Tag Archives: Kurt Stammberger

A political stage of nowhere

Less than an hour ago the BBC gave us ‘EU reveals plan to regulate Big Tech’, apart from the discriminatory nature of the stage, are they doing anything else than merely fuelling their own gravy train? Consider the news from last July, there we were given ‘Apple has €13bn Irish tax bill overturned’, a case that started in 2016, had Apple and the government of Ireland in a twist, when you consider “The Irish government – which had also appealed against the ruling – said it had “always been clear” Apple received no special treatment”, I am on the fence, and in this the European Commission wasted 4 years in going nowhere, in the light of that revelation, can we even trust the approach the EU has? When we look at the first option, we see ‘Online harms law to let regulator block apps in UK’, this means an almost immediate blocking of Twitter, Facebook, WhatsApp and a few more. Local laws have been ‘accommodating’ to large corporations for such a long time, that social media is caught in the middle (and yes they benefitted too), so they are now pushing for changes that end privacy, because that is a conclusion. If we hunt down the perpetrators, we need to coat the materials in identity revealing codes, in addition, the EU government will have to adjust laws to make the poster responsible for what they post and that will lead to all kinds of privacy adjustments (that does not worry me), yet when insurance companies will use that setting to see transgressions on social media and they demand adjustment by handing over the posted evidence, how long until people like Margrethe Vestager start realising that they were clueless from the start? The BBC article gives us “The law would give local officials a way to ask Airbnb and other apps to hand over information or remove listings”, which now puts some players on the dark-web and the chaos (and organised crime involvement) merely increases.
For example, when we see “not use data gathered via their main service to launch a product that will compete with other established businesses”, how will that be proven and tested? By handing all data over to the government? How many frivolous cases will that gravy train launch? How is it impossible to stop advantage seekers a stage where they use Margrethe Vestager and her gang of idiots to do the bidding of (optionally) organised crime?

Even though I spoke of the Accountability Act, a legal direction that could thwart a few issues from the start in June 2012, 8 years later and this group is hardly even on the track of resolving anything, only to get their grubby greedy fingers on data, the new currency. And in this, the tech companies have their own games to play as Facebook shows with “Apple controls an entire ecosystem from device to app store and apps, and uses this power to harm developers and consumers, as well as large platforms like Facebook”, what Apple does, IBM did for decades, what Apple does Microsoft did for decades, so where is that train station? So even as we see “And they may influence other regulators – in the US and elsewhere – which are also planning to introduce new restrictions of their own” we also need to realise that after a decade, the local and EU laws have done little to nothing to hold the poster of information to criminal account, it seems to me a massive oversight. And in all this there is no view that the EU will wisen up any day soon. 

So as I see it, this will soon become a political stage that goes nowhere and in all this these layers merely want their fingers on the data, the currency that they do not have. How is that in any way acceptable?

Oh and when we see the blocking of apps and localisation, how long until people find an alternative? An alternative that the EU, the UK and the US have no insight over? Will they block apps that interact with data centres in China, Saudi Arabia and optionally other locations too? I raised it in other ways in ‘There is more beneath the sand’ in 2019 as well as some issues in 2018, a setting that was almost two years ago, as such is it not amazing that we see a shortsighted approach to this issue, whilst I gave the option EIGHT YEARS AGO and the laws are still not ready? They are ready to get the data from Google, Facebook, Apple, Amazon and Microsoft, as such when the trial goes wrong, how will these people be compensated for the loss of uniquely owned data, data that they collected over the decades? Will the stupid people (Margrethe Vestager et al) compensate per kilobyte? How about $25,000,000 per kilobyte? Perhaps we should double that? What will be the price and in this, we should demand that Margrethe Vestager and her teams will be criminally liable for those losses, or will the gravy train decide that it is a little too complex to hold one station to order, and let’s face it, that gravy train has 27 stops to make, all with their own local needs, their local incomes and their local digital wannabe’s.

