The Importance of Practicing Digital Hygiene

Episode Transcription

David:

Welcome to Disarming Data. This is the second generation of an earlier podcast known as Decrypted Unscripted, which was an award-winning podcast on privacy and data. And it's hosted by me, David Bitterman, a lawyer in Los Angeles, and by my friend and daughter, Paige Bitterman. Paige, want to introduce yourself?

Paige:

I'm a student in Philadelphia studying behavioral economics.

David:

The premise of this is that we have two generations of perspectives looking at data. And we're very, very grateful to have Adrianus Warmenhoven as our guest. And to start out, Adrianus, introduce yourself. And then we will start getting into the conversation.

Adrianus:

Yeah. First of all, thank you for having me. I'm hailing from the beautiful city of Zwolle from the Netherlands. It's in the east of the Netherlands. For US people, it's close to Amsterdam because everything in the Netherlands is close to Amsterdam. It's just an hour-and-a-half drive. So, I've been doing, but let's get why I'm in security for in the first place. I've been doing security, and hacking, and all this kind of stuff since 1985, 1986, somewhere around there, which is ages ago.

Adrianus:

And it started out with so many of my peers by accident. My mom was really fair always, and my brother in those days. Hip Hop was coming up, and he wanted to get a big ghetto blaster. He was always in profession and stuff. So, my mom wanted to be fair and told me you can pick something from the store as well. So, I picked a small ZX spectrum home computer thingy. And started playing around with that. And at some point, I started doing things with modems and connections that was really expensive in those days when you had phone lines.

Adrianus:

And then you started learning about how to, it wasn't illegal in those days, so you learned how to convince carriers that you were also a carrier so you could use the phone line for free. And then you got access to all of this knowledge. And then actually, I started doing this because I wanted to show my father some pictures that NASA just has gotten from Mars and from the moon. And the Internet, as we know it now, did not exist. If you wanted to watch, look at a picture of Mars, you had to go to the library.

Adrianus:

It's hard to understand for people nowadays because you have a world brain in your pocket. You just can call up any picture of anything. And even with DLI, with the newest AI, you can create new stuff. But in those days you had to go to the library. Or, you had to go to the computers from NASA to get the pictures directly from them. And that was my introduction in all this networking stuff. Way before I started at the University of Amsterdam. When I started studying at the university of Amsterdam, I was quite disruptive.

Adrianus:

And at some point, I started one of the first web-hosting companies in the Netherlands. I think it was Europe, but I can't be sure. On the science park of the University of Amsterdam. And it was good fun. And then I learned a lot of other people, I learned to know them. And from that on, that company got sold to a bigger telco. And I got to do things. And doing the first ISP in Africa, first commercial ISP in Africa with satellite dishes. Over the years, I got to do so many fun things from the perspective of either IT, but mostly from security. And from security, it's awesome.

Adrianus:

You get to play with trains, with planes, literally, I've played with planes, with high voltage power batteries, with television equipment, with medical equipment. And over the course of the years, I ended up doing more and more security. And before I joined Nord where I'm now, I was CSO for the largest Dutch owned cybersecurity company for two years. And that was quite nice because at around 18 months, maybe two years, that's about a burnout rate for CSO. I switched jobs before a burnout rate. I still have lots of good contact with all of my colleagues from early on. And now, I'm with Nord.

David:

Going back, how old were you when you first, 1985, how old were you? And what kind of equipment did you buy?

Adrianus:

Birth year, it was in 1970. So, I was 15, 16 when I first started out. And I had to go to the library a lot to learn about all these things. And also you had these computer magazines. Shops where they also sell tobacco, and then other kind of things. I got befriended with the guy who was selling tobacco because all these magazines were way too expensive, and he was also into computers. So, I befriended him. And together, we just leaf through the magazines in the shop. So, I didn't have to buy them. But I still learned. And I wrote down everything I needed to know.

Adrianus:

The first modem, it's called an acoustic coupler. And this is difficult to explain because a lot of people nowadays don't even know that you had these fixed phones with this rotary dial, but you had to rotary dial the number. And there was this horn like device, which you add to your ear and your mouth. And you had to plug that into something called an acoustic coupler. Otherwise, there was no way to make a connection over the telephone line.

Adrianus:

So, that was really the first modem connections that we used. And it was slow. You learned a lot of patience in those days. And now, gigabits up and down. It all goes in seconds. I used to download for days on end. Start something now, and really hope that by Friday or Saturday it might be ready. Those kind of things.

Paige:

What exactly do you do for Nord?

Adrianus:

For Nord, I'm a defensive strategist for the threat protection products. And actually what we're doing is to make a baseline threat protection for your device. So, you get the VPN, NordVPN is quite well known around the world. It's one of the most advanced VPNs. And we also have threat protection.

Adrianus:

And threat protection is not just an antivirus, but basically everything we can do to keep your device more safe, and also keep you more anonymized. Removing trackers, but also we're building an antivirus solution. So, just to keep you moderately safe at no extra cost.

