2023-09-15

Do it yourself

 

Image via flightaware.com (some parts of the flight are missing)

Our son will soon start his training as a commercial pilot. We still owed him a gift for obtaining his pre-university education diploma and we turned it into an airy outing.

Teuge Airport is just around the corner (officially called International Airport Teuge, but that name might be a tad over the top). A company on the airfield offers trial flying lessons. And it may seem a bit odd to have someone who will start professional pilot training next month make an amateur flight, but we would all like to experience a little of what he will soon be up to. The only problem was that there are four of us at home and the Cessna 172 they are flying is a four-seater. And we definitely wanted to have someone on board who had already completed their pilot training. To ensure that no one was left out, we have arranged not one, but two planes. And in that second plane I sat in the front right seat yesterday.

That was a very interesting experience. I enjoyed it, and my son did too – he was already super motivated and that fire has only been fueled further. As always, I was in security mode during this outing. As you might expect, safety is a central theme in aviation, and general aviation is no different. However, it is interpreted differently there: it is mainly a matter of do-it-yourself. There is no traffic control. Each pilot talks into the radio about what they are going to do, so that other traffic is aware of it. And at the airport someone is also listening to the radio, but that isn’t an official air traffic controller.

On the way to runway 08, pilot Tommy parked his 1970s Cessna at a 45-degree angle on the taxiway, so he could get a good look in the direction incoming traffic might be coming from. A plane was indeed coming, and Tommy had to judge for himself whether he could take off before that plane. He also had to take into account that another plane was just taking off. It didn't fit, so we had to wait a while. Once in the air, the pilot had to be constantly alert for any other air traffic. Other than that, it's not all that complicated – a bit like driving a car, but in 3D, because you can also go up and down. Moreover, time passes faster: one moment we were flying above Het Loo Palace on the north side of Apeldoorn, a few minutes later we were already above our neighborhood on the other side of the city, where we flew an extra round in order to spot our house (which was quite difficult).

Because there are rules about the flight route to Teuge, landing is quite orderly. You arrive from the south, make a left turn, followed by two right turns, and then you are neatly aligned with runway 08. The unofficial air traffic controller asked another plane to make a longer run because parachutists were about to jump, but we could still land straight away. Tommy was startled for a moment when he slammed the brake pedals, because the wheels of the plane locked up. He had to apply the brakes a little more gently; the runway was long enough anyway. And so everyone was safely back on the ground (well, the ladies in the back had gotten a little nauseous).

In information security, we do have a kind of traffic control to some extent. It consists of all kinds of systems that ensure that we do not end up in 'turbulence', for example on suspicious websites. Other systems provide a secure 'flight path' by encrypting connections. And the virus scanner somewhat resembles the security checks at the airport (I wrote about those recently): just as the virus scanner keeps bad software out, those checks keep bad passengers on the ground.

But indeed, that all only works to some extent. From there on, we too have to do a bit of DIY. Pay close attention to everything that flies by, don't be eager to land just anywhere and don't accept sweets from strangers. You are the pilot who has to pay close attention behind your keyboard or mobile screen. You can rely on various safety systems, but you must also realize that your behavior partly determines how the flight proceeds. And in case you feel unsure: there is always a co-pilot next to you with whom you can confer. This could be a teammate, your manager, the service desk or a security officer. Together we ensure a safe flight through the digital airspace.

And as the Germans put it so nicely when they have just experienced something wonderful: nur fliegen ist schöner (only flying is more fun). My son is indeed going to learn a fantastic profession.

 

And in the big bad world...

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

 

2023-09-08

Copy keys

 

Photo by author

Do you remember Mister Minit? In my memory, they were those kiosks in department stores where you could have shoes repaired and spare keys made. In that same memory I see the logo, a man in a red jacket, making an inviting gesture. To my surprise, Mister Minit still exists. Nowadays he wears a blue polo and has only three stores in the Netherlands. It is much larger to the south and east of our country. And he has learned something new – he now also repairs your watch and engraves your name on a pen or nameplate.

