Tag Archives: SolarWinds

Cutting corners

Something did not sit well with me yesterday. I have been mulling things over for most of today and it all started with Politico (at https://www.politico.com/news/2023/09/12/pentagon-cyber-command-private-companies-00115206) where we are given ‘The U.S. is getting hacked. So the Pentagon is overhauling its approach to cyber’.

This setting comes in a few stages. Let’s start with the given that I have no opposition to the Pentagon getting involved. But the stage is not that simple. So we start with the quote “attacks on critical U.S. companies and federal agencies, and as the Pentagon eyes Chinese hacking efforts with increasing concern.” The first issue is that I would have said “Chinese and Russian hacking efforts”, it would be more accurate. There is an additional side to all this. If American corporations had done their job BETTER, this issue would not be the critical issue it currently is.

Equifax (2017)
Marriott International (2018)
Capital One (2019)
First American (2019)
SolarWinds (2020)
Colonial Pipeline (2021)
LinkedIn (2021)
Microsoft Exchange Server (2021)
Twitter (2022)

This is merely a small grasp; this grasp has millions of records online for each of these cases. In this, LinkedIn stood out with “Personal records of over 700 million users – 92% of the user base – were scraped from the platform and put up for sale in a hacker forum. Why did this happen? Attackers found a public API without authentication and breached it to scrape content.” This case is also the larger issue (beside the fact that it was an API and I wrote about that risk in ‘A simpleminded A, B, C’ on August 30th (at https://lawlordtobe.com/2023/08/30/a-simpleminded-a-b-c/)), a simple setting now out in the open. People still think I was grasping at straws? Now here we see (in the LinkedIn case) “Attackers found a public API without authentication”, as such couldn’t they do their bloody jobs? I understand the setting of the Pentagon, but there needs to be a bill for utter stupidity and a link to your data without authentication is definitely one.

Corporations have been cutting corners on cost and staff and now that the consequences are out in the open, the Pentagon needs to rescue them? Screw that!

It is nice that the Pentagon comes to the rescue, but every rescue needs to come with an audit of that company and a hefty bill for the action. Consider a pointless rescue by coast guard and Marine rescue; these people get a hefty fine. I see that someone employs an API without authentication in pretty much the same way.

Yet the article is merely the start. You see, we can all agree on “Hackers are increasingly infiltrating private companies and government agencies far outside the Pentagon’s usual purview, and the hacks are being perpetrated by cybercriminals who honed their strategies abroad before striking the United States.” OK, that is fine and the fact that the Pentagon and its digital weapon systems are brought to bear is fine, but the utterly stupid setting by corporations that cut corners is part one and that is on those corporations. I am even willing to accept that it took a disgruntled employee to hand visibility to the wrong people. Yet that also implies that these corporations have a larger problem and THEY have to pay for that.

So about three weeks ago, we were handed the 2023 DoD Cyber Strategy guide. The PDF (see bottom) is a nice piece of work. My issue is with page 6 where we are given “The Department will continue to persistently engage U.S. adversaries in cyberspace, identifying malicious cyber activity in the early stages of planning and development. We will track the organization, capabilities, and intent of malicious cyber actors. We will leverage these insights to bolster the cyber resilience of the Nation and will coordinate with interagency partners to publicize this information as circumstances permit.” As I personally see it, it should say “The Department will continue to persistently engage U.S. adversaries in cyberspace, identifying malicious cyber activity in the early stages of planning and development. We will track the organisation, capabilities, and intent of malicious cyber actors, whilst registering corporate shortcomings. We will leverage these insights to bolster the cyber resilience of the Nation and will coordinate with interagency partners to publicise this information as circumstances permit, where corporate shortcomings will not be silenced.” In this case some will state that this is not the job of the DoD and they would be correct, but Corporate America fell short and they now want help, that shortcoming needs to be illuminated as well. You cannot have it both ways.

The document gives us a lot to think about and I agree with 99% of it all, especially when it comes to the Department of Defense Information Network. 

I created the Hub+1 intrusion solution in 2014 (or 2015). As far as I know, no one is at this time ready for that creative little caper. I got there shortly after the Sony hack. The information never added up to me and I started to wonder how it could have been done (always a nice way to find the issue by re-engineering the possibilities). And all this is long before we consider issues like non-repudiation, a simple setting I learned about in UTS (University of Technology Sydney) about 3 years before the Sony hack and corporations have been cutting corners ever since. Consider the routers of the FBI, DoD, DMV, Department of Homeland Security and the postal services. Now check EVERY router and tally the ones where the password was Cisco123. I reckon you will find close to a dozen routers. I know it is more presumption than speculation on my side, but that is the larger failure and that is BEFORE we check all the corporate routers. People in IT have been too lazy (for many obvious reasons) and most of them involve resource shortages and why should the Pentagon pay for that bill?

