procurement processes have taken a good turn. As I wrote a few weeks ago, we have a ready-made set of security requirements prepared and, just as importantly, the buyers are aware of the Security Functionals Directive.

It’s not just Erik – there are plenty of Edwins, too. Yesterday I spoke to one, and the conversation was quite interesting. This Edwin had requested an exemption from a certain rule. Because I didn’t understand something in the motivation, I called him. Besides explaining the situation, he shared his view on exemptions. In his opinion, they’re granted far too easily. Teams should make more effort to stay within the lines, Edwin thought. I wholeheartedly agree, and that’s why we always scrutinize deviations carefully. However, we also deal with a multitude of systems and platforms, from cutting-edge to legacy. And especially in that latter category, we sometimes hear: what you want simply isn’t possible for us.

Sometimes that’s too easy. What they really mean is: we assume it won’t work. But if you bring together people from different disciplines, something beautiful can happen. Like: "Oh, but if you can set it up that way for us, then we can do this and that on our side, and then it fits within policy!" We try to help people take that extra step. But feel free to beat us to it. For example, by not just assuming something can’t be done.

Back to Erik. He teaches us that good planning prevents later trouble. Because when something becomes urgent, you often depend on others, who may think: poor planning on your part does not constitute an emergency on ours. Or it simply doesn’t fit into their own workload to help you out immediately.

Avoid urgency, plan well. Order that gift now.

And in the big bad world…

2025-12-05

A Positive Sign

Photo by author

A long time ago, a quiet revolution unfolded on Dutch streets. Traffic signs disappeared – they weren’t stolen, but officially removed and replaced by others that had exactly the same effect.

The new Dutch Traffic Rules and Signs Regulation was introduced 35 years ago. The idea was to get rid of certain prohibition signs and replace them with mandatory ones. So, for example, the sign ‘no right turn’ vanished and was replaced by ‘mandatory straight ahead or left turn.’ The foundation for this was laid back in 1968 by the Vienna Convention on Road Signs, aiming for globally (roughly) the same traffic signs. You can guess why. Within Europe, uniformity is okay-ish, though I wonder if foreigners understand our sign for a narrowed or interrupted emergency lane, just to name one. While we, abroad, have no trouble understanding a simple ‘no right turn.’

Then I stumbled upon this sign in a foreign restaurant. On the trash bin, it says you must not flush paper towels down the toilet. I’ve said it before: don’t tell me what I can’t do – tell me what I should do. But there’s more: the placement of the text is odd. The sign is on the spot where you’re supposed to bring your trash. I’d expect it near the toilet bowl. Better yet, change the text to: “Throw your paper towels in here.”

Since we’re in the sanitary zone: in some places, you’re not even allowed to flush toilet paper. You’re expected to toss used paper into an often open bin, because otherwise the pipes might clog. Sometimes even I struggle with rules.

In my field, we could also be more consistent with positive messaging. So, rather “keep your password secret from everyone” than “don’t share your password.” Or: “If you want this done, then do it this way” instead of “you’re not allowed to do that.” The message isn’t just more positive – it immediately offers a solution. People appreciate that. I’ll pay extra attention to this in the coming weeks. And it’s not just my field: positive messaging helps achieve goals everywhere.

Sadly, you can’t apply this principle everywhere. You can’t just remove all ‘no parking’ signs and replace them with signs showing where you may park. And sometimes you find truly odd signs. Drive along the A73 highway near Swalmen (Netherlands), exit the tunnel, and there’s an emergency bay. There you’ll see a round white sign with a red border, a black P in the middle, and a diagonal red slash. The meaning is clear, but why on earth use a non-existent sign? Did the Dutch road authority have such bad experiences with the regular ‘no parking’ sign that they invented a fantasy version?

Communication isn’t easy. Let’s all stay sharp and improve unclear, question-raising messages. Information security is hard enough. (And yes, so is traffic.)

And in the big bad world…