Stay cautious and know your rights — our advisor Adrianus Warmenhoven speaks

In this interview, Adrianus elaborates on many topical issues and gives handy tips on how to secure your privacy and protect it properly online and in the physical world. He also speaks about the future of passwords, IoT threats, and the risk of oversharing. These are just a few of the topics covered. Read to find out more.

How do you think the role of VPNs will change in the future? And how do you see the development of VPNs in general? VPNs have a tendency to get increasingly multifunctional.

Regarding the role of a VPN, I think VPNs will become a more important part of the personal configuration. People are used to configuring their apps with themes, settings, and similar stuff. The part that hasn’t been catered to a person specifically is the networking part. Most network devices go through whatever users are connected to — 4G, an internet service provider, or a public Wi-Fi. Users have little control over their connections.

VPNs will give them that part of the control. It won’t just provide privacy — it will become part of users’ personal network experience. With NordVPN, we already have Meshnet, where I can connect with my friends, other people, or places. So the VPN will become a truly private network — I will have my network and connections with me. The role of ISPs will go back to transport providers and not so much connection providers, which they are now.

The other thing is the upcoming hard-fought privacy battle. We can already see law-enforcement laws being implemented in the US and Europe. So privacy will clash with law enforcement.

I came upon an article you wrote a few years ago about complexity vs. lethargy. I liked its main idea. The topic is still relevant today. What kind of threats does this consumerist approach introduce to users constantly buying new devices?

The problem is that we have this “time to market” aspect. This aspect decreased the quality of designs of the products we use. Just walk around your room, and you will find cheap items, not of high quality, but you only need them a couple of times.

Yet we also want new features in devices. We don’t even use them after buying them for a couple of euros. And we don’t care about the implications. We don’t care that it needs some upkeep. The hammer doesn’t need much maintenance — it’s a tool that works. A mobile device is also a tool, but it requires a lot of upkeep to keep you safe. And most people just don’t care.

Yes, I strongly agree. I think we’ve got a similar situation with IoT devices.

I have many IoT devices at home and a separate network for them. It gets me back to this “time to market” concept. Many IoT devices now use the cloud because the cloud is easy to develop and update. These devices are selling so much data about my house. For example, my Roomba sells my detailed floor plans to some companies in China. They probably know more about my house now than I do because I don’t go to some corners where my cleaning robot goes.

But we also have the cameras. I did one experiment where I showed that I could see if somebody was at home or what they were doing just by looking at the volume of traffic on their Wi-Fi. You can see if somebody switches on the smart lights, if a television is on and whether it is synced with their Spotify. If burglars professionalize the collection of such data, they won’t even need to check if you’re at home physically — they can check your home’s Wi-Fi and see whether you are at home or if there’s a visitor.

They can even see, and I’ve shown that in my experiment as well, if the neighbors are getting awake from the noise you’re making because mobile phones have a different traffic pattern when they’re in sleep mode, when you put them on their faces next to your bed, or when you’re not using them. One of the patent applications we had at NordSec was about adding a VPN so that no one could see those traffic patterns. So if you use a VPN, a protected device transmits the same type of traffic, and there’s no way to see if somebody is awake or at home.

But with IoT devices, there is a bigger problem because most people buy them as cheaply as possible and don’t update them. They usually give no warnings when you need an update. I only know when to update my Roomba when I pick a special mobile phone I use only for IoT stuff. Most people don’t do that. The same goes with smart doorbells and window shutters, with just about everything you have as IoT in your home. The updates are really bad, and so is their software.

There is also another issue I had with IoT. I have this smart television. And what you do with smart television is linking your Netflix, Spotify, Hulu, or Amazon with it. But my television’s display broke. No problem. I can buy a new one. But I remembered that it is not safe to put the broken TV into a so-called environment station, where you should bring your disused electronic equipment to recycle because it still has all my credentials. And there’s no way for me now to remove them. If criminals start to understand this, they can give people 50 EU for all the credentials they can lift from televisions in recycling stations. A person can easily disassemble a television set and steal credentials from it. I did that myself for my TV set to show how easily it can be done. You need to pull out the SD card to have all the credentials.