I see that corporate America needs to pay for their cutting corners, the Pentagon has enough issues to work through and when it needs to step in (and when shortcomings are found) that corporation needs to get billed. This is specific. Corporate players cannot shield themselves from top tier hackers, that is BS. But letting the Pentagon pay for corporate stupidity is equally stupid and that needs to be out in the open. 

So this was my rant on stupidity, enjoy the day.

Filed under IT, Media, Military, Politics, Science

Focal and blinders

We all face them at times, I am no different. The problem is when is what what. Let me be a little more clear, in my case Microsoft is an issue, as I personally see it, if they buy Blizzard, they will need $92,000,000 of profit a day just to break even with the purchase of 3 houses (Mojang, Bethesda and Blizzard), now this is not set correctly, they bought Mojang some time ago, as such the amount is a few million less, but it is not less by much. They already crashed Redfall PS5, which they are allowed to do. They are allowed to do whatever they need to with what they own. Yet, consider that the PS5 has well over 30,000,000 consoles in the field and they allegedly need $92 million a day, does the act make sense? So am I concentrating on a focal, or a blinder. Consider that a blinder lets you NOT see in a specific direction. We attribute all kinds of ‘evil’ towards Microsoft, are they blinders or are they seen as the result of a focal? That is actually a lot harder to answer than you think. When is one could also be the other.

As such I have been concentrating on my two IP projects. Project Graveyard and Project Cluster. Two very different software and hardware IP settings. They both fit the Amazon Luna and optionally whoever buys the Google Stadia, which is why Kingdom Holdings was on my radar. One will be a decent downfall for Microsoft the other no less, but also takes the steam out of Facebook, and as such Amazon was the logical path to take and not just merely logical, Amazon was about to get a whole new range of revenue because of it. Yet I try not to be smitten by either blinders or focal (no matter how much fun they are). As such I saw the appearance of Tencent on time and even as several players are willing to ignore Tencent, I cannot and I will not. Tencent has seemingly the ability to unite gamers. In addition it allows China to grow in one additional industry where Americans thought they would not exist and now Microsoft in particular will have a problem because of the required $92 million a day will become a nose grounded with an anchor around the neck of American economy. And there are plenty of naysayer spinners on the internet. It is all Microsoft and they are all getting on top of things. So let’s have a go at that list

1. Microsoft would acquire Mandiant to solve their SolarWinds issue
There was one news cycle and then suddenly it went dark, there was no more news. I raised it in ‘What we hope for’ on March 7th 2022 (at https://lawlordtobe.com/2022/03/07/what-we-hope-for/). It became part of Google and it is a Google solution now. After that Microsoft and cyber solutions went a little dark on the matter.

2. Microsoft had a new Tablet to WOW the world. No, it didn’t; it never got close to the Apple iPad and it got even less close to the iPad Air, two devices that were more able and had a larger following and it still does. It still has a lot more to offer, but the spinners came with the ‘with the keyboard it was a more complete laptop’. No, it was not and it will never be that more. I saw people howling with agony as they saw failure after failure on their Surface. I still see some people trying to spin that thing. A $1650 solution trying to win over a $500 iPad, all whilst Apple has the more versatile device.

3. Microsoft has the cloud solution, Azure. Smell it, it smells nice. Which is laughingly the biggest loser of them all. In clarity, Azure is not bad, it lacks and it has no business in gaming. Azure is the Microsoft solution and after 3 years it is nowhere near ready to take on the AWS (Amazon Cloud solution). Last month someone wrote (not me) “Azure is more costly. Azure is the finest alternative for a robust Platform-as-a-Service (PaaS) provider and even a Windows integration. If a company needs infrastructure-as-a-service (IaaS) or a wide range of tools, AWS may be the ideal option”, so where are the SaaS and GaaS comparisons? And when I look, there is always a hidden issue where the people are promoting THEIR solution, no matter whether it involves AWS or Azure (Google is falling behind too much). At the moment the market share of AWS is a lot larger and in some reports it seems like Google cloud and IBM cloud are underreported. What matters is that this is another field where Microsoft is not ahead.

