I am so tired of conspiracy theories about 1) Nationwide blackouts 2) Nationwide internet takedowns
It's like suggesting somebody is going to simultaneously unscrew every screw of varying sizes and types in your home.
Neither of those things is happening in modern times without a nuke or an asteroid.
Also, the "national blackout" wet dream conspiracy theory is about the lamest one I can possibly think of - grow some post-apocalyptic creativity. Places all over the world do fine with unstable power. I think of 11 more interesting ways to destroy civilization by breakfast.
Okay, so real talk - some countries with authoritarian governments have constructed their nationalized internet infrastructure so there are only a few ways in and out and it *can* be shut down by the government. Ours is a commercial hodgepodge of redundancies and egress points.
With regards to power infrastructure in the United States - we *do not have a national grid*. Here's what it actually looks like. We even share some infrastructure with Canada. We have three grids. They are each made up of a colorful mix of independent providers and technologies.
Can you imagine, as red teamers, coordinating efforts to take down power in three separate grids, eight regions, four interconnects, and 3,300 electric utilities all using slightly different tech or operational models?
Like I said, your conspiracy theories are inadequately researched and lack creativity.
Before our salespeople yell at me - electric utilities and their industrial systems are absolutely a target of hacking, and adversaries are exploring and targeting them for a multitude of criminal and state-sponsored reasons. However, they're using a scalpel, not a machete.
Here's a good twitter list which includes my much more accomplished pals in ICS security at some different companies, from @chrissistrunk twitter.com/i/lists/969993…
We live in wild times. Absolutely unbelievable, what’s happened in the span of one week. So much precedent being set, too.
I find the Parler takedown especially fascinating. Yes, there’s schadenfreude because many awful humans are using it to hurt people, but it is also a glimpse into all the logistical and technical elements that make a modern social site “go”, who can cut them off, and how fast.
We watch malware site and infrastructure takedowns all the time, but those are often LEO backed and not normally like, web presences with MFA and legitimate payment processing.
I would pay very serious and close attention to Mr. Nance. He is an eminently credible expert and I trust his judgement. Review your physical security plans at offices and data centers.
The safety and security of your people comes first. How are they protected, and how can they be rapidly evacuated or shelter safely in place? Have they recently drilled fire and active shooter scenarios? Is it essential they be on site?
After that, consider your disaster recovery, data security, and redundancy planning specific to physical attacks. What happens if there is major damage to a single data center or its links? Have these plans been reviewed and adjusted since the pandemic impacted operations?
Many many tweeters who think Parler is down because of App Store removal, and also that that somehow violates their 1st Amendment rights.
Clarification: both of those things are untrue.
Removing an app from the store simply makes it unavailable to download or update. The first amendment protects Americans from government suppression of free speech. Thank you for coming to my TED talk.
Twitter could change its TOS to ban all mention of pancakes, and promptly ban me for no other offense.
It's going to be really... interesting to research and report vulns to voting machine companies after one has been pushed into pursuing a *1.3 billion dollar* defamation case. Hopefully security researchers can maintain their good relationships with them.
Can imagine that figure scaring some folks off, especially inexperienced ones not backed by corporate lawyers. Particularly in cases where there's no or poor response to private disclosure.
(They are well within their rights to sue, of course - if I haven't made that abundantly clear)
It’s challenging to try to explain to liberal and libertarian, privileged baby boomers who are not already activists why gen x, millennials, gen z are arguing for what they perceive as very extreme political and social change. Healthcare, college debt relief, or social justice...
Until I started having conversations with otherwise sensible older people who are center-left and do support things like gay marriage, I didn’t realize how much of a disconnect and blind spot there is. A lot of my 20s-40s friends are in serious perpetual debt with no healthcare..
Economically, structurally, and socially people’s lives have changed a lot in the past fifty years...
Just a reminder that you can’t build a successful threat hunting program to detect the APT indicators everyone is posting unless you actually build the capacity to threat hunt - which has prerequisites, like understanding your environment and building collections of log sources.
Otherwise you’re just throwing pasta at the wall and hoping something will stick, and you don’t know if it means anything if it doesn’t.
Actual serious threat hunting: 1) Builds upon reasonably mature security monitoring capability 2) Requires actual well thought out hypotheses about what an adversary might be doing in your environment based on architecture, Intel, Crown Jewels