Showing posts with label Security by design.

2024-04-05

Showing the flag

 

Photograph by author

Do you know National Geographic's Science of Stupid program? That's a kind of Funniest Home Videos, but with a scientific explanation of why someone hit the ground in such a painful way. It’s an educational/entertaining program, so to speak.

I thought of that program when I saw the scene shown above yesterday. A local hotel, where our team had retreated to discuss the way forward, has erected a flagpole atop a gabled roof. It’s cool to have a flag at the highest point of your building, but did they also think about the hoisting and lowering of the flag? Or did they only think of that afterwards? And then they bought a ladder, which turned out to be too short?

The top ladder appears to hang from one hook, which extends through the roof. That hook is slightly above the middle of the ladder, which could make it a nice pivot point when someone is at the top. But luckily the ladder at the top is still tied with a rope. Or no, it isn’t: that is the rope of the flag. Because that ladder is too short, they bought another one and, as it were, pushed it into the other one. Beautiful: when one moves, the other moves with it. The bottom ladder also hangs on a hook, and - if that is the only attachment point, which I don't know - then this ladder can also tip over when there’s someone at the top. All in all, I would not like to be responsible for this flag. By the way, I doubt whether it is hoisted with military precision every day at sunrise and lowered again at sunset.

Are there any Science of Stupid-worthy events in our profession? Of course there are. It is not always cyber criminals that cause us problems. We can do that to ourselves, too. How many times have we heard about data breaches caused by organizations not having their cloud configuration in order, allowing everyone to access the data? And you may occasionally have sent an email, realizing two seconds later that the wrong name was in the To field. We all make mistakes from time to time, and depending on the nature of the mistake, it impacts our security, the privacy of our data or even business continuity.

There are all kinds of measures to prevent such errors. For example, changes are not immediately implemented in the production environment, but first in the test environment. There you can observe whether that change does exactly what it is supposed to do – no more and no less. Automated deployment then ensures that the change is sent to production exactly as it is, and is not messed up due to a human error (checkbox placed incorrectly, typo made). You can also leverage the four-eye principle and have someone watch what you’re doing. We even do that when we write notes, but then it's called a review. If I write down something that touches on technology, I like to have some technical people check whether I have written any nonsense. Just because I can come up with something doesn't mean it's feasible. I don't want to live in an ivory tower.
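The two controls above, "the change reaches production exactly as it was tested" and "someone else looks at what you are doing", can both be enforced mechanically. The following promotion gate is an added example, not code from the original post: it refuses a production push unless the candidate bytes hash to the same digest the test stage recorded, and unless at least one approver other than the author signed off. The record layouts, the approver rule and the sample artifacts are all assumptions constructed for illustration.

```python
"""Promotion gate: the same artifact that passed in test is what reaches
production, and no single person can push it there alone.

Added example, not code from the original blog post. Everything here
(the ArtifactRecord layout, the approver rules, the sample data) is an
assumption constructed for illustration."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class ArtifactRecord:
    """What the test stage recorded about an artifact it validated."""
    name: str
    sha256: str          # digest of the exact bytes that ran in test
    tests_passed: bool


@dataclass
class ChangeRequest:
    """Who made and who reviewed a change (the four-eye principle)."""
    author: str
    approvers: set[str] = field(default_factory=set)


def digest(data: bytes) -> str:
    """SHA-256 of the artifact bytes; a single flipped checkbox or typo
    in a hand-edited copy changes this value."""
    return hashlib.sha256(data).hexdigest()


def four_eyes_satisfied(change: ChangeRequest, min_approvers: int = 1) -> bool:
    """At least `min_approvers` people other than the author approved.
    Self-approval must not count, or the principle is void."""
    independent = change.approvers - {change.author}
    return len(independent) >= min_approvers


def promotion_allowed(tested: ArtifactRecord, candidate: bytes,
                      change: ChangeRequest) -> tuple[bool, str]:
    """Decide whether `candidate` may go to production.
    Returns (allowed, reason) so the caller can log why a push was refused."""
    if not tested.tests_passed:
        return False, "artifact did not pass in the test environment"
    if digest(candidate) != tested.sha256:
        return False, "candidate differs from the artifact validated in test"
    if not four_eyes_satisfied(change):
        return False, "no independent approver (four-eye principle)"
    return True, "ok"


# Constructed sample data: the "artifact" is just a small config blob.
TESTED_BYTES = b"feature_flag=off\nallow_public_read=false\n"
TESTED = ArtifactRecord("app-config", digest(TESTED_BYTES), tests_passed=True)

# A hand-edited copy with one "checkbox" flipped: same file, different bytes.
TAMPERED_BYTES = b"feature_flag=off\nallow_public_read=true\n"


def demo() -> dict[str, tuple[bool, str]]:
    """Run the gate over a few scenarios; returns results keyed by scenario."""
    reviewed = ChangeRequest(author="alice", approvers={"bob"})
    self_approved = ChangeRequest(author="alice", approvers={"alice"})
    return {
        "identical_and_reviewed": promotion_allowed(TESTED, TESTED_BYTES, reviewed),
        "tampered_copy": promotion_allowed(TESTED, TAMPERED_BYTES, reviewed),
        "self_approved": promotion_allowed(TESTED, TESTED_BYTES, self_approved),
    }


if __name__ == "__main__":
    for scenario, (allowed, reason) in demo().items():
        print(f"{scenario}: {'ALLOW' if allowed else 'REFUSE'} ({reason})")
```

The digest comparison is what makes "automated deployment sends the change exactly as it is" checkable rather than hoped for; the tampered copy differs in a single value and is refused. The approver check subtracts the author before counting, because a four-eye rule that accepts self-approval is no rule at all.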

In that TV show you see people who have built a jumping ramp themselves and then rush towards it with their bicycles, only to find that the landing is less graceful than they expected. The voice-over, in a slightly mocking tone, provides a discussion about centers of gravity, Newton's laws and why this operation was doomed from the beginning. The message is invariably: first study the laws of nature you are dealing with and adjust your design and movement accordingly. By the way, the result depends on your skills; not everyone, once in the air, is able to obediently keep their center of gravity directly above the bicycle.

Translated into my profession, I would say: first look at rules and regulations, and take them into account during design and construction (security/continuity/privacy by design). If the system needs maintenance, check what you have to take into account and act accordingly. That may take some practice, just like a bicycle stunt. But luckily we have test environments – unlike all those unfortunate stunters.

 

And in the big bad world...

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English. Actually, this week there aren’t any Dutch articles, but there’s one in German.

2024-02-16

Pension

 

Image from Pixabay

Despite the fact that, all being well and regulations unchanged, in ten years' time I should already have been enjoying my retirement for more than six months, I still feel so young that I unemotionally archive mail from the pension fund. There is a vague realization that I should be more interested in my financial future, but at the same time there is also resignation: on the one hand, based on the general feeling that everything has been well arranged for me, and on the other hand, because it is probably too late to take additional measures, should I want to do so.

A while ago I spoke with a colleague about the involvement of non-peers in the subject of information security. Or rather: about the lack of involvement. He made a striking comparison (thanks Hugo!): would you listen with interest to a pension advisor, or would you rather think: here's my money, do the right things with it?

Oh, there you caught me. I've never talked to a pension advisor before. From the age of 25, pension contributions are deducted from my salary and the pension fund regularly lets me know how I am doing. If I retire at the normal age, I will receive this amount of money every month, and if I die, my surviving relatives will also receive something; that kind of information. I take a quick glance at it and at most think: “Well well!” and proceed to the order of the day. So I'm quite literally saying: here's my money, do the right things with it.

Do pension advisors ever complain that people show far too little interest in their pensions? That it would be in their own interest to look into it and take the right measures? And that few people have the sense to worry about this at a young age? If I had to arrange a supplement to my pension now, it would probably be unaffordable. However, if you start in your early years, you can spread your investment over many years.

In any case, information security professionals regularly complain that people show too little interest in their security. They live in the vague hope that everything will be more or less well arranged. The internet connection at home costs money, so the provider must have supplied a secure modem, right? And that WiFi connection of your dishwasher, dryer and air conditioning from a renowned brand, isn’t that just fine? The apps on your phone and the websites you visit all have a privacy policy, so you don't have to worry about that, do you? These are all assumptions that appease our conscience, if we think of them at all.

Reality is more stubborn. A device is relatively safe if it has had the latest update in which the manufacturer has fixed the known errors. If you do not have that update, your device carries vulnerabilities that can be exploited by attackers. You can easily ensure that you always have the latest updates on your laptop and phone by having everything happen automatically. Of course, if a program or app asks you to do something to effect the update, you still have to actually do it.

There are also people at work who think that the people from the security team will take care of things. That is true to a certain extent: we write down what you should do and not do to keep things safe. We call that policies, standards, regulations – whatever the name. After that, however, it is up to those who are responsible for their part of the equation to also take responsibility for the information security aspect (and privacy, and continuity). And so they have to think at an early stage about what all these regulations mean for their field of work and actually do something with them.

I know, this is easier said than done. My devices at home also feel neglected. It is quite a job to do something about it, which makes it easy to hide behind the argument “not right now, it takes too much time”. But sometimes you just have to make that time. You know what? I have next week off, but we're not going away. I hereby promise our smart devices that I will check whether there is anything to update (which remains to be seen) and if so, that I will do so.

It would be so much easier if many more devices did an automatic update. Then you don't have to figure out where to get your updates from and how to install them. I think many non-ICT professionals shy away from the latter in particular. Hopefully manufacturers will do more to help us with this. And the European Cyber Resilience Act will force them into this. We want security by design: take all this into account from the start and pay attention to it throughout the entire lifespan of the product.

Still wanted: pension by design

There will be no fresh Security (b)log next week.

 

And in the big bad world...

Champions

Photo by author

I love this traffic sign. In other European countries, the warning for playing children is a neat triangle, just like all ...