So... I suppose it’s time to share a bit.
I have always worked to try to educate the government so they can make better informed decisions that will benefit all citizens.
1/n documentcloud.org/documents/4598…
I have always worked to try to educate the government so they can make better informed decisions that will benefit all citizens.
1/n documentcloud.org/documents/4598…
During the last election the Democrats reached out to me.
I was happy to help and made it clear that if a reasonable candidate from an opposition party asked for my advice I would provide similar counsel in regards to improving computer, network, and information security.
2/n
I was happy to help and made it clear that if a reasonable candidate from an opposition party asked for my advice I would provide similar counsel in regards to improving computer, network, and information security.
2/n
I lean a particular way, but my goal is to do the greatest good irrespective.
They were ok with that.
3/n
They were ok with that.
3/n
I devoted a lot of personal time attempting to educate people. Some of these people were considered experts in the field, although none had operational or technical experience and I called them on that. They did have management and government experience, which is important.
4/n
4/n
I argued internally for a lot of improvements and changes (CFAA, ECPA, title 10/50 challenges, protecting vuln research, etc.).
The most effort was expended on trying to get them (and any political candidacy that would listen to me) to implement rudimentary OPSEC protocols.
5/n
The most effort was expended on trying to get them (and any political candidacy that would listen to me) to implement rudimentary OPSEC protocols.
5/n
Biggest pushback, from people now touting themselves as candidates for security advisors to new politicos, was surprising:
They refused to require 2fa: it would be annoying.
They pushed back on gsuite to enable document control/access/auditing: another email is too much.
6/n
They refused to require 2fa: it would be annoying.
They pushed back on gsuite to enable document control/access/auditing: another email is too much.
6/n
I walked them through previous compromises of both parties in prior elections.
The bare minimum defense, which GOOG has made pretty easy to achieve (they were already using GOOG), which disproportionately raises adversary costs, was too much to ask.
It gets better/worse.
7/N
The bare minimum defense, which GOOG has made pretty easy to achieve (they were already using GOOG), which disproportionately raises adversary costs, was too much to ask.
It gets better/worse.
7/N
I offered to deploy 2fa, hardened computers, and configure the communal (cloud) work systems to protect their information. No cost.
It was turned down. But I tried.
A bunch of things happened They are well known and politicized in various ways.
But wait, there’s more... 8/N
It was turned down. But I tried.
A bunch of things happened They are well known and politicized in various ways.
But wait, there’s more... 8/N
After the election my name started to float around inside the Oval Office of the incumbent as a possible option for the “Cyber Czar” (or similar) role.
People reached out to me to see if I would be receptive.
I relayed that if I could help my country I would consider it.
9/n
People reached out to me to see if I would be receptive.
I relayed that if I could help my country I would consider it.
9/n
Shortly after that I get contacted by Russia Today (RT) asking if I would do an on air interview on voting security (not an area in which I am publicly known to be involved). Strange.
I’ve spiked on foreign lists before.
Back channels confirm/imply I’m ‘interesting’ again.
I’ve spiked on foreign lists before.
Back channels confirm/imply I’m ‘interesting’ again.
I get an OOB message that I’m off the table. I ‘helped’ the opposition party so I’m tainted.
I think both parties have (different) serious issues, which is why I’ll try to improve either of them if I see an opportunity.
But now I’m in an interesting place: ...
I think both parties have (different) serious issues, which is why I’ll try to improve either of them if I see an opportunity.
But now I’m in an interesting place: ...
The people who asked for my counsel fought basic hygiene, which made the subsequent compromises easier/possible.
The new administration considered me an enemy because I tried to educate the opposition party (even though I was willing to educate anyone).
and then..
The new administration considered me an enemy because I tried to educate the opposition party (even though I was willing to educate anyone).
and then..
Shortly after my name gets tossed around inside the executive branch RT reaches out to me.
That could be a coincidence, probably was (my old colleagues imply otherwise). But whatever.
The topic was a bit disconcerting though (hacking national elections) 2016/2017...
That could be a coincidence, probably was (my old colleagues imply otherwise). But whatever.
The topic was a bit disconcerting though (hacking national elections) 2016/2017...
Only a few days later I start getting interesting iMessage spam (I don’t open it or click on anything). iMessage spam is relatively costly... good job Apple.
A few days later white screens of death (common for failed jailbreaks) each time shortly after I power cycle.
A few days later white screens of death (common for failed jailbreaks) each time shortly after I power cycle.
I can’t confirm that this isn’t/wasn’t some of ‘my’ own kit being thrown back against me.
It looks like it, and it also only worked against a few minor revs prior to what I was running.
Similar failure modes to what you see in the failures above after Apple patched.
It looks like it, and it also only worked against a few minor revs prior to what I was running.
Similar failure modes to what you see in the failures above after Apple patched.
So what I ‘choose’ to take from all of this is:
A) Occasionally I warrant nation state interest (yay?)
B) I don’t warrant high end stuff (that I know of)
C) The recent indictment is very forthcoming compared to what the IC/DoJ normally reveal.
documentcloud.org/documents/4598…
A) Occasionally I warrant nation state interest (yay?)
B) I don’t warrant high end stuff (that I know of)
C) The recent indictment is very forthcoming compared to what the IC/DoJ normally reveal.
documentcloud.org/documents/4598…
End of Line
/HT MCP
/HT MCP
