Archives for posts with tag: security

A few years ago I was approached by someone with an intriguing question: would it be possible to restrict access to a website based on your current location? The person who asked me was busy with a project in a neighbourhood close to where I grew up. Part of it is a national monument. The neighbourhood association wanted to revive the history of the neighbourhood by creating a web page for every house in it. To also restore some of the community spirit, they didn't want to just set up a universally accessible website. Instead they wanted to create a page you could only visit if you were actually standing in front of the house. This would invite people to walk around in (their own) neighbourhood, visit the web pages linked to certain houses, and in the process get in contact with the current inhabitants. The reason I blog about it is that they officially launched the project (and the corresponding website) last Friday. And unfortunately I couldn't be there…


I was interviewed on Dutch national radio this weekend, to talk about the upcoming NCSC One and GCCS conferences. Both deal with cybersecurity (and a little privacy as well). During the interview, after talking about how complex the world has become, how increasingly dependent we have become on computers and the internet, and how hard it is to make systems secure, they asked me whether the situation wasn’t basically hopeless. I answered that it depends who you ask, and on the mood the person is in. And this got me thinking…


There is a new version of Signal out for iOS that now includes the TextSecure messaging protocol. This means there finally is a free, open source messaging system that allows users on both Android and iPhone to exchange messages securely (and also make secure phone calls, by the way). This is a big deal, and I am really happy about it. What I am really upset about, though, is the horrible user interface of Signal on iOS.


The Dutch government has been working for several years on a new eID scheme (an electronic form of online identification) to replace DigiD. That is badly needed, because DigiD is vulnerable, which can lead to serious damage. Under this pressure, and because market parties did not support the original plans for the eID scheme, the government recently chose a different course. The eID scheme will become an extension of eHerkenning (an online identification system for businesses) and will be called Idensys. In my view that is not only a step backwards (eHerkenning is based on outdated and relatively insecure concepts), but even a step in the wrong direction.

The original plans for an eID scheme


The other day I bought something in an Apple store. They used an iPhone with a special case that included a barcode scanner as a cash register. When I gave the cashier my chip-and-PIN debit card, she inserted it in the card reader slot of the case. She then handed the phone over to me to approve the transaction. For a moment I was afraid I had to enter my PIN code on the iPhone screen (that would have been totally insecure). But she turned the phone upside down, which revealed a PIN pad and a small LCD display on the back of the case. I was surprised, suspicious even, and wondered: was this really any more secure?


The Heartbleed bug in OpenSSL, a software library used to secure many websites, allows an attacker to trick such a website into sending back up to 64 kilobytes of whatever happens to be in the server's memory, and to repeat this as often as he likes. In this blog post I will argue that the way this bug was disclosed has greatly increased the damage it causes.
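To make the mechanism concrete, here is an added simulation in C of the heartbeat handler before and after the fix. This is not OpenSSL's code and not part of the original post: the record layout follows RFC 6520 (a type byte, a two-byte payload length, the payload, and at least 16 bytes of padding), while the memory arena, the secret string placed behind the record and all function names are constructed for this example.

```c
/* Added example, not OpenSSL's code: a simulation of the Heartbleed
 * over-read and of the bounds check that fixed it. The memory arena
 * and the "secret" behind the record are constructed for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Simulated process memory: the received heartbeat record sits at the
 * start, and secret data sits right behind it, the way keys or session
 * state may neighbour a network buffer in a real process. */
static unsigned char arena[256];

/* Write a heartbeat request carrying `payload` into the arena, with the
 * attacker-controlled length field set to `claimed_len` regardless of the
 * real payload size. Returns the length of the record as received. */
static size_t build_record(const char *payload, uint16_t claimed_len) {
    size_t plen = strlen(payload);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, plen);
    memset(arena + 3 + plen, 0, HB_PADDING);
    size_t rec_len = 3 + plen + HB_PADDING;
    const char *secret = "SESSION=deadbeef;PRIVKEY=-----BEGIN RSA-----"; /* constructed */
    memcpy(arena + rec_len, secret, strlen(secret) + 1);
    return rec_len;
}

/* Shared echo step: trusts the length field and copies that many bytes
 * from the payload pointer into the response. Safe only if a caller has
 * already checked that the claimed length fits the record. */
static int echo_payload(const unsigned char *rec, unsigned char *out, size_t out_cap) {
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (3 + (size_t)payload_len + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len); /* reads past the record if the field lies */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return payload_len;
}

/* Vulnerable handler: never looks at how long the record really is. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t out_cap) {
    (void)rec_len; /* ignored: that is the bug */
    return echo_payload(rec, out, out_cap);
}

/* Fixed handler: the claimed payload, header and padding must fit inside
 * the record actually received; otherwise the record is silently dropped,
 * as RFC 6520 requires. */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t out_cap) {
    if (rec_len < 3 + HB_PADDING) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (3 + (size_t)payload_len + HB_PADDING > rec_len) return -1;
    return echo_payload(rec, out, out_cap);
}

static int contains(const unsigned char *buf, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

#define CLAIMED_LEN 60 /* the attacker claims 60 bytes for a 2-byte payload */

/* 1 if the vulnerable handler's reply carries the secret from beyond the record. */
int vulnerable_leaks_secret(void) {
    unsigned char resp[256];
    size_t rec_len = build_record("hi", CLAIMED_LEN);
    int n = heartbeat_vulnerable(arena, rec_len, resp, sizeof resp);
    return n == CLAIMED_LEN && contains(resp + 3, (size_t)n, "PRIVKEY");
}

/* 1 if the fixed handler drops the same lying record. */
int fixed_drops_record(void) {
    unsigned char resp[256];
    size_t rec_len = build_record("hi", CLAIMED_LEN);
    return heartbeat_fixed(arena, rec_len, resp, sizeof resp) == -1;
}

/* 1 if the fixed handler still echoes an honest 2-byte request. */
int fixed_answers_honest_request(void) {
    unsigned char resp[256];
    size_t rec_len = build_record("hi", 2);
    return heartbeat_fixed(arena, rec_len, resp, sizeof resp) == 2
        && memcmp(resp + 3, "hi", 2) == 0;
}

int main(void) {
    printf("vulnerable handler leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed handler drops record:      %d\n", fixed_drops_record());
    printf("fixed handler answers honest:    %d\n", fixed_answers_honest_request());
    return 0;
}
```

The point the simulation makes is that the leaked bytes are not chosen by the attacker: the handler simply keeps copying from wherever the record happens to sit in memory, so each request returns whatever neighbours that buffer at the time, and repeating the request harvests different pieces of it.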


Last Thursday De Correspondent published a fine article by Maurits Martijn about how easily you can hack users of public wireless networks. And so find out which websites they visit, which other wireless networks they have previously tried to connect to (and hence where they have been before), and even recover their passwords. The worst part is: I have actually known this for years, but had never really grasped how serious it is. (Sometimes you are so close to the subject that you momentarily lose sight of its essence.) And frankly, it is quite serious…
