Monthly Archives: January 2023

Security Through Stupidity

Security through obscurity is a well-known term in the computer industry, but what if the security is not even obscured? Security through obscurity implies that some efforts were made to hide something, anything. But this does not always seem to be the case – because if it were, the people responsible would not just be ignorant, but also stupid; hence the term “security through stupidity.”

Maybe I am being a bit harsh; but let us look at a few examples.

The information was there all along

In 2021, a journalist for the St. Louis Post-Dispatch discovered teachers’ social security numbers on the state of Missouri’s website. The sensitive information was not directly visible on the webpage, but it was there if you right-clicked and selected “view source” in your browser.

Allegedly, this journalist had “hacked” the website to gain access to this information. Let me repeat that: The state of Missouri leaked social security numbers on their website and threatened the person who found out and reported the vulnerability.

The stupidity here is not only the government’s lack of security, but also how they chose to react.

Ask and you shall receive

Ever wondered what would happen if you replaced your user id in the address bar with someone else’s? Maybe you would find some personal information, or maybe you would find a lawsuit.

A Norwegian developer found himself in such a situation. He wanted to make a mobile app where you could find the owner of a vehicle using the license plate. This is not secret information, by the way; you can get it by sending a text message to the Norwegian department of motor vehicles.

This developer wanted a more seamless interaction, however, and he found a solution. When logged in to the department of motor vehicles’ website, he would see his own car details. No surprise there. However, by changing the address in the browser he could find the owners of other cars as well. He decided to use this to generate his own database of vehicle information, scraping the information using publicly available APIs.

The department of motor vehicles was not amused when he told them he had found a solution to his problem, and they presented him with a lawsuit. Now the most astonishing part, from my point of view, is that he lost the first trial, which tells you a lot about the legal system and its understanding of technology. Luckily, the verdict was later overturned, and once again we are allowed to change the address bar in the browser.
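Scraping a database by walking identifiers leaves a recognizable trace in the server’s own access logs. The Python below is an added example (not code from the post, and not from any DMV system): it flags sessions that request many distinct, mostly consecutive vehicle ids, and counts per-session denials, which is what the same behaviour looks like once the server actually enforces ownership. The log format, the log lines and the thresholds are all constructed for the demo.

```python
import re
from collections import defaultdict

# Constructed access-log lines (not from the page): one request per line in a
# simplified "timestamp session_id path status" format.
SAMPLE_LOG = """\
2023-01-10T08:00:01 sess-a /vehicles/1001 200
2023-01-10T08:00:03 sess-a /vehicles/1002 200
2023-01-10T08:00:05 sess-a /vehicles/1003 200
2023-01-10T08:00:06 sess-a /vehicles/1004 200
2023-01-10T08:00:08 sess-a /vehicles/1005 200
2023-01-10T08:00:09 sess-a /vehicles/1006 200
2023-01-10T08:01:10 sess-b /vehicles/2048 200
2023-01-10T08:02:15 sess-b /vehicles/2048 200
2023-01-10T08:03:00 sess-c /vehicles/77 403
2023-01-10T08:03:01 sess-c /vehicles/78 403
2023-01-10T08:03:02 sess-c /vehicles/79 403
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<session>\S+) /vehicles/(?P<vid>\d+) (?P<status>\d{3})$"
)


def parse_log(text):
    """Yield (session, vehicle_id, status) for every line that matches the format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["session"], int(m["vid"]), int(m["status"])


def find_enumerators(text, min_distinct=5, min_sequential_ratio=0.8):
    """Return sessions that touched at least `min_distinct` vehicle ids where most
    consecutive ids differ by exactly one; thresholds are demo assumptions."""
    ids_by_session = defaultdict(list)
    for session, vid, _status in parse_log(text):
        ids_by_session[session].append(vid)

    flagged = {}
    for session, ids in ids_by_session.items():
        distinct = sorted(set(ids))
        if len(distinct) < min_distinct:
            continue
        steps = [b - a for a, b in zip(distinct, distinct[1:])]
        ratio = sum(1 for s in steps if s == 1) / len(steps)
        if ratio >= min_sequential_ratio:
            flagged[session] = {"distinct_ids": len(distinct), "sequential_ratio": ratio}
    return flagged


def count_denials(text):
    """Sessions with at least one 403. Once ownership is enforced, the same
    id-walking shows up as a burst of denials instead of successful reads."""
    denials = defaultdict(int)
    for session, _vid, status in parse_log(text):
        if status == 403:
            denials[session] += 1
    return dict(denials)


if __name__ == "__main__":
    print("sequential id access:", find_enumerators(SAMPLE_LOG))
    print("denials per session: ", count_denials(SAMPLE_LOG))
```

Both signals are worth alerting on: the first catches scraping while the authorization bug is still present, the second confirms that the fix is being exercised and by whom.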

Ordering off-menu

This may be my favorite. Probably because I used it with immense success in the past. It is also a variant of the “ask and you shall receive” listed above. It boils down to a simple “let’s trust the user’s input.”

In my case, I discovered that I could get my hands on the license key to any combination of Volvo car and a DVD containing map updates for the satnav. The website handling license requests worked like this: You entered your car’s VIN (vehicle identification number), and a list of previously bought maps for this vehicle would show up. Select one, enter your email address, and a license key would arrive in your inbox along with a “thank you, and have a nice day.”

Now, what do you think happened if you changed one of the available maps to a map you did not legally own? Bingo, you got mail: “Thank you, and have a nice day.” And just how do you change this, you ask? Well, the developer tools in Chrome, Edge or Firefox would do fine.
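Both the address-bar trick from “ask and you shall receive” and the off-menu map order fail for the same reason: the server treats whatever the client sent as already authorized. The Python below is an added example (not the post’s code, and not the real DMV or Volvo service); it places each vulnerable handler beside a hardened one that derives the allowed records and options server-side instead of trusting the request. The vehicle, owner and map data, the key derivation and the placeholder secret are all constructed for the demo.

```python
import hashlib
import hmac

# Constructed sample data (not from the page): who owns which vehicle, and
# which map products each vehicle has actually bought.
VEHICLE_OWNER = {"VIN-A": "alice", "VIN-B": "bob"}
VEHICLE_MAPS = {
    "VIN-A": {"europe-2021"},
    "VIN-B": {"scandinavia-2022", "europe-2022"},
}
# Placeholder secret for the demo only; a real service keeps this in a secret store.
LICENSE_SECRET = b"demo-secret-not-for-production"


def make_license_key(vin, map_id):
    """Deterministic key for (vin, map). The format is an assumption for the demo."""
    msg = f"{vin}:{map_id}".encode()
    return hmac.new(LICENSE_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def lookup_vehicle_vulnerable(vin):
    """'Ask and you shall receive': the id in the URL is the only input, so any
    logged-in user can read any record by editing the address bar."""
    if vin not in VEHICLE_OWNER:
        return 404, {"error": "unknown vehicle"}
    return 200, {"vin": vin, "owner": VEHICLE_OWNER[vin]}


def lookup_vehicle(current_user, vin):
    """Hardened: authorization comes from the session, not from the id.
    Unknown and not-owned vehicles get the same answer, so the endpoint
    cannot be used to confirm which ids exist."""
    if VEHICLE_OWNER.get(vin) != current_user:
        return 404, {"error": "unknown vehicle"}
    return 200, {"vin": vin, "owner": VEHICLE_OWNER[vin]}


def issue_license_vulnerable(vin, map_id):
    """'Ordering off-menu': the map list was rendered by the server, but the
    submitted choice is never checked against what this vehicle bought."""
    if vin not in VEHICLE_MAPS:
        return 404, {"error": "unknown vehicle"}
    return 200, {"map": map_id, "key": make_license_key(vin, map_id)}


def issue_license(vin, map_id):
    """Hardened: rebuild the allowed options server-side and check the choice
    against them; the rendered menu is a convenience, not an authorization."""
    allowed = VEHICLE_MAPS.get(vin)
    if allowed is None:
        return 404, {"error": "unknown vehicle"}
    if map_id not in allowed:
        return 403, {"error": "map not licensed for this vehicle"}
    return 200, {"map": map_id, "key": make_license_key(vin, map_id)}


if __name__ == "__main__":
    # Simulated tampered requests: a foreign vehicle id in the URL, and a map
    # that is not on this vehicle's list.
    print("vulnerable lookup:", lookup_vehicle_vulnerable("VIN-B"))
    print("hardened lookup:  ", lookup_vehicle("alice", "VIN-B"))
    print("vulnerable order: ", issue_license_vulnerable("VIN-A", "europe-2022"))
    print("hardened order:   ", issue_license("VIN-A", "europe-2022"))
```

The point of the hardened handlers is where the decision is made: the set of records a user may see, and the set of products a vehicle may license, are looked up on the server for every request, so editing the URL or the form with the browser’s developer tools changes nothing.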

Conclusion

If you want to hide or protect information, at least give it some effort. More importantly, if someone gives you a heads-up that you may be leaking secrets, thank them for sharing, fix it, and move on. Do not sue or threaten to sue them. And lastly, if you do not understand technology, do not pretend you know technology. It is that simple.

My Year in Books

And by “My Year in Books” I obviously mean 2022, the year we just left behind.

Cover of three books: The Storyteller by Dave Grohl, Project Hail Mary by Andy Weir and Becoming by Michelle Obama
Three of the books I read in 2022.

In 2022 I started the year with a goal to read 36 books; I ended up reading 31. There are several reasons why I didn’t reach my goal, but the main one is that I simply didn’t read enough.

This year my goal will be (at least) 40 books. I selected that goal because a) based on last year’s reading habit, it is ambitious but still realistic, and b) I may or may not turn 40 this year.

To be able to reach this goal I have realized that I must read more fiction in between the “heavy stuff” of self-help, biographies, technical books and what not. Some books are just easier to digest than others. Barack Obama’s brick, A Promised Land, is not one of them, and that’s why I still haven’t finished it. Sorry Barack, but I preferred your wife’s writing.

Back to fiction, the best book I read last year: Project Hail Mary. I cannot stress how good this book was. It is a book I want to read again, and again. It is just so darn good.

I can also recommend “The Storyteller” by Dave Grohl, the Foo Fighter himself. I’m currently reading (among other books) “Born to Run” by Bruce Springsteen. So far Dave Grohl has been more captivating in his storytelling, but I’ve just started “running”; maybe it will change once I get a bit further into the book.

To see the whole list of books I read, you can roam around in my Goodreads profile.