David:

Would you say Nord is pretty much safe from cyber attacks?

Adrianus:

I'm now speaking as the CSO again. Nothing is safe from cyber attacks. It all depends on the level of risk that you're willing to accept. Risk acceptance, that's basically the key word in the whole of the cybersecurity. If I don't care if I download malware or anything like that, I can go with my laptop without any antivirus, or without any VPN, or anything like that. I just accept that risk.

Adrianus:

So, for me, it's a hard question to answer because I don't know how much risk people are willing to accept. If I look at people, I think they're willing to accept a lot of risk until I talk to them. And well, when they understand, they don't want to accept all that risk.

Paige:

When do you think that the rise of hackers started to happen?

Adrianus:

Hackers have always been there in human history. Sometimes I give lectures at universities and sometimes I explain them. In the core, a hacker is somebody who understands something, sometimes better than the creator, and then modify some parameters to make the thing do whatever the hacker wants it to do. Really earlier, hackers from history are people like Leonardo da Vinci.

Adrianus:

Hackers study everything into a minute detail, and then start doing things with that. So, the hacking mindset has always been there within a couple of humans. And now, with technology, it's a lot easier to be a hacker. This is not the same thing as a criminal because all the cyber attacks and all the cyber criminality is just from criminal organizations who are not philanthropists. They're not into cyber crime to give you some entertainment value. No, they want to get some money back from it.

Adrianus:

And this is the thing that we actually, when we nowadays talk about hackers and about cyber crime, we talk about criminal organizations. Criminal groups who are really good, well-organized. And actually just added to maybe drug trafficking, or drug creation, or other really bad things, they're just added as one of the new forms of revenue. Hackers themselves, what I consider to be hackers, we already had them since the beginning of IT in any form.

Adrianus:

But what happened is that, of course, if your population grows, as with hackers do, then at some point, some people have different life goals and different objectives from the good guys. So, that there's criminal organizations simply saying, "Well, you can make 90,000 with that company, but you can make 200,000 if you do it for us. Don't ask what you're doing." Those kind of things make now that we have extremely advanced malware and extremely advanced criminal capabilities.

Adrianus:

Because when I talk to my team and talk to other people about cyber crime, it's not like malware and viruses crawl out of the nature. They're really built by human beings. And those human beings are really smart. They're really intelligent people on the other side. They really understand the same things that I understand at the same level. And they're spent a lot of time and a lot of effort in making their technology. Cyber crime basically is humans versus humans, even though it doesn't feel like it. But it's really a battle from between humans. And the only thing is technology are just the sticks that both sides build to hit each other with. It's a human versus human game.

David:

How about nation state attacks versus for dollars?

Adrianus:

Nation states in cyber security is basically this unwritten saying, or I don't know, whenever you encounter a nation state, all bets are off. You lose if you're a CSO, unless you have a really specific mandate and the right context, which your secret services and military intelligence. Normally, what you do is when you make your risk plan, when you write a nation state, basically you just write down what do we lose and how fast can we recover from that?

Adrianus:

No, really because nation state has all the resources available to do whatever you want. Normally, hackers need to have this return on investment. A nation state does not have to have this return on investment financially. They only need to achieve their objective. So, if their objective is disrupt your stuff, they can spend as much as they want because they never have to recoup any of their expenditures. If they want to steal some data, they can even go to links like, "Okay, we groom somebody and we train somebody to get hired by the company so we have an insider."

Adrianus:

They can explore any and all facets to get into your systems. There is no way to defend against that. There's ways to defend against some form of attack from the nation states like viruses, like fake news, all of those kind of things, like the broad buckshot approach attacks. You can defend against. But if a nation state targets you specifically, basically get your backups ready and hope your encryption is up to scratch. Or, in essence you lose.

David:

Are you surprised at the level of cyber attacks that's occurred with the war in Ukraine? Is it greater or less than you thought it would be?

Adrianus:

The efforts have skyrocketed from all sides. But it's also because a lot of people with emotions have joined the fray. This is also one thing, of course, in the cyber domain. Any single person can start fighting any intelligence or any military. It's an all against all if it really comes to that. What really has caught my eye in the sense of war, is I already made this statement, we have now entered the state of permanent cyber warfare. Before this war, it was testing the waters. And as soon as US saw this is either maybe China, or Iran, or any country, they will back down. And it would be just a political, some brouhaha, a little bit. But then it would be over. Nowadays, everybody has accepted that it's a permanent state of affairs.

David:

Some people have said, this is like that the attacks are not as great, at least this is what I've heard, as expected say from Russia to a Western infrastructure because its mutual assured destruction. I don't know what your thoughts are on that.