Moreover, it should be (I asked the European Government and my state representatives about it) a physical reset button on IoT devices. Many IoT devices don’t have factory reset buttons outside an app or software. It means many credentials are being thrown into landfills, and they will be a goldmine after a couple of years.

Are there any prospects of manufacturers taking responsibility or an increasing awareness of users?

In terms of manufacturers, it is simply getting worse. They do the bare minimum required by law to save costs nowadays.

The younger generation of digital natives understands that all these credentials are part of their digital identity. My generation grew up without the internet, so most people my age view those things as external tools. They don’t identify with their credentials. For them, they are like a key or a card.

The problem is that most of the management and decision-makers are still of the generation that became adults and started working when there wasn’t any internet available. Good things will happen when you get this paradigm change because you will have the younger generation in power. At the moment, we see that most of my generation instead make laws and agreements that are the opposite and still profit-fueled.

What would you suggest for an average user who has many smart devices? Are there any other measures to make your smart environment safer?

You should use a password manager next to a VPN. Also, don’t use one set of credentials for everything. Just use one set of credentials as a master credential for your password manager. And for everything else, create more contact-specific accounts — create more email addresses and login usernames that can be discarded just like the device itself. This is not an ideal solution, but it works. I’m using the same method. For all my devices, I have different credentials. Most IoT devices don’t have malware detection or prevention tools, so the multifunctionality of VPNs helps here.

You’ve already mentioned some of the stuff cybercriminals may be able to do in the future. Considering these aspects and the general cybersecurity landscape, how do you think cybercrime will evolve?

Cybercrime is a return on investment. I always say that these people on the other side have different life goals and objectives from us. But they’re smart people nonetheless. They don’t commit crimes because they want to give everybody the free malware experience. They just want to get something out of it. So as we protect ourselves, they will find another efficient way of breaching our security and still earn money from us. Currently, the easiest way to do that is by using ransomware — you block everything from somebody, they have to pay, and when the payment is made, they get everything back.

But we will see more and more hybrid crimes with physical implications. Because it has a camera and other stuff, my Roomba can probably tell you a lot about me. It can tell you if I have things that are worth stealing. So when ransomware isn’t as profitable, the next step could be physical burglary.

I also think we’ll have a lot of extortion. Just google “how to buy a used laptop,” and you will find out what you shouldn’t have on your laptop or the encrypted hard drive. So everything that somebody can use to pressure others into paying will be used. It’s not hard to imagine that you will get an email with a picture of your kids going to school with text like “Pay me now for protection.” I don’t like all those horrible things, but I can easily imagine what I would do if I were a criminal.

I had a tough discussion with a journalist from Wired 10 years ago. And we were talking about transatlantic internet cables. I told him I imagined cybercriminals would attack these cables in the future. And he was adamant that it was all James Bond stuff. We now see news articles where people are afraid of Russian specialized submarines cutting off internet cables. Everything you can imagine horribly will happen at some point because somebody will make a buck out of it.

The thing with cybercrime is that in Europe, people always think in terms of their ethics. But in other countries, the ethics are different. We can’t say those ethics are wrong — it’s just a different culture. And we must consider that we are pretty well-off, while people don’t have food and money in many countries. But they still have internet access, so they will do anything to get some cash. For example, in many multiplayer games, you have these farms in China where people grind their way for in-game stuff that they sell for real money. People would do anything to get money and food. You have to understand that.

Do you think that more well-off Western countries will be likely targets for cybercriminals?

Yes, because there’s more to get from there. I know that in India I can get a delicious meal for 16 rupees, which is about 1 euro. So I can eat for ten days if I can steal 10 euros from somebody, which might not be a lot for you and me.

What are the most common mistakes that users make and then, as a result, become victims of cybercrime?