When a setting like that goes nowhere, you better believe that there is someone behind the curtain pulling strings for their own enriching needs, that is how it always has been, as such, let me give you the smallest example from January 2020, there we see “‘DIGITAL CROSS-BORDER COOPERATION IN CRIMINAL JUSTICE’ CONFERENCE”, with the nice quote “The e-Evidence Project led by the European Commission, DG Justice and Consumers, provides for the e-Evidence Digital Exchange System that manages the European Investigation Order/Mutual Legal Assistance procedures/instruments (e-Forms, business logic, statistics, log, etc.) on European level. The Reference Implementation Portal is the front-end portal of the e-Evidence Digital Exchange System and is also provided by the EC”, yet this is only step one. In all this we can also include the EC (at https://ec.europa.eu/home-affairs/what-we-do/policies/cybercrime/e-evidence_en), where we see: “However, present-day solutions too often prove unsatisfactory, bringing investigations to a halt”, I get it, you will say, will this not resolve it? Well, consider “provide legal certainty for businesses and service providers: whereas today law enforcement authorities often depend on the good will of service providers to hand them the evidence they need, in the future, applying the same rules for access to all service providers will improve legal certainty and clarity”, in this we need to look in detail at ‘provide legal certainty’, which at present under privacy laws is a no-no, and the poster cannot be identified and cannot (and will not) be held to account. As well as ‘applying the same rules for access to all service providers’, still the poster remains out of reach and the local and EU laws have done NOTHING for over a decade to change that, as such, when we consider this, why should Google, Facebook, Apple, Amazon and Microsoft suffer the consequences, in addition we see the absence of IBM, why is that? 
Does it not have data collection software, it has data centres, it has cloud solutions, so why are they absent?

And in light of earlier this year, as we were told ‘Google starts appeal against £2bn shopping fine’, how will that end? The law remains untested in too many aspects, in this the entire data stage is way too soon and in that the blowback will be enormous, all whilst the EU (UK too) is unable to do anything about data driven organised crime, other than blame state operators Russia and China, consider the Sony Hack of 2011, I was with the point of view by Kurt Stammberger (before I even knew about Kurt Stammberger), North Korea lacks infrastructure and a whole deed of other parts. I also questioned the data, like “former hacker Hector Monsegur, who once hacked into Sony, explained to CBS News that exfiltrating one or one hundred terabytes of data “without anyone noticing” would have taken months or years, not weeks”, I even considered an applied use of the Cisco routers at Sony to do just that, all issues that North Korea just could not do and in that environment, when we see these levels of doubt and when we get “After a private briefing lasting three hours, the FBI formally rejected Norse’s alternative assessment”, which might be valid, but when we see a setting where it takes three hours to get the FBI up to speed, can we even trust the EU to have a clue? Even their own former director of German Intelligence, gave us recently that they did not fully comprehend Huawei 5G equipment, and they will investigate the data owners, all before the posters of the messages are properly dealt with? I think not!

Filed under IT, Politics, Science

Targeting the FBI

Do not worry, the FBI is not under attack from any hostile force, in this particular case it is me who will be on the offensive regarding statements made in 2014. Let me explain why. To get to the start of this event, we need to take a step back, to be a little more precise we need to turn to the moment 645 days ago when we read that Sony got hacked, it got hacked by none other than North Korea. It took me around an hour to stop laughing, the stomach cramps from laughter are still on my mind when I think back to that day. By the way, apart from me having degrees in this field. People a lot more trustworthy in this field, like Kim Zetter for Wired Magazine and Kurt Stammberger from cyber security firm Norse. The list of sceptics as well as prominent names from the actual hacking world, they all had issues with the statements.

We had quotes from FBI Director James Comey on how tightly internet access is controlled there (which is actually true), and (at https://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation) we see “the FBI now has enough information to conclude that the North Korean government is responsible for these actions“. I am pretty sure that the FBI did not expect that this would bite them down the track. This all whilst they rejected the alternate hack theory that Cyber Intelligence firm Norse gave (at http://www.politico.com/story/2014/12/fbi-rejects-alternate-sony-hack-theory-113893). Weirdly enough, the alternative option was no less than ten times more possible than the claim that some made. Another claim to have a giggle at came from Homeland Security, the quote was “The cyber-attack against Sony Pictures Entertainment was not just an attack against a company and its employees. It was also an attack on our freedom of expression and way of life“, which is a political statement that actually does not say much. The person making it at the time was Jeh Johnson.