4. The Microsoft gaming console is the most powerful in the world. It might be true, but the weakest console of them all (Nintendo Switch) surpassed the Microsoft sales numbers by a lot and did it in half the time Microsoft with their X/S console were in the field. Even now, these numbers of X and S series consoles are aggregated, the loss is that defining. They are way behind the PS5 with their X series console, but it is the most powerful in the world. In addition the PS5 has a whole range of next generation titles that goes into the dozen and the Microsoft console is lacking there, even after two years it is still lacking in next generation titles.

I will ignore issues 5, 6 and 7. 4 fields where Microsoft will need to do a lot better and for years they were not able to do so. So where is that $92 million a day profit coming from? I cannot see it, can you? And that was merely to claw back the investments on gaming alone. Amazon is hungry and they are driving their AWS (and optionally their Amazon Luna too) making the pain for Microsoft larger. Apple has a firm grip on their devices and even as we might not like Apple, their devices are solid and Microsoft has no chance of driving a wedge there. And as I see it, they already lost the console war. In that environment Microsoft is bleeding revenue all over the field, their books are red with blood and red ink. And for their security I have not seen an alternative for Mandiant (owned by Google). So where are they now? When will we see another SolarWinds? It is not a given, but they lack in cyber security, so I fail to see how they will stop the next wave.

And now the battlefield changes further, Tencent is about to arrive, I merely wonder if that was one of the reasons why the E3 was cancelled (I honestly do not know). If Tencent arrives, it arrives with more options and more settings than the Microsoft console field will allow for, no matter how that plays out, it makes the Blizzard $65,000,000,000 a massive anchor around the neck of Microsoft and it will hurt them, no matter what ideas they have. Tencent has been funding a lot of Unreal Engine 5 stuff, as such they could wow the gaming community and if they are going the direction I am speculating on, it will hurt both Microsoft and Amazon to a larger degree, in this the pain to Apple remains unknown, or it might be minor. And that is all before some figure out that Project Cluster will enable a lot more than anyone considered, it was meant for that, to be ready for national 5G implementations. How many of them did that off the bat and how many (implying Microsoft) stated “We will get to that when it is ready”, it is the short term focal point of a quarter by quarter BI person. In this none of them have a real long term focal point and that is why Tencent is a danger to them all, they are focussing on 2025 and 2026 (the year Microsoft allegedly collapses).

So is Microsoft my blinder? Is it my focal, or did I see the stage for what it was, one that offers great options for some and not that much for others? They limited their abilities by hanging an additional $65,000,000,000 anchor around their necks. I am calling it as I saw it. Perhaps I am wrong, you tell me. I gave you the numbers and the works, you can do your own research.

Filed under Finance, Gaming, IT, Media, Science

Moments of clarity

It happens, we all have them and at times we do not know how it interacts with reality. For me it started yesterday. I was at first thinking No Ware, No where, Know Wear, Know What and so on, like a train, phonetic phrases. This took me back to a moment in the 80’s when I came across the idea for a phonetic virus. A virus that when played on a PC does nothing, when played on an Apple with a RISC processor it stops processes and other elements. Nothing destructive, merely disruptive. I never brought it into play for the reason that I had a job and I was too busy for anything else but work. So in that setting my mind started mulling a few things over.

Local awareness
The setting is that there is no real way to keep things safe, pretty much any cloud system can be transgressed upon. I got there by the MSNBC article ‘U.S. Marshals Service suffers ‘major’ security breach that compromises sensitive information, senior law enforcement officials say’, nothing really new, SolarWinds brought that to the surface, the April 2021 events brought that to the surface and that was not the first event, more has happened that overthrows the statements regarding ‘Data at rest’ and ‘Data in motion’. The data vault programs on the iPad merely heighten the issue to a much higher and a much more visible event. We need programs that reserve memory on mobiles and make sure that it is local only, the idea to put it ‘safely’ in the cloud is a joke that is much bigger than the Titanic.

QR codes
Then I moved towards replacing the QR codes. There is nothing wrong with the QR code, it is an awesome invention, but there is a geriatric need. Many of these people are not good with their phone cameras, and at times the use of such a code could have larger ramifications.

I came up with an idea. 4 blocks of 12 characters consisting of either A, C, D, E, G, H, K, L, M, P, S, T, U, W, X, Z, even with the camera at an angle, there is every chance to repair the image and code. The 16 letters could represent a hexadecimal code, the 4 number groups separating the blocks could have all kinds of uses and the hash in the middle is a check number keeping it all in balance and offering some kind of stage to repair the unclear image of such a code.