Oversharing on social media. Well, I can look up all the security questions like “What’s your mum’s maiden name?” So if I want to hack you, I can research and find out who your mom is, what her maiden name is, and where she was born. Everything is online. We are sharing so much that it’s almost hard if you’re using one of the more powerful open-source intelligence tools not to find things that people don’t want publicly available.

I started an initiative called Digital Hygiene some time ago. I wanted to tell people that they should treat their online identity and behavior as their physical identity. But most people live in these big filthy online homes. Their physical house might be squeaky clean, but they don’t do the equivalent of sanitizing everything online. You brush your teeth every day because you don’t want your teeth to fall out. But you made it a habit, and you do it every day. People don’t have the same practices of updating or minimizing stuff they share. Oversharing is just like throwing your food on the ground and leaving it there till it starts to rot. I hope the new generation will, at some point, teach their kids to practice some digital hygiene.

The last thing I want to mention is people sharing copies of their identities, which is harder to prevent. This happens if you go to a hotel and they ask you for a copy of your passport. The problem is that you shouldn’t have to give the whole passport copy (most people don’t know it). You only need to provide the document number — that’s the only thing required by law. But because we don’t want to have the hassle of arguing with a hotel clerk at 9 PM, we let them go away and make a copy of our passport, which is now scanned and sits on some disc that we have no control over. That disc could be stolen, or the clerk can copy it to a USB stick and sell it on the dark web. We avoid standing up for our rights.

This is the same with cookies, your driver’s license, and your credit card. We don’t want the hassle. We try to avoid inconvenience. To prevent this, I use pre-made copies of my passport with the purpose and dates of the copy written on it. So when I’m at the hotel, and they say they need a copy of my passport, I pull a copy out of my backpack and show it to them, but I never give my passport to them to copy. Instead, they get a premodified copy of it, which has big large red letters transparent across the whole copy saying “Hotel XYZ” or something like that. So if it ever gets stolen, everybody will know where it’s stolen from. People should also understand that identity is the primary source of all of their value online. If I have your identity, I can go to your bank or crypto exchange or whatever, and if I can convince them that I am you, they will give me all the credentials.

That’s a good tip because when I check into hotels, I also give out my passport without thinking about the potential consequences.

Under European law, they are not allowed to walk away with your passport and make a copy. If you let them, you should check that they press the reset button on the copy memory. They should also allow you to write a text signature across the copy. Under European Law, they only need to check the document number of your driver’s license or passport. Most hotel clerks don’t know this, so you will have to argue. This is why I have a couple of prints with the European law, with those specific sections so that I can explain it to them.

Some hotels might be annoying and say, “Well, you can’t stay here.” Depending on your energy levels, you can argue further and say, “Let’s get the cops,” and it will be fun. So if you’re in for a spectacle, you can go that route. I’m always in for the game, but most people aren’t. This is why these laws are hard to implement. No government explicitly tells you, “Ok, if you go on holiday, do this, know your rights.” There’s nothing like that.

Only police, military, and banks can see your full passport or identity credentials under European law. Everybody else can only see your document number.

Troy Hunt also expressed this idea in an interview. He provided the example of buying alcohol — you don’t need to give your full document. All they need is a date of birth to know you’re an adult.

Many cigarette vending machines, at least in Germany, use your debit card to verify your age. It checks your age with the bank. They don’t even need to check your identity or anything like that. So Troy has a point with that. They don’t need to know who you are — they just need to know you are legally allowed to do this.

This is the data collection that we see very often. Initially, developers don’t know what they need to collect, nor do the product owners or their superiors. So they collect everything. We had this nice case with the Dutch post office, which collected everything about anyone. They finally got fined heftily because they had become a data collection goldmine. They only needed to know from whom the parcel arrived and where and to whom it needed to be sent.

When we use an online service or website, we usually need to provide a lot of info. For example, if you want to register at an e-shop, you must provide your full name, date of birth, and address. How can we avoid doing so? Should we fake our credentials? Are there any other ways a user could work around these requests?

