2024-03-22

Apple pie & solar power

 

Image from Pixabay

You’re going to bake an apple pie. The ingredients are lined up in battle order on the counter, eager with impatience. The mixer is shining in pride of place, ready to mix everything together nicely. You pour the first ingredients into the mixing bowl and set the switch to position one, for starters. Nothing happens. Oh, stupid, you realize with relief, of course you have to plug it in first. But still nothing happens. It slowly dawns on you: the pie is being delayed. Your once faithful mixer no longer works.

Since the invention of the light bulb, we know that electrical appliances break down over time. A few decades ago you could still assume that expensive appliances, such as a TV or washing machine, would last about ten years. If there was something wrong with them in the meantime, you had it repaired. Nowadays we often don't make it to ten years, and repairing has also gone out of fashion. But hey, things do break.

With us it was not the food processor, but a solar panel. Unlike a broken food processor, a broken panel is not so easy to notice. Yes, we regularly check the solar power harvest of that day in the app, but then we see the total yield of all panels. In our changeable weather it is normal for these values to differ from day to day, so you can't tell that one panel doesn't contribute. Fortunately, there is another screen that shows the daily yield per panel. If there is a zero there, you know there’s a problem. But we didn't look at that screen that often. A reconstruction showed that the panel had been out of service for about two weeks. So I quickly called the installer. He concluded that the electronics box of that panel needed to be replaced. The technicians have been on the roof and we are fully operational again. Just turn up the sun.

We discovered this defect by chance. I talked about this with the technicians, who said that our supplier is also monitoring. But because we do not have a maintenance contract, there is no permanent monitoring. In other words: the data indicating that something is wrong is there, but no one is looking at it.

It works the same way in IT. Tons of data is logged, but not all of it is analyzed. You can think of all kinds of things when it comes to logging: a user logs in to his laptop, a printer runs dry, someone reads sensitive data, and much more. But yes, if no one is watching, error situations can survive for quite a long time. Fortunately, it is not all manual work. Smart software receives instructions as to which notifications are really important and brings them to the attention of specialized teams. The software acts as a sieve, meaning that only a fraction of all events need to be further investigated by employees.
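The per-panel check described above, turned into the kind of sieve the paragraph talks about, as an added example that is not part of the original post: it compares each panel with the rest of the array (absolute yield says nothing in changeable weather, relative yield does), ignores days on which nobody produced, and only raises an alert once the fault has persisted for several days. The sample readings, field names and thresholds are constructed for this example.

```javascript
// Constructed sample: kWh per panel per day. Panel p3 stops producing on day 3.
const SAMPLE_READINGS = [
  { date: '2024-03-01', yields: { p1: 1.8, p2: 1.7, p3: 1.9, p4: 1.8 } },
  { date: '2024-03-02', yields: { p1: 0.4, p2: 0.3, p3: 0.4, p4: 0.4 } }, // grey day, all low
  { date: '2024-03-03', yields: { p1: 1.1, p2: 1.2, p3: 0.0, p4: 1.1 } },
  { date: '2024-03-04', yields: { p1: 0.0, p2: 0.0, p3: 0.0, p4: 0.0 } }, // no sun: no evidence either way
  { date: '2024-03-05', yields: { p1: 2.0, p2: 2.1, p3: 0.0, p4: 2.0 } },
  { date: '2024-03-06', yields: { p1: 1.6, p2: 1.5, p3: 0.0, p4: 1.6 } },
];

function median(values) {
  const s = [...values].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// One day's verdict. Each panel is compared with the median of the whole array.
// If the array as a whole stayed below floorKwh the day is not evaluable and no
// panel is blamed; otherwise a panel at or below ratio * median is flagged.
function assessDay(yields, { floorKwh = 0.2, ratio = 0.1 } = {}) {
  const reference = median(Object.values(yields));
  if (reference < floorKwh) return { evaluable: false, flagged: [] };
  const flagged = Object.entries(yields)
    .filter(([, kwh]) => kwh <= reference * ratio)
    .map(([panel]) => panel);
  return { evaluable: true, flagged };
}

// The sieve: count consecutive evaluable days on which a panel was flagged and
// raise exactly one alert when the streak reaches minDays. Dark days leave the
// streaks untouched, so a rainy week neither triggers nor clears an alert.
function runMonitor(readings, minDays = 3) {
  const streak = {};            // panel -> { days, firstSeen }
  const alerts = [];
  for (const day of readings) {
    const { evaluable, flagged } = assessDay(day.yields);
    if (!evaluable) continue;
    const flaggedSet = new Set(flagged);
    for (const panel of Object.keys(day.yields)) {
      if (!flaggedSet.has(panel)) { delete streak[panel]; continue; }
      const s = streak[panel] || { days: 0, firstSeen: day.date };
      s.days += 1;
      streak[panel] = s;
      if (s.days === minDays) {
        alerts.push({ panel, firstSeen: s.firstSeen, alertedOn: day.date, days: s.days });
      }
    }
  }
  return alerts;
}

console.log(runMonitor(SAMPLE_READINGS));
// -> [ { panel: 'p3', firstSeen: '2024-03-03', alertedOn: '2024-03-06', days: 3 } ]
```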

There is also log data that is never looked at, unless there is reason to do so. Someone may have done something that is contrary to the rules. Most organizations couldn’t care less about an employee logging in to their laptop. Unless a manager has signals that the employee is going off the rails. Then he might want to know at what times the employee starts work. Things become more intense if someone is suspected of passing on internal data to criminals. In such a case, investigative authorities want to know, for example, who looked up a certain license plate and the associated details of the vehicle owner. That kind of information is not always available at the push of a button; sometimes it requires a lot of digging. Unfortunately, sometimes that is necessary, because in an organization as large as ours, statistically speaking, you are entitled to a certain percentage of black sheep. That is why I would like to see the logging of data required for this type of forensic investigation expanded - so that you can answer certain questions at the push of a button. You only know to a certain extent in advance what data you will need in an investigation. The fact is that events that you do not log now will not be available for analysis later. Another fact is that logging costs money. A good assessment is therefore necessary.

We have had a second set of solar panels for a few months now. Recently I had to be on the flat roof where they are located, and on that occasion I cleaned them. In doing so, I discovered that each of those panels showed several white spots. Not on the material, but in it. A few photos and an email later, the installer informed me that this problem was known to the manufacturer and that the panels would be replaced under warranty. Some things you really have to keep an eye on yourself.

 

And in the big bad world...

 

2024-03-15

Passkeys to replace passwords

 

Image from Pixabay

Passwords have been around since at least the time of Asterix and Obelix, and they have been used in computers since time immemorial (Wikipedia mentions 1961 as the year in which they were used in a system at MIT). And now, some two thousand years after our Gallic friends, we are tired of them. There are too many of them, they are inconvenient and they are unsafe – even long, complex passwords are unsafe if someone phishes them. But there is hope: the passkey is coming!

Passkeys are not yet widely available, but the word is popping up more and more and that is enough reason to take a closer look. Passkeys are fundamentally different from passwords, with the biggest advantage being that they are many times more secure. And they are easy to handle. Who would not want that?

To explain the difference, I'll start with the ancient password. Its operation is based on what is called a shared secret: both you and the site/app/application/computer know the password. About the only difference from the way the ancient Romans worked is that computer passwords are not stored on a server as they are, but in the form of a hash value (a mathematically calculated 'distortion' of the original). After all, the other side must be able to check whether the combination of username and password entered matches the data on file, so the credentials of all users are stored in a large file. That's gold for hackers if it isn’t protected. And that is why hashing is so important. Hashing is irreversible; the password 'badexample' becomes ‘833f25dab798cb9b3ff1952ccb461751’ and there is no way back: you cannot recover the original password from the hash value. When you enter your password, it is hashed again and if the result matches the stored hash value, you are allowed to enter. Just like anyone else who knows your password. Moreover, a patient hacker who stole a password file can try passwords all day long and if the calculated hash value eventually matches the value in the file, he knows your password.

Enter the passkey. It doesn’t involve a shared secret, but serious cryptography. The ancient Romans already did that. At that time it was mainly a matter of using different symbols, or shifting (a becomes d, b becomes e and so on). This involves a key: when using other characters you use a kind of legend, when shifting it’s a number (in the example the key is +3). Modern cryptography is much more complex, especially the kind used for passkeys: asymmetric cryptography. Characteristic of this is that it doesn’t use a single key (which must be shared between the parties involved, just like a password), but two keys. Those keys have a mathematical relationship. One is called the public key, the other is the secret key. The gist of the story is that the secret key remains on your device and the public key goes to the other party. If you do something with your secret key on your device, the other side can check whether it was you, using the corresponding public key. That public key does not need to be secured, as its name suggests.

Suppose you want to log in on your laptop to a site that works with passkeys. That passkey can be on your smartphone, for example. Your laptop and your phone know via Bluetooth that they are in close proximity and therefore, that no one is trying to log in remotely. You unlock the requested passkey on your phone with your fingerprint, facial scan or a code. And hey, you're logged in to that site.

Because the passkey does not leave the device, you as a user cannot leak credentials - so you are not susceptible to phishing. In my opinion, that is the big advantage of passkeys: an attacker simply cannot get in between. You can synchronize your passkeys with different devices and have them at hand on your laptop, tablet and smartphone. This synchronization is encrypted (end-to-end, so no one can break into it).

Passkeys are currently supported by major tech companies (Google, Apple, Microsoft). But some password managers, such as Bitwarden, can also handle them.

Are you curious yet? Log in to your Google account (create one if necessary), go to Settings > Security > Access keys and Security keys and create your access key here. A Bitwarden plugin runs in the browser on my PC, and it asked if I wanted to store the passkey there. From now on, when I want to log in to Google on my PC, the password manager asks whether I want to use the passkey. So it actually works the same as before, but without any secrets involved. Let's hope that passkeys become popular and we’ll familiarize ourselves with them and will soon - for the next two millennia or so - not know any better.

 

And in the big bad world...

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

2024-03-08

RITA

 

Image from Pixabay

Recently, RITA came into my life. She just fluttered in during a risk analysis, and I listened with fascination to what a colleague had to say about her (thank you Henk!). Later I Googled her and was impressed by her engaging personality. Her image is a bit less flattering, but I still prefer to judge RITA on her character rather than her appearance.

RITA is an acronym that stands for Reliable Internetwork Troubleshooting Agent. It's an April Fool's joke from 1998, presented as an RFC. That abbreviation stands for Request for Comments. An RFC is literally a request to comment on something. That ‘something’ is the protocols and other documents that describe the operation of the internet. Ultimately, an RFC becomes a standard, but strangely enough it’s still called an RFC.

RFC 2321 describes “usage of Nondeterministic Troubleshooting and Diagnostic Methodologies as applied to today’s complex nondeterministic networks and environments”. The difficult word, which appears twice in the previous sentence, means that outcomes are variable even when the conditions are the same. I put aside the common assumption among laymen that computers always produce the same output in identical situations - especially with identical input - at the very beginning of my career. At the time, I was responsible for the COBOL software that took care of the nightly processing of income tax data. One evening an operator (hello Oscar!) called me because the processing had stalled. I told him to just restart the processing. Never heard anything about it again.

RITA is charmingly simple, and the way she makes her diagnosis is equally so. Moreover, the outcome is easy to understand because it is binary: it is right or wrong, there is no in between. RITA's primary area of use is hardware and software, but I think RITA can also be successfully used in countless other environments, even outside IT.

RITA is a rubber chicken with a length of 51.25 cm (20 3/16”) and its operation is very simple. You place it on the device to be analyzed or, in the case of software, on a still packaged copy of the software, or if necessary on a printout of the source code (that old COBOL software of mine was easily a decimetre (4”) thick). And here’s the punchline: if RITA flies away, then the object to be analyzed is error-free. If, on the other hand, RITA remains down, then something is wrong. You get the idea: rubber chickens don't fly – unless they're thrown, of course.

Moral of the story: hardware and software always contain errors, because they are incredibly complex. And, I always add, some of those errors have bad consequences for the security of the object, and possibly even for the security of the wider environment in which it is active (a hacked baby monitor is not only annoying because the hacker is in your home, but also because the device can be misused in a DDoS attack on an organization on the other side of the world).

In our risk analyses, we always ask how vulnerable a particular object is to errors in software, broken down into self-built and purchased software. Vulnerability is determined by the measures you have taken to address a threat. The application of the DTAP model is invariably mentioned as a measure: the development, testing, acceptance and finally running of the software in production takes place in separate environments, the intention being that an error will come to light in one of these phases. Attack & penetration testing is often used to determine whether an attacker can gain access to the object. And vulnerability scanning regularly checks whether a product contains known vulnerabilities. What remains after all this good work are the mistakes that have still been overlooked. And believe me: RITA will never take to the skies. The only question is who will discover a risky error first: a crook or an honest person.

 

And in the big bad world...


2024-03-01

Security (b)log: Updates

 

Image from Pixabay

Two weeks ago I promised here, as an incentive to myself, to give my smart equipment some attention. I was to investigate if they needed a software update and do so if necessary. This week I will report on my search. I also mention company and brand names; not as an advertisement or to criticize them, but because it's nice in case you have those things yourself.

My search started at the front door: at the modem/router. That is from my internet provider Ziggo and is called Connectbox Giga (a rebranded Arris TG3492). If you log in to the modem's management page, you can find out which software version it is running. It just doesn't say from when that software is, or it must be hidden in the very long version number (AR01.04.092.09_071423_7248.SIP.10.LG.X2). I asked the Ziggo community how you can find out which is the current version. They say that this is the correct one, but I’m afraid that if you want to check it yourself you will probably have to get that information from the manufacturer.

Then the LG dryer. The accompanying app displays the version of four pieces of software under device information, and says: “Software is up to date”. Apparently the app checks this online itself. I just can't tell from when those updates are. I mean: if that software has never been updated after it was released - years ago - then my software is indeed up to date, but there is probably quite a bit of room for improvement in the meantime. And perhaps such a necessary improvement was related to the security of the device. But that remains guesswork. I want to act as a normal user here and will therefore not go so far as to find out exactly from when version SAA39935009.0000B455 of 'Firmware 0' is. They could easily add that to the already provided information.

The Bosch dishwasher lets you choose between automatically downloading software (including installation, I hope) and confirming the individual steps (download/installation). It also shows a version number somewhere, but it is not clear whether this concerns software or the device itself, and from when that version is. There is also something that I have not seen before on a device: the validity period of a certificate. You know certificates from websites, from the lock that indicates that the site is secured, and from the s in https. I am positively surprised that this device apparently uses a certificate for communications security.

Next candidate: Philips Hue smart lamps. The accompanying app says: “Everything is updated”. The automatic updates option is turned on and you can even choose the time at which the updates should be performed. Furthermore, each device has a version number, but here too it is not clear from when that version is.

The stereo system also has a few components that are connected to the WiFi network: the Yamaha receiver and, since last week, two wireless surround speakers from the same brand. The latter's installation manual states that you must ensure that all components have the latest firmware version. During the installation of the speakers, the app indeed indicated that a new version had to be installed, which then happened. The app says about the receiver: “Firmware is up to date”. Unfortunately, again without a date, only - in a different place in the app - a version number.

Finally, there are the solar panels. We have two different installations: the first works via the SolarEdge app, the second uses Enlighten/Enphase. SolarEdge does not provide a version number, but – yes, finally! – the date of the last update. That was February 18 of this year, so very recently. It also means that the updates are done automatically, because I didn't do anything. Enlighten provides information about two types of devices. The gateway, which communicates with me, shows a firmware version number and a date when it was last connected to the Enphase cloud. It is not clear whether updates are checked. The micro inverters (each panel has one, rather than a central inverter) all have two firmware version numbers and a communication date, and again it is not clear whether they are related.

Conclusion of this operation: it seems as if everything is fine, but it is not certain, except for the SolarEdge panels and (to a slightly lesser degree of certainty) the modem. Manufacturers still have some work to do to provide consumers with real information and to take away the bad feeling that I am being lulled to sleep with the meaningless term 'up to date'.

 

And in the big bad world...


2024-02-16

Pension

 

Image from Pixabay

Despite the fact that, all being well and regulations unchanged, in ten years' time I will have been enjoying my retirement for a little over six months, I still feel so young that I unemotionally archive mail from the pension fund. There is a vague realization that I should be more interested in my financial future, but at the same time there’s also resignation: on the one hand, based on the general feeling that everything has been well arranged for me, and on the other hand, because it is probably too late to take additional measures, should I want to do so.

A while ago I spoke with a colleague about the involvement of non-peers in the subject of information security. Or rather: about the lack of involvement. He made a striking comparison (thanks Hugo!): would you listen with interest to a pension advisor, or would you rather think: here's my money, do the right things with it?

Oh, there you caught me. I've never talked to a pension advisor before. From the age of 25, pension contributions are deducted from my salary and the pension fund regularly lets me know how I am doing. If I retire at the normal age, I will receive this amount of money every month, and if I die, my surviving relatives will also receive something; that kind of information. I take a quick glance at it and at most think: “Well well!” and proceed to the order of the day. So I'm quite literally saying: here's my money, do the right things with it.

Do pension advisors ever complain that people show far too little interest in their pensions? That it would be in their own interest to look into it and take the right measures? And that few people have the sense to worry about this at a young age? If I had to arrange a supplement to my pension now, it would probably be unaffordable. However, if you start in your early years, you can spread your investment over many years.

In any case, information security professionals regularly complain that people show too little interest in their security. They live in the vague hope that everything will be more or less well arranged. The internet connection at home costs money, so the provider must have supplied a secure modem, right? And that WiFi connection of your dishwasher, dryer and air conditioning from a renowned brand, isn’t that just fine? The apps on your phone and the websites you visit all have a privacy policy, so you don't have to worry about that, do you? These are all assumptions that appease our conscience, if we think of them at all.

Reality is more stubborn. A device is relatively safe if it has had the latest update in which the manufacturer has fixed the known errors. If you do not have that update, your device carries vulnerabilities that can be exploited by attackers. You can easily ensure that you always have the latest updates on your laptop and phone by having everything happen automatically. Of course, if a program or app asks you to do something to effect the update, you still have to actually do it.

There are also people at work who think that the people from the security team will take care of things. That is true to a certain extent: we write down what you should do and not do to keep things safe. We call that policies, standards, regulations – whatever the name. After that, however, it is up to those who are responsible for their part of the equation to also take responsibility for the information security aspect (and privacy, and continuity). And so they have to think at an early stage about what all these regulations mean for their field of work and actually do something with them.

I know, this is easier said than done. My devices at home also feel neglected. It is quite a job to do something about it, which makes it easy to hide behind the argument “not right now, it takes too much time”. But sometimes you just have to make that time. You know what? I have next week off, but we're not going away. I hereby promise our smart devices that I will check whether there is anything to update (which remains to be seen) and if so, that I will do so.

It would be so much easier if many more devices did an automatic update. Then you don't have to figure out where to get your updates from and how to install them. I think many non-ICT professionals shy away from the latter in particular. Hopefully manufacturers will do more to help us with this. And the European Cyber Resilience Act will force them into this. We want security by design: take all this into account from the start and pay attention to it throughout the entire lifespan of the product.

Still wanted: pension by design

There will be no fresh Security (b)log next week.

 

And in the big bad world...

2024-02-09

Kafka upside down

 

Image from Pixabay

Last summer I visited countries where I do not speak the language. In some countries I couldn't even read the writing. In one of those countries I bought a backpack with a card attached to it. “ATTENTION!” it said on the front. But the back was printed with characters that I wasn’t able to interpret.

Thanks to the wonderful technology of Google Lens, I was able to find out what was so urgently requiring my attention. It says that the backpack may become discolored, that I should avoid washing and ironing, that I should use “accessories such as closures, hooks, buttons, metal fittings, belt straps, buckles and rings” properly or they may break, and finally, that the product does not protect the contents in the event of a fall or impact; the manufacturer is especially concerned about my precision instruments, precious metals and fragile objects.

A couple of months ago, I asked you in the Security (b)log whether you know Franz Kafka's novel Der Prozess (The Trial). I assume you've read it by now. And then you may recognize a Kafkaesque trait in the text of that backpack card: you have to use the backpack accessories correctly, but it does not say what the correct way is. For me, backpacks sometimes leave me wondering what that strap or loop is for, let alone whether I know how to use the thing properly. And it also strikes me as rather vague that I should 'avoid' something – what if I do it anyway? Admittedly, I wouldn't have thought of ironing a backpack, but my previous backpack regularly ended up in the washing machine (and it survived).

I'm not going to lecture you further about Kafka now. No, I'm going to turn Kafka upside down. In his novel you have to adhere to rules that you do not know and if you break those rules, you are punished. Kafka upside down is when you know the rules all too well and at the same time you know that if you stick to them, sooner or later something will happen that is very detrimental to you. What would you do if a law were introduced that required you to drive a car at a minimum speed of 100 km/h (62 mph) in built-up areas (and 50 km/h in a residential area)? Are you going to stick to this, even though you know for sure that in the best case scenario you will end up in the hospital, or will you accept, for the sake of self-preservation, that you will be fined?

Earlier this week, intelligence services in the Netherlands revealed that Chinese state hackers hacked into a Defense network. They were able to enter through a known (!) vulnerability in American-made security equipment. Continuing to use something with a known vulnerability is like knowing that the left headlight of your car is not working, but still driving in the dark - because replacing the light yourself is no longer possible in many modern cars, the garage is already closed and you really have to go somewhere. And you continue to use that network equipment the same way, because, well, you need that network anyway and you can't easily replace it. Regardless of the question of whether another product is completely safe.

I don't know how they figured out that China is the culprit; attribution of cyber attacks is a difficult matter. Anyway, the report states that the intelligence services determined “with high confidence ” that it must have been China – spy talk for “we actually know for sure”. And it is not the first time that the West has pointed the finger at China in such cases. So we are more or less certain that China is spying on us.

If a Dutch government institution wants to purchase a service or product, it must follow the Public Procurement Act 2012: if the value of the contract exceeds a certain amount, a European tender must be carried out. So you cannot just go to a supplier and place your order. You must describe in a thick document what you need and what requirements you set for it. You cannot “target” that document to a specific product by including requirements that you know only your favorite product meets. Companies from all over the EU may register for such a tender.

Suppose you are a government service and you want to, say, purchase cell phones. There are Chinese mobile phones on the market that meet all your requirements and they are cheaper than the competition's products. There is a good chance that European companies will offer those Chinese mobile phones. The competitive pricing forces you to do business with that company. The contractor may be little more than a box pusher who outsources technical support to the manufacturer. And before you know it, you not only have Chinese equipment in your organisation, but also the accompanying Chinese personnel. Both the equipment and the maintenance technician may do things that were not included in your package of requirements, but are included in those of the Chinese government.

You dutifully complied with all the rules, but in doing so you brought in the Trojan horse with full consciousness. That's Kafka, upside down.

 

And in the big bad world...


2024-02-02

Ingredients

 

Image by author

Ingredients: white beans 61%, water, tomato purée 16%, sugar, sea salt, natural vinegar, corn starch, natural herbal flavoring. Thus the back label of the jar, which on the front is called 'white beans in tomato sauce'. Does this product fit into a low-salt diet? I wouldn’t know, because luckily my health doesn't have to worry about that. But if it ever becomes necessary, I would like to read on the label of any product whether it contains salt, and preferably how much.

It's purely a coincidence that I'm back in the canning business just like last week - I'm not considering switching to that industry, nor have I been asked to promote their products (eat fresh vegetables, people!). But I'm a fan of metaphors, and a jar of vegetables turns out to be a rewarding object.

Usually you won't care what else is in a jar of white beans in tomato sauce besides white beans and tomato sauce, unless you have a specific reason, such as a doctor's recommendation. And then you're happy that it's all on the label.

And what do you know? It’s just the same in ICT. As long as everything goes well, no one cares which programming language, which framework and which libraries are used, which open source components are included or which platform the system runs on. But when word starts circulating that a certain, widely used ingredient contains a serious vulnerability, you all of a sudden want to know whether that ingredient is in your systems. Because you want to switch to a low-salt diet if necessary, or you want to replace the sea salt with regular table salt, or perhaps you need to switch - temporarily or permanently - to green beans.

For ICT, what the label is for foodstuffs is the SBOM: the Software Bill of Materials, the list of components that are incorporated into the product. When it was announced in December 2021 that Log4j contained a serious vulnerability, the world was in turmoil. Log4j is like a type of salt that is used in many products. If one day you hear that contaminated salt has been used, as a manufacturer you immediately want to know which of your products contain that salt, so that you can recall the right products from the supermarkets and stop your production process until you have a shipment of clean salt.

I recently learned that the administrators of some systems assume that Security knows which components are in which product and will alert them if something is wrong with one of them. But of course it doesn't work that way. The Food and Consumer Product Safety Authority doesn’t know which canning factory products contain salt either. They can only sound the alarm if a bad batch has been delivered. It is then up to the manufacturer to determine which products the salt may have ended up in and to take the correct measures. It is the same with us, in IT. Security knows if something is wrong, but the administrator needs to know whether his system is affected and whether he needs to take action. Of course, coordination will always take place in major situations, but you remain responsible for your own system.

The attentive reader may have noticed that above I always talked about systems and products, while the s in SBOM stands for software. But why limit an ingredients list to software? Hardware components can also be vulnerable, as Meltdown and Spectre, both vulnerabilities in certain CPUs, made painfully clear in 2018. Of course you want to know whether you have equipment that contains the vulnerable processors. Well, fortunately there is also such a thing as the HBOM: the Hardware Bill of Materials. Ideally, you would like to see all the components in there, down to the smallest chip. I just don't know whether manufacturers would be happy to cooperate, because competitors are of course reading along. That does not necessarily have to be a problem, if you can rely on the manufacturers having their BOMs in order and also having linked their customer base to them and that communication is well organized. You can agree all this contractually. In your CBOM.
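The "which of our products contain that salt" question from the SBOM paragraphs above, answered over constructed CycloneDX-style SBOMs, as an added example that is not part of the original post: Security supplies the advisory, the administrator runs it against the SBOMs of his own systems and gets the recall list. The product names, the component versions and the affected version range are placeholders made up for this example, not data from a real advisory.

```javascript
// Constructed SBOMs, one per product, in the shape of CycloneDX JSON
// (metadata.component names the product, components lists its ingredients).
const SBOMS = [
  { bomFormat: 'CycloneDX', metadata: { component: { name: 'webshop' } }, components: [
    { group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.14.1' },
    { group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: '2.13.0' },
  ] },
  { bomFormat: 'CycloneDX', metadata: { component: { name: 'payroll' } }, components: [
    { group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.17.1' },
  ] },
  { bomFormat: 'CycloneDX', metadata: { component: { name: 'kiosk' } }, components: [
    { group: 'ch.qos.logback', name: 'logback-classic', version: '1.2.11' },
  ] },
];

// Placeholder advisory: the affected component and a half-open version range
// [affectedFrom, fixedIn). The boundaries here are made up for the example;
// in practice they come from the vendor's advisory.
const ADVISORY = {
  id: 'ADVISORY-PLACEHOLDER',
  group: 'org.apache.logging.log4j',
  name: 'log4j-core',
  affectedFrom: '2.0.0',
  fixedIn: '2.15.0',
};

// Numeric dotted-version comparison, returning -1, 0 or 1. Sufficient for
// plain x.y.z strings; pre-release suffixes such as "-beta9" are not handled.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isAffected(component, advisory) {
  if (component.group !== advisory.group || component.name !== advisory.name) return false;
  return compareVersions(component.version, advisory.affectedFrom) >= 0
      && compareVersions(component.version, advisory.fixedIn) < 0;
}

// The recall list: every product whose SBOM contains an affected component.
function affectedProducts(sboms, advisory) {
  const hits = [];
  for (const sbom of sboms) {
    const product = sbom.metadata.component.name;
    for (const c of sbom.components) {
      if (isAffected(c, advisory)) {
        hits.push({ product, component: `${c.group}:${c.name}`, version: c.version, advisory: advisory.id });
      }
    }
  }
  return hits;
}

console.log(affectedProducts(SBOMS, ADVISORY));
// -> [ { product: 'webshop', component: 'org.apache.logging.log4j:log4j-core', version: '2.14.1', advisory: 'ADVISORY-PLACEHOLDER' } ]
```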

 

And in the big bad world...
