You know, reading this NYT, I have a theory... & oddly it’s maybe traced back to the #CDM program. This was the first government-wide effort to enumerate agency infrastructure, down to core components & architecture. Which could explain why #SolarWinds was an effective vector 1/
So they say they got into Treasury D.O. accounts (Departmental Offices). But thinking, if this went back always for 2019 and prior, I think about how casually docs for CDM were shared between the agency leads and the contractors doing CDM. nytimes.com/2020/12/21/us/… 2/
To that end, if you got a dump of those, either from DHS, an agency, or contractor (which were also limited in number), you literally have a map with road signs as to what was installed where, who managed it, and what was enabled. This is easy targeting info. 3/
The reports out denote precision targeting and stealth, and given that the only program that had that level of infrastructure detail from across government was that - and it was compulsory to provide. Probably looking at that, they saw large swaths of SolarWinds as a common floor
Also, I say this as somebody who ran Phase 1 and part of Phase 2 for all of Treasury and knew the info gathered. Internally, we secured the data, but still had to provide it to contractors, so it left agencies, and no accounting where it went after that. I’d be ...
Curious if we see HPE, DXC and BAH wrapped up in the investigation... if this was a vector - which scares the shit out of me. We went through so much to clear folks into areas, IRS being the hardest, TBH... and then maybe this being the key? Hypothesis, yes, confirmed, nope.
Just could be the tools and programs designed to prevent or save us from having this happen - actually be the things that caused the downfall. (Also, those docs had listed what stuff wasn’t being monitored or brought into centralized logging and auth)
Thread by Amélie E. Koran (@webjedi)