Some users fake their data. But it’s not the proper way to do it. We should fix the system, not just try to find loopholes. There have been a lot of discussions about the decentralized ID and the European ID. I am skeptical about the implementation of that. The idea is nice and similar to all-out authentication. The site only checks with the European central ID and only gets the information they are allowed to have, and they need to state the purpose. But there’s a loophole in the GDPR that says that you can collect data about people if you have a justified cause. And this justified cause is described in just two sentences.

The problem with faking your identity is that it will not be you. But on some websites, it doesn’t matter. For example, on Twitter, I have no idea why they would need my identity except for permanently blocking me or law enforcement issues. Everything else is just me being a persona because most people aren’t their complete selves when they are on social media. They are just one aspect of their personality. So they only need data for this verification part. They only need to know if it’s still the same person connecting to this account. I don’t think faking would be a good idea, but it’s okay for now. But it is better to talk to your politicians, send them emails, and say that you want this to be different.

What do you think of passwordless login systems like biometric identification? Do you think they will improve our security or create additional threats?

They will improve it for a while because passwords have been milked so much and because they leave the choice to the users.

All of these methods — it doesn’t matter if it’s biometrics or a timed one-time password — all rely on the fact that I and the other side share a secret, and I prove to the other side that we have the same secret. This is basically how all authentication works.

Passwords work the same way — I know my passport, and the other side knows the secret, which is the same password. I send it over the wire, and I can prove that I know this password. Passwordless and biometric systems are just different ways of storing a secret. The problem with biometrics is that it is invariably tied to you as a physical person, not your online personas. So I don’t really like biometrics because they don’t give you the freedom to make online personas. You can only be your real physical self online.

The security part is all the same because it is the same cryptography whether you input your secret via biometrics or your IR scan. The only gain we have from getting away from passwords is that we’ve taken away the possibility for users to make dumb choices.

Are there any other ways apart from biometrics to replace passwords?

It makes it harder for criminals to gain access to these credentials by having private keys or, like I do, having a small card that goes into a device that handles a lot of identities. Besides passwords, there are many things, but most of these things, except biometrics, rely on the fact that you now need something physical to have with you. If you lose them, you’re in trouble. If I can gain access to it, I can be you. This is the danger of not having verification methods that rely on you remembering something unique. This is why I would be moaning about the demise of passwords.

I found an article about your work experience in Africa in the ’90s. I wonder, were there any cybersecurity measures back then? And if so, how were they different from the ones used in the West?

There weren’t any cybersecurity measures. I was building it. I was sent there with a router and a lot of money to buy a satellite dish. I had to make an internet connection via satellite. Only wealthy trade companies who still thought faxing was the way of sending orders could afford it. International phone conversations were costly, like 10 dollars per minute. To fax an order could easily cost you 20 dollars. As they had a lot of orders overseas, the price would accumulate. So they wanted to have the internet.

There was almost no cybersecurity, only the internet. A password to your server was the best thing you had. People still had to find vulnerabilities by reading the source code and then figuring out how to exploit them. It was not anywhere near the industry it is now. But people were just busy with building stuff.

I also ran a couple of ISPs. One of them was one of the biggest ISPs in the Netherlands. We saw that the culture changed as more users came. In the early ’90s, it was only scientists.

I started my first company. I was one of the first web hosters in Europe, just a couple of months after Tim Berners-Lee released the World Wide Web, which was HTML 0.9 at that moment. At that time, it was primarily people wanting to share knowledge. In archive.org, you can see that the early internet was about sharing knowledge and “how to do” stuff. Later, we got more and more customers. And the culture changed from the Usenet groups to emerging piracy and other stuff. And then cybersecurity started to catch on a bit.

There’s a really good book I can recommend. It’s called “The Cuckoo’s Egg.” It is written by Clifford Stoll and details the first actual hackers and the first cyberwarfare by KGB. The good thing about that book is that it is a [historic] document, and you will see that cybersecurity back then was something that people made up along the way. It didn’t exist at all as a discipline.

If you like it, you can read a counter book by the Chaos Computer Club. It describes the same events but from their viewpoint.