Adrianus:

The cyber capabilities of a lot of countries, well, and as we can see in the news now that it is a bit same as with their physical abilities, have been pretty much exaggerated. Russian cyber attacks are not as strong or fierce as everybody was afraid of. Everybody was already afraid of. They had lots of exploits. Exploits are the things that you use to get into a system or to compromise a system. And normally, when you're military, you have a couple of them lying on a shelf, not for long, but you have some of them ready, so you can immediately attack.

Adrianus:

And it turns out that, well, outside of the fake news and all of those kind of things, it's not that spectacular what everybody can be doing. The reason why people were afraid of Russia before is that a lot of cyber criminality comes from Russia is not being dealt with. And the reason for that is that if there's no, on the Russian bomb, if there are no Russian victims, Russia will not prosecute. So, you can even give all the evidence, and give it to Russia and say, "This is a cyber criminal. This is all the evidence."

Adrianus:

And then they will ask, "Are there any Russian victims?" And you say, "No." And then it's the end of the story. The cyber crime is really hard and really persistent from Russia. And there's a couple of hacker groups who have made a lot of money. And then who are really public, like Turla. Those guys post on Instagram pictures of themselves with a new Ferrari, or Lamborghini, or something else because they're untouchable. They don't touch Russian victims. Nobody can do anything about them.

Adrianus:

The same goes for Bulletproof Hosting, which is in Russia a black TDS. Those kind of things. Everybody knows who's behind it, but there's nothing we can do about it. This is in the cyber crime domain. So, that gave rise to the feeling that Russia as a military would have at least some extrapolated capabilities like that. But it's not. In the end, it's just that the cyber criminals are just as rampant as they always were, but that there's no bigger army of them. There's just the criminals who just get money for themselves.

Adrianus:

Well, this is basically the lesson that we see in all facets of this war. A lot of people higher up or at various levels are just looking out for themselves. And this makes the overall a lot weaker. The cyber crimes is still going strong. And that's actually the thing that you have to fear most from Russia.

David:

Really? More so than the infrastructure attacks things, such as taking down a power plant, or?

Adrianus:

The military doesn't have that capability. And then the cyber criminals would have that capability. But they're always trying to be at a level where it's not suddenly a concerted effort of the rest of the world, like Interpol, or any of those organizations, trying to hunt them down.

Adrianus:

If you just stay below that threshold, then you can make a lot of money for yourself. And pulling down a power plant gives you no money. And if the Russian military cannot pay them, these guys make things like 72 million dollars in a weekend. You have to pay them extreme amounts. And they're not as patriotic as everybody might think. They're very selfish.

David:

That's really interesting because I just had understood that the technology was there, both the United States, Western countries, and Russia, and that they just weren't exercising it.

Adrianus:

You probably can. If it really targets something, it's always possible to do weird and wonderful things, especially on hacker. Congress, as you see, how they can do things with the train systems or get into IoT. But the problem is it's not very specific. It's very uncontrolled if you do that. Let's say example from Stuxnet, which was put into Iran in the nuclear reactor, or at least it was the plan. It was really nice put together, but it was not very subtle.

Adrianus:

There's no subtlety in those systems. And as soon as you start taking down a power plant, you know that you've crossed a line. And you know that power plants on your side will also be going down. I don't think either any country wants to test those waters yet because everybody has to deal with enough things as it is. It is possible, and I think even lesser hackers and cybersecurity specialists will be able to do this. But it will not come from a general as a good idea of doing that. There's no sensible objective to be achieved by that.

David:

Okay. Even in war?

Adrianus:

As soon as you do that, you do something on territory of the foreign nation. And then you start a war. So, at the moment, there are no objectives to be achieved by doing that.

David:

Okay. It's all about dollars.

Adrianus:

It's about dollars. And of course, as soon as you start it, there will be repercussions and consequences. And none of those fit into a good battle plan at the moment. So, it might still happen after a while, if this continues on and things become more desperate. But by then, we'll have crossed a lot of bridges I think. That's my personal opinion.

Paige:

Well, my question was since we were talking about Russia, I guess it made me think of social media a bit. There's a lot of hacking happening, Facebook and Instagram. And I don't know what countries that's coming from. But a lot of my personal friends even get hacked. It's quite often. So, I was wondering if, well, A, who's doing it? And B, how also to prevent it from happening personally to yourself?

Adrianus:

So, the first question, I'm sorry, with the first question, what do you mean by somebody on social media getting hacked? Do you mean their profile is taken over? Or, do you mean the device is getting compromised?

Paige:

I mean, I've heard of both happening actually. And it's common.

Adrianus:

Yes. I make the differentiation because hacking of social media profiles is usually just guessing. It doesn't get any more sexy than that. Security of a lot of those big social media companies is pretty up to scratch. They're really good. And what happens most of the time is, and that this is a bit silly thing, those reset questions, you could probably get that from the same profile. What's the name of your dog? And then you look at somebody's page, and then they post a picture of themselves with the name of their dog. And a lot of it is guessing.

