@RidT's Threads
A reminder that the internet forgets every day, all the time. Unless we save it.
Yesterday I had coffee with @MarkGraham from the @internetarchive—I was, again, so inspired by their work and the principles that guide this work that I spontaneously donated $1K that evening.
Yesterday I had coffee with @MarkGraham from the @internetarchive—I was, again, so inspired by their work and the principles that guide this work that I spontaneously donated $1K that evening.
@MarkGraham @internetarchive Eg: check out the Wayback Machine's fantastic new "Save Page Now" in beta, for example: web.archive.org/save (requires you're logged-in) 
@MarkGraham @internetarchive Oh, and if you work for a security company that does serious investigations, say in digital forensics or IR, there's a very good chance that the Wayback Machine is part of your employer's critical infrastructure.
Tell them to say thanks > archive.org/donate
Tell them to say thanks > archive.org/donate
Leaks have long been a sharp tool of diplomacy (many historical examples.¹) Yet Darroch's resignation is raising the stakes—and the pressure for UK investigators to identify the source, and quickly. Foreign offices everywhere are watching nervously.
___
¹ amazon.com/Active-Measure…
___
¹ amazon.com/Active-Measure…
It is important to keep an open mind about the leak's source—a genuine, UK gov't source is still the most likely hypothesis here.
It is also important to keep in mind the active measures precedents. Here's a recent one
It is also important to keep in mind the active measures precedents. Here's a recent one
This reminds me: German diplomats have a very elegant verb to describe the process of gently placing well-timed information into ongoing news coverage, 𝘥𝘶𝘳𝘤𝘩𝘴𝘵𝘦𝘤𝘩𝘦𝘯, which literally means "piercing through"
U.S. operators have reportedly hacked an Iranian intelligence unit in retaliation—fascinating story by @JennaMC_Laugh et al. A few notes and questions news.yahoo.com/pentagon-secre…
N1: it is likely that any U.S. cyber ops story sourced from officials in DC isn’t really about the good stuff—especially absent noticeable effects, and/or when okayed in one way or the other by officials, especially intelligence officials. Publicity burns capabilities.
N2: big ships are hackable swimming networks—many connected devices, very bored users, little open pen-testing, likely change-averse admins, likely bad patching, likely bad air-gapping on the water, even navigation and other control systems likely hooked up to legacy boxes.
A few observations on today's "online escalation" New York Times story. I see lots of people making assumptions and jumping to conclusions. Also, why I’m filing this story under to-be-confirmed for now. nytimes.com/2019/06/15/us/…
The story makes two big claims: that CYBERCOM has placed “implants” “inside the Russian grid,” and that these U.S. intrusions were intended to be noticed in order to deter Russian decision-makers.
The NYT does not seem to have access to the “classified details of the operation.” The NSC and the NSA declined to comment on the record.
Note the story isn’t just about “the Russian grid,” but also other potential targets. Likely military targets.
Note the story isn’t just about “the Russian grid,” but also other potential targets. Likely military targets.
Just FYI I'm automatically removing all my LinkedIn connections right now (didn't want to delete the account for research purposes).
linkedhelper.com > "connections remover" is slow but appears to work fine.
linkedhelper.com > "connections remover" is slow but appears to work fine.
I hereby authenticate my remaining profile on linkedin (it has no connections).
Context: Max has raised a good point
Context: Max has raised a good point
Explanation: in my view the risks of using linkedin today outweigh its benefits (risk: very small; benefit: even smaller to negative).
Now back to interesting things.
Now back to interesting things.
Three days ago The New York Times claimed a variant of a ransomware used against city governments, including Baltimore—known as RobbinHood—was re-using EternalBlue, an old, leaked NSA exploit.
Proving that link forensically should be straightforward. So far no proof.
Proving that link forensically should be straightforward. So far no proof.
For there are at least two kinds of facts in infosec reporting:
1—facts that can, realistically, only be backed up through official sources, often anonymous intelligence sources.
2—facts that can easily be proven technically.
We're looking at type 2 here.
1—facts that can, realistically, only be backed up through official sources, often anonymous intelligence sources.
2—facts that can easily be proven technically.
We're looking at type 2 here.
