Flying carpet

 

Image from Pixabay

On a drizzly Friday afternoon, one of those we've had so much of lately, the carpet ordered would be delivered. A showpiece for his new house, with a modern motif, no less than three by four meters in size. Just a little too big to take with you in the car, but luckily Ikea offered home delivery. And you don't have to count the screws this time, sir, and there is no Allen key either.

But in the course of that afternoon an email came in from “Post”. Subject: delivery issues. Content: “The product you ordered is still in our distribution center. You must first pay € 3.95 for customs duties. Click the button below to reschedule the delivery.” Payment had to be made by credit card. That was the point where our carpet enthusiast dropped out - if he could have paid with iDeal (a well-known payment system in the Netherlands), he would have done it, just to get rid of it quickly.

Now, however, he was going to call Ikea. There they told him that the message had not come from them and that the carpet would be delivered as scheduled. Exactly during that conversation, in which both sides quickly concluded that it must be phishing, another email arrived. This time it also mentioned an order number, which did not match the number of the carpet ordered.

The next day, both emails had miraculously disappeared. An unpleasant feeling came over our Ikea customer: had someone hacked his email account, seen the order and acted on it cleverly? Or was the retail chain perhaps hacked, or was there even a mole at the Swedish company who sold order data to cyber criminals? We'll probably never know - unless there are a ton of reports like that and the email provider or the store investigates and publishes the findings. But companies still tend to be quite introverted about such things.

I don't think any of these scenarios played out. Because that's how phishing works: you have ordered something and at exactly the right moment you receive a message that could very well apply to that order. Had you received that same message a few days earlier or later, you would have shrugged and ignored it. They use the shotgun approach, because it costs nothing anyway. And they always hit a few people for whom their message does have meaning entirely by chance.

What were the red flags, the signals that this could or should be phishing? To start with, the sender: not Ikea, not even PostNL (the Dutch postal service), but Post. I don't know a parcel delivery service by that name. Then Ikea was not mentioned in the entire post; usually the name of the sender is always mentioned in communication from a delivery service. And why customs duties? The carpet had been ordered in the Netherlands and there had never been any question that it would be sent directly from a carpet-making country. And then of course that order number, which had nothing to do with the rug. Plenty of red flags, I'd say.

After hearing this account, I started asking questions. First of all: have you already changed your email password? That is always the first thing you do if you have the slightest suspicion that someone has access to your mail. Your mail account is your most important account, because almost all “I forgot my password” procedures go through your mail. In other words: whoever has access to your mail can gain access to many other accounts. Next question: both emails have disappeared, but do you still have the web page in the browser? It wasn't there anymore, but it was still in the browser history: onlinecamp[.]top. The e.Veritas URL checker classifies this site as unsafe, and that “.top”, the so-called top-level domain (such as .com and .net) is special. In the internet administration, the target market is “general” and it is registered to Jiangsu Bangning Science & technology Co. Ltd., a Chinese domain registrar – a company where you can register your own internet domain. You can therefore reasonably assume that a link that ends with .top (possibly with “/abracadabra/xyz/etc”) will take you to a Chinese website. Ask yourself if you really want to go there.

So much effort to collect € 3.95? No. Payment had to be made by credit card. If you enter your details on their fake site, the criminals have your credit card details, which they can use to make a multiple of that amount disappear. Fortunately, that did not work out this time and the carpet looks nice.

 

And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

• phishing does not always contain a link or an attachment nowadays.
• a British supplier of tools for criminals goes behind bars for a long time.
• this legitimate app suddenly got a new function.
• a poorly tested update can wreck your device.
• Chinese state hackers hack Kenya, presumably in relation to debt.
• you can’t share your Netflix password anymore.
• a British IT worker hijacked a ransomware attack on his employer.
• US authorities have published an update to their StopRansomware Guide.
• Facebook’s parent company Meta has to pay a huge fine for sending data from European users to the US. [DUTCH]
• Fingerprints can also be brute-forced.
• ransomware for charity is a new thing.
• Spain wants to ban the provision of end-to-end encryption in Europe. [DUTCH]

 

Misjudged

 

On October 22, 1895, the train you see in the photo left Granville on the Normandy coast at a quarter to nine in the morning with destination Paris. As the crow flies, that is about three hundred kilometers (186 miles), which takes a modern train three and a half hours. At the time, the journey took an entire day.