Adrianus:

A lot of passwords, you can brute force passwords. A lot of passwords are with password breaches, which people you reuse, or they use a password on a really simple site. They're never are going to visit, but they use the same password as on Facebook. That site they're never going to visit again is being hacked. And then somebody has a password for Facebook. So, a lot of the social media things you can quickly fix by using a password manager and two factor authentication.

Adrianus:

If you do that, 99% of all those hacking attempts will fail. And use a password manager, or use password phrases. I'll get to that in a bit because that's my favorite thing to say. The device compromise comes usually from advertisement networks. Advertisement, those networks, aren't being scrutinized as much as the social media themselves. So, what happens is let's say I want to attack a target, you. I figure out everything that makes you unique, as unique as possible, like area code, school, preferences in food, all those kind of things.

Adrianus:

And then I know that my advertisement, as a criminal, my advertisement would be only shown to you and maybe 10 other people in that area. And I can put some malware in there in my advertisement because I directed that code, will only be shown to you as soon as you come in. And then your device gets compromised. So, a good antivirus is also a must if you are doing anything on online nowadays. But most of it really comes from password guessing and reuse of passwords. I mentioned password phrase a bit earlier. A password phrase is just the same as a password, but easier to remember.

Adrianus:

If you don't want to use a password manager, instead of a password with all these difficult characters and making it eight characters and you will never remember it, take a sentence from your favorite book, or from a song, or a poem, because a sentence is quite easy for you to remember. A sentence usually has some inter function like a comma, or capital letters, or exclamation mark, or colon, I don't know, with those. And if you substitute maybe one or two things with a number, then it's really easy to remember.

Adrianus:

And it's also easy to find how you write it because you just pick up the book again, or the poem, or you listen to the record again, and you know exactly what your password is again. Then make it longer. The longer you make it, the more difficult it is to hack actually. Password phrase instead of passwords. But password manager is even better.

David:

If I were just to go out and get a password manager, which one should I go to? I'm not asking you to endorse anybody.

Adrianus:

Obviously, I'm going to say the one from Nord. NordPass. But there's a couple of them which are really quite famous. You can look those up as soon as you type in password manager, you'll find it. NordPass, of course, is included with the NordVPN.

Paige:

I've also heard of people downloading apps, and then those apps attributing to them getting hacked. How true is that?

Adrianus:

Oh, that's a whole can of worms. When you download apps, most of those apps are being checked by the App Store, especially if they're really popular. It's fine. There's a couple of scenarios where an app can become evil. One of course, is just when it's a fake app that puts the app into the App Store with a name that's almost one that you really want to. But what it in fact does is just hack your mobile device. You can spot those quite quickly by looking at the number of downloads, and seeing who the publisher is.

Adrianus:

For instance, all the things by Facebook are made by Meta. Microsoft will always have Microsoft in there. So, you can look at the publisher and see, "Okay, this is not the company I was looking for. Not the app I was looking for." It gets more problematic with apps that are popular for a while, and which are totally benign, which are of a small developer. Let's say Flappy Birds, that was an app that was hugely popular, but it was only one guy developing it.

Adrianus:

As soon as that happens, and something is popular, what happens sometimes is that the criminal organization says, "Listen, this Flappy Bird, it gets you 4, $5000 a month in advertisement revenue. How about we give you $750,000 for all the rights? We own the app." The developer one guy says, "Yeah, sure." And he sells it. But from that moment on, you have to remember that that app is installed already on millions of devices and it'll automatically update.

Adrianus:

So, the criminal only needs to add some criminal code to its update, and they own it, so they can sign it. So, the App Store will not filter them out. And it gets distributed to all those people. And this is how unknown apps or really obscure apps can also help hack your devices. There's another way. There's another thing that's growing. And it worries me a bit. It's called residential proxy. I have to explain that a bit. A lot of revenue in normal apps and in really benign apps now is from advertisement.

Adrianus:

And it gives you maybe a cent per 1000 clicks. I don't know what the rate is in advertisement, but it's really low. You have to get a lot of advertisements to monetize it. Now, a criminal comes along and says, "Well, we have a framework." And it simply says, "As soon as you start this app, we can route traffic through your mobile device." You don't do anything illegal because you just put in the end user license agreement that as soon as the user installs it, they agree with us routing traffic through your device. So, it's a legal transaction.

Adrianus:

But most users, they don't read the whole end user license agreement. They just scroll down, press okay, and the app is installed. And they legally now have said, "You, the criminals, are allowed to use my mobile device for criminal activities." Or, no. They don't say, "Criminal activities." But for traffic redirection. So, this is called residential proxy. And then the other thing which is really also scary about that is that your mobile device is inside behind your firewall in your own mobile network. If your mobile device has that app, it's connected to your own WiFi in your home and is behind your own firewall. So, it's already inside.