Two noteworthy reactions to the NYT's EternalBlue claim with good overviews:
@daveaitel
cybersecpolitics.blogspot.com/2019/05/baltim…
@ErrataRob blog.erratasec.com/2019/05/a-less…
Also,
@daveaitel
cybersecpolitics.blogspot.com/2019/05/baltim…
@ErrataRob blog.erratasec.com/2019/05/a-less…
Also,
Mysterious leak triggers government crisis and snap elections in Austria.
sueddeutsche.de/politik/strach…
sueddeutsche.de/politik/strach…
SZ, who surfaced the Strache video, claims it verified the authenticity of the video, insists on full source protection derstandard.at/2000103393420/…
This is huge. If you think anonymous leaks have lost any of their razor-sharp edge post-Podesta, think again. theguardian.com/world/2019/may…
Sadly The New York Times fails again at covering infosec responsibly here — nytimes.com/2019/05/12/wor…
Missing footnote or something
or missing links to sources or something
Hey, we can't verify many facts here, but whatevs let's run with the story, also, who can come up with the most sensationalist headline? politico.eu/article/europe…
That report is supposed to be here safeguardcyber.com/resources/whit… < but I can't get the download to work. Can anybody throw over a copy?
Pro tip: don't do this, certainly not if you claim to care about security
Pro tip: don't do this, certainly not if you claim to care about security
Man is this bad
A noteworthy if small entry in the history of the internet: today CIA becomes world's first (known) intelligence agency to set up a highly secure onion site (formerly called "darkweb"), complete with vanity .onion URL wired.com/story/cia-sets…
Nevermind the infosec snark on CIA's new onion site — this is a truly remarkable step for three reasons.
First, CIA is explicitly endorsing Tor HS as a highly secure and highly trustworthy communications channel (really) — I cannot imagine that this step was not controversial: inside CIA, inside the IC, and among the wider USG. So, kudos @cia
A lot of unarticulated assumptions in this piece nytimes.com/2019/05/06/us/…
This need some unpacking. Symantec—confusingly, I think—uses the plural, "tools" here, as in "Equation Group tools". But it appears—unless I'm not seeing something—that APT3 used only *one* custom-designed exploit that included a "variant" of what Equation called DOUBLEPULSAR.
Also, so far no intelligence sources, not even anonymously, appear to back Symantec's narrative in the NYT web.archive.org/web/2019050701…
Context haaretz.com/israel-news/69…
There are way too many shortsighted infosec hot-takes on this post in my timeline
This joke on the part of the IDF spokesperson is tasteless and entirely inappropriate.
It is really quite remarkable how little we know from authoritative sources about the role of *automated* accounts (bots) in the 2016 election interference (as opposed to manual IRA troll accounts)—after all these investigations.
The (redacted) Mueller Report literally says *nothing* about automated accounts.
There are three short redacted paragraphs in that section, and the fourth does not talk about automated accounts.
Also nothing in the IRA indictment.
There are three short redacted paragraphs in that section, and the fourth does not talk about automated accounts.
Also nothing in the IRA indictment.
Twitter admitted that 50,258 "Russian-linked" [sic] bots posted "election-related" content during the election period in 2016.
That's all we got (from Twitter). Does anybody have access to these data? As far as I know the answer is no. Only IRA accounts are available publicly.
That's all we got (from Twitter). Does anybody have access to these data? As far as I know the answer is no. Only IRA accounts are available publicly.
The Mueller Report, 448 pages
At DOJ, 139 MB (not searchable, not handling the traffic too well) justice.gov/storage/report…
Google Drive (140 MB, searchable, OCR'd & uploaded by me just now) drive.google.com/open?id=12RQ-c…
At DOJ, 139 MB (not searchable, not handling the traffic too well) justice.gov/storage/report…
Google Drive (140 MB, searchable, OCR'd & uploaded by me just now) drive.google.com/open?id=12RQ-c…
A few preliminary notes on the Mueller report. Specifically: what are the new details on GRU hacking-and-leaking, and on IRA disinformation efforts in the run-up to the 2016 election? (that is Vol I, Part I, II, and III)
Background: the first round of edits of my book manuscript, ACTIVE MEASURES, is due in 12 days back to @fsgbooks. So good timing here — tinyletter.com/ridt
Surprised by how many stories on the Christchurch far-right terrorist attack are focusing on, basically, the internet—social media amplification, internet culture, online footprints—at the expense of neglecting the emerging root cause: violent transnational neo-fascist ideology.
