Tag Archives: SolarWinds

SET trust = 0.

Yup, we all have a stage when there is no trust, there is no confidence and we wonder the why part. In this, I had questions, so I asked the agency, but they didn’t know, then I asked the FBI, I asked Langley and I asked Commander Andrew Richardson, they all gave the same story, there is No Such Agency, so I Googled them and Yes! There they were, complete with phone number (+1 301-677-2300) and all, yup, we got them, so now we get to their story (at https://breakingdefense-com.cdn.ampproject.org/c/s/breakingdefense.com/2021/04/nsa-about-to-release-unclassified-5g-security-guidance/amp/).

Via the BBC, we get ‘NSA About To Release Unclassified 5G Security Guidance’ and I started to read, the article makes a lot of sense. Which gave me “Noble’s speech highlighted the importance of zero-trust architecture in 5G networks”, and it got me thinking, the approach makes a lot of sense, just like SE-LINUX, the setting of ‘no-trust’ makes sense, especially in a world where Microsoft keeps on fumbling the ball, not merely their exchange servers, but the (what I personally see as greed driven) push towards Azure, it comes with all kinds of triggers and dangers, especially as they are ready to cater to as many people as possible, the no-trust rule is pretty much the only one that makes sense at present. I have written about the dangers more than enough. So when we are given “it’s reasonable to expect that future NSA 5G security recommendations will emphasise zero trust as a key component”, I believe that the approach has a lot of benefits, especially when such a setting can be added to anti viral and Google apps, it could increase safety to well over 34% overnight, an option never achieved before and we should all applaud such a benefit. There are a few thoughts on “NSA has characterised zero trust as “a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy.” It’s a “data-center centric” approach to security, which assumes the worst — that an organisation is already breached or will be breached.” A choice that is logical and sets the cleaning directly at servers and ISP’s, and they are the backbone in some cases to close to 75% of all connections, so to set a barricade on those places makes sense, there is no debating, the choice of calling themselves No Such Agency wasn’t their best idea, but this is a game changer.

I have been critical of the US government in all kinds of ways for years and on a few topics, yet I have to admit that this is an excellent approach to prevent things going from bad to worse, moreover, there is every chance that it will make things better for a lot of us overnight as such a system deploys, it will have a trickle down effect, making more and more systems secure. 

That one thing
Yup there is always one thing and we see the dangers when we consider SolarWinds and Microsoft (their mail server), the one part is when we rely on rollbacks and we see rollback after rollback creating a hole and optionally a backdoor, the most dangerous system is the one deemed to be safe, ask Microsoft, or their exchange server. When you believe all is safe, that is when the most damage can be made. And as the article looks at 4 parts, we see ‘Improved network resiliency and redundancy’, yes it makes sense, but rollback efforts are possibly out of that equation and when we get some people tinkering there, there is a chance that the SolarWinds paradox returns, yet this time with a dangerous seal of approval by the No Such Agency, it will be the one part all criminal minds are hoping for, in this I personally hope they fail, but these buggers can be resilient, tenacious and creative, the triangle that even the Bermuda Triangle fears and that is saying something.


Filed under IT, Military, Science

An almost funny thing

I saw an article at the BBC and I will get to that in a moment, but it reminded me of a situation that happened in 2010. I needed a new laptop and I was looking in a shop at their collection of laptops. A man came to me and was trying to convince me just how amazing this laptop was. My inner demon was grinning, I get it, the man was enthusiastic, he was giving the numbers, but in all this, did he realise what he was saying? I am not doubting the man’s skills, he was doing a good job, I was however in IT and had been there for 30 years, so I have pretty much seen it all, and there it was, my little demon, on my right shoulder calling me ‘pussy’. So as the man stated ‘this laptop has a one terabyte hard-drive, can you even imagine how much that is?’, I could not resist and my response was ‘Yup, that would fit roughly 10% of my porn collection’, his jaw dropped to the ground, his eyes almost popped, the demon inside me stated ‘Nice!’ Actually, it was not quite true, it would only fit a rough 0.32114%. It was the impact of the shock factor. You see, there is a hidden agenda there, when you (appropriately) use the technique, you get to see the real salesperson and that was what I needed. He was thrown, but he recomposed and continued giving me the goods on the laptop, I bought that laptop roughly 132 seconds later.

So today I saw ‘The Rise of extortionware’ (at https://www.bbc.com/news/technology-56570862), here I notice “where hackers embarrass victims into paying a ransom”, it is not new, it is not even novel. I will also give you the second game after the people involved get arrested, they will demand anonymity and any bleeding heart judge will comply. I state that these people will be handed the limelight so that the people that faced ransomware attacks can take their frustration out on these people. But that remains wishful thinking. So next we get “Experts say the trend towards ransoming sensitive private information could affect companies not just operationally but through reputation damage. It comes as hackers bragged after discovering an IT Director’s secret porn collection.” I have the question was it a private or a company computer? You see, some focus on the boobies, just what the advertisers on Twitter hope for, they want the click bitches, it makes them money. It is time that we set the larger stage, you see the entire mess would be smaller if Cisco and Microsoft had done a proper job. OK, I apologise, Cisco does a proper job, but some things slip through and in combination with Microsoft exchange servers it is not slipping through, it is a cyber hole the size of the one an iceberg created on the Titanic and we need to set a much larger stage. So when we see “Thanks God for [named IT Director]. While he was [masturbating] we downloaded several hundred gigabytes of private information about his company’s customers. God bless his hairy palms, Amen!”, it seemingly answers that he might keep it on a corporate computer, or he uses his private computer for company stuff. Yet in that same light the hacker should not be allowed any anonymity, we all get to see who the hacker is. If there is something to be learned it is seen with “Hackers are now actually searching the data for information that can be weaponised. If they find anything that is incriminating or embarrassing, they’ll use it to leverage a larger pay-out. These incidents are no longer simply cyber-attacks about data, they are full-out extortion attempts”. There are two sides:

  1. The station of ALWAYS ONLINE needs to change, there needs to be an evolving gateway of anti hack procedures and a stage of evolving anti hack routers and monitoring software. You think that Zoom is an option?
    Tom’s Guide gave us less than 2 weeks ago “More than a dozen security and privacy problems have been found in Zoom”, as well as “Zoom’s ease of use has made it easy for troublemakers to “bomb” open Zoom meetings. Information-security professionals say Zoom’s security has had a lot of holes, although most have been fixed over the past few years”, so whilst you contemplate ‘most have been fixed’, consider that not all are fixed and that is where the problem goes from somewhat to enormous. Well over 20% of the workforce works at home, has Zoom meetings and that is how cyber criminals get the upper hand (as well as through disgruntled employees), a change in mindset is only a first station.
  2. Remember that Australian? (Julian Assange) We were told that soon there would be some leaks on issues on banks (Wall Street) then it suddenly became silent, now some will say that it is a bluff, but in light of the meltdown in 2008, I am not so certain, I reckon that some have ways to show the hackers who they are and they profit by not doing that. Can I prove this? Absolutely not. It is speculation, but when you look at the timeline, my speculation makes sense. 
  3. The third side is optionally the second side as the second side might not be a real side. When we see “Hackers are now actually searching the data for information that can be weaponised. If they find anything that is incriminating or embarrassing, they’ll use it to leverage a larger pay-out. These incidents are no longer simply cyber-attacks about data, they are full-out extortion attempts”, the underlying station is ‘information that can be weaponised’ and the IT sector is helping them.

How did I get there? The cloud is not as secure as some state, and the salespeople need to take notice. Business Insider gave us about 6 months ago “70% of Companies Storing Data With Cloud Companies Hacked or Breached”, see the link we are now slowly getting presented? 

In the OSI model, we see layers 3-7 (layer 8 is the user). So as some have seen the issues from Cisco, Microsoft and optionally Zoom, we see a link of issues from layer 3 through to layer 7 ALL setting a dangerous stage. Individually there is no real blame and their lawyers will happily confirm that, but when we see security flaw upon security flaw, there is a larger stage of dangers and we need to take notice. And here the dangers become a lot more interesting when we consider the Guardian yesterday when we saw “Intelligence value of SolarWinds hacking of then acting secretary Chad Wolf is not publicly known”, what else is not publicly known? How many media outlets ignored the Cisco matter, how come ZDNet is one of the few giving us “it’s not releasing patches for some of the affected devices that reached end of life” less than 8 weeks ago. Again I say Cisco did the right thing by informing its customers close to immediately, yet when we see “More than 247,000 Microsoft Exchange servers are yet to be patched against the CVE-2020-0688 post-auth remote code execution (RCE) vulnerability impacting all Exchange Server versions under support” (source: bleepingcomputer.com) as far as I can see, a lot of the media ignored it, but they will shout and repeat the dangers of Huawei, without being shown actual evidence, and I state here, that unless we make larger changes, the extortion path will evolve and become a lot larger. With 70% of cloud systems getting hacked or breached, a large chunk of the Fortune 500 will pay too much to keep quiet and who gets to pay for that? There is a rough 99.867765% chance that its board members will not, it might be speculative, so please prove me wrong.

A stage where the needs of the consumers change in a stage where the corporations are not ready to adjust and all whilst the IT salespeople have that golden calf that does everything and make you coffee as well. Adjustments are needed, massive adjustments are needed and we need to make them now before the cybercriminals are in control of our IT needs and that is not mere speculation, when you see flaw after flaw and too little is done as too many are the victim of its impact is a serious breach and it has been going on for some time, but now it is seemingly out in the light and too many are doing too little and as we laugh at “God bless his hairy palms, Amen!” Consider that stage, and now consider that they invade a financial institution, these are clever criminals, they do not empty your account, they merely take $1, perhaps $1 every other month, this implies that they are looking at a $16,000,000 every two months. And this is merely one bank, one in a thousand banks, some a lot bigger than the Australian Commonwealth bank and let’s face it, the fact that layer 3 to layer 7 is leaky in hundreds of thousands of customers, do you really think that banks are off-limits? Do you really think that this is a simple hiccup or that the scenery is changing this quickly by people claiming that it will be fixed in no-time?

We need massive changes and we need them a lot sooner than we think.


Filed under IT, Law, Media, Science

The wide net

We all have the idea to go phishing, we want trout, we want salmon and we use the biggest net possible to get at least one. So when AP gave us ‘Casting a wide intrusion net: Dozens burned with single hack’ (at https://apnews.com/article/donald-trump-politics-europe-eastern-europe-new-zealand-f318ba1ffc971eb17371456b015206a5), not only was I not surprised, I had been warning people about this for a few years, that setting is apparently upon us now (or at least some are admitting it now). There we see “Nimble, highly skilled criminal hackers believed to operate out of Eastern Europe hacked dozens of companies and government agencies on at least four continents by breaking into a single product they all used” this does not surprise me, this happened in the late 80’s as well when someone used Ashton-Tate’s DB3 to introduce a virus, it is simple: find something they all use and hamper its function, a basic strategy that an Italian (Julius Caesar) introduced 2000 years ago, there he hampered the roads and not servers but you get the idea, the classics still work.

When we are given “The Accellion casualties have kept piling up, meanwhile, with many being extorted by the Russian-speaking Clop cybercriminal gang, which threat researchers believe may have bought pilfered data from the hackers. Their threat: Pay up or we leak your sensitive data online, be it proprietary documents from Canadian aircraft maker Bombardier or lawyer-client communications from Jones Day.” It might seem rash but the people relied on others to keep their data safe and whilst we see more and more that they cannot contain the bacon the clients are suffering, this is not a simple station and we get it, but package solutions tend to come with flaws and that has been a truth for 20 years, so why are you all crying now? It is the final part that has more bearing “Members of Congress are already dismayed by the supply-chain hack of the Texas network management software company SolarWinds that allowed suspected Russian state-backed hackers to tiptoe unnoticed — apparently intent solely on intelligence-gathering — for more than half a year through the networks of at least nine government agencies and more than 100 companies and think tanks. Only in December was the SolarWinds hacking campaign discovered by the cybersecurity firm FireEye. France suffered a similar hack, blamed by its cybersecurity agency on Russian military operatives, that also gamed the supply chain. They slipped malware into an update of network management software from a firm called Centreon, letting them quietly root around victim networks from 2017 to 2020.” This is important because of what happened in the last two years, remember how ‘stupid’ American people started to blame Huawei for all the bad whilst offering absolutely no supporting evidence? Huawei does not need to bother to aid whichever government there was, silly software developers are doing that for them, we see an abundance of intrusion problems that include SolarWinds, Accellion and Cisco. A stage where thousands of systems are at risk, but no, the ‘silly’ people kept on blaming Huawei. Even I knew better and as Sony gave me the idea for an intrusion method called ‘Plus One’ (a viable way to drive the Pentagon nuts) with an alternative direction that I call ‘Vee One’, but that one has a few hiccups I reckon. Then I got creative and saw a new parameter in play. One that is based on a little part I read in a Cisco manual, the text “When You Add A Hard Disk To A Virtual Machine (VM), you can create a new virtual disk, add an existing virtual disk, or add a mapped Storage Area Network (SAN) Logical Unit Number (LUN). In most cases, you can accept the default device node. For a hard-disk, a non default device node is useful to control the boot order or have different Small Computer System Interface (SCSI) controller types. For example, you might want to boot from an LSI Logic controller and use a Bus-logic Controller With bus sharing turned on to share a data disk with another VM.” You see that small text indicates that there is a nice workaround in Cisco CMX and it opens up a lot more than they bargained for, that in conjunction with the share issues they were already facing gives out a whole new meaning to the phrase ‘Copy me I want to travel’, n’est-ce pas? (for the French victims)

It is a much larger stage, most laws aren’t ready for this, prosecuting the guilty parties is close to impossible and any quick fix they make will only make things harder, the setting was and has for always been the makers of software, time constraints and lack of deep testing makes for a lousy solution and in most cases these players have a pushy marketing department (example: Ubisoft), and yes ‘You be soft!’ because the small tidbit that AP gives us with “Attackers are finding it harder and harder to gain access via traditional methods, as vendors like Microsoft and Apple have hardened the security of the operating systems considerably over the last years” yet it is a small stage and not a correct one. Weaknesses in Azure, issues with advertising in apps and a larger stage of programming, we see it clearest in .NET, but it goes way beyond that, for example “The problem of memory leaks is not uncommon in any technology. Simply put, the framework doesn’t release the memory that it no longer needs. .NET is frequently criticised for memory leaks and memory-related issues. Although .NET has a garbage collector for this sort of problem, engineers still have to invest additional efforts into proper resource management. And the leaks keep on growing as the application scales.” (source: Altexsoft) and it shows the smallest part, if there is a leak in one place, there will be in other places too and the leaks are not the real problem, getting it to semi-crash and taking over its right on a network are a quick way into any system, I saw the example with an accounting program (censored name), I got the program to crash (took about 20 seconds) and I ended up with the administrator rights to the entire mainframe from ANY location running that software. 
I get it, there will always be a bug in any place and the makers were quick to fix it, but for a few weeks there was an entrance point that took minimum efforts and that setting is only increasing with routers and cloud systems, these companies rely on marketeers that are ready to push for the investors sake and leave the client swimming in a swamp, I have seen it more than once and it will happen again, and this setting has been going on since 1989 and over the next 3-4 years it will grow to 150%, the push to billions and to quickly get to billions will be overwhelming for too many players all whilst the law will not be able to protect the victims, they will merely point at torts law, even though that you are the victim, most contracts are offered as an ‘as is’ solution and for the most software makers can avoid prosecution for the longest time, long enough for the hackers to get away with your data and sell it, what a lovely system you bought. Oh and before I forget, organised crime is way ahead of me, so for some it will already be too late.


Filed under IT, Law, Media, Science

Greed v Agony: 1-6

We see the set, we see the result, yet we do not understand the equation. The media is mulling it over, it is in despair on what to do. They have so many voices to listen to, producers, executives, stake holders and share holders, none can agree on the story and more precise, most of them are clueless on what the story is. Reuters gives us ‘SolarWinds hackers accessed Microsoft source code, the company says’, the story (at https://www.reuters.com/article/us-global-cyber-microsoft/solarwinds-hackers-accessed-microsoft-source-code-the-company-says-idUSKBN2951M9), gives us plenty, but are they giving us what we need to know? Even as we are told “It is not clear how much or what parts of Microsoft’s source code repositories the hackers were able to access, but the disclosure suggests that the hackers who used software company SolarWinds as a springboard to break into sensitive U.S. government networks also had an interest in discovering the inner workings of Microsoft products as well”, a stage that is a lot bigger than anyone knows, some cyber experts have an inkling of thought on just how bad things got, but they do not know just how bad, because we do not know what was accessed.

Back in Time
So as we consider that on December 13, 2020, The Washington Post reported that multiple government agencies were breached through SolarWinds’s Orion software. So this is when the worm got out, yet I believe that the first instances were early August, I cannot prove this, but that is when the first event took place, they were merely not seen or identified as such. As far as I can tell (through unconfirmed and slightly dubious sources), there was a mapping phase in play and it was in play for weeks. This mapping phase was not contained or limited to the US, or to governmental players. It was also not the first time it happened, but it seems it was the most complete and most successful attempt, and it is about to get a lot worse. You see, people didn’t learn from 9/11, from all these people who went to flight school just to take off and learn how to fly into buildings, they didn’t learn the first time, and they are not learning now (at https://www.youtube.com/watch?v=lZAoFs75_cs), it gets to be funnier, the ethical hacker is topped by another advertiser, offering the same with 75% discount, and would you know it, all these ‘new’ ethical hackers, what are the chances that a few have their own agenda? Now these people are not ready to take over SolarWinds yet, but they are en-route.

A lot of hackers started as ethical hackers and then didn’t end up with a decent job, they had to make ends meet, and would you know it, they had just the education to make that happen. So as they didn’t get high paying positions at Google, Apple or Sun systems, they decided to take the reins themselves. They do have their competitors, people who graduated from London Poly, or Moskovski politekhnicheski universitet and a few others, all having graduates and the world had no positions for them, so they became the new managers of another version of Ransomware, or some other solution. It was only 5 years ago that we saw “Trend Micro released a research paper about sextortion: the means through which cybercriminals obtain compromising personal images or videos of Internet users – which they then hold hostage until their demands have been met” and that was if you were lucky, the idiots that most governments have include idiots that put the national security and defence issues on a USB stick.

Time flies when greed is in charge
Over the last 5 years we saw an abundance of issues, yet the greed driven idiots all had a bottom line and cost is not part of that bottom line, it is actually against it, that was what some of these executives were screaming. And as things were pushed back quarter after quarter, the setting became that nothing was done, so when SolarWinds was transgressed upon the bulk of all corporations had no issue to see just how screwed they were, the sales people needed their bonus structure and so do the board members, as such there was for the most no defence. And it gets to be worse, even as we all want to blame SolarWinds, we need to realise that anyone with a lack of defence only has itself to blame. This is why I took certain defence matters into my own hands and even as they are not perfect, it beats no defence at all. When the Telecom Companies start to scream murder because usage is out of control and the numbers start showing that 100,000 people used 200 GB, all whilst the numbers showed that for the most the average of 50 GB, we will see another issue, the loss of telecom data and more important, our financial records will not match up, and at that point you will see a stage where our data is up for sale and there are plenty of interested parties who want that data. A setting of 5 servers that can be used multiple times and 25 customers all willing to pay $10,000 for the usage records of 100,000-350,000 people, and after the financial data is aggregated, they can collect a lot more from another 40 customers. 
It boils down to $250,000 for a month of work, and that is merely one segment, once these people hit companies (especially those with underfunded IT departments), The numbers will add up larger and faster, especially when IP data is made available, by the time the companies learn just how intense the pull of data was it will be too late and for the most the global police settings will not be able to cover it, the US has an FBI who can get to the matter to some degree, but they still think that North Korea did the Sony gig, so I am not holding my breath on that one. And that is before they realise that I devised another setting that explains the inside job part and I found a new way of exporting that data, which took less than an hour, the shareholders who needed a patsy in North Korea are that much in the dark at present and for the last 7-9 years actually.

So whilst the sales people are in the push for revenue, I reckon that only the companies that have a CTO on their board of directors will have a decent chance, the rest is cannon fodder, it is basically that simple.

The greed drive looks that good, but in reality they are losing 6:1 at present, SolarWinds is merely showing the agony that is out there, it is ABC News that gives a much larger timeline, with ‘Malware may have been installed in June’, which does give voice to my timeline, but it is not enough, we see the larger stage with “the hackers piggy-backed on the company that made software running on hundreds of thousands of corporate and government networks” and in all this, where was the security of SolarWinds? I believe that the damage is much larger and the players just do not know what to trust and who to trust, and that will stay with them for the larger extent of 2021, implying that their systems will not be properly cleaned for a much larger time, because they look at the larger setting, but this pass over will hit EVERY system, and it will hit a few systems in different ways, because they will get found out in a few ways, but not in all ways and that is why the agony score is so high and all this before someone realises that their cloud system could be just as infected and that is another piece of cake entirely, one that does not clean up so easily. 

So whilst we see the trivialisation of “it says patient information was not stolen” or “there was nothing to suggest customer data had been accessed”, it is the basic defence of any company or government organisation, but in reality they are decently clueless on what data was accessed and how it was copied or positioned in a place they can get to. For example it might not show, but when you realise that a person was using 12-17 GB of data during the day, so why is that person’s account using this data on his sick day? Odd is it not? There are a few more examples, but I let you simmer on this, because 2021 has a few more surprises for all of you, perhaps for me too.
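The sick-day question above can be turned into a simple check. The following is an added example, not part of the original post: it compares each account's transfer volume on days its owner is recorded absent against that account's working-day median. The account names, figures, absence records and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data: (account, ISO day, gigabytes transferred that day).
USAGE = [
    ("jdoe", "2021-01-04", 12.5),
    ("jdoe", "2021-01-05", 14.2),
    ("jdoe", "2021-01-06", 16.8),
    ("jdoe", "2021-01-07", 13.1),
    ("jdoe", "2021-01-08", 15.3),    # owner on sick leave, volume looks normal
    ("jdoe", "2021-01-11", 15.0),
    ("asmith", "2021-01-04", 3.0),
    ("asmith", "2021-01-05", 2.5),
    ("asmith", "2021-01-06", 0.2),   # owner on leave, background sync only
    ("asmith", "2021-01-07", 3.4),
]

# Constructed absence records, e.g. exported from an HR or rostering system.
ABSENCES = {("jdoe", "2021-01-08"), ("asmith", "2021-01-06")}


def working_day_baseline(usage, absences):
    """Median daily volume per account, counting only days the owner worked."""
    per_account = defaultdict(list)
    for account, day, gb in usage:
        if (account, day) not in absences:
            per_account[account].append(gb)
    return {account: median(values) for account, values in per_account.items()}


def absent_day_activity(usage, absences, min_fraction=0.5, floor_gb=1.0):
    """Return (account, day, gb, baseline) for absent days with real traffic.

    A day is flagged when the owner is recorded absent and the volume reaches
    at least `min_fraction` of the account's working-day median. `floor_gb`
    keeps idle background traffic from being reported, and is the only
    threshold used when an account has no working-day history at all.
    """
    baseline = working_day_baseline(usage, absences)
    findings = []
    for account, day, gb in usage:
        if (account, day) not in absences:
            continue
        typical = baseline.get(account)
        threshold = floor_gb if typical is None else max(floor_gb, min_fraction * typical)
        if gb >= threshold:
            findings.append((account, day, gb, typical))
    return sorted(findings)


if __name__ == "__main__":
    for account, day, gb, typical in absent_day_activity(USAGE, ABSENCES):
        print(f"{account} moved {gb} GB on {day} while absent "
              f"(working-day median {typical} GB)")
```

A hit is a reason to pull the session and source-address logs for that account and day, not proof of compromise: remote work on a sick day or a scheduled backup produces the same pattern.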


Filed under Finance, IT, Media, Science

Historic view versus reality

We all seem to have views, it is not wrong, it is not bad it is not evil, it merely is. I saw in 1998-2002 how governments sat on their hands, how lawmakers sat on their hands (and optionally on their mistresses) and they all vocally agreed that hackers were nothing more than a nuisance, and as I see it the traitor Bradley Edward Manning (aka Chelsea Elizabeth Manning) gave up secrets that it was not allowed to reveal and gave it to the world. There is no doubt on guilt, there was no doubt on treason, there merely was the act and that was that, it was the first moment where governments got the first clear hint that hackers were a much larger danger. After that came Julian Assange and Edward Snowden. Julian might be many things, but technically he was not a traitor. Edward Snowden was one, and the law again disregarded the steps that were taken, he went intentionally to a place where he might get the most value out of his deeds, Russia picked him up, just to piss off the US, which they were speculatively allowed to do, yet the stage is rather large, more hackers, all under the guise that the law saw them as a mere nuisance, we all got introduced to ransomware, now we see governments hacked through a sunny breeze (SolarWinds), and the voyage does not end. Now we see less than a day ago ‘Hackers threaten to leak plastic surgery pictures’, as well as ‘National Security Agency warns hackers are forging cloud authentication information’, now I do not care for the plastic surgery part, but it is another case where personal and person inclined data is no longer free, the two elements also give a rather large stage for us to place a new premise. One could now argue that hackers are the clear and present danger to personal and corporate needs and as such they can be hunted down and put to death.
So from nuisance to global danger, as such when all these mommies cry that their little boys did not know what they were doing, I have no issues putting a HK model 23 to their foreheads and executing them (optionally with silencer as to not scare the neighbours). 

I think it is time for lawmakers and government administrative types to wake up and smell the situation, and in this, perhaps some remember the words of Martin C. Libicki in Newsweek (2015) where he pushed the view ‘Cyberattacks Are a Nuisance, Not Terrorism’, well that is not really true, is it? When we see the definition of terrorism we see “The unlawful use of violence and intimidation, especially against civilians, in the pursuit of political aims”, there we see two parts up for debate, the first is that ‘mental violence’ is still violence and the setting of intimidation is already achieved, the stage we still need to address ‘the pursuit of political aims’, not all terrorism is set to political aims, unless if you call self-enrichment the pursuit of political aims.

And with ‘National Security Agency warns hackers are forging cloud authentication information’ we see an initial stage where commerce will come to a screeching halt. My IP does not cover for that, darn. But there is the old way (1981-1991), just kill them, be done with it. 

Now some (especially in law) will state that I am overreacting, yet am I? It is the lawmakers that could optionally be seen as cowards, hiding behind their golden calf called jurpisprudence. The law, for the most does a good job, it is not perfect, so be it, but for the most, it is OK. This covers the never trespassers and the limited trespassers, they make up for 75% of all people, then there are the criminals, 24.99%, the law takes care of them, they are repeat offenders, career criminals and as such the law was designed to deal with them, then there is the remaining 0.01%, these criminals are in it for the kill, to create a maximum amount of cadavers physically, mentally and financially, to make life for nearly all impossible, and that golden calf, the law cannot deal with them and we accept that, so we remove them in other ways. We hunt them down and put them to death, and when it is some 16 year old claiming he didn’t know what he was doing, we know, he did it to seem cool, he was willing to make all others suffer, just to look cool, to get the tits, to rub the vagina, his friends never could, as such there is a 9mm solution that solves it, if only his parents had raised him right. 

You think I am kidding?
You forget the poverty line is shifting massively because of COVID-19 and soon the insurances will not cover the impact, the media will merely snigger and cash in on all those clicks they got from the $x donation to an unnamed source, and it is now time to make the long overdue change, before governments are pushed to take away more and more of our freedoms, which will push us into the dark-web, a situation these criminals would love. And it is close to 15 years too late, but in this case it is better to be late to the party than not get there at all. 

Am I overreacting?
That would remain a fair question, I do not believe so as this step is well over a decade overdue, it is not something that was pushed to the top in the last few days, and it is partially due to governments and lawmakers not acting when they could have and especially when they should have, now the dike is levied and people are soon to be drowning and something must be done. From my point of view, to hit terrorists, you hit them harder, so the more extreme you hit these hackers, the clearer the message becomes. And a clear message is years overdue.

In this there is a two step setting, there are the “cool wannabe’s” who are most likely teenagers, some of them are easy to find and after the first examples a lot of them will hide like cockroaches, but the second tier, the one the media and governments intentionally ignore are those in organised crime, they will be the real challenge and as most governments have nothing on stopping them, at best they can limit the damage, which is basically no solution, that gap will take time, but with ‘hackers are forging cloud authentication information’ less than a week old, there is now a chance that the NSA and other intelligence networks will realise that compromised clouds will have global commercial implications, as such governments must now act, the moment any cloud is openly seen compromised, it will be too late for well over a decade. It becomes a clearer situation when you consider that global e-commerce was set to ‘Global e-Commerce hits $25.6 trillion’, by the United Nations Conference on Trade and Development (UNCTAD), so how much losses must global commerce endure before we act? Oh and if you think that this is the end? How much more powerful will organised crime become if they only get their fingers on 0.1% ($25,600,000,000)? It will become a sliding scale that goes from bad to worse, and governments knew that, they knew for well over a decade, but their delusions saw other non-solution, like perhaps, it will go away on its own, so tell me when was that ever a solution?

Filed under Finance, IT, Law, Media, Military

When a scary dream is more

A lot of people have them, I do too, I just had one and it scared me awake for some reason, and even now, one of the elements is already gone and my mind is fighting to hold onto the other thought, even though I am wide awake. It seems like the dreams are not giving up their secrets that easy, and it is a little bewildering.

So here I am, in my dream, I meet a nice woman, she seems really nice, friendly and confused. She is confused as people are not calling her back and that is where this part is taking us, what we are not told. Changes that are a stage of what people think we should not need to know.

In this dream, I am learning that she has a 5G sim in her 4G phone, it seemingly works, but it only partially works, in the rear there are members of a nefarious organisation and they seemingly are aware that it would be possible to capture people’s hardware, autoforward their hardware and leave the owner unsuspected, a setting for large amounts of identity theft in 2023, as the bulk of our lives are going through a different device. You see, that thing you hold, that brick, that piece of plastic, it is not your mobile phone, not anymore. It has become your personal data server and that is in this age a bit more powerful than you imagined and under 5G, taking a hold of finances and other means when you pump them through your mobile has consequences. So as I am pondering the dream, I see flares of the second dream. There I meet up with an old boss, he is wearing an old uniform jacket, like a bolero for men, shutting at the waist, the old Dutch uniform jacket of 1975-1980, some used to love them. The only thing I remember is that he had to remain aware in every room where the emergency exit was, it all went a blur after that, so here I am awake trying to figure out my delusions. So I started looking and there were several sources that are not worthy of mentioning, but Ericsson, with his setting gives us “The simple answer, under certain assumptions, is no. However, a complete answer is nevertheless trickier than just a yes or a no”, why can they not answer it: “Yes, if you have…. And no if you have the following situation”, why did I have to take notice of ‘a complete answer is nevertheless trickier’.

And actually, their answer is surprisingly complete, and as I give you “While accessing the 5G system is one thing, the question we have is whether using the “new” security and privacy features of 5G requires a new kind of USIM other than Rel 99+ USIMs which could be used for 4G security. This is a valid question and something which we address below”, as well as “In 5G, subscription permanent identifier (SUPI) could be in two formats, one is the legacy format called international mobile subscriber identity (IMSI) and another is the format newly adopted in 5G called network access identifier (NAI). Furthermore, 5G provides at least two methods of authentication and key agreement (AKA) for accessing the network. One such method, 5G AKA, is an evolution of the authentication method in 4G. Another, called EAP-AKA’, is a method now widely adopted in 5G for broader use of the Extensible Authentication Protocol (EAP) framework”, which is interesting, I never knew any of this, I am literally learning this as I write the article, so why was the dream so unreal and partly scary? This is when I see “from the IdaM viewpoint, the Rel 99+ USIMs that could be used in 4G are still compatible with 5G, in that they can be used to authenticate and gain access to the 5G system. The main reason for this forward compatibility is the fact that there is no need for a new permanent security key shared between USIMs and the network”, as well as “5G has introduced significant privacy enhancements in terms of how permanent and temporary identifiers are used”, this optionally sets the stage for something really scary. What if the SolarWinds debacle is merely a test-run in getting some parts out there, optionally undetected? What if there is a run on copying all the data in some way because, as we see here ‘4G are still compatible with 5G’, I merely wonder what else is possible and why the dream scared me, more important, I knew nothing of this before now so how does my dream know? 
I have never seen an actual 5G sim before today, and as I see some of them, they are all vastly different, it also implies that the sim touches different points, in different cases, and I know that what I am seeing is marketing driven, but where is the reality? More important, what is the danger I dreamt of? If a person’s phone can be hijacked WITHOUT the owner knowing, what other dangers are there for their personal data servers? I worked on the IP to lower that danger, but it was merely a consumer driven IP, which aligned perfectly with something else, and here I am seeing that there is a danger, optionally merely a delusional one that is in the background, so I can pretty much kiss this night of sleep goodbye.

Still, only 2 days left to get my groceries and most is done, but some parts I tend to leave to the last moment, that tends to be me. You see on the 24th many groceries start pricing down the stuff they cannot sell on the 25th for some reason and that is where my little profit is.

Still, my dreams seldom throw me to this degree and to be honest, when it comes to dreaming high tech and gorgeous women optionally scantily clothed, I still go for option two, even though I stopped being a teenager some time ago, well that’s me and for now I am considering something on branding for tomorrow, or the 25th, something happened and it puzzled me, but it is always a decent reason to dig into the matter and that is what I might do, yet for now, there was something on the dream that was more than delusional. It is not merely on what was done without our consent and knowledge, what happens when options like that become a larger stage of exploitation? What happens when EVERY sim is the first part of a tracker and 5G pushes us to allow for more, all whilst the evidence against us is legally not allowed to rely on data points to help prove our innocence? I will leave you to ponder on that element of the equation.

Filed under IT, Science

Not for minors

OK, this is not the most subtle article I have ever written, but at times subtle just doesn’t do the story any justice, it happens. So this is a question to parents “If you have a daughter between 22-32, and she looks like Laura Vandervoort, Olivia Wilde, or Alexina Graham. Can I please fuck the bejesus out of her vagina?” To be honest, I don’t really need to, but it has been a while, so there. 

Are we all awake now? So consider ‘Facebook and Apple are in a fight. Your browsing history is in the middle’ (at https://www.nbcnews.com/tech/tech-news/facebook-apple-are-fight-your-browsing-history-middle-n1251612), apart from all the hackers getting access through Microsoft, we see another stage develop. The headline might not get you on board, so perhaps the by-line will “Facebook on Thursday ran its second full-page newspaper advertisement in as many days, attacking Apple’s plans to tell iPhone and iPad users when apps are tracking them online”, which implies that Facebook does NOT want you to know that apps are tracking your every move, and Apple does. It seems to me that Apple is in a stage to put awareness and security at the centre of your digital life, Facebook not so much. Now, I have no problems with Facebook keeping track of my actions ON FACEBOOK, but does their ‘free’ service imply that they are allowed to do that anywhere I am? I believe that this is not the case and the money Facebook is getting is starting to feel tight around my digital profile, their actions had already made it important to delete Facebook software from my mobile phone (it was draining my battery), but the stage is larger and that is seen in the NBC News article (and a few others too).

So as the quote “Facebook on Thursday ran its second full-page newspaper advertisement in as many days, attacking Apple’s plans to tell iPhone and iPad users when apps are tracking them online” is given, how many of you are considering the following:

  1. A full page ad in the newspapers is pretty expensive.
  2. Facebook is seemingly untouched that multiple apps are following us.
  3. We are seemingly not allowed to know all the facts!

This is the big one “attacking Apple’s plans to tell iPhone and iPad users when apps are tracking them online”, so why are we not allowed to know what is being done to us, that we are being followed in a digital way and Facebook does not want us to be aware? This is where we see my (not so) subtle hint regarding your daughter and “fuck the bejesus out of her vagina”, how many fathers will be slightly less than enthusiastic? I get it, your little princess (your consenting and adult) little princess needs a knight on a white horse and always bring flowers and chocolates, have honourable intentions and to set your mind at ease keeps your daughter a virgin until the day she marries. It is not realistic, but parents are allowed to be overly protective of their princes and princesses. Yet Facebook seemingly does not want you to be in that park, they want you to be unaware of what is going on, and Apple drive it to the surface. So when we see “Apple is planning to roll out a new feature on its devices that will alert people when an app such as Facebook is trying to “track your activity across other companies’ apps and websites.” People will have options such as “Ask App not to Track” or “Allow.””, they did something really clever, if Microsoft (after they resolve all their hacks) does not follow suit, Microsoft stands to lose a massive slice of the consumer pie and that will not make them happy. I for the most am completely on the Apple side when we see “Users should know when their data is being collected and shared across other apps and websites — and they should have the choice to allow that or not”, I personally am realistic enough to see that Apple has an additional side to this, not sure what yet, but this is about a lot more than mere advertisements, I am however not too sure about what that is. 
When we see “Facebook uses data such as browsing history to show people ads they’re more likely to want to see, and to prove to marketers that its ads are working”, we need to realise that I would have no issues with any link opened within Facebook towards whatever we were going to in any advertisement. For example, if Facebook opens up a browser window, within Facebook and tracks the clicker, I would not completely be opposed to it, but Facebook realises that the data it is tracking is a much larger stage and I feel that this is not merely about “prove to marketers that its ads are working”, I believe that these trackers keep tabs on a lot more, keep tabs on what we do, where we do it and how we do it. I believe that it is a first step in the overly effective phishing attacks we face, Facebook might not be part to that, but I reckon the phishing industry got access to data that is not normally collected and I personally believe that Facebook is part of that problem, I also believe that this will turn from bad to worse with all the ‘via browser gaming apps’ we are currently being offered. I believe that these dedicated non console gaming ‘solutions’ will make things worse, it might be about money for players like Epic (Fortnite), but the data collected in this will cater to a much larger and optionally fairly darker player in this, I just haven’t found any direct evidence proving this, in my defence, I had no way of seeing the weakness that SolarWinds introduced. It does not surprise me, because there is always someone smarter and any firm that has a revenue and a cost issue will find a cheaper way, opening the door for all the nefarious characters surfing the life of IoT, there was never any doubt in this.

And in this, it was for them NEVER directly about the money, in this look at the ‘victims’:
The US Treasury Department, The US Department of Commerce’s National Telecommunications and Information Administration (NTIA), The Department of Health’s National Institutes of Health (NIH), The Cybersecurity and Infrastructure Agency (CISA), The Department of Homeland Security (DHS), The US Department of State, The National Nuclear Security Administration (NNSA) (also disclosed today), The US Department of Energy (DOE) (also disclosed today), Three US states (also disclosed today), City of Austin (also disclosed today) (source: ZDNET). It was about the information, the stage of a more complete fingerprint of people and administrations. It gives the worry, but it also gives the stage where we can see that Apple has a point and we need to protect ourselves, because players like Microsoft will not (no matter what they claim). In this I name Microsoft, but they are not alone, anyone skating around margins of cost are potential data leaks and that list is a hell of a lot larger than any of us (including me) thinks it is.

So whilst we look and admire the models, actors and actresses and we imagine whatever we imagine, consider that they are not a realistic path, a desirable one, but not a realistic one and that is the opening that organised crime needs to claimingly give you ‘access’ to what you desire whilst taking your data. It is the oldest game in the book, all wars are based on deception and you need to wake up, the moment your data is captured and categorised you are no longer considered an interesting party, you are sold and they move onto the next target. So whilst you get trivialised, consider that Apple has a plan, but whatever they plan, it seems you are better off on that side, than the one Facebook is planning. When was the last time that you were better off staying in the dark on what happens to your data, on what happens when others keep tabs on you?

And in this consider “Facebook is making a last-ditch effort to persuade Apple to back off or compromise with industry standard-setters. With offline ads in newspapers such as The Washington Post and The Wall Street Journal, the social networking company is trying to rally to its side the millions of small businesses who buy ads on Facebook and Instagram”, so in that quote where do we see any consideration on the people or us as the consumers? When we see “millions of small businesses who buy ads on Facebook and Instagram” where is the consideration that they should have for the customers who walk into their business? When you get in any shop what do you hear? How can I be of service? Or do you hear: What do you want? I let you consider that whilst you consider the position Facebook needs to have and consider that non digital advertisement never kept track of what other newspapers you were reading.

We seemingly forgot that there is a price for the presence of IoT, Apple is making us aware of that. I am not silly enough to think that Apple is holier than thou, but at least they created the awareness and the greed driven players are not looking too good today, are they?

Filed under IT, Law, Media, Science