Coffee Break // Cyber News 008
The Radiant hacker group has a change of heart? ICE purchases more cybertools…
I started my day today with a little hands-on work setting up a Raspberry Pi 5. A tiny prebuilt computer, I’ve hooked it up by the main wifi router with plans to turn it into a home server for some personal projects in the near future.
My coffee this morning is a pleasant shot of espresso. A Colombian grind, I think this may be my favorite of the Nespresso varieties that I have tried.
Happy Friday, everyone.
//
In the news.
CISA, the Cybersecurity Information Sharing Act (not to be confused with CISA, the Cybersecurity and Infrastructure Security Agency), expired at the end of this September, ending the liability and anti-trust protections for companies sharing cyber threat data with each other.
Threat sharing is one of the main ways that companies and governmental organizations stay safe from hackers and data breaches, and the sunsetting of this legislation could chill important communication between parties in the cybersecurity space.
The blocking of CISA’s reauthorization is largely due to Sen. Rand Paul’s efforts to include new language in the act. MSSP Alert has the full story.
In a follow-up to the Kido nursery hack story from Tuesday, Radiant, the hacker group behind the breach, has allegedly caved to public backlash.
Originally fixed to a bitcoin ransom equal to around $808,000, the hackers have apologized for their actions targeting children and their families and (if you believe them) deleted all data from the hack.
ICE continues to turn heads in the cybersecurity world as it continues to adopt and use powerful tools like PenLink.
At the core of the ethics debate surrounding tools like this is the question of warrantless searches. So much of the data that law enforcement (LE) scrapes to use in tools like this is purchased from data brokers.
Is it ethical for the government to amass huge volumes of personal and geographical data without warrants in this way? Do you think that the law has not kept up with the technology?
Coffee Break // Cyber News 007
Who would you trust with the power of Big Brother?
For my coffee this morning I pour myself a Red Eye… caffeine is the name of the game today.
I want to talk about the s-word:
Surveillance.
Anyone who’s had the (dis)pleasure of speaking to me for more than a handful of minutes has probably heard me wax eloquent on the matter of state surveillance.
It would be tempting to think, then, that I’m opposed to the concept en bloc.
Not at all—surveillance is an incredibly useful tool; it also just so happens to be one that is incredibly easy to abuse.
One doesn’t have to go far to find examples of useful surveillance. But just as easy to find are examples of governmental overreach.
The UK Home Office has frequently pushed Apple (an industry leader in message privacy and encryption) to backdoor their encryption and provide them with data from users of any national origin.
And while the freedom-loving patriot inside of all of us no doubt rebels at this attempted offense, we need to acknowledge the utility of these tools.
Consider the graph above… it seems pretty subjective, right? One of the hardest parts of this debate is finding where to draw the line.
Everyone is ok with a bank having a security camera to safeguard their money; no one is ok with being videotaped in the shower.
I’m not qualified enough to create exact measurements for this hypothetical formula, but I can recommend a guideline for judging how “good” a tool may be.
How severely could a Nazi abuse it?
I’m thoroughly opposed to watering down the political discourse by name-calling members of either party, so if you think I’m implying anything about a particular faction at this time, you are mistaken.
No, what I want to do with this cartoonish example is remove the “it’s ok we’re the good guys” from your mind.
Forget how upstanding a person your local LE and Sheriff’s dept. might be, forget how patriotic and noble your friends and family in the military might seem.
When you are evaluating a technology or methodology, you need to imagine a devil at the helm, not an angel.
Picture a literal Nazi, a goose-stepping SS member from 1939 with the skull on his hat and everything, and imagine what he would do with a given technology.
How about Flock cameras? A hugely popular pick among townships and cities across the US, Flock cameras and license plate readers have come under fire for being made widely available to all manner of agencies not originally contracted with them. (e.g. ICE, FBI, and more.)
My own neighborhood went to the trouble of installing cameras at the entrances to the development.
Flock provides some very real utility to LE. Last year I rode along with a local Sheriff’s deputy and saw firsthand how the deputies would get notifications if a license plate registered to a stolen car passed a given camera.
That’s pretty useful!
But let’s not forget our mental exercise. What if, instead of an honest, community-focused sheriff’s deputy looking at that data, it was someone evil?
All of a sudden, I’m not so game to have free access to cameras right by my house at every hour of the day.
Neither you nor I can pick who in government is going to have access to those systems. If we want to protect our 4th amendment rights, we have to limit the powers of the organizations that we fund through our tax dollars.
Every government and enforcement agency on Earth is pushing to equip themselves with the most advanced, AI-empowered surveillance systems in the world. It is in their interest to do so.
At the voting booth, it is your duty to tell them to restrain themselves for the good of our Republic and the morality of our culture.
//
In other news.
Security Week reports on an amusingly named attack procedure, the Battering RAM. The attack involves putting a piece of hardware, here called an interposer, between a computer’s CPU and its DRAM memory. The device can then bypass protected memory addresses and memory encryption.
The good news? Someone would need to physically install the device for the attack to work. The bad news? It’s relatively cheap and easy to do so. Be careful leaving your computer with that shady computer repair shop!
China is tightening regulations for its service providers. Starting in November, service providers will have only 60 minutes to report security incidents involving critical networks.
Reporting time limits are important for good response time in any jurisdiction, but 60 minutes is an insanely small window to hit. Fascinating.
Finally, an update on the NYC SIM farm. Jeffrey Burt of Security Boulevard reports that LE has found another 200,000 SIM cards and servers. Does this increased capacity lend greater credence to the Secret Service’s previous descriptions of the scale of the operation?
Coffee Break // Cyber News 006
A report on my day studying for the Sec+ exam.
It’s been a slow start to my day, I confess.
Awaking with a headache (Don’t stay up past midnight, kids) I enjoyed a lemon-lime Gatorade before my coffee today… meandering through my emails and a handful of communications left over from the day before, I turned at last to blessed caffeine.
Today I’m enjoying a Nespresso Capriccio. Nespresso encourages consumers to let this capsule’s “light acidity and a savory cereal note surprise you in this refreshing but deep light-roasted Arabica-Robusta espresso blend.”
Between you and me, I think it tastes like every espresso I’ve ever tried. Which, to be fair, is good.
After coffee, I adjust the parameters of Cold Turkey, an application and URL blocker that I use to stay focused on my work. Only the good lord knows why it took me this long to realize I could both block YouTube, and exempt specific educational channels in the same rule.
Confidently assured of my productivity, I spend too much time calibrating my AutoHotKey macros. I obsess over every keystroke saved by these trivial optimizations…
Practicing for the Sec+ Exam…
After breakfast/lunch, I consume a cup of half-caf and attempt a 90-minute practice exam from Professor Messer’s set. I just can’t quite come to the surface today… 80% correct, right on the line again.
The topics that threw me off all come from the sections on Security Architecture and Operations, with a few oddball questions about Encryption that I wasn’t sure about. It’s always nice to be able to see where you went wrong, and where you need to study up.
//
In the news.
I didn’t have much brain-power for the news today, but I did want to highlight a story from last week: a class action lawsuit against major credit reporting agency TransUnion. The TL;DR here is that TransUnion did not delete consumer data from its databases. This is an extremely common violation of consumers’ data rights—my gut instinct is that most companies don’t properly delete data they no longer should have because it is a) hard to enforce and b) they often have a financial incentive to continue leveraging that data.
In the case of credit reporting agencies like TransUnion, any user data is data they can potentially sell to anyone who wants to evaluate a borrower’s likelihood of repayment.
How does it make you feel that credit reporting agencies are selling you as a product even when they shouldn’t?
Coffee Break // Cyber News 005
Surveillance, surveillance, surveillance…
Ah, surveillance, surveillance, surveillance. That double-edged sword… we love it when it’s used on the bad guys, we hate it when it’s used against us. I strike a contemplative pose as I put my cup of half-caf in the microwave to reheat, for no other reason than to pretentiously retell the moment here.
Surveillance, surveillance, surveillance… hm.
One of my biggest concerns in this field is the massively growing capabilities of governmental agencies. People of all creeds have joked anecdotally about the NSA’s omniscience for years, but increasingly we see ICE and local LE openly gearing up with capabilities that rival the conspiratorial.
Reason.com details ICE’s $2 million contract with Paragon, a remote phone hacking service, and their $11 million contract for Cellebrite devices to crack phones in their possession.
Further, Reason reports that ICE has been accessing Flock security cameras around the country without giving specific reasons, and Palantir was scheduled to deliver a prototype tracking system called ImmigrationOS.
It’s easy to distance ourselves from these issues by saying “that’s for illegal immigrants,” or “that’s just for criminals.” Remember, surveillance is a sword; it’s a weapon. If it’s used for good, it has its uses, but who oversees the ethics of its execution? Who ensures it won’t be used to silence political critics and viewpoints that whichever administration is in power wants silenced? Make no mistake—left, right, foreign, or domestic, any party with power will abuse it. Don’t make the mistake of thinking the “good guys” have the power.
When evaluating any powerful weapon you must ask: How would I feel if this were in the hands of my enemy? Of people who hate me and mine?
I’d better finish this coffee before it’s cold again.
\\
Also in the news.
The internet runs on encryption. In the big bowl of wifi and cell signals, the only thing keeping your information from being exploited by threat actors is its secrecy. But all that could change if the quantum computing arms race comes to fruition. A story from CIO details how current encryption standards are maybe not prepared for the paradigm shift that quantum computing could potentially bring. Although, cracking AES-256 is estimated to take trillions of years with current computational hardware… would quantum really reduce that amount by a significant enough margin?
I’m not so sure—but in this world it’s hard to tell VC hype from actual tech predictions.
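The standard estimate behind that question, added here as a worked equation rather than anything from the original post (the symbols $n$ for key length in bits and $N$ for the size of the key space are assumptions for illustration): Grover’s algorithm gives only a quadratic speedup on a brute-force key search, while Shor’s algorithm breaks RSA and elliptic-curve keys in polynomial time, which is where the post-quantum migration effort is actually focused.

$$N = 2^{n}, \qquad T_{\text{classical}} \approx N = 2^{256} \quad \text{for AES-256}$$

$$T_{\text{Grover}} \approx \sqrt{N} = 2^{n/2} = 2^{128}$$

So Grover cuts the effective strength of AES-256 to roughly 128 bits, a margin that is still far out of reach, which is why AES-256 is generally still considered adequate against quantum adversaries. The “trillions of years” figure shrinks, but the ciphers that actually fall to a large quantum computer are the public-key ones.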
So, you want an Apple AirTag, but you want to save a few bucks? Well, maybe don’t trust Life360’s Tile to do the job. According to the Verge, Tile tags not only fail to implement common-sense encryption, but they come with a so-called “anti-theft” mode that turns off the tag’s detectability… defeating the whole point of the tag in the first place.
Remember the 2008 bail-outs? Yesterday we looked at the story of Jaguar Land Rover starting to recover from their massive Cyber Attack. Via SecurityWeek this morning, we see that the UK government is giving a $2 billion loan guarantee to JLR’s creditor.
Will the bailout solve the problem, or just offer more incentive for bad actors to target UK institutions?
Coffee Break // Cyber News 004
Another Monday, another practice exam…
Gooood morning, ladies and germs,
Happy Monday! I hope everyone had a restful weekend. I had a grand old time getting caught up on sleep and catching up with my online RPG group.
I’m off to the races this morning with a little joe and a Sec+ practice exam. I got an 89% on this go-around; a solid improvement over the 72% I scored on it a month ago. Feelsgoodman.
\\
News round-up.
This morning.
I see that the Department of War has released an overview for their new cybersecurity framework. Frameworks in the cybersecurity space often serve the role of checklists for professionals to follow.
They are jumping off points that need to be tailored to the needs of a specific organization, but still serve as a solid starting point. Without documentation like this, even the best cybersecurity professionals will forget crucial vulnerabilities and leave potential openings in the attack surface.
In the crime world, a reminder that not all cyber crime is ransomware. A group calling themselves Radiant (No relation to Radiant, I imagine) stole pictures and personal data from a large number of nursery children and their families, the BBC reports.
As someone who substitute teaches now and again, nurseries, schools, and after-school operations haven’t exactly encouraged me in terms of their information security. Still, there is only so much you can do—when you put yourself or your child in the public square, you have to have a certain expectation that even undesirables may gain access to your information. 🎵Hide yo kids…🎵
In the world of supply chain attacks, Jaguar Land Rover has announced a partial resumption of production after a prolonged cyber-attack forced them to halt operations in early September. While I couldn’t find the specifics of the hack or the group behind it, the Guardian quotes Anupam Singhal as saying that JLR used:
“…smart factories where everything is connected.”
I can tell you right now, this lack of segmentation may not have been what enabled the hack in the first place, but it certainly allowed the hackers to violate such a large portion of JLR’s operation. In short: JLR may have had all their eggs in one basket in the name of efficient production.
The interruption in production will have cost them hundreds of millions of dollars by now and strained the finances of the smaller businesses in their supply chain.
This past weekend.
Suspected Russian incursions continue to test NATO members with drones violating their airspace. Will this be discussed at the unusual meeting of military brass that Defense Secretary Pete Hegseth has arranged?
A few more details trickle out about the Collins Aerospace cyberattack I’ve been following this past week. Evidently the attackers were using the ransomware “Hardbit.” SecurityWeek.com’s article discusses multiple different hacker groups that may have been behind the attack.
Coffee Break // Cyber News 003
A massive DDoS attack stopped by Cloudflare. Microsoft cuts off service for Israeli cyber Unit 8200.
Good morning guys and girls, I hope everyone has made it to Friday sane and a little richer than on Monday.
First, a quick matter of housekeeping. You may notice that a comments section has been enabled at the foot of this blog. Please chime in and let me know your takes on things!
The comments section of a given post should accept new comments for up to about a month after a post goes live. If you run into any issues with the comments section, please contact me through a different communication channel.
My security training trundles along this week with a focus on memorizing port numbers (some of the important ones, at least) and filling gaps in my knowledge. At this point I have a fairly good idea of what topics will be on the exam, and am methodically learning the ones that I can’t readily explain.
Practicing mastery of a topic by explaining it out loud is a process I’ve heard called the “Rubber Duck Method.” I endorse it fully—for me the most natural way to mentally manipulate a subject is to yap about it.
//
In the news.
A record-setting UDP carpet bombing was mitigated by Cloudflare. The DDoS attack in question sent a whopping 11.5 terabits per second (Tbps) for nearly a minute.
To put that in perspective, streaming an HD video from Netflix would take maybe as much as 7 Mbps. This attack was like 1.64 million devices trying to send video all at once to a single endpoint.
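A carpet-bombing flood spreads its volume across many addresses in one network block so that no single destination trips a per-IP threshold; the defensive answer is to aggregate per destination prefix as well as per host. The Python below is an added example, not anything from the original post or from Cloudflare; every flow record in it is constructed sample data, and the thresholds, the ten-second window and the /24 grouping are assumptions chosen for illustration.

```python
"""Added example (not from the original post): a per-prefix aggregation check
for UDP "carpet bombing" floods.

A carpet-bombing DDoS spreads its volume across many hosts in one network
block so that each individual destination stays under a per-IP threshold.
Aggregating UDP volume per destination /24 as well as per host catches the
pattern. Every flow record here is constructed sample data; the thresholds
and the /24 grouping are assumptions for illustration.
"""
import ipaddress
from collections import defaultdict

# Assumed detection thresholds (bits per second) and the minimum number of
# distinct target hosts before a prefix-level alert is raised.
PER_HOST_BPS = 1_000_000_000      # 1 Gbps to any single destination
PER_PREFIX_BPS = 5_000_000_000    # 5 Gbps into one /24
MIN_TARGET_HOSTS = 8
WINDOW_SECONDS = 10


def build_sample_flows():
    """Constructed flow records: (second, src_ip, dst_ip, proto, bytes)."""
    flows = []
    # Carpet bombing: 10 hosts in 203.0.113.0/24, each receiving
    # 100 MB per second of UDP (0.8 Gbps, under the per-host limit).
    for sec in range(WINDOW_SECONDS):
        for i in range(10):
            flows.append((sec, f"198.18.{i}.{sec}", f"203.0.113.{10 + i}", "UDP", 100_000_000))
    # Classic single-target flood: one host taking 200 MB per second.
    for sec in range(WINDOW_SECONDS):
        flows.append((sec, "198.18.9.9", "192.0.2.5", "UDP", 200_000_000))
    # Ordinary traffic: a web server taking modest TCP and UDP volume.
    for sec in range(WINDOW_SECONDS):
        flows.append((sec, "198.51.100.7", "192.0.2.80", "TCP", 5_000_000))
        flows.append((sec, "198.51.100.7", "192.0.2.80", "UDP", 1_000_000))
    return flows


def dst_prefix(ip, prefix_len=24):
    """Map a destination address onto its enclosing /24 (an assumed grouping)."""
    return str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))


def detect_udp_floods(flows, window_seconds=WINDOW_SECONDS):
    """Return alerts for per-host and per-prefix UDP volume anomalies."""
    host_bytes = defaultdict(int)
    prefix_bytes = defaultdict(int)
    prefix_hosts = defaultdict(set)
    for _sec, _src, dst, proto, nbytes in flows:
        if proto != "UDP":
            continue
        host_bytes[dst] += nbytes
        pfx = dst_prefix(dst)
        prefix_bytes[pfx] += nbytes
        prefix_hosts[pfx].add(dst)

    alerts = []
    # Per-host check: the classic single-target flood trips this one.
    for host, total in host_bytes.items():
        bps = total * 8 / window_seconds
        if bps >= PER_HOST_BPS:
            alerts.append({"kind": "host", "target": host, "bps": bps})
    # Per-prefix check: only fires when the volume is spread across many
    # hosts, which is exactly the case the per-host check misses.
    for pfx, total in prefix_bytes.items():
        bps = total * 8 / window_seconds
        hosts = prefix_hosts[pfx]
        if bps >= PER_PREFIX_BPS and len(hosts) >= MIN_TARGET_HOSTS:
            peak_host_bps = max(host_bytes[h] * 8 / window_seconds for h in hosts)
            alerts.append({
                "kind": "prefix",
                "target": pfx,
                "bps": bps,
                "hosts": len(hosts),
                "peak_host_bps": peak_host_bps,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_udp_floods(build_sample_flows()):
        print(alert)
```

On the sample data the single-target flood produces a host alert, while the carpet bombing produces only a prefix alert: no host in 203.0.113.0/24 exceeds 0.8 Gbps, but the block as a whole takes 8 Gbps across ten hosts. A real deployment would feed the same aggregation with NetFlow or sFlow records and tune the thresholds to the link capacity.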
In international news, China is sanctioning U.S. companies that support Taiwan’s military capabilities. The companies affected include satellite communications companies and unmanned aquatic vehicle manufacturers.
As per the Guardian, Microsoft has terminated its contract with the Israeli military’s famous Unit 8200. Evidently Israeli forces were utilizing Microsoft’s Azure cloud service to store millions of Palestinian phone calls that were being made each day in Gaza.
“We do not provide technology to facilitate mass surveillance of civilians. We have applied this principle in every country around the world, and we have insisted on it repeatedly for more than two decades.”
—Brad Smith, Microsoft vice-chair and president
Finally today, we have a report that at least one unspecified U.S. government agency was breached by a threat actor with suspected ties to the Chinese state. The hackers have evidently been exploiting the flaws for months. Yikes.
Coffee Break // Cyber News 002
As I study for the Sec+ exam, I ponder: are US companies selling spyware to China?
49 days until I take my Sec+ exam, and another 4 after that until I ship to BCT. In the meantime, I spend my days balancing study (shout out to Professor Messer), a little freelance graphic design and editing, and a few days of substitute teaching here and there to fill in the gaps.
Life is good, as is this lungo. (Which refers to the coffee, and not the slow-witted minion of remarkable strength that I keep in my employ…)
Studying is all well and good, as the materials that CompTIA and Prof. Messer put out are fairly comprehensive. Still, many gaps remain in my knowledge, and I find my head swimming by the afternoon as I attempt to memorize port numbers (I’ll come up with mnemonics for this dross if it kills me), attack vectors, and the countless acronyms that seem to infect the world of cyber.
I find that I have a fairly good grasp of all the surface level concepts, but struggle with the specifics of many areas, especially those that are focused around corporate conventions. My great disadvantage in this field is my lack of professional experience, which is something that I hope to remedy with my service in the National Guard, and my own futile attempts at homelabbing (more on that some other day.)
In the meantime I finish my coffee, and turn a passing eye to the news…
Following up on the stories that I’ve been tracking this week, we see more news sources reporting on the NY SIM farm. As more opinions chime in, I hear few voices echoing Marcus Hutchins’ skepticism. I’ll keep an eye on this one for a little while longer, but I suspect we may not receive any new developments.
In a development for the EU airport ransomware story, an unnamed man was arrested and subsequently released on bail in the UK. It will be interesting to see what, if anything, he’s charged and tried for.
In the surveillance space, more light is being shed on the role of American companies in aiding and abetting Chinese surveillance. Bipartisan voices are giving lip service to an important issue that’s closer to home than some of them realize. Here in America, companies like Flock and Palantir increasingly provide the government with dangerously powerful surveillance infrastructure to capture and interrogate the data of private citizens.
Consider the recent reports of ICE using Stingrays to locate immigrants. I discussed this invasion of privacy with a family member recently, and was surprised when they expressed unequivocal support for the effort. This is a mistake. Even if you agree with the goal of a given organization (like ICE) the methods are problematic. A government agency trawling our neighborhoods and intercepting all of our communications is hugely problematic.
Imagine if an ICE van followed your mail delivery van, and searched your letters as they were delivered. Is it any less of a violation of the 4th amendment that they are doing that to your unencrypted phone traffic? I need more coffee…
Coffee Break // Cyber News 001
Did we underestimate or overestimate the impact of the NYC SIM farm? Coverage from NPR clashes with that of cyber experts.
Good morning ladies and germs,
The world is still turning and burning (much like this cup of half-caf as it sears my stomach) and cyberspace is as always alight with warfare and crime. Here’s a quick round-up of some of this week’s cyber news so far.
Yesterday I covered the Secret Service’s press release about the SIM farm they busted near NYC. Major outlets have been picking up the story and adding their own spin to it over the past 24 hours and, much like I did at first, they’re largely parroting the Secret Service’s PR line. (More on that in a moment.)
Take, for example, NPR’s coverage of the matter. Not only do they repeat everything we learned in the original release, but they go on to imply that a PRC-linked APT group (APT in this context refers to an Advanced Persistent Threat), Salt Typhoon, might be involved. As far as I can tell, however, this is pure speculation on NPR’s part.
But before we go wild with interest over the potential involvement of foreign governments, we should take a step back and examine the actual scope of the SIM farm in question.
Playing counterpoint to the mainstream media opinions is cyber analyst Marcus Hutchins. An expert known for helping counter the infamous WannaCry attack in 2017, Marcus emphasized the scale of the attack as a reason for tempering our alarm.
“New York is incredibly dense,” Marcus opines. “… Think about the New Year’s Eve ball drop—you have possibly a million or more people all in Times Square at the same time. That is way more cell phones than this device actually has. … So it’s unlikely that a device with this low capacity would actually be able to overwhelm New York’s cell network.”
This is a great reminder for how media coverage can spin a story. I, and I’m sure many others, listened to the initial coverage and thought “wow, 100,000 is such a big number… that must make a huge difference!” without really stopping to consider the context in which that number is put. As Hutchins pointed out, 100,000 SIMs is a drop in the bucket to the overall network of NYC.
In other news, ransomware attacks committed against EU airports last Friday continue to cause delays and interfere with business operations.
In recent years, ransomware has rapidly become the most lucrative scheme in organized cybercriminals’ playbooks. So much of our modern world is dependent on digital infrastructure that any interruption to these services can put businesses in the unenviable position of having to either pay off the ransom to decrypt their systems, or risk greater losses in business while the systems remain inaccessible.
Coffee Break // Cyber News 000
Secret Service seizes 100,000 SIM cards.
As I sip my espresso this morning (ok, fine—slurp.) my eyeballs roam over a Secret Service press release that a family member passed along.
Given my interest in electronic and wireless security, I’m eager to learn more.
The press release details how bad actors (criminal and foreign actors) in the NY Tri-state area had constructed a network of 300 SIM servers and 100,000 SIM cards across multiple sites in a 35 mile radius.
Special Agent in Charge Matt McCool lays out the severity of this threat in his coverage on the Secret Service’s YouTube channel. This network had the capacity to take down cell phone towers and conduct major DoS attacks. Given the proximity of the network to the UN General Assembly and its capacity to seriously disrupt the telecommunications infrastructure, one can understand why the Secret Service acted to take it down.
For me, stories like this highlight the reality of cyberwarfare in our IT infrastructure. At all times, our adversaries are scoping out both governmental (UN, US Gov, etc) and civilian systems to exploit.
So much of our daily lives is linked inextricably to the continuous operation of telecommunications networks.
Consider the impact of CrowdStrike going down from a bad update in July of last year, or the Russian virus NotPetya wiping out hundreds of millions of dollars of business by catching shipping giant Maersk in the crossfire of their cyberwar with Ukraine. How many 1s and 0s stand between you and your grocery store shutting down, and your gas stations running out?
I’ll try and follow this story a bit, and update it and others as time goes on.
Who do you think is behind this network that they’ve taken down?
Worms, a Trowel, and My Brain(s)
How many people live in your head, really?
When you were a child, did you ever cut an earthworm in half with a trowel? I don’t think I ever did, but I’m certain we all heard the urban legend: “If you cut a worm in half, both halves will grow back.” While untrue for earthworms, there are species (like the flatworm) that can do this.
The human consciousness is a concept that, at first blush, has nothing in common with flatworms. For a majority of us, our conscious experience is a seemingly continuous flow between each sleep cycle. And implicit to these assumptions is the underpinning assumption that we are each one, singular consciousness.
But learning of the existence of the corpus callosotomy procedure has challenged my acceptance of that notion.
A surgery typically used to help with severe seizure disorders, the corpus callosotomy acts to sever a large portion of interhemispheric tissue, largely separating the halves of the brain.
Outside of reducing the severity of seizures (its intended usage), this procedure can have deeply intriguing side effects. They are myriad and I encourage you to take a deep-dive on Wikipedia to learn more about them, and the very interesting studies performed with their patients, but today I want to focus on the implications of one side effect in particular:
A relatively rare effect, Alien Hand Syndrome occurs when the two hemispheres attempt to act out of sync with each other. If my left brain wants to put on my pants, but my right brain does not, one hand may confound my attempt to put on said pants. One thinks immediately of a certain Dr. Strangelove scene…
Alien hand syndrome poses a problem of categorization. We intuitively categorize the brain as the seat of consciousness for one person alone. But if the hemispheres of the brain are acting in opposition to each other, is that not evidence of more than one intellect (or at least will) being present?
For sake of argument, let us say that it is theoretically possible to divide a human mind very precisely into more than one person, in a manner vaguely analogous to the division of flatworms.
Delving into the realm of what might mildly be called “mad science,” what if we took a pair of twins (to maximize genetic compatibility), and exchanged their left brains? Memory is a bihemispheric affair—how would it be affected? Would new memories be imagined in order to make sense of the disparities, or would the resultant hybrid-brained person be completely impaired by the conjunction of the hemispheres? Would the hybrid-persons articulate a body-swapping experience, since we moved their left brains specifically?
Stepping back to reality, let’s imagine a far more plausible scenario: could a relatively normal-functioning corpus callosotomy patient (one who isn’t suffering from alien hand syndrome or similar) have such a syndrome induced by process of indoctrination?
Let me explain. In some real experiments, researchers have given instructions to one hemisphere (“Walk across the room”) but not the other hemisphere. After the patient walked across the room, the researchers would question the other hemisphere. (“Why did you walk across the room just now?”) Reportedly the patient would then articulate an invented reason (“Oh, I wanted to pick something up from over here.”) and not be knowingly lying; their brains would simply rationalize the inexplicable actions.
Could a less-than-ethical researcher induce a personality conflict or alien hand syndrome in a person by, over a larger period of time, feeding a significant amount of data to the right brain that would never be given to the left brain? Does the right brain have sufficient conscious activity to diverge in personality and will from the left? I suspect so.
I think it very likely that the human mind is not a singular entity, but rather a collective of portions. After all, it is largely acknowledged that we have not merely conscious minds, but semi-conscious and unconscious faculties as well.
There are so many philosophical questions posed by this area of study… if I don’t digress now, I’ll be stuck here all day.
I’ll leave you with a personal anecdote: when I was a boy (6 or younger, I think) I recall lying in bed late one night, and becoming aware of a horrifying realization: An arm was creeping up over the edge of the bed! I lay completely still, paralyzed by the certain fear that I was, at long last, about to meet the horrible monster-things that hide under children’s beds at night. After what felt like hours of excruciating deliberation I finally resolved to act. With my left hand I seized the arm, just at the same moment as it seized my right! Terror shot through me like lightning and I wrestled desperately for a brief moment before I finally realized that I had grabbed (you guessed it) my own arm which had, presumably, fallen asleep.
A Surplus of Words…
An introduction to the blog.
It is the height of hubris to speak when you have nothing to say.
Ergo, I must be full of myself.
This blog has no grand theme beyond that which interests me. I use it to opine on matters philosophical, aesthetic, and otherwise jibber-jabber as I please.
If these vapid musings are of interest to you—by all means subscribe to it.