In Australia and New Zealand Mister Minit is really big, but I don't know if he ever made it to the US. Anyway, the Americans have another solution for copying keys: vending machines. The company Minutekeys (hey, I see a similarity!) has kiosks in the entrance of large supermarkets, such as Walmart. These machines can copy home, office and padlock keys. Keys marked 'Do Not Duplicate', school building keys or other keys subject to a restriction will not be copied.

It is of course my professional deformation that makes me immediately wonder what could possibly go wrong here. When I first saw such a machine, I jumped into that mode right away. A machine where you can have a key copied completely anonymously - you can even pay with cash - offers prospects for malicious parties. Of course, that's not what those machines are intended for at all; they are there to let you copy keys to locks that belong to you. But is it so far-fetched that someone 'borrows' a key, has it quickly copied and puts the original back? You are at the gym, someone visits the locker room, picks up your house key and stops by one of those machines. He was observing the gym beforehand, so he knows whose bag the key was in. After your workout, he follows you home. Now he knows where you live and he already has the keys to your house. He just has to wait for a good moment to empty the place. Other scenarios are welcome (for research purposes only).

As loyal readers know, this blog often starts with a real-life situation, which I then twist towards information security. That's not always easy; sometimes I start writing and meanwhile wonder how on earth I can steer that situation into my field of expertise. That also bothered me a bit today, but eating an apple solved it. I can't write while eating, but I can read. And so I started reading some articles for the section And in the big bad world… It turned out that an article had appeared two days ago about someone from Boskoop who had bought keys to the password vaults (password managers) of over a thousand people on the dark web. This granted him access to the passwords of all the accounts that someone had in there: e-mail, online stores, you name it. He could order stuff and remove the order confirmations from the e-mail, so that no one would notice. Only the victim's bank statement showed the orders.

Does that mean that password managers are not safe after all? Well, no. The passwords of those vaults were stolen using malware. If you have a computer or mobile device without a good virus scanner, you run the risk of infection. Criminals can then install malware that captures your password manager's master password when you open the vault yourself. So it is not the vault itself that is unsafe - the vault is simply standing in an unsafe environment. If you place a real safe in a public space, you shouldn't be surprised if some people look over your shoulder when you enter the code.

Here's my periodic call to ensure good protection against malware. That doesn't even have to cost you money. For example, the virus scanner built into Windows (Microsoft Defender Antivirus) performs well - but only if you have not turned it off. There are also excellent free and paid apps available for Android devices (which you will of course only install from Google Play). I definitely recommend securing your Android device with one of those. iPhone and iPad users still have to rely on the inherently secure ecosystem that Apple believes it has for these devices; there are no virus scanners in the App Store (but there are numerous other security apps).

Accessing your password manager with your fingerprint instead of with your master password also helps prevent illegal access. Mister Minit and the Minutekeys vending machines cannot copy that yet.

 

And in the big bad world...



2023-09-01

Virtual Confidence

 

Image from Pixabay

Information security is a matter of trust. That may sound strange, because you are used to the fact that in the digital world we have to distrust everything and everyone (we even use the term 'zero trust') and that we base our security on what can go wrong. But ultimately you have to rely on the people, procedures and products that together build your security. It is sad when that trust is betrayed.

If you use the internet, you don't want snoopers around. At home, most of us rely on our ISP to behave properly. When you are away from home, however, you suddenly have to deal with all kinds of other parties that offer you internet access: shops, restaurants, hotels, airports, you name it. You have no idea who is behind it and whether those parties can be trusted. Fortunately, there is a technical solution for this, called VPN: Virtual Private Network. A VPN creates a secure 'tunnel' through which only your internet traffic passes – hence the name: it seems as if the internet has become a private network, just for you.