You see, this is all coming to light now for the weirdest of reasons. The Guardian (at https://www.theguardian.com/world/2016/sep/21/north-korea-only-28-websites-leak-official-data). The subtitle gives us “Apparent error by a regime tech worker gave the world a rare glimpse into the few online sources of information available“, so one of these high profile worldly infamous hackers got a setting wrong and we get “But its own contribution to the world wide web is tiny, according to a leak that revealed the country has just 28 registered domains. The revelation came after one of North Korea’s top-level name servers was incorrectly configured to reveal a list of all the domain names under the domain .kp“, you see, here we see part of the fun that will now escalate.

In this I invite NSA director Admiral Michael Rogers and FBI Director James Comey to read this, take note, because it is a free lesson in IT (to some extent). It is also a note for these two to investigate what talents their agencies actually have and to get rid of those who are kissing your sitting area for political reasons (which is always good policy). When the accused nation has 28 websites, it is, I agree, not an indication of other internet elements, but let me add to this.

The need to prototype and test any kind of malware and the infrastructure that could actually be used against the likes of Sony might be routed via North-Korea, but could never originate there. The fact that your boffins can’t tell the difference is a clear given that the cyber branch of your organisations are not up to scratch. In that case it is now imperative that you both contact Major General Christopher P. Weggeman, who is the Commander, 24th Air Force and Commander, Air Forces Cyber (AFCYBER). He should most likely be at Lackland Air Force Base, and the phone number of the base is (210) 671-1110. I reckon setting up a lunch meeting and learn a thing or two is not entirely unneeded. This is not me being sarcastic, this is me telling you two that the case was mishandled, got botched and now that due to North Korean ‘expertise’, plenty of people will be asking questions. The time requirement to get the data that got taken was not something that happened overnight. For the simple reason that that much data would have lit up an internet backbone and every log alarm would have been ringing. The statement that the FBI made “it was unlikely that a third party had hijacked these addresses without allowance from the North Korean government” was laughable because of those pictures where we saw the Korean high-command behind a desktop system with a North Korean President sitting behind what is a mere desktop that has the computation equivalent of a Cuisena Egg Beater ($19.95 at Kitchen Warehouse).

Now, in opposition, I sit myself against me. You see, this might just be a rant, especially without clarification. All those North Korean images could just be misdirection. You see, to pull off the Sony caper you need stimulation, like a student would get at places like MIT, Stanford, or UTS. Peers challenging his solutions and blocking success, making that person come up with smarter solutions. Plenty of nations have hardware and challenging people and equipment that could offer it, but North Korea does not have any of that. The entire visibility as you would see from those 28 domains would have required to be of much higher sophistication. You see, for a hacker, there needs to be a level of sophistication that is begotten from challenge and experience. North Korea has none of that. Evidence of that was seen a few years ago when in 2012 in Pyongyang I believe, a press bus took a wrong turn. When some reporters mentioned on how a North Korean (military I believe) had no clue on smartphones. I remember seeing it on the Dutch NOS News program. The level of interaction and ignorance within a military structure could not be maintained as such the military would have had a clue to a better extent. The ignorance shown was not feigned or played, meaning that a technological level was missing, the fact that a domain setting was missed also means that certain monitoring solutions were not in place, alerting those who needed to on the wrongful domain settings, which is essential in regards to the entire hacking side.
The fact that Reddit and several others have screenshots to the degree they have is another question mark in all this last but not least to those who prototype hacking solutions, as they need serious bandwidth to test how invisible they are (especially regarding streaming of Terabytes of Sony data), all these issues are surfacing from this mere article that the Guardian might have placed for entertainment value to news, but it shows that December 2014 is a very different story. Not only does it have the ability to exonerate the

We see a final quote from Martyn Williams, who runs the North Korea Tech blog ““It’s important to note this isn’t the domain name system for the internal intranet,” Williams wrote. “That isn’t accessible from the internet in any way.”” which is true to some extent. In that case take a look to the PDF (at https://www.blackhat.com/presentations/bh-usa-07/Grossman/Whitepaper/bh-usa-07-grossman-WP.pdf) from WhiteHat security. On page 4 we get “By simply selecting common net-block, scans of an entire Class-C range can be completed in less than 60 seconds“, yes, I agree you do not get that much info from that, but it gives us to some extent usage, you see, if something as simple as a domain setting is wrong, there is a massive chance that more obscure essential settings on intranet level have been missed, giving the ‘visitor’ options to a lot more information than most would expect. Another matter that the press missed (a few times), no matter how Time stated that the world was watching (at http://time.com/3660757/nsa-michael-rogers-sony-hack/), data needs to get from point to point, usually via a router, so the routers before it gets to North Korea, what were those addresses, how much data got ported through?

