A quick comment thread on the NTSB prelim MV Dali report.

The ship had a pretty typical 6.6kV HV/440V LV power system.

They were operating with the HV bus-tie breaker closed. This is, as far as I know, totally normal on most non-DP (dynamic positioning) vessels.

The UK mains electricity system in houses is a bit unique.

We have what is called a "ring main" where a large number of sockets are connected in a loop. The loop can provide 32A, but each individual plug can only do 13A.

So we have fuses in our plugs to limit current. The idea of these is that they limit the current to each thing you plug into your ring main. The plug/socket can only handle 13A and not 32A, so you need something to limit it.

Found a really quirky route to the OT side of a ship this week.

The corporate machines were on the 10.0.73.0/24 range.

When ARP scanning on this network, I could see a host on 192.168.1.45 - odd.

So I set my IP to 192.168.1.123 and scan 192.168.1.45 - a Windows machine. It's called CHIEFPC and it's a HP.

Current corp machines are Lenovo. And not named by role.

I head down to the chief's office and find that his old HP machine is being used for the CCTV onboard the vessel - which is on 192.168.1.0/24.

A thread of the variety of products on ships that allow remote monitoring of critical systems on ships.

Just really want to put to bed the idea that systems are always air gapped.

Kongsberg offer multiple systems allowing remote monitoring of ICMS.
kongsberg.com/globalassets/m…
Wartsila NACOS, another of the very popular ICMS, allows remote maintenance of their systems.

wartsila.com/docs/default-s…

I broadly agree with this thread, but there's a few aspects where I think the scale and magnitude of the issues on modern ships is maybe not clear.

The number of modern vessels that have all their critical safety systems air gapped is getting lower and lower.

https://twitter.com/johnkonrad/status/1775307764073365920

What do I mean by critical systems?

Steering (which, oddly, depends on the type of vessel)
Propulsion (which can be the same as steering)
Power management system
ECDIS (electronic charts, which may or may not directly impact navigation)

Ships might be "wide open" to cyber attack, but in my opinion, this shows a lack of nuance around what is being attacked, what the impact would be, and if it would be stopped by the crew.

https://twitter.com/LawrenceSellin/status/1773541530474823933

I would say that IT security - the corporate stuff - in maritime is as bad as it can get.

Getting from IT to OT - operational technology, the actual moving bits - is much harder.

(or just to OT, direct, another topic)

Another thread on container ships and how the power and steering systems *should* work when things go wrong.

This diagram is of a fairly typical containership's electrical distribution.

You have four main diesel generators (often called auxilliary engines). They are multi-MW in size and produce 6.6kV.

Picture from another ship BTW.

When you are maneuvering you need power and redundancy - so you will have 3 or 4 of these running and on the bus.

What are the engine rooms like on these Panamax container ships?

They are quite big!

This is the top of the single main engine. It's a Sulzer 10RTA96C.

That's 10 cylinder, each 96cm across. With a 2.5m stroke.

These are just the exhaust valves. It's a slow-speed, two stroke diesel. Max speed is around 100rpm.

The ship has a full blackout for over a minute before impacting the bridge, followed by a second shorter loss of power.

Just after the lights come back on, you can see heavy soot which would likely be one of the main diesel generators being brought up.

https://twitter.com/Bharat_Maurya66/status/1772558620044980564

A blackout at this point in time is about a worst case situation. You'd lose the rudder, main engine and bow thrusters, leaving you unable to do anything.

The 440V emergency generator would be first to start, but this would only restore power to the steering gear immediately.

I've obtained one of these "EMP generators" that are intended to cause glitches in gaming machines, either for free gaming or to dump coins.

It's pretty odd.

Most prominent is the 3-pin device on top.

It's an NPN transistor for RF.

It's socketed and comes with a spare....

I'm trying to decode some digital modes from an SDR and I think I've found the most capable but least user friendly software, ever.

Now, it is free. And it seems to be the best available. BUT OMG, the UI.

This is the config screen. Then you get the main RX/TX screen.

Can you spot the button you need to press to open the control of frequency?

After the #FlipperZero threads, there's been a few people questioning the ethics and legality of these devices, particularly with respect to NFC cloning.

I think explaining some of the history of NFC security - particularly Mifare Classic - attacks might help. Mifare Classic cards are everywhere.

In the UK and US, most hotels and a very large proportion of commercial access control systems will use Mifare Classic.

We've known that they have serious security weaknesses in these cards for over a decade, yet they are still used.

Onto another aspect of the Flipper Zero... and not really knowing what it does.

The Frequency Analyzer seems pretty opaque. When it works, it works, but under what conditions does it work? There is documentation, but it doesn't really explain any of the limitations.

docs.flipper.net/sub-ghz/read#b…

I finally caved and bought a Flipper Zero.

Whilst it's useful, there's a fair few bits of it that aren't particularly well explained.

Let's start with the Mifare Classic reading!

What's it doing, and how is it doing it? There are two dictionaries stored on the SD card in the device - both in /nfc/assets/

mf_classic_dict.nfc (built-in dictionary)
mf_classic_dict_user.nfc (user dictionary)

I'm looking at the VDDI-PROG and how it bypasses security mechansisms on many automotive microcontrollers. It's a nice device, in a good plastic case.

Double-sided board, no components on back.

Minimal silkscreen.

The 3V lithium cell is interesting - I'm not sure what needs backup.

No 32.768kHz crystal for an RTC and no real need.

Remember: seek out those to troll, do not let them seek out you. Remember.

How is your weekend going? I think I am going to get vanned.

Trance songs that I like but also have really strange low budget videos.

Delerium - Silence AKA woman going for a run on a beach with her man but he can't keep up and they are both very serious.

Darude - Sandstorm.

Lady steals briefcase and weird chase starts with handguns.

The world of Chinese audio gear is so strange.

Here we have the Nobsound power supply, made by Douk.

NOBSOUND?

LOOK AT THAT FONT MIXUP. It has a 4-bit display.

Ahead of the Emperor's Knew Cloves talk ending up on YouTube, it's worth showing some of the slides.

There have been persistent attempts to edit the What3Words Wikipedia page to suppress criticism. This resulted in the article being edited to misrepresent one of my tweets.

"Tierney admitted that three words are easier to remember and communicate than the alternatives"

The edit even linked to the tweet, and it said nothing of the sort!

I've been reading a few books about espionage recently, and the harm it causes to both those deceived and the deceiver.

And I can't help but think back to physical access jobs I have done where I have manipulated or exploited people.

And I'm not sure it is healthy. I'd love to distance myself from what spys do, but the techniques I use are calculated and practiced.

It's not a few off-the-cuff lines delivered as me to gain access, it's normally a name, persona, clothing, props, speech, body language, and pre-text. None of it is truth.