In effect, you are transferring your trust from the internet provider to the VPN provider. Without a VPN, the party that offers you access could watch; with a VPN, the VPN supplier could watch. Because the latter provides a security service, which you may even pay for, you trust that your internet traffic is in safe hands with them. Incidentally, you can usually choose to use your mobile data connection (4G/5G) instead of the WiFi of that restaurant or hotel. This summer, however, we went on a trip outside Europe. Internet via our SIM cards would have been costly and that is why we wanted to be able to make good use of free WiFi. That's why I took out a VPN subscription for all the devices we took with us. That worked perfectly: no noticeable delay and a safe feeling everywhere. My less technical family members have not noticed anything, and that is a good sign.

The trouble started when we got home. Two weeks ago I happened to notice that the VPN was off on my phone. Their app even claimed I didn't have a subscription. I checked it, just to be sure: I had really paid for two years. So I sent a message to the VPN supplier. Despite it being Sunday, a message quickly came back from the company: my subscription had been suspended due to suspicious behavior - their systems had detected that my account was being used for web scraping, which is against their terms of use. Web scraping is the automated 'absorbing' of websites in order to retrieve all the information there at once. This is interesting, for example, for a company that wants to know what its competitors are doing. And you may also collect information that is not actually intended for the public, such as a customer database.

I was quite angry about that response. They had suspended me, a paying customer, without notice. Moreover, our devices were no longer protected and I didn't even know since when. And I had been falsely accused. I asked for clarification and made it clear that I was not happy. This time the response didn't come until the next day, and it completely ignored my displeasure. They did not want to share more information about the incident, because that kind of information could benefit malicious parties. But they did give practical tips. My account password must have been leaked, they told me, and I was urged to change my e-mail password as well. They also gave tips on strong passwords and on how I could check whether my credentials had been leaked (via haveibeenpwned.com, where I have been registered for years). But well, they had looked into my case once more and they were willing to restore my account.

In a new e-mail I once again said that I did not understand why they had not informed me about the suspension. And that I understood that they can't share information, but that they should be able to see for themselves that I didn't do anything wrong. And I also asked for compensation for the time they had left us unprotected.

Again they kept me waiting for a full day. Then they were sorry I was dissatisfied, and thanked me for taking the time to provide feedback. They declined to share further information. My account was reactivated, but if this ever happens again, my account will be suspended forever, they threatened.

There are messages on Twitter from people with exactly the same story: after two months they were kicked out on suspicion of web scraping. Maybe this Panama company (that’s where NordVPN lives) should adjust their tools. In the meantime, my confidence in this security service has taken a big hit.

 

And in the big bad world…



2023-08-25

Resistance is futile

 

Starship of James T. Kirk, Jean-Luc Picard's predecessor.
Image from Pixabay

“We are the Borg. You will be assimilated. Resistance is futile.” These three sentences gave the crew of the USS Enterprise starship, led by Captain Jean-Luc Picard, a lot of headaches. No, don't drop out now if you don't like Star Trek! As so often, my blog is ultimately about something completely different.

The Borg are a collective life form, consisting of many beings who share one consciousness and therefore no longer have a will or personality of their own. They move through the universe and violently assimilate everyone who can contribute to their pursuit of perfection into their collective. They are very powerful; that is why they tell you right away that it is useless to oppose them. The Borg grow in power as the biological and technological characteristics of their subjects are added to the collective. All Borg are equipped with various technological implants - they must of course be recognizable to the viewer. When they have nothing to do, the Borg are stowed away in a regeneration alcove. While the body is in a kind of sleep, the brain is used for collective tasks.

That's all nice on TV, but in real life living in such a society would be horrible. Although sometimes I wish certain people had a little more collective intelligence and decency. But in Western society in particular we value individuality above everything else, and that includes differences in intelligence and behavior. To some extent that diversity is great; if it becomes willfully extreme, it can hinder a pleasant society.

Artificial intelligence (AI) is on the rise. As a kind of consumer version of AI, ChatGPT has quickly established itself in our society. Many people understand that such a tool can greatly facilitate their lives. Just think of pupils and students, who eagerly use it – often to the sorrow of their teachers. Incidentally, AI detection tools are also being developed, enabling teachers to check whether someone is submitting work that originated from biological or artificial intelligence. ChatGPT is a 'large language model', which I find difficult to understand. But things got a little clearer earlier this week when a colleague asked me what the term is for a particular phenomenon. I didn't know that off the top of my head either, so I consulted Google, which also yielded nothing. A language model is much better at understanding what you actually mean to say than a search engine, and ChatGPT came up with the right term.