You see, the overreaction from the FBI, Homeland Security, NSA et al was overly visible. The political statements were so out in the open, so strong, that I always wondered: what else? You see, as I see it, Sony was either not the only one who got hacked, or Sony lost something else. The fact that in January 2015 Sony gave the following statement “Sony Entertainment is unable to confirm that hackers have been eradicated from its computer systems more than a month after the film studio was hit by a debilitating cyber-attack, a report says“, I mentioned it in my article ‘Slander versus Speculation‘ (at https://lawlordtobe.com/2015/01/03/slander-versus-speculation/). I thought it was the weirdest of statements. Basically, they had almost 3 weeks to set up a new server, to monitor all data traffic, giving indication that not only a weird way was used to get to the data (I speculated on an option that required it to be an inside job), yet more important, the fact that access had not been identified, meaning it was secured gave way to the issue that the hackers could have had access to more than just what was published. That requires a little bit more explanation. You see, as I personally see it, to know a transgressor we need to look at an oversimplified equation: ‘access = valid people + valid systems + threats‘ if threats cannot be identified, the issue could be that more than one element is missing, so either you know all the access, you know all the people and you know the identity of valid systems. Now at a place like Sony it is not that simple, but the elements remain the same. Only when more than one element cannot be measured do you get the threats to be a true unknown. That is at play then and it is still now. So if servers were compromised, Sony would need a better monitoring system. 
It’s my personal belief (and highly speculative) that Sony, like many other large companies have been cutting corners so certain checks and balances are not there, which makes a little sense in case of Sony with all those new expansions corners were possibly cut and at that point it had an IT department missing a roadmap, meaning the issue is really more complex (especially for Sony) because systems are not aligned. Perhaps that is the issue Sony had (again this is me speculating on it)?

What is now an issue is that North Korea is showing exactly as incapable as I thought it was and there is a score of Cyber specialists, many of them a lot bigger than I will ever become stating the same. I am not convinced it was that simple to begin with, for one, the amount of questions the press and others should have been asking regarding cloud security is one that I missed reading about and certain governmental parts in the US and other nations have been pushing for this cheaper solution, the issue being that it was not as secure as it needed to be, yet the expert levels were not on par so plenty of data would have been in danger of breaching. The question I had then and have now a lot louder is: “Perhaps Sony showed that cloud server data is even less secure than imagined and the level required to get to it is not as high as important stakeholders would need it to be“. That is now truly a question that matters! Because if there is any truth to that speculation, then the question becomes how secure is your personal data and how unaware are the system controllers of those cloud servers? The question not asked and it might have been resolved over the last 645 days, yet if data was in danger, who has had access and should the people have been allowed to remain unaware, especially if it is not the government who gained access?

Questions all worthy of answers, but in light of ‘statements made’ who can be trusted to get the people properly informed? Over the next days as we see how one element (the 28 sites) give more and more credible views on how North Korea was never the culprit, the question then becomes: who was? I reckon that if the likely candidates (China, Russia, UK and France) are considered there might not be an issue at all, apart from the fact that Sony needs to up their Cyber game, but if organised crime got access, what else have they gotten access to?

It is a speculative question and a valid one, for the mere reason that there is at present no valid indication that the FBI cyber unit had a decent idea, especially in light of the official response towards cyber security firm Norse what was going on.

Could I be wrong?

That remains a valid question. Even when we accept that the number of websites are no indication of Intranet or cybersecurity skills, they are indicative, when a nation has less websites than some third world villages, or their schools have. It is time to ask a few very serious questions, because skills only remain so through training and the infrastructure to test and to train incursions on a WAN of a Fortune 500 company is not an option, even if that person has his or her own Cray system to crunch codes. It didn’t make sense then and with yesterday’s revelation, it makes even less sense.

Finally one more speculation for the giggle within us all. This entire exercise could have been done to prevent ‘the Interview’ to become a complete flop. You know that movie that ran in the US in 581 theatres and made globally $11,305,175 (source: Box Office Mojo), basically about 10% of what Wolf of Wall Street made domestically.

What do you think?

 

Filed under IT, Media, Military, Politics, Science