Adrianus:

So, what you should do about that, and this is I will always say this, but I know it will never happen, but people should really, really read the end user license agreement, and check the permissions, and see what's going on. It's really hard to act against those things because the only way that law enforcement can do something about it is if they have proof that not by accident, but on purpose, this residential proxy is being used for criminal purposes. In every other case, it's just a legal agreement for monetization of the app.

David:

Literally, you're saying some of those apps, you'll actually assign an agreement and say, "You can drop onto my phone?" Paige, what are your friends seeing? Do your friends care, Paige? This is the millennials here.

Paige:

I mean, well no one reads user agreements. And I don't think people will start. But I didn't know that there was a very gray line of legality to all those sorts of issues. But then you think about reading a user agreement and you're like, "That's very long." Another question I actually had, this is a little turn, is I had read that you had brought Internet to Tanzania. And I was just wondering what that experience was like?

Adrianus:

Well, I have to modify a little bit. There was Internet in the university. It was commercial Internet. So, it's not I pulled them out like in the telecoms dark ages or so that they already had. But it was university-wide. And it was actually a life changing experience because we were sitting with a company. We were sitting at a company dinner. And our director gave a speech and he said, "Well, Europe is going quite well with Internet."

Adrianus:

And we had an ISP with modems. And then it was at those times a really big ISP with 10,000 customers. It's ridiculous, that small amount nowadays. And he said, "We're also going to do Internet in Africa, in Tanzania." Because they had a telco shop already over there in Tanzania. So, we had some people there. And I was sitting there and think, "Oh, that sounds cool. I wonder who will be going?" And then he said, "Yeah. And in two months, Adrianus will be going." And I thought, "What? I haven't prepared for any of that." So, okay.

Adrianus:

So, I asked him, "How should I do that?" And he said, "Well, you're a smart guy. Figure it out." So, they gave me $25, some weird route. No, I'm not kidding. Some weird router, Cisco 2511. For the technical people listening, they can find out what type of router that is. A Cisco 2511. The address of the people in Tanzania we had from global access there. So, I went over. Really interesting getting that router through customs because they had no idea what I was doing with it.

Adrianus:

So, I said, "It's for recording music." Okay, because the Cisco logos looks a bit like music. So, I was allowed to go through it. They picked me up. And then we had to figure out with satellite, with a satellite dish we built our own little small building for our servers. We had a satellite dish, which we had to aim. We had these normal modems, which all had to configure by hand because the Tanzania telephone lines weren't as good of a quality. Yeah. It took me quite some time.

Adrianus:

And in the meantime, we went to the wildlife resorts. And then I went up to the Kilimanjaro. And for some reason, well, you listeners can't see it, but you can see I'm a big guy. And for some reason, whenever people in foreign countries see me, they think, "Yeah, this guy likes to climb a mountain or something like that." I always have to go with people up mountains. I mean, the view is awesome. But I'm not built for climbing. But for some reason they always want me to do. But it was awesome.

Adrianus:

It was a really nice experience. And it was for me, it was such a nice feeling when at some point, we finally got the connection working. And I had a chat program. And a friend of mine was in the Netherlands. And I said some sentence to him and said, "Listen, I got your mom on the phone at the moment." And I typed something. And my mom was, "Wow, we are talking across this immense distance." I mean, for younger people, this is now quite normal.

Adrianus:

But in those days, it was such a heavy experience that I sent a chat message across the satellite back up and back down. And this was in '94, 5, 6, I don't know, '97 maybe. And it was such an experience to get data, it had lag of 8 seconds. When I typed something, it took 8 seconds to go to the other side and then 8 seconds to get an answer back. But it was such a heavy experience. So, to make something from scratch work. And then yeah, it was awesome.

David:

That's unbelievable. It was for the university you said, ultimately, or?

Adrianus:

No, no, no. It was for the commercial. There was this telco company, and I figured out that using Internet email was cheaper than using fax. They used a lot of faxing for orders like Toyota and Nissan. They had a lot of orders in Africa for cars, of course. And then sending all the orders by fax, it was a lot more expensive than sending an email. But you can only send email if you have Internet. So, that was kind of the reason.

David:

Also, on your background I see you've got, what, is a seven year old son. Is that right?

Adrianus:

It's now eight years.

David:

Eight years. So, tell us what's that like? And what do you see for him in the future?

Adrianus:

Well, getting a son was the scariest thing I've ever done. I've faced down armies, and guns, and stuff, and nothing was as scariest suddenly having this baby in your arms and knowing that it will rely on me to survive. And that's the scariest thing I've ever had. But it's also the coolest thing. I love my son really to bits. I want him to do whatever he wants to do. And also, one thing for Paige, whenever I talk to younger people, I will always tell them, it's your world now.