AI is like dynamite: invented with the best of intentions, often used maliciously. We did get the Nobel Prizes out of it, though. ChatGPT and its ilk follow the same path. You can ask them to look for a security hole so you can close it, but you can also use that to break in. And so lately we often get asked whether we should limit the use of ChatGPT in our organization.

Maybe you shouldn't put such a question to an information security officer. We will perform a risk analysis and, by definition, look at it from the starting point: what could go wrong? Well, I assure you AI is going to come out of that as a major threat. Subsequently, you have to do something with all those identified risks. You may be able to mitigate some of them, and management may accept other risks. With all that, however, we are looking only at the bad side, while AI can also be a blessing. I don't want to be the one who stops the introduction of the steam train because it can travel so terribly fast.

A wise long-retired colleague used to say: “A measure without control is no measure.” I may have control over which websites you are allowed to visit with your work laptop and keep you away from ChatGPT, but I can't prevent you from using private devices to do so. At least, not technically; we have all sorts of rules for this from an organizational point of view. And then I can only hope that you know them and that you stick to them.

We need a policy for applying artificial intelligence to our work. From a security perspective, the leakage of information must be taken into account if (too) specific questions are asked of an AI tool. By the way, you can just as easily leak information via search engines. Perhaps AI is not so special for information security officers after all. In any case, it is pointless to resist it: it is there and it will not go away. But it is important that we know what is real and what comes from the collective brain of the computer.

 

And in the big bad world…

 

2023-08-18

Surprising security

 

Photo by author

If you're going on a long trip, you can't pack clean underpants for every day. We did not seriously consider the option of turning a pair inside out after use and wearing it again the next day. No, really.

Fortunately, many hotels have a guest laundry. That is always a hassle. For starters, you usually need coins in the local currency. I had the ambition to make this a cashless trip. At our hotel in Seattle, I miraculously got away with this: the front desk manager asked how much we needed, pulled out his purse, and gave us the quarters we needed. In another hotel we could pay with a credit card. But most of the time we really needed coins. It left me with a colorful collection of international change.

But tumble dryers are also a hassle. Usually you have three options, which do not match the options in my mother tongue: cold, permanent press and hot. The first does little to help, while with the latter one might expect to end up with gnome-sized clothes; at home we only throw towels in the dryer, which makes that option extra scary when you are traveling. That word "permanent" in the middle option also sounds pretty definitive, but since it's the middle option, it must be okay. At least, that's what we thought. The laundry still came out clammy. Even after one more round. And that all takes time that you actually wanted to spend on tourist activities. And you can't just leave: either you keep the machines occupied, or you'll find your laundry in a corner somewhere upon your return, with no idea who and what touched it. Ugh.

A hotel in Tokyo tackles this mild form of fear of contamination in a striking way. Their combined machines (washing and drying, already a godsend for tourists anyway) are equipped with a code lock. When you start your laundry you have to think up a code, and you will only get your laundry back after entering that same code. This way you are assured that nothing and no one can access your belongings. Of course, you are not supposed to keep the machine occupied all day long. But at least your laundry is safe.

That's security where you do not expect it, but are happy with it. Do we have something similar in ICT? I thought about it for a long time, but I couldn't come up with anything. This is probably because in ICT we expect a lot from security and we would be surprised if it was not implemented these days. Even in situations where you find security a nuisance, you resign yourself to it – it's normal.

There are still plenty of opportunities. IoT equipment (the Internet of Things) still too often lacks proper security. We now have quite a few of those things at home. The dishwasher, the dryer, the solar panels, the air conditioning and the sound system: they all talk to our phones. But once installed, none of those devices ever ask: who are you? The solar panels only provide data, but I can instruct the other devices via my smartphone to do something or to stop doing so. And a hacker can do damage with that. Turn the stereo to max volume when no one is home and you're bound to have a neighborly fight. Dishwashers and tumble dryers may overheat or leak water if operated inappropriately. Fortunately, we don't have a smart kettle or toaster, because overheating is much easier to achieve with such devices.

