Profile picture
Mudge @dotMudge
, 17 tweets, 4 min read Read on Twitter
So... I suppose it’s time to share a bit.

I have always worked to try to educate the government so they can make better informed decisions that will benefit all citizens.

1/n documentcloud.org/documents/4598…
During the last election the Democrats reached out to me.

I was happy to help and made it clear that if a reasonable candidate from an opposition party asked for my advice I would provide similar counsel in regards to improving computer, network, and information security.

2/n
I lean a particular way, but my goal is to do the greatest good irrespective.

They were ok with that.

3/n
I devoted a lot of personal time attempting to educate people. Some of these people were considered experts in the field, although none had operational or technical experience and I called them on that. They did have management and government experience, which is important.

4/n
I argued internally for a lot of improvements and changes (CFAA, ECPA, title 10/50 challenges, protecting vuln research, etc.).

The most effort was expended on trying to get them (and any political candidacy that would listen to me) to implement rudimentary OPSEC protocols.

5/n
Biggest pushback, from people now touting themselves as candidates for security advisors to new politicos, was surprising:

They refused to require 2fa: it would be annoying.

They pushed back on gsuite to enable document control/access/auditing: another email is too much.

6/n
I walked them through previous compromises of both parties in prior elections.

The bare minimum defense, which GOOG has made pretty easy to achieve (they were already using GOOG), which disproportionately raises adversary costs, was too much to ask.

It gets better/worse.

7/N
I offered to deploy 2fa, hardened computers, and configure the communal (cloud) work systems to protect their information. No cost.

It was turned down. But I tried.

A bunch of things happened They are well known and politicized in various ways.

But wait, there’s more... 8/N
After the election my name started to float around inside the Oval Office of the incumbent as a possible option for the “Cyber Czar” (or similar) role.

People reached out to me to see if I would be receptive.

I relayed that if I could help my country I would consider it.

9/n
Shortly after that I get contacted by Russia Today (RT) asking if I would do an on air interview on voting security (not an area in which I am publicly known to be involved). Strange.

I’ve spiked on foreign lists before.

Back channels confirm/imply I’m ‘interesting’ again.
I get an OOB message that I’m off the table. I ‘helped’ the opposition party so I’m tainted.

I think both parties have (different) serious issues, which is why I’ll try to improve either of them if I see an opportunity.

But now I’m in an interesting place: ...
The people who asked for my counsel fought basic hygiene, which made the subsequent compromises easier/possible.

The new administration considered me an enemy because I tried to educate the opposition party (even though I was willing to educate anyone).

and then..
Shortly after my name gets tossed around inside the executive branch RT reaches out to me.

That could be a coincidence, probably was (my old colleagues imply otherwise). But whatever.

The topic was a bit disconcerting though (hacking national elections) 2016/2017...
Only a few days later I start getting interesting iMessage spam (I don’t open it or click on anything). iMessage spam is relatively costly... good job Apple.

A few days later white screens of death (common for failed jailbreaks) each time shortly after I power cycle.
I can’t confirm that this isn’t/wasn’t some of ‘my’ own kit being thrown back against me.

It looks like it, and it also only worked against a few minor revs prior to what I was running.

Similar failure modes to what you see in the failures above after Apple patched.
So what I ‘choose’ to take from all of this is:

A) Occasionally I warrant nation state interest (yay?)

B) I don’t warrant high end stuff (that I know of)

C) The recent indictment is very forthcoming compared to what the IC/DoJ normally reveal.

documentcloud.org/documents/4598…
End of Line

/HT MCP
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Mudge
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @dotMudge see all

Profile picture
A few weeks back the non-profit group CITL, cyber-itl.org, released a comparative report of software hygiene in 28 home routers...

and vulnerabilities that affect all Linux MIPS systems (not just IoT).

Some thoughts and data...

(Thread 1/N)

cyber-itl.org/2018/12/07/a-l…
This thread intends to get past some security nihilism, use data to refute some assumptions put forward by people as “facts”, and point out the big picture... which the security community largely missed.

Something about not being able to see the forrest through the trees ;)

2/
Let’s look at the router paper first.

cyber-itl.org/assets/papers/…

It’s true that none of the routers did well in regards to basic software safety hygiene, but thinking there’s nothing consumers can do is security nihilism and misses the actionable information in the paper...
Read 16 tweets
Profile picture
Due to Floating Point emulation, Linux MIPS (Kernels 2.4.3.4 through 4.7 2001-2016) have executable stacks.

The patch, released in 2016 and still present - Kernel 4.8, introduces a universal DEP and ASLR bypass.

cyber-itl.org/2018/12/07/a-l…

cyber-itl.org/assets/papers/…
Think about this for a moment...

MIPS is the most common architecture for home routers (ubiquity, Netgear, Asus, linksys) and similar devices.