First off, this by @IwriteOK is excellent: "The manifesto is a trap itself, laid for journalists searching for the meaning behind this horrific crime" bellingcat.com/news/rest-of-w…
The FBI as well as West European domestic intelligence were carefully watching a rise in transnational fascism in fringe youth culture in the early 1970s. Problem: there was no internet yet.
NSA quietly ended program that collected domestic call and text metadata from telcos, the NYT reports—without mentioning the likely reason for the move: the rise of messaging apps. Meaning: messaging platform providers now hold those metadata, not telcos nytimes.com/2019/03/04/us/…
Again topical wired.com/story/signal-s…
Important point here: why use phone numbers for secure apps?
Con: introduces selector.
Pro: enables fast growth.
I understand this is a real dilemma for secure apps—maximizing security and growth at the same time is very hard.
Con: introduces selector.
Pro: enables fast growth.
I understand this is a real dilemma for secure apps—maximizing security and growth at the same time is very hard.
US Cyber Command "basically took the [Internet Research Agency] offline" in an offensive operation to foil interference in the midterm elections, anonymous sources tell the Post's @nakashimae washingtonpost.com/world/national…
@nakashimae A few remarkable details in this story: first, it appears that NSA had real-time visibility into IRA communications directly after the offensive operation
@nakashimae Second, IRA, also targeted by direct messages in a US psychological operation, apparently launched an internal leak investigation in response
The UK's National Cyber Security Centre handled approximately 275 incidents per year that "have a state actor behind them," says Jeremy Fleming, Director GCHQ, in (badly edited) speech < this number is remarkably high gchq.gov.uk/uk-global-cybe…
It happened before at least once in 2018 ... still, remarkable to see the director of GCHQ explicitly namecheck and call out an adversarial Russian intelligence agency in public
Important detail: we don't know how GCHQ counted "incidents" here. Did NotPetya and WannaCry, for example, show up as one incident or as multiple incidents given the wide range of UK targets? Not unlikely the latter.
Sources and journalists: Signal and SecureDrop are pretty good. But there's one technology that's even harder to trace, if done right, as far as initial contact goes ... a paper letter in the mail.
Just adding here what I thought is obvious: you don’t need to write any sender’s address on a letter, you can postmark by hand (don’t lick), and drop it in a safe location (*if* you want a reply, maybe use secure e2e handle of choice).
There is a long history btw of active measures surfaced by mail. Western intelligence in some cases got saliva samples, blood type, and a city. But after that: dead end.
Phenomenal investigative work here by @Bing_Chris and @joel_schectman — several people named in this piece, and some unnamed, needed a lot of guts, especially Lori Stroud. I have no doubt she, and they, did the right thing. reuters.com/investigates/s… via @SpecialReports
You know you're writing about about the bad guys — or working for the wrong side, respectively — when sources are begging reporters to include this line in a story:
Has Stroud made a mistake? Yes
A big mistake? Yes
Did she notice at some point? Yes
Would earlier have been better? Yes
Did she anticipate massive blowback? Probably
Could she have stayed anonymous like the others? Yes
Did she still decide to put her name and picture out there?
A big mistake? Yes
Did she notice at some point? Yes
Would earlier have been better? Yes
Did she anticipate massive blowback? Probably
Could she have stayed anonymous like the others? Yes
Did she still decide to put her name and picture out there?
Zuckerberg may be underestimating two things at once: how quickly and how widely trust in main Facebook is evaporating — and how quick and how easy it is to move from one e2e messaging platform to another.
Just today I was talking with a friend. We started out on DM here. I then jumped over to WA without telling him. He responded there, then hopped over to his preferred Threema, where we stayed. The fact that shared baby pictures are gone now is a feature not a bug. No more lock-in
Useful thoughts here, always pay attention to @AlecMuffett
Wow exciting Johns Hopkins SAIS news coming very soon ...
Our official release releases.jhu.edu/2019/01/25/555…
Two quick polls on secure apps in one mini-thread for infosec people:
1—Which secure app do you *actually use* most?
1—Which secure app do you *actually use* most?
2—Which secure app do you *prefer to use* (but may not be that popular right now)?
Sorry there are only four options in polls here. These apps tend to be the most popular in my experience. But I could be wrong of course.