At 3:55 p.m., the train rumbled into Paris, but it was several minutes late. The very experienced driver, Guillaume-Marie Pellerin , thought that he could partly make up for this delay by braking only at the last moment. But this time, the brakes failed and the train crashed through the buffer and glass facade of Paris-Montparnasse station, where it came to a stop, as the photo shows, in an unreal position. There was one fatality to regret. Marie Augustine Aguillard wasn't even a passenger on this train – no, she was minding her husband's kiosk at the Place de Rennes for a while; he had gone to get the evening papers. She was killed by falling debris.

The American George Westinghouse had invented a brake based on compressed air some twenty-five years earlier. The brake engages when the air lines are deflated and will not release until a compressor has repressurized the lines. Because each carriage has its own brake, the entire train is braked. That system seems inherently safe: if something breaks, the pressure drops and the brakes kick in. However, on this train the Westinghouse brake failed anyway, and the brakes of the locomotive alone could not stop the train in time.

Engineer Pellerin took a risk. Has he thought carefully about what could go wrong and what the consequences could be – precisely at this location, a terminus? His train's inherently safe brakes gave Pellerin enough confidence to brake a little later than usual. If he had looked just a little further, he might have thought that if the brakes failed, it could have disastrous consequences in this very spot.

Risk is often expressed with the simple formula Risk = Likelihood x Severity. We often do not calculate with numbers, but with estimates: small, medium, large – both left and right possibly flanked by 'very'. The formula shows that an event, which is unlikely to occur (Westinghouse brake failure), can nevertheless lead to a high risk, because the expected consequences are very serious (deaths and injuries). The limits of the risks you want to take are determined by your risk appetite. Adventurous people have a greater risk appetite than cautious people, and manufacturers of hip technology products take greater risks than a government organization, just to name a few extremes.

You yourself also perform risk analyses every day, for example when you cross the road. You make an assessment of whether you will make it before that car reaches you, and you mainly look at the distance and speed of the car, and how well you are on your feet. But do you also consider the possibility of tripping? Do you still have enough time to get away, or does the driver have sufficient reaction time and is his braking distance long enough? We usually don't think about such a scenario, probably because it usually goes well. And that was precisely Pellerin's problem. It cost him a fine of fifty francs and two months of suspended prison.

Do me a favor and take care crossing the street when you go out later.

There will be no Security (b)log next week.

 

And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

• the FBI hacked Russian state hackers.
• this security company is very open about an attack on their systems.
• the British plead for more transparency in cyber attacks.
• Rian van Rijbroek's husband seems to be quite confused himself.  [DUTCH]
• you should watch out for fake windows updates. 
• you should also watch out for malicious QR codes.
• the emergence of AI and the possibility of cloning on the fly may lead to additional legal protection for individuals.  [DUTCH]
• YouTube is experimenting with banning ad blockers.
• many Dutch people can protect themselves better than they do now.  [DUTCH]
• phishing is the main form of cybercrime that citizens have to deal with.  [DUTCH]

Half a payment

 

Image from author

A beautiful ring with the well-known Greek blue eye and a bracelet. That was my daughter's loot in that nice little shop in Neos Marmaras. When paying with her card, the shop lady noticed that the payment had not been successful. Well then, good old cash to the rescue. A little later, the transaction was actually visible in the bank's app. That was the beginning of a curious series of events.

We were still in that village and of course we went back to the store. The shopkeeper was visibly shocked and immediately went to check both her PoS terminals. Look, she said, nothing. I saw some Greek letters on the displays, which could mean anything, but her words and facial expressions were convincing. Moreover, as we only noticed then, the ING app stated 'reservation' with the amount. We came to the conclusion that it would be fine.

A day later, the transaction was still in the app, but now without 'reservation' added to it – the money was now really gone. Oh dear. What now? I called the bank and explained the situation. The gentleman who spoke to me could see what had happened, but he couldn't help me. I would have to go back to the store and explain it there and ask for my cash. Well yes, I protested, that shop is not in our village, I would have to drive all the way there again. Then maybe call them? The telephone costs could be higher than the amount in question. Anyway, the ING gentleman couldn't do anything for me.

Wait a minute, I said; a bank transaction must either succeed or fail, but not something in between. Isn’t it unthinkable that a PoS says that the payment has failed, and that the payment is then made anyway? No, he agreed with me. But he still couldn't do anything for me. I mentioned that I wanted to make a complaint about this and asked him what would happen next. He could only write down the complaint and pass it on, otherwise it was out of his sight.