It is also found in telecom gear, next gen corporate firewalls, corporate switch fabric, etc. for control plane, data plane, or both.
What makes this particularly tough to remediate is that addressing the issue needs the Kernel fix and *also* updates to the compiler toolchains and *also* that vendors/developers adopt both of these and *also* turn on the needed settings if they aren’t default enabled...
Read 5 tweets
Profile picture
On ‘names are hard’, X509 Distinguished Names (DN) can be a downright minefield.

Consider military (gov) where rank is part of the distinguished name field.

So what happens when someone gets a pay raise (get’s promoted)?

Each time that happens the DN changes which means...
The old certificate needs to be revoked.

Onto the certificate revocation list it goes...

New digital certificates are issued, access cards re-provisioned, CAs updated (and eventually synchronized).

Life goes on...

But what happens to the certificate revocation list (CRL)?
According to Wikipedia there were over 17 million Common Access Cards issued by 2008.

That’s a decade ago and there are ~1.4 million people in the US military this year alone (according to Google). Don’t forget that we’re talking about a lot more than just military people...
Read 5 tweets

Related threads

Profile picture
2 friends one in mid 30's (F1) and another in mid 40s (F2) met up after almost a decade.. after sometime the conversation was about politics and slowly they were up n about discussing the situation over past 5 yrs..

The conversation went as thus -

1/n
F1: hey have u seen the way India has zoomed back into the top 5 economies of the world?
F2: yes, I heard that. Infact they r on the verge of moving into 4th spot pretty soon n into 3rd spot in next 5 yrs or so if the same level of pace continues

2/n
F1: isn't it shame that it took us so long to get there while many other countries smaller than us that got freedom at about same time as us have zoomed past us
F2: yes that's true but we had our own challenges and in any case let bygones be bygones
F1: yes I agree

3/n
Read 45 tweets
Profile picture
Time to take my twitter beyond pedantic comments on @C_Garthwaite and live tweet the nber Health meetings to all 198 of my followers, including several humans
First up is Ami Ko presenting work with Hanming Fang on rating areas in the ACA —
The ACA imposes many “community rating provisions” — you have to charge everyone the same price with the exception of age, smoking status and geography
Read 122 tweets
Profile picture
[thread]

tl;dr:
1. Estimates are not necessarily waste.
2. Feature/story level estimation is almost always unnecessary.
3. You’re probably doing estimation wrong anyway.

For 1 we’re going to need a brief intro to Throughput Accounting (don’t worry) and what is and isn’t waste.
Throughput Accounting is dead simple. There are only three numbers:
- “Throughput” is how much money you make selling your product.
- “Inventory” is how much you spend on stuff you turn into Throughput.
- “Operating Expense” is how much you spend turning Inventory into Throughput
In this context Lean defines three types of work:
- “Value-adding work”, or just “Work”, is anything that turns Inventory into Throughput.
- “Kaizen” is anything you do to improve the system of work. More on that later.
- “Waste” is anything else: neither delivery nor improvement
Read 23 tweets
Profile picture
“Public attribution of foreign influence operations can help to counter and mitigate the harm caused by foreign-government-sponsored disinformation,” Rosenstein said. “When people are aware of the true sponsor, they can make better-informed decisions.” washingtonpost.com/world/national…
“Cyber is the new terror”

— Dan Coats, July 19, 2018
Fake, misleading social media posts exploding globally, Oxford study finds... 2016 U.S. election was part of a global “phenomenon”. amp.mcclatchydc.com/news/nation-wo…
Read 6 tweets
Profile picture
Having finished The Authoritarians, it's time to start a new thread of #IanLivetweetsHisResearch. Today I am finally getting past the introduction of How Propaganda Works by Jason Stanley.
Having slogged through some proper academic writing in my day, Stanley's writing is blessedly accessible. But after Altemeyer's light tone and constant dad jokes, Stanley's reads as pretty dry.
So far the introduction is full of a lot of quotations about the nature of democracy, from Victor Klemperer to Elizabeth Anderson to Plato. OF COURSE Plato.
Read 409 tweets
Profile picture
Things that surprised/amazed me about Japan, an ongoing thread.

(More likely UI than food, but you know this already.)

It’s my first time here. Please comment away and/or point out my cultural insensitivities!
1. A very friendly immigration officer and I laughed together, and when I said “I don’t really know where I’ll be staying,” he actually applauded it.
2. Very nice and clean train from the airport, with power sockets, and vending machines onboard.

Tons of solar panels passed by on the way.
Read 427 tweets

Trending hashtags

#RecordStoreDay #MOAB #dollars #ItsTime #independent #day1 #capitalism #formulafeeding #PeakTV #UninventInternet #Winning #government #childbirth #FactCheck #farmers #FLY #election #Lobbyist #LookNow #biomedicalization #SANSNetworkSecurity #Hitler #RecordStoreDay2019 #n #a6cee3

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!