
2024-02-09

Kafka upside down


Image from Pixabay

Last summer I visited countries where I do not speak the language. In some countries I couldn't even read the writing. In one of those countries I bought a backpack with a card attached to it. “ATTENTION!” it said on the front. But the back was printed with characters that I wasn’t able to interpret.

Thanks to the wonderful technology of Google Lens, I was able to find out what was so urgently requiring my attention. It says that the backpack may become discolored, that I should avoid washing and ironing, that I should use “accessories such as closures, hooks, buttons, metal fittings, belt straps, buckles and rings” properly or they may break, and finally, that the product does not protect the contents in the event of a fall or impact; the manufacturer is especially concerned about my precision instruments, precious metals and fragile objects.

A couple of months ago, I asked you in the Security (b)log whether you know Franz Kafka's novel Der Prozess (The Trial). I assume you've read it by now. And then you may recognize a Kafkaesque trait in the text of that backpack card: you have to use the backpack accessories correctly, but it does not say what the correct way is. Backpacks sometimes leave me wondering what a particular strap or loop is for, let alone whether I know how to use the thing properly. And it also strikes me as rather vague that I should 'avoid' something – what if I do it anyway? Admittedly, I wouldn't have thought of ironing a backpack, but my previous backpack regularly ended up in the washing machine (and it survived).

I'm not going to lecture you further about Kafka now. No, I'm going to turn Kafka upside down. In his novel you have to adhere to rules that you do not know, and if you break those rules, you are punished. Kafka upside down is when you know the rules all too well and at the same time you know that if you stick to them, sooner or later something will happen that is very detrimental to you. What would you do if a law were introduced that required you to drive a car at a minimum speed of 100 km/h (62 mph) in built-up areas (and 50 km/h in a residential area)? Are you going to stick to this, even though you know for sure that in the best case scenario you will end up in the hospital, or will you accept, for the sake of self-preservation, that you will be fined?

Earlier this week, intelligence services in the Netherlands revealed that Chinese state hackers hacked into a Defense network. They were able to enter through a known (!) vulnerability in American-made security equipment. Continuing to use something with a known vulnerability is like knowing that the left headlight of your car is not working, but still driving in the dark - because replacing the light yourself is no longer possible in many modern cars, the garage is already closed and you really have to go somewhere. And you continue to use that network equipment the same way, because, well, you need that network anyway and you can't easily replace it. Regardless of the question of whether another product is completely safe.

I don't know how they figured out that China is the culprit; attribution of cyber attacks is a difficult matter. Anyway, the report states that the intelligence services determined “with high confidence” that it must have been China – spy talk for “we actually know for sure”. And it is not the first time that the West has pointed the finger at China in such cases. So we are more or less certain that China is spying on us.

If a Dutch government institution wants to purchase a service or product, it must follow the Public Procurement Act 2012: if the value of the contract exceeds a certain amount, a European tender must be carried out. So you cannot just go to a supplier and place your order. You must describe in a thick document what you need and what requirements you set for it. You cannot “target” that document to a specific product by including requirements that you know only your favorite product meets. Companies from all over the EU may register for such a tender.

Suppose you are a government service and you want to, say, purchase cell phones. There are Chinese mobile phones on the market that meet all your requirements and they are cheaper than the competition's products. There is a good chance that European companies will offer those Chinese mobile phones. The competitive pricing forces you to do business with that company. The contractor may be little more than a box pusher who outsources technical support to the manufacturer. And before you know it, you not only have Chinese equipment in your organisation, but also the accompanying Chinese personnel. Both the equipment and the maintenance technician may do things that were not included in your package of requirements, but are included in those of the Chinese government.

You dutifully complied with all the rules, but in doing so you brought in the Trojan horse with full consciousness. That's Kafka, upside down.


And in the big bad world...

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

2023-02-17

Tiktoking civil servants


Image from tweedekamer.nl

While we are dealing with a nationwide network outage, strangely enough the sound of the internet radio can still be heard from my speakers. In the news bulletin I hear the following message: the House of Representatives no longer allows civil servants to use TikTok on their work phone.

Let this sink in for a moment (I'm still processing it). Parliament feels the need to express its concern about what civil servants do on their telephones. Apparently there are some civil servants who have TikTok on their phones. Why???

For those readers who don't have kids of TikTok age, I'll briefly explain what that is. TikTok is an app in the social media category, intended to make short videos – we're talking seconds – and of course share them. There is often dancing, singing and lip-syncing. The latter then produces, for example, a video of a teenage girl saying something stupid in the voice of Donald Trump. That kind of thing.

I copied the previous paragraph from the Security (b)log of July 24, 2020. At that time there was already (international) hassle around TikTok and in the Netherlands the Dutch Data Protection Authority investigated the privacy aspects of the app. Exactly one year later, the DPA fined TikTok 750,000 euros for violating the privacy of young children. At the time, I already advised not to use TikTok on your business phone.

Now back to my question: why are there civil servants who have TikTok on their government phone? Okay, somewhere in the civil service there will probably be a position where the use of such an app is plausible. Maybe somewhere in communication, because there they have to constantly think about how to reach their target groups. A police officer tiktoking about the importance of decent bicycle lighting might be a good one. But even then, the House of Representatives is right: don't do that on your regular work phone. Because of China.

TikTok is a Chinese product. And we know for sure that country loves espionage (with or without a balloon). Now – just like a little less than three years ago – people are afraid that China will collect information on our phones via TikTok. TikTok recently amended its privacy statement: they feel that TikTok employees in China should have access to data from European users, among others. But our privacy legislation, the GDPR, takes a completely different view: personal data of Europeans should remain in Europe, unless it has been established that another country handles them just as neatly as we do. Such a statement regarding China is expected to be issued around the day when pigs fly. But TikTok's privacy statement simply states that employees in certain countries also have access to your data without such an adequacy decision.

Espionage is serious business. The subject is discussed in detail in the Cyber Security Assessment Netherlands 2022. Some quotes: “Cyber attacks by state actors are the new normal”; “State actors can use the following digital means to this end: (…) Espionage, including economic or political espionage”; “The Netherlands is the target of an offensive cyber program from countries such as Russia and China”; “The Chinese digital espionage actor APT31 has carried out widespread and long-term attacks on political targets in Europe and North America. There were also targets of attacks and reconnaissance activities by this actor in the Netherlands.” The intelligence services define state threats as follows: “Coercive, subversive, misleading or covert activities by or on behalf of state actors, below the threshold of armed conflict, which can harm the national security interests of the Netherlands through a combination of the goals pursued, the means used and the effects.” A state actor is simply a country that does that kind of thing.

So, dear colleagues: if you like TikTok, do your thing. But not with the boss's stuff. Now you may be thinking, well, I don't have any important or confidential information on my phone, this isn't about me. Think again. Your contacts alone can be interesting, and the network you form with them. Spies are puzzlers: they get a few puzzle pieces from you and the rest from others. With all those pieces together, they eventually manage to create an interesting picture.

A colleague told me that his daughter does not mind that the Chinese are watching: "Extra fans." That's one way to look at it. As a citizen. As a civil servant, you have other responsibilities.


And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.