What to do? We are talking about an amount of just over two tenners – money from my teenage daughter, so a relatively large amount. That shop was about a twenty-minute drive from our stay, which was doable. And so we went there again that evening. Fortunately, the same lady was in the shop and she asked what was wrong right away. She called in her boss (from the store across the street), who let me take pictures of the PoS's printouts, which showed that no transaction had taken place for that amount. She even let me take photos of her banking app, which also showed no sign of my daughter’s payment. The attitude and helpfulness of this lady convinced me that she was in good faith.

That was Friday night. On Monday she would immediately call her bank to inquire, and then she would contact me by email. But on Saturday morning, when we were already on our way home, we noticed a strange entry in my daughter's account: 'PoS reversal payment'. The money was back! But how? Did an automated process take place here, whereby the Greek bank and our ING together established that there was 'half' a transaction? Or did someone from our bank get to work in response to my complaint? I can hardly imagine the latter, especially because of the timeframe (weekend). But I have not (yet?) received any feedback on my complaint.

In information security we talk a lot about the aspect of integrity. In our context, this concerns the correctness and completeness of data and processes. Nothing may change unjustly and everything must be complete. In the above story, that integrity was violated: money had disappeared from my daughter's bank account and that money had not arrived anywhere. Such a transaction should be binary: right or wrong. It can't be half. I hope someone from the bank will explain to me how this could have happened. Or maybe someone from the banking industry in my network (are you reading along, Oscar?).

The blue eye, which is on the purchased jewelry, is a symbol in Greece to avert disaster. That eventually worked. Not that I'm superstitious, though.

 

And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

• many victims of ransomware are attacked again.
• malware masquerades as ChatGPT.
• not only the cloud, but also AI is just someone else's computer.
• you can now log in to Google more easily and more securely.
• you will receive security patches for your Apple equipment faster from now on.
• T-Mobile in the US recorded the second data breach of this year.
• earphones can also have a security vulnerability. [DUTCH]
• the Dutch police will remain active on TikTok, but on dedicated equipment. [DUTCH]
• In the fight against phishing/smishing, the Dutch Tax Administration now sends text messages to entrepreneurs themselves (without a link, of course). [DUTCH]

 

On the backside

 

Image from Pixabay

Alarm! Nine viruses were found on a user's laptop! The virus scanner actually had too little information about a few of those infected files, but about several others it reported: we have already seen this file with hundreds of customers and we are pretty sure that the file is unreliable. Fortunately, the scanner has quarantined the files and they can no longer do any harm. The fire was extinguished before it could really break out.

We usually do not lose sleep over these types of reports; we see them dozens of times a week and they are neatly handled automatically. Exactly as a virus scanner should do. 'Virus scanner' is a somewhat old-fashioned name, which I only use here because it is commonplace. 'Malware scanner' is already better, because the term encompasses more than just viruses: malware is the contraction of 'malicious' and 'software'. In addition to computer viruses, the term malware also includes keyloggers (which secretly record your keystrokes), spyware (collects information about you), and backdoors (allow a hacker to illegally access your system), to name a few. Vendors nowadays like to talk about an 'endpoint protection platform' and by that they mean the protection of all end-user equipment in an organization – not just laptops, but also tablets, smartphones and printers, for example. The computer industry likes old wine in new bottles.

Anyway, for one reason or another, those nine reports caught the attention of a colleague, who decided to call the user in question. The reports implied that the infected files were on a USB device, but the user claimed, hand on heart, that he did not have a USB stick in his laptop. After some further questioning, it turned out that he had connected the laptop to a screen at home via a KVM switch (with a KVM switch (Keyboard, Video, Mouse) you can connect several computers to one screen, keyboard and mouse; you can easily switch between the different computers). But there was no USB stick in that KVM switch either. Finally, after some research, it turned out that the screen itself also had a USB port, and there the virus-infested USB stick was sitting.

The incident nicely illustrates that the truth is not always on the surface. If you were to rely solely on the information provided by the scanner, you would conclude that there is a USB stick with infected files in the laptop. And if the user says that's not true, you don't believe him. Whereas in this case the user was in good faith and patiently cooperated to assist my tenacious colleague. Unfortunately, we don't know how that infected USB stick got into the monitor.

There is one other thing that needs attention here. There are quite a few devices that have USB ports. Traditionally we know them from computers, but screens can also be equipped with them, and our TV, which is connected to the Wi-Fi network, also has a few. With these types of devices, they are usually located at the back and are therefore out of sight. This offers opportunities for people with less good intentions: in an unguarded moment they can simply insert a USB stick that contains software that you would rather not have at home. Now the employee in question was not authorized to use USB sticks, but the USB stick was seen by Windows.