Adrianus:

I will gladly assist you guys. But I will not make any decisions or try to imprint my ideas. I've had my time. I've had a really blast. And now it's your run. And the same goes for my son. While he's a bit interested in technical stuff, he's also doing other stuff, doing normal kids things like soccer and going to music. And then he's now doing violin lessons. He's doing judo. The biggest concern I have for him is for the future is privacy and yeah, and control.

Adrianus:

That's something that I worry about, that his freedoms will be severely limited. That's one thing I try as a father, as a dad, not so much as a security person, but really I try to be active in that to help get some of that privacy, or at least keep some of that privacy available. When it goes to privacy, I need people to understand that for all intents and purposes, your digital you is you. There is no bank anymore, or almost no government institute that needs the physical you.

Adrianus:

There's almost no interaction anymore where your physical presence is necessary or even wanted. Your digital you is the real you. If you were to drop down and die, if your digital stuff is automated, those companies will think you're alive because that's who they are interacting with, with your digital you. About that, I need to explain to people that privacy is not about what you have to hide because a lot of people say, "I have nothing to hide." No. Privacy is about what you want to share. You should be in control about what you want to share.

Adrianus:

If you have nothing to hide, feel free to share everything. No problem at all. But I can easily give you a couple of examples for things you do not want to share with me. You do not want to share all your nude pictures around the Internet right now. You don't want to do it. So, at least one thing you have to hide. You don't want to share your credit card and control number with me right now because that's the second thing you already have done.

Adrianus:

And so, I can make a lot of things which you want to hide, and which luckily enough, you are in a position to control what you're sharing with me. If you're not sending anything to me at this moment, any of the pictures or your credit card details, you are in control. So, they're private. They're still yours. You haven't sent them to me. And this is the essence of what privacy means. It doesn't mean you're a criminal and want to hide any of your traces. But you need to keep those buttons, and levers, and possibilities of being in control.

Adrianus:

You need to keep them with you and not with somebody else. As soon as you have no control of that anymore, the only thing your body is good for is either to consume and do some work. Somebody else will control and tell you what to do. This is the whole thing about privacy. What I'm also learning my son is to make conscious decisions about sharing stuff. You might not want to read the end user license agreement, but maybe you make fake profiles. I'm teaching him already about fake profiles, fake personas. It's not a fake profile, but it's a fake persona.

David:

Tell us about that.

Adrianus:

Most people use one persona on online. So, that's what they perceive themselves to be the real them. Problem with that is with all the data correlation and the big data stuff, well, we've heard lots of things about Clearview, but even the US IRS wanted to do some things with Amazon, which was not a good idea. Then luckily they stopped it. But all this data collection and data correlation makes a big picture of you. And it gives you a full profile.

Adrianus:

And a full profile is not only harmful that if somebody knows everything about you, but they also know where your pressure points are and how to control you. So, what I'm explaining is make multiple personas. And for instance, I have a banking persona. Does nothing, simple browser. And this persona does only my financials. It has no social media or anything like that. And my interactions are all based on that persona. The same thing goes for social media.

Adrianus:

I have one social media presence at the moment, which is the me that's talking to you, which is LinkedIn. But I might have other personas for other social media, which are completely different from me, and with which I could interact with other people which are not connected to me. And the reason for that is that it gives you more freedom. But it also compartmentalizes what you automatically share about yourself. So, my son has different personas for his gaming platform.

Adrianus:

He likes to play on a console. And he has a completely different persona on that. And that persona is not linked to any social media or anything like that. Reason for that is that especially if kids if they get angry, they hack each other. Again, the password guessing game. And they like to find each other on social media, and then start griefing each other, or whatever else they do for sport. And if you keep those personas compartmentalized, this cannot happen. But the problem is it's an inconvenience. Sometimes you have to take those inconvenience.

Paige:

Do you feel like schools should be educating kids more about privacy with how fast technology is growing?

Adrianus:

Absolutely. That's a really good remark. Where they teach you writing, and also the technology, how to use it. But they're also give you some values and how to go on in life, no bullying and those kind of things. So, a lot of basic values are being brought in school. But also how to work with your computer and your social media. And school should give you those values, but also the risks about it.

Adrianus:

Because you do learn at school crossing the street. There's nursery rhymes when you cross the street and it's unsafe, or stranger danger. All of those kind of things you learn at school, except exactly as you said, they're failing in that they teaching kids what kind of profiles they should make because kids, they have a really direct mindset. They want to watch a video on YouTube. And YouTube says, "Yeah, you can watch a video, but you need to have a profile." Click, click, click. They have a profile because they want to watch the video.

Adrianus:

And the same goes for a game. And the game says, "Yeah, but we want to have access to all of these sensors on your mobile phone. Otherwise, you cannot play the game." Tick, tick, tick. All of them agreed. I want to play the game. And this is things parents should take some time for that. But schools have a lot longer contact moments with the children. Couple of hours a day where they have the full attention span of the kid. And not in the evening when a kid is tired, or wants to relax, or in the morning when there's a rush.