IoT device manufacturers need to do better. "The letter S in IoT stands for security." Yes, exactly: that letter is not in the abbreviation at all. What also doesn't help is the absence of a security section in the manual for devices that want to connect to my home network. The inner workings of their security are explained nowhere, and I'm afraid I already know why that information is missing. Meanwhile, all those devices know the password of my network.

What can you do yourself? If a "progressive" device comes with a password, change it immediately upon installation - otherwise the entire world will know your password. You could also place IoT devices in a separate network, for example your guest network. This prevents an intruder from accessing your data. Then again, many devices only communicate with your phone if they are on the same network. But with that phone I want to be on the trusted network, not on the untrusted network on which I allow anyone.

There is still a lot to be done in the field of IoT security. Surprise me.

 

And in the big bad world…


 

2023-08-11

Airport Security

 

Image from Unsplash

At Schiphol Airport, you can happily bring your water bottle through security. In Houston you have to take off your shoes. In Vancouver, you must remove the liquids bag from your hand luggage, and in Honolulu, all your electronics must also be removed from your carry-on bag. Unlike elsewhere, in Tokyo your trolley doesn’t travel through the X-ray in a tray. In Singapore you can go to the faster line with your EU passport, with do-it-yourself passport control. And in Dubai you even have to take off your watch. And the iron smoked sausage - well, that's a special case.

I went on a big trip this summer with my family. That involved going through the hassle of airport checks a lot before reaching our seats. Frankly, I don't know if I've assigned the right rules to the right airports above; only about Schiphol and Singapore I am still sure. The point is that there are quite a few differences. And as a result, as a casual flyer you never know where you stand. What do they want unpacked on the X-ray belt? Can I keep my shoes on? Am I going to forget something on the other side because everything is scattered? And all that under the often grumpy looks of security staffers (fortunately there are also exceptions) and the pressure of the travelers behind you, who also want to get through this hell quickly and want to put their shoes back on, hold up their trousers with their belts and mount their backpacks.

How easy it would be if procedures and rules were the same everywhere, and you knew in advance where you stood. I have to show my passport there, they want to inspect the boarding pass there, I don't have to take off my shoes and I don't have to unpack anything. Take off your belt, because a metal buckle sets off the alarm. Such simple rules, presented to you as early as when booking your flight, could improve the flow at many airports and reduce traveler stress. The same also applies to matters that are not related to security, such as exactly how much hand luggage is allowed (right now that differs at least per airline, aircraft type and the class booked), the check-in procedure and the seat allocation: sometimes you choose yourself in advance – which may cost you (dearly) – sometimes you can make adjustments at check-in, sometimes you as a family are apparently deliberately spread over the entire plane (you should have paid for those next-to-each-other seats, you know).

How are we doing in that respect in information security? As a user, do you always know exactly where you stand in advance? Or are you often surprised by other rules? Let me start with myself for convenience. It will not surprise you that I rarely run into unexpected rules. I know the regulations; I have often contributed to them myself. If I don't get what I want, I understand why and I know what to do. But let's have a look at you now, as an 'ordinary' user (as in: not a security professional). You use several systems. With one you do not have to log in at all, with the next it happens automatically (single sign-on), with yet another system you have to log in with your Windows password and then there are also systems for which you have a separate password. You know how your everyday systems work. But if you only use some application or website occasionally, it might seem strange to you when you're asked for your Windows password. Is that okay? Yes, it is, as far as an internal system or an internal application is concerned. Briefly explained: those are connected to the Windows user administration (the so-called Active Directory), which is why they ask for your Windows password. Of course, if an external system asks for your Windows password, that's bad! The tricky thing is that sometimes you don't know whether a system is internal or external. Think of that app that you use for work.