It calls for vigilance. Do you always know exactly where you connect your laptop? And what's behind that, and what's on the backside? What do your housemates do with equipment that you also use for work? It can do no harm to make them aware that USB sticks can contain malicious files and that they should always be scanned before opening the files. This is not only in the interest of you and your housemates as private users, but also in the interest of your employers in the case of shared use of equipment. Everyone in the house should take that into account.

There will be no Security (b)log next week.

 

And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

• Of course there is also malware for your Mac.
• a supply chain chain reaction has taken place.
• China spies on us on a large scale, including digitally. [DUTCH]
• the British fear spyware and hacking mercenaries.
• the Dutch Football Association is struggling with a ransomware attack. [DUTCH]
• routers also need to be cleaned before they are scrapped.
• cybercriminals trade in stolen accounts for ChatGPT.
• employees put confidential company information in ChatGPT.

 

A year without internet

 

Image from Pixabay

It was a pleasant spring day, that April 14, 2022. Sunny, light wind, twenty degrees (68 °F). But the day started foggy. Not only from a meteorological point of view, also digitally. At 7:53 am the internet started to malfunction. An hour later all screens were black. Worldwide. That was a year ago. The internet is still broken, despite all the smart cyberheads who have weighed in on this. We've been thrown back, cyber-wise, to the floppy era.

Could such a horror scenario ever materialize? At the risk of the wish being father to the thought: I don't think so. After all, the internet is designed to survive the failure of part of the network. It has no all-important component that, if it fails, shuts down the entire Internet. The design has a military background, where availability was of the utmost importance, and this mechanism is of course also very useful in civilian society. Despite the improbable nature of this figment of my imagination, I would like to pretend that the first paragraph actually happened for the duration of this blog. In terms of information security, you could say dryly that there is an availability problem. That's nice, but that observation won't help you much if you can't pull out a recovery plan that lives up to its title.

I try to comprehend what the prolonged absence of the internet would mean. Let me take a look at myself first. For starters, I wouldn't be sitting at my desk at home right now, but in the office. Five days a week. Because working from home without internet is not possible. Well, of course I could write a blog or a memo, save it on my laptop and put it on the intranet at the office (sorry external readers, no blog for you). But that online meeting that I had this morning, that really couldn't have been done. I would have cycled to the office through the cold spring sun. Speaking of cold: without the internet I really wouldn't have known what the weather was like a year ago, and I couldn't have started this blog with the weather report from then.

It's fifteen minutes by bike for me and I find my office blindly, but suppose I had to go to an unknown destination. Would my navigation have worked? Yes and no. GPS is separate from the internet; it comprises a bunch of satellites in orbit and an antenna in my navigation device that picks up the signal from those satellites. So I know where I am and which way I'm going. However, without internet I have no current maps. If I'm lucky, the necessary maps will be in the system. If not, I have to provide the coordinates to tell the system where I want to go. But how do I find out? And I miss up-to-date traffic information anyway, so I may end up in a big traffic jam and arrive too late at my destination.

Well, I still have some old paper road maps lying around somewhere and the signposts haven't been abolished yet either; I would find my way completely without electronics. For digital natives – young people who were born with a smartphone in their hands, who don't even realize there was ever an internet-free era – analogue navigation could be a big challenge. They don't even know how to unfold a map, so to speak, and they see right through signposts.

The demand for many types of personnel would explode. Webshops no longer work - you have to go to the store for everything, which means that they need more staff. Fortunately, there are suddenly many redundant people at the distribution centers of large webshops. The tax return has to be on paper like in the old days, and all that paperwork has to be processed manually. Where do you get so many well-trained tax officials? If I want an appointment at the dentist, the barber or a restaurant, I have to call – fortunately we have not yet shut down our telephone networks under the guise of “there’s Skype and WhatsApp, who needs POTS?” (Plain Old Telephone System).

Travel agencies would shoot up like mushrooms. Because we can no longer book a nice holiday from our easy chair. You have to plan your holiday well in advance, because the travel agency has to send a paper application to the tour operator and in the meantime you have to keep your fingers crossed, because the travel agency cannot check availability online either.

And my work? That continues. Because luckily we have our own large data center, in which the systems run that our own army of IT specialists makes and maintains. We have years of work to do on that. Because security is a process, right? We throw all our energy into this job, without distraction from external emails and social media. And we only hear the news of the day in the evening, when we watch the news via the hastily restored analogue cable TV.