Adrianus:

Now, schools have exactly that attention moment where they should actually say, "Well, you should take care of your privacy. You should take a bit care about your passwords." I personally think that passwords and how you should do credentials and authentication should be educated on in school. It's a complex thing. And it's not something that the parents can quickly say with a couple of sentences, "Oh, no. You just use a password phrase. Okay. Go play outside now." No. You should really explain to kids why they should do it and what the dangers are.

Adrianus:

In some places they can skip it, and it's not as dangerous. You should also show the really awesome things of the Internet and awesome things of so social media, because it's not all gloom and doom. This is the problem when you talk to people like me from security background. We always talk like it's the apocalypse around the corner. But it's not. I love the Internet. I love how amazing it has been from having no computer at home to having a world brain and connected to everybody in your pocket. This has happened in my lifetime. And it's such an awesome realization.

Adrianus:

So, it's not always bad. But there are risks in involved. And really, it's a really good remark, schools should do that. I used to have a program called, Digital Hygiene, because I liken this education to how you teach hygiene at school. At school, they teach wash your hands, and all those kind of things. I think a lot of things you should do with your mobile devices or with your devices in general are chores that almost are the same as with hygiene. In your house, you brush your toilets, you clean your toilets because you don't want bacteria.

Adrianus:

You brush your teeth because you don't want bacteria. The same goes for your mobile device. You remove apps which you don't need because you don't want this situation. You use an antivirus just like the toothpaste because you don't want fires. Those kind of things belong to the current day normal life, especially for the age group of Paige. The digital device is something intrinsically linked into their life. It's something you will use without even knowing you are using it. In your mind, you probably think, "I am going to talk to my friend."

Adrianus:

You're not going to think like my generation or the older generation, "I'm going to take my phone. And I will talk to my friend." Because we have to that in between step. Your generation doesn't have that in between step because it feels just as natural as writing, as talking, as anything like that. And this is really why we should help kids, who will have even more that experience, teach them like brushing their teeth, clean up your laptop. Remove your password, change your password, those kind of things. And school is really failing there. Yeah.

David:

You're going to school. Don't they teach you something about that at school?

Paige:

Well, not when I was younger. They would teach us about cyber bullying and being nice to each other online. There wasn't nearly as much going on online when I was in school. But I definitely don't think they talk about hacking, or privacy, or things like that, especially not in college levels. If you're not in an engineering major or a data major. I have one more question. Do the Netherlands, because California has more privacy laws than other states, but do the Netherlands have good privacy laws set up?

Adrianus:

The Netherlands on its own is already really strong on privacy. Not as much as Germany. But we also have the umbrella of the EU. It's called GDPR. And this gives us a couple of protections. They're almost the same as with the Californian and the Canadian laws. However, we have more vocal in Europe, and in the Netherlands, more vocal privacy activists over here. The idea of relinquishing data and information to your government.

Adrianus:

And we still have, especially in Germany, the scars from World War II, where data collection was really put to some really bad uses. So, especially in Germany, that will always resonate. And these things are even not entirely in school. There is some government programs to bring it under the attention. But it can also be a lot better. But you feel quite protected if you, this is where it falls down, if you pay attention to what you agree upon. Because even the GDPR says, "Company is allowed to collect all of the data if that's their business."

Adrianus:

So, if Facebook or Google says, "Well, we collect all of your data because we sell advertisements based on your profile. Do you want to continue?" And you click, yes. Well, that's your legal contract. And that means that even the legal protection is from that moment, not entirely void, but yeah, you have given permission.

David:

It's getting better in California. But is GDPR, is it an opt out or opt in?

Adrianus:

Basically, you have to opt in. There's some basic protections. However, and this is escape clause, the justified cause for data collection, if that is sufficiently defined, then it becomes an opt out. In the Google example, it becomes an opt out. But for instance, for medical data, it will always be an opt in. And it will always be and notify each person personally.

David:

And what do you think about the changes that Apple just made to their apps? So, because now it's opt in, right. You have to opt in with Apple now when you download an app, right? Or, am I getting that right?

Adrianus:

Yeah. Apple always kind of puzzles me in how they do things. I never know if they understand that it's really good business to do things the right way, or if they really want to do things the right way. So, about their motivations, I cannot say anything. But the things they are doing of late are actually going the right way. Yeah. They're doing the right things. I don't know if it's for the right reasons. And also with security iOS is improving massively. So, yeah. They're doing the right things at the moment. So, yeah.

David:

Tell us, what do you see in the future? And are things really getting better? Are we more secure or less secure now?

Adrianus:

It's hard to say that in a generic statement. I've made several generic statements over the years. And almost all of them except for one turned out to be false.

David:

Okay. You got to tell us the one that was right. Sorry to interrupt you.