Sometimes you want to go to a website and you are not allowed to go there. Others you can visit freely. There is a system of categories behind it. Our supplier scours the entire internet and puts each website in one or more categories, for example government, education, gambling or pornography. As an organization, you set which categories you want to block. As a normal internet user you will not often encounter blockages; however, for gambling or porn, and a few other categories, you'll need to go elsewhere.

Perhaps there are more situations in which you think: that could be a bit clearer. I'm curious about that.

When scanning my hand luggage at Schiphol, the security guard said: "I have seen something in your luggage that I have never seen before. It looks like a smoked sausage made of iron." Of course my carry-on had to be opened and the culprit came to light: a phone holder for the dashboard of the rental car. That holder consists of a platform, on which the actual holder is placed with a suction cup. The contraption sits on the dashboard and must of course have sufficient weight not to slide. That's why it has a U-shaped weight, which looked like an iron smoked sausage on the scanner image.

 

And in the big bad world…

 

2023-06-30

The King of Doodles

 

Image from author

It was a year ago, in a conference room in Utrecht. A strange room it was, because one of the walls consisted almost entirely of large shutters – on the inside that is. I still don't really know what was hiding behind those shutters. But that's not the point. The point is that I sat next to the King of Doodles. And that I wanted to do something with that in my blog, but couldn't find a link with security. Until now.

A doodle, as explained by Wikipedia, is a drawing made while a person's attention is otherwise occupied. You know, like when someone is sitting in a meeting with a writing pad on the table and they're drawing all kinds of frills on it: doodles. Well, that colleague I was sitting next to at the time, boy was he skilled at that. He scribbled like his life depended on it - that's why I crowned him the King of Doodles for myself. And I watched with fascination. What was also fascinating was that the drawing didn't seem to distract him in the slightest: he just joined the conversation, with a lot of sensible input in fact.

Recently, the same meeting took place again. Again in Utrecht, but now in a different place, without indoor shutters. The King of Doodles was there again, and he was scribbling as usual. We talked about it during a break, and I confessed that I had been wanting to blog about this spectacle for a year, but couldn't find the right hook. And that ate at me, because, as regular readers know, I can usually give the craziest observations such a twist that they suddenly have a connection to my profession. Only those cursed doodles, they resist my urge to write. Until another colleague looked at the drawing and casually said: “That looks like a QR code.” I looked at him in bewilderment: that was it! There is a lot to write about QR codes from my profession.

QR codes can no longer be ignored in everyday life. You come across them everywhere. “Scan me!” they shout to unsuspecting passers-by, “I'll give you information!” They are often featured on pamphlets and advertisements. If you want more information after reading it, you can do so by scanning that QR code. But you sometimes come across QR codes separately. On a sticker that someone just put on a traffic light, for example. Or on a shop window. They are much more mysterious.

The problem with QR codes is that we humans cannot read them. So you have no idea where such a code will take you. It can just as well contain a link to www.scammers.com (this domain name is still available, by the way). In my memory, it used to be that if you scanned a QR code, you immediately went to the linked website. That is now different (better): a pop-up shows you the destination and then you can still decide whether you want to go there. But even then you often don't know much – do you have any idea whether something like s5.productinfo.com is a bona fide site?

Now you don't have to worry immediately that a QR code next to a recipe in your supermarket’s magazine will take you to a rogue site that steals your data or provides your device with a nice virus. However, I'd be a bit more careful with QR codes that you come across in the wild that have no context. Or with codes on advertising posters or shops. They have context, but maybe someone has pasted their own code over them; then you think you are going to fineshop.com but you still end up at scammers.com.

My advice: make conscious use of QR codes. See if you understand where they're going, and if that doesn't seem right, or you don't have a clear context (like with that yummy recipe), better back off. You can always google it by hand to get more information on the subject in question.

At those Utrecht meetings I mentioned, our internal bloggers and the intranet editors met. The editors treated us to lunch and figures that showed that our blogs are important crowd pullers. But for me, the most important thing was that I can finally feature my esteemed fellow blogger, the King of Doodles, in my blog.

The Security (b)log returns after the summer holidays.

 

And in the big bad world…

 