Well, I'm going to drop this blog in de pillar-box.

 

And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

• smaller pieces of internet regularly fail for shorter or longer periods of time. [2 different articles.]
• you can see at a glance what is broken, and for how long, here.
• things are not so good for phishers in the Netherlands. [DUTCH]
• the impact of encryption on policing cannot be determined. [DUTCH]
• DdoS criminals have already had enough of IoT devices, they are moving to cloud servers.
• criminal service providers put your rogue app in Google Play for a few thousand dollars.
• you should hope that you never have to have a computer or smartphone repaired. [Ignore the commercial message at the end of the article; the story itself is relevant.]
• Artificial intelligence poses a threat to digital security.
• long passwords are more important than ever in the AI era. [Please note: I disagree with advice No. 2 in this article, and No. 3 is shaky.]

DPSTAP

Image from Pixabay

Every ICT specialist knows that, if you have made or changed something, you first have to test whether everything (everything!) still works. In a professional environment we have a multi-stage mechanism for this, which we cherish under the abbreviation DTAP: Development, Testing, Acceptance, Production. This week I heard a variation on this abbreviation that first made my ears pop and then put a big grin on my face.

That variant is DPSTAP and that stands for: Development, Production, Shit it doesn't work, Test anyway, Acceptance, Production. I heard this during a risk analysis. In a session like that we discuss what can go wrong and how bad that is, and one of the regular topics is: someone makes a mistake, what measures have been taken to ensure that this is discovered in time and therefore can cause no damage? In all the risk analyses that I have supervised so far – and there are quite a few – those present triumphantly shouted in unison on this point: DTAP!

And that was really all said. We develop something, we do a thorough test, the customer does an acceptance test and only when everyone is satisfied the new system or new version can go into production. If errors still come to light, the product goes back to the development phase. A solid working method that is in the DNA of all IT professionals and that is so self-evident that we rarely ask ourselves whether a team really works in this way all the time. Or whether shortcuts are taken, once in a while or perhaps even structurally.

That is, until this week. After all these years someone finally dared to say that apparently sometimes a makeshift path is followed – and not even necessarily with himself, I think. It couldn't be any other way, really. I do realize that the pressure to deliver on time can sometimes be so great that you have to make a choice between being ready on time or following the official route. If you opt for the former, as a conscientious employee you will then have to wait a few days or weeks to see if everything continues to go well, biting your nails.

The more you use such a shortcut, the easier it may become. And then it could become risky. You might find yourself on a slippery slope to heedlessness, perhaps even indifference. In an organization as large as ours, I cannot rule out the possibility that there may be some colleagues who have never been at the top of a slippery slope, who naturally always choose the easiest path. I know a lot of colleagues, and I haven't met one yet who made me think: there's one of those. But statistically I can't rule out that they are around. Perhaps they are kept in the lee of their team and, for example, are not appointed to participate in risk assessments and other activities in which I am involved. To these people – and to their managers – I want to say: straighten your back, stand by your craftsmanship and make sure that you do not become a risk to our business operations yourself. You may need a (refresher) course. Or – be honest with yourself – different work.

I also learned from this. I'm getting stricter. Even more than now I will go on asking questions, even when I speak to colleagues who I know for sure are very committed to security. Do you really always do it this way, or do you occasionally do DPSTAP? If you dare to admit that, you will earn bonus points. Because you then state that there might be a risk somewhere, and we can only do something about it if we know it. It also marks the difference between running risks (which happens unconsciously) and taking risks (consciously and based on trade-offs).

Finally, a special greeting from this place to one of my most loyal readers: my mother. She turned ninety today. Congratulations!

 

And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

• you may be a victim of a global cybercrime case.
• a Dutchman lost a considerable amount of money because of this matter. [DUTCH]
• you can't afford to remain silent after a major data breach, the judge says. [DUTCH]
• April is Seniors and Safety Month, with a dedicated campaign website. [DUTCH]
• you should not use security tools for criminal purposes.
• Tesla employees shared footage your car took, and they joked about it.
• IoT device manufacturer Nexx has not understood the importance of security, making it easy to open garage doors anywhere in the world, for example.
• the government now has a toolbox for red teaming. [DUTCH]
• another toolbox steals credentials for eighteen cloud services.
• a hacked phone system steals passwords from browsers.
• Telegram is a marketplace for phishing tools.
• biometrics is not automatically safe a safe technology. 