Adrianus:

I was in a hefty discussion with a reporter from Wired and something I think 2016, 2015. And it was about submarines cutting the Internet wires across the ocean bed, Internet wires. And this journalist said, "That's a stupid idea. Nobody will ever think about this." And for some reason, in the beginning of this Ukraine war, we got this intelligence that some countries in Europe were scared about Russian submarines. And then on the news we saw all these scenarios that the military intelligence were working out about cutting the submarine cables.

Adrianus:

So, I don't think I should do those kind of predictions anymore. But yeah, overall, I think the handheld devices, we will get at some point there that's just as like with hygiene. And that's why I always will use hygiene as an analogy. When you sensibly the mobile devices will become secure enough because they will at some point be our complete avatar in the digital world. While we do all our banking, all our communicating, even our presence, telling our house where we are, getting a car, whatever we want to do, those devices will be our avatar.

Adrianus:

I also once mentioned to some other friends that they will be our magic wands of the 21st century because you can basically open your house, drive a car with it, get a bike, anything. So, those things will become more secure. And the other thing is we need to figure out, and this is the privacy part, where as a society we want to be in digital domain. The problem is that a lot of people of my age and older are still running the world. I can say it. And, yeah. But we have not had this digital world be part of our youth or part of our life.

Adrianus:

So, we see it as something separate, as something that we can tweak, and modify, and get the most out of it for our business or for ourselves. However, it has now become a part or a carrier for social interactions for society itself. And this is something that I think my generation and others should not talk about because we have a completely different understanding of what it has to be with social relations, with personal relations. We still visit our friends physically a lot. I go to barbecues. And that's what we do.

Adrianus:

Younger people can have a great evening having somebody on the mobile phone, and have group watch on Disney, or something else, and watch the same movies. But just have the person digitally. So, that means that they should actually be the ones to tell us, "Okay, please build it like this because this is what we want. This is what we need for our future." I mean, there's a lot of people like me who can do a lot, who can build you anything you want. But I think we should relinquish control of this. Now, we should not say this is how it should be because in my mind, I'm way too much like this old engineering stuff, a lot of times, I'm this cranky old guy, "Get off my lawn," when it goes about technology.

Adrianus:

I think these new young developers, they are so astute. They've spent ages about the color of their editor or whatever teaming, I don't know. Black and white, that's enough for me for my editor. But, yeah. I learned that's how they live. And I should not have an opinion about that. I lived my life in complete freedom. I've had an awesome run. So, I think the younger people should be more vocal about what they want to happen. And really not just, this is my advice, and not just by shouting it to each other on social media because you get all these echo chambers. No. Go for the politics. Go for where it counts because there's more of you at this moment than there are of us.

Adrianus:

Make sure your vote counts to the right people. And don't vote or stop voting because you don't like it, or it's boring, or anything like that because this is the moment where you can grab the driver's wheel. And I think if they do that, and shift some of the companies back into line saying, "Okay, you can process all this data. But you have to give something back to society." Maybe by using this also for medical data for universities. Forcing them to also do good.

Adrianus:

Because some of the things that are horrifying to me from a privacy perspective, I do understand that it can also give us some good things and stop this whole for profit stuff. Make some good money out of it. No problem, if you're getting rich about it. But stop making it to these ridiculous amounts that we're seeing currently with a couple of people, the top 1%. It's almost like a comic. It's like a bad joke. And really make those things about helping each other.

Adrianus:

Because we're almost on the moon again. We almost have self-driving cars. We can talk to anybody on the planet at any moment, day or night. We can even see each other. So, your voice, think about this. I thought about that when we had this Internet. It blew my mind realizing it. You can have your voice heard on any place on the planet whenever you want. Your voice, even if you're not there. This is really a realization that all of the planet is at your fingertips. And make something good out of that. That is what I would say. And the digital world, we could do that. Get my generation off of the driving wheel really.

Paige:

We always say, "Is it'll change once the boomers die."

Adrianus:

I'm not a boomer.

Paige:

The gen X generation's much different too. But they're I think the kind of lost generation sort of. People forget about them. But the boomer generation definitely people always say a lot of things will be much different.

Adrianus:

Yeah. But at this moment, all of you are voting age. There are more of you than of any of the other groups. You can out vote any other group at this moment. Just do it. You have November. You're in the US, right? In November, it's when it counts.

David:

It is. Well, if they've got an election denier running for governor, and an election denier running for Senator in Pennsylvania.

Paige:

Well, I do think that there are a lot of young people that are really passionate about voting. I think their motivation behind it is a lot different than older people might be. But I think that you find on college campuses, young people are always talking about politics it seems like now. So, a lot of times people are like, "Oh, do I have to actually go and vote in person?" I think people like mail in voting because the young people never actually having to go in person anywhere.

Adrianus:

But there's more of you. Realize that. And then tell each other that. That there's none of the other groups can stop you if you don't let them.

David:

You'd better be taking notes here, Paige. Adrianus, all right. Adrianus, thank you so much for your time. This has been amazing. You're an amazing person. So, thank you.