jacobian
7 Jan, 13 tweets, 3 min read
So much this. A physical breach is a nightmare scenario for infosec.

On the off-chance that any of my followers are involved in this -- I do have some experience in scenarios like this and would be happy to help. If I can be of assistance hit me up.
Just to give folks who aren't in the field an idea what we're talking about:

- we must assume that foreign agents were among the rioters
- snooping devices can be implanted into anything with a power cord
- so every device in the capitol is now a potential foreign asset
So, just for starters:

- all computers need to be inventoried, inspected inside and out, and the OS paved/rebuilt
- keyboards, mice, &c might now have implants, they probably should be tossed (see eg keelog.com/forensic-keylo… which looks like a usb cable but is in fact a logger)
Then everything with a power source needs to be audited. This means lamps. Thermostats. Those cute little portrait lights on top of photos. The vacuum cleaner in the storage closet. Even outlets — a fav trick of one Red Team I know is a fake outlet cover that hides a mic.
I'm probably missing about a dozen things. This is off the top of my head and I suck at physical security.
Oof, via a friend who'd like to remain anon, a huge one I missed: rioters were inside the capitol long enough to re-flash the firmware on any device with writeable firmware - which these days is almost everything. Anything with a mic or camera probably needs to be tossed.
Mic, camera, or internet access.

Oh for fuck's sake, I really hope Congress was smart enough not to install any IoT crap.
Remember: the "S" in "IoT" stands for "Security"

(*not my joke, but I can no longer recall where I first heard it)
Just to give an idea of the scope of work here:

the worst PhysSec breach I handled was when someone stole about a dozen laptops during an office party. He was inside for about 10 minutes, on security cams the whole time. That took several days to recover from.
Just to be clear: the IT breach is hilariously far from the worst to happen today. That's the attempted overthrow of our government by white supremacists, incited to violence by the president.

I'm writing about IT b/c the other thing is just too much for me to think about rn
This is a good point, another thing I missed. I don’t know much about classified info. I’d like to assume that all would be kept in a SCIF but it occurs to me that I don’t actually know for sure that the Capitol has SCIFs (surely they do, right?)

Yes, there are SCIFs in the Capitol. That’s good, because it means the most sensitive info was contained therein, logs of what’s inside, and camera coverage showing if they’ve been breached. But if one has, it’s a whole other level of bad.
Looks like, thank goodness, things may not quite be worst-case scenario at the Capitol. Here's a good thread from someone a lot more well-informed than I am:
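The "inventory, inspect, rebuild" steps and the firmware-reflash point in the thread above, as an added example (written for this page, not the thread author's code): reconcile a pre-incident device inventory against a post-incident sweep, and assign each device a triage disposition following the thread's own rules (unknown or reflashed devices that can listen, watch or reach a network are retired; computers get their OS rebuilt; keyboards, mice and cables are retired regardless). It assumes a pre-incident inventory with firmware digests exists; the record fields, device kinds and sample devices are constructed for the example.

```python
"""Added example, not the thread author's code: reconcile a pre-incident
device inventory against a post-incident sweep and assign a triage
disposition. Field names, device kinds and sample data are constructed."""
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Device:
    asset_tag: str
    serial: str
    kind: str               # e.g. "laptop", "keyboard", "thermostat" (constructed vocabulary)
    firmware_sha256: str    # digest of a firmware image dumped from the device ("" if none)
    has_mic_or_camera: bool
    network: bool           # any network interface, wired or wireless


def firmware_digest(image: bytes) -> str:
    """SHA-256 of a dumped firmware image, as stored in the inventory."""
    return hashlib.sha256(image).hexdigest()


def reconcile(baseline, sweep):
    """Compare two inventories keyed by serial number.

    Returns lists under 'new' (in sweep only), 'missing' (in baseline only),
    'firmware_changed' (same serial, different digest) and 'unchanged'.
    'unchanged' only means the two dumps matched; it is not proof of integrity
    if the dump was produced by the device's own (possibly replaced) firmware.
    """
    base = {d.serial: d for d in baseline}
    seen = {d.serial: d for d in sweep}
    result = {"new": [], "missing": [], "firmware_changed": [], "unchanged": []}
    for serial in sorted(seen.keys() - base.keys()):
        result["new"].append(seen[serial])
    for serial in sorted(base.keys() - seen.keys()):
        result["missing"].append(base[serial])
    for serial in sorted(base.keys() & seen.keys()):
        if base[serial].firmware_sha256 != seen[serial].firmware_sha256:
            result["firmware_changed"].append(seen[serial])
        else:
            result["unchanged"].append(seen[serial])
    return result


def disposition(dev: Device, status: str) -> str:
    """Triage rule following the thread's reasoning.

    - Keyboards, mice and cables are retired regardless: a cable-sized implant
      cannot be ruled out by a firmware digest.
    - Unknown devices and devices whose firmware changed are not trusted: if they
      can listen, watch or reach a network they are retired, else inspected.
    - Computers with matching firmware still get their OS paved and rebuilt.
    - Everything else is opened up and inspected before reuse.
    """
    if dev.kind in {"keyboard", "mouse", "cable"}:
        return "retire"
    if status in {"new", "firmware_changed"}:
        return "retire" if (dev.has_mic_or_camera or dev.network) else "inspect"
    if dev.kind in {"laptop", "desktop", "server"}:
        return "rebuild_os"
    return "inspect"


def triage(baseline, sweep):
    """Return {asset_tag: (status, action)} for every device expected or found."""
    out = {}
    for status, devices in reconcile(baseline, sweep).items():
        for dev in devices:
            action = "locate" if status == "missing" else disposition(dev, status)
            out[dev.asset_tag] = (status, action)
    return out


# Constructed sample data: a pre-incident baseline and a post-incident sweep.
FW_A = firmware_digest(b"vendor-firmware-1.2.3")
FW_B = firmware_digest(b"vendor-firmware-1.2.3-reflashed")

BASELINE = [
    Device("CAP-0001", "SN-LAP-1", "laptop", FW_A, True, True),
    Device("CAP-0002", "SN-LAP-2", "laptop", FW_A, True, True),
    Device("CAP-0003", "SN-KBD-1", "keyboard", FW_A, False, False),
    Device("CAP-0004", "SN-THERMO-1", "thermostat", FW_A, False, True),
    Device("CAP-0005", "SN-LAMP-1", "lamp", "", False, False),
]
SWEEP = [
    Device("CAP-0001", "SN-LAP-1", "laptop", FW_A, True, True),          # digest matches
    Device("CAP-0003", "SN-KBD-1", "keyboard", FW_A, False, False),      # matches, still retired
    Device("CAP-0004", "SN-THERMO-1", "thermostat", FW_B, False, True),  # reflashed, networked
    Device("CAP-0005", "SN-LAMP-1", "lamp", "", False, False),
    Device("CAP-9999", "SN-UNKNOWN-1", "cable", FW_B, False, False),     # not in baseline
]

if __name__ == "__main__":
    for tag, (status, action) in sorted(triage(BASELINE, SWEEP).items()):
        print(f"{tag}: {status} -> {action}")
```

Two caveats a practitioner would apply: a firmware digest is only worth anything if the image was dumped with an external programmer (chip-off or an SPI clip), because implanted firmware can hand back a clean image when asked to read itself out; and serial numbers can be cloned, which is why the asset tag is tracked separately and why anything not in the baseline counts as "new" whatever it reports about itself. "Missing" devices need a physical search, since a device that left the building may also have come back as a lookalike.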