Big numbers

 

Image from Pixabay

I love numbers. My watch shows my heart rate and how fast I'm running, the cycling computer knows where and how fast I'm going and the weather station not only shows the indoor and outdoor temperature, but also air pressure, precipitation amount, humidity and wind speed. I keep track of my sporting and financial performance in Excel sheets. For your reassurance: I will not let all these numbers rule me (except for the finances, that is); the numbers are there for me – not the other way around.

Sometimes you are presented with figures that shock you. For example, I have had a tracker blocker running on my phone for a while now. If any app or website attempts to collect my data, this app will block it. As my phone sits here and I do nothing with it, I see the number of blocked tracking attempts in the last seven days counting up. There are currently 63,849 attempts and they come from 31 apps. Do you why I’m shocked? By the way, there are already 63,855 attempts. While I do nothing.

What worries me even more is the list of apps trying to track me. The Ziggo* GO app is one of the busiest apps that want to know something from me. It's made 1,409 attempts so far – and that's for today alone (and it's just past 9am). The point is, I hardly ever use that app, and I certainly haven't used it in the last week. When I click through, I see that all those attempts in the Ziggo app come from Adobe. You know, that company of PDF files and Photoshop. But they are also active in the field of mobile app analytics. They explain what they do as follows: “Adobe Analytics delivers comprehensive analytics for mobile, web, and apps, plus unprecedented visualization and reporting capabilities, so product teams can quickly and easily drive optimal interest on mobile devices. Whether it's improving retention or increasing conversion, we provide the predictive insights to help you get the most out of your mobile investments.”

So Ziggo uses Adobe's services to track its customers. But what does all that tracking entail? I see a list of twenty items they would like to see. For example, my email address, zip code, GPS coordinates, various information about my phone and even the orientation of the phone (portrait or landscape). Another app I barely use is Reddit , and that app has, through Branch Metrics , already 431 attempts to its name today. And my calendar app DigiCal , which I do use often, has made "only" 243 attempts, but uses the services of two companies: Google and Facebook. I don't have a Facebook account myself, but Facebook does have an account about me. They want to track as many as 31 items, including sound volume, my gender, how much memory my phone has, accelerometer data (apparently they want to see if I'm on the move) and where I am. Google also wants to know how full my battery is. I can go on like this for a while. Nu.nl** uses no fewer than four trackers, all of which largely request the same information. PostNL*** attacks me with three trackers and they are just as busy as Ziggo.

And why all this? Adobe already revealed it: a lot of money can be made through advertisements, and the more targeted the advertisement, the greater the response. Don't bombard me with ads for diapers, instead hit me with gadgets. And in order to know what I like, you need as extensive a profile of me as possible.

On my phone, all of these tracking attempts are blocked by a feature in my browser, the DuckDuckGo Private Browser. DuckDuckGo is already known as a privacy-friendly search engine, but they also have their own browser on both Android and iOS. The protection against app trackers is still in the testing phase. Incidentally, the browser itself also has a few quirks and that currently makes it less suitable for near-computer illiterate people (real computer illiterate people do not have a smartphone). Numerous other blockers are available. As with all apps, you have to be careful not to get a Trojan horse: you don't want an app that promises to protect your privacy and then creates the biggest leak itself. I always look at the number of downloads and the reviews.

Recently angry farmers blocked our highways with their tractors and politicians and police apparently found it difficult to act against this. On the digital highway, you as a user have the option to block trackers****. My weekly counter is now at 64,159 and it feels good to have blocked all these attempts.

 -------------

* Ziggo is an internet, tv and phone company.
** Nu.nl is a Dutch news outlet.
*** PostNL is a Dutch postal company.
**** In the Dutch language, there’s a pun in this: a tractor is also called ‘trekker’, which has the same pronunciation as ‘tracker’ (if the latter is pronounced the Dutch way). I’m sorry that I couldn’t make the pun work in English.

 

And in the big bad world…

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

• we should not stare blindly at TikTok , because other apps also want to track us.
• French civil servants are no longer allowed to have 'recreational apps' on their work phones at all.
• the FBI simply buys tracking data from a company.
• the leaked Vulkan files provide insight into Russia's cyberwar plans.
• this EU report forecasts which cyber threats await us in 2030.
• it’s never wise to remain silent after a data breach. [DUTCH]
• medical equipment must finally be properly secured – at least, in the US.
• a fake Tor browser steals your bitcoins.
• British police have set up fake sites to catch cybercriminals.