My initial use was to encrypt medication so that an image could help doctors when needed, but its use is much larger as I am imagining it. 

These elements are connected, but not essentially so. I was brainstorming on the use of different approaches to keep usage of data private. The approach could become larger, but that is what we all think of our ideas. Will it work? I cannot tell, there is a direct market to keep private for everyone, these so-called providers come up with an idea and then place it in the cloud where EVERYONE can get a hand on it. There is a need to change things and others are seeing that stage evolve right now.

But it was an idea I have no real intentions to pursue and as such it made for a nice story on my blog. So have at it and have a great day.

Filed under IT, Science

As I aid timing

There is a stage that is coming. I have stated it before and I am stating it again. I believe that the end of Microsoft is near. I myself am banking on 2026. They did this to themselves, it is all on them. They pushed for borders they had no business being on and they got beat three times over. Yes, I saw the news, they are buying more (in this case ChatGPT) and they will pay billions over several years, but that is not what is killing them (it is not aiding them). The stupid people (aka their board of directors) don’t seem to learn and it is about to end the existence of Microsoft and my personal view is ‘And so it should!’ You see, I have seen this before. A place called Infotheek in the 90’s, growth through acquisition. It did not end well for those wannabes. And that was in the 90’s when there was no real competition. It was the start of Asus, it was the start of a lot of things. China was nowhere near, it was not in IT, now it is a powerhouse. There are a few powerhouses and a lot of them are not American. So as Microsoft spends a billion here and there it is now starting to end up being real money. They are in the process of firing 10,000 people, so there will be a brain drain and players like Tencent are waiting for that to happen. And the added parts are merely clogging all and bringing instability. Before the end of the year we get a speech on how ChatGPT will be everywhere and the massive bugs and holes in security will merely double or more.
So after they got slapped in the Tablet market with their Surface joke (by Apple with the iPad), after they got slapped in the data market with their Azure (by Amazon with their AWS) and after they got slapped in the console market with their Xbox System X (by Sony with their PS5) they are about to get beat with over 20% of their cornerstone market as Adobe gets to move in soon and show Microsoft and their PowerPoint how inferior they have become (which I presume will happen after Meta launches their new Meta) Microsoft will have been beaten four times over and I am now trying to find a way to get another idea to the Amazon Luna people.

This all started today as I remembered something I told a blogger and that turned into an idea and here I am committing this to a setting that is for the eyes of Amazon Luna only. No prying Microsoft eyes. I have been searching mind and systems and I cannot find anywhere where this has been done before, a novel idea and in gaming these are rare, very rare. When adding the parts that I did write about before, I get a new stage, one that shows Microsoft the folly of buying billions of game designers and none of them have what I am about to hand Microsoft. If I have to aid a little hand to make 2026 the year of doom for Microsoft, I will. I am simply that kind of a guy. They did this all to themselves. I was a simple guy, merely awaiting the next game, the next dose of fun and Microsoft decided to buy Bethesda, which was their right. So there I was designing and thinking through new ways to bring them down and that was before I found the 50 million new accounts for the Amazon Luna (with the reservation that they can run Unreal Engine 5) and that idea grew a hell of a lot more. All stations that Microsoft could never buy, they needed committed people, committed people who can dream new solutions, not the ideas that get purchased. You see, I am certain that the existence of ChatGPT relied on a few people who are no longer there. That is no one’s fault, these things happen everywhere. Yet, when you decide to push it into existing software and existing cloud solutions, the shortcomings will start showing ever so slowly. A little here and a little there and they will overcome these issues, they really will, but they will leave a little hole in place and that is where others will find a way to have some fun. I expect that the issue with SolarWinds started in similar ways. In that instance hackers targeted SolarWinds by deploying malicious code into its Orion IT monitoring and management software. What are the chances that the Orion IT monitoring part had a similar issue?
It is highly speculative, I will say that upfront, but am I right? Could I be right?

That is the question and Microsoft has made a gamble and invested more and more billions in other solutions whilst they are firing 10,000 employees. At some point these issues start working in unison making life especially hard for a lot of remaining employees at Microsoft, time will tell. I have time, do they?

Filed under Finance, Gaming, IT, Science

It started with a prank

This is the story of a story if you want. To get the full idea I have to take you back to 1974. We got a visit from an air force officer, he showed us quartz. Not a small piece either, we needed both hands to hold it, it was like a small pyramid almost 10 inches each side and it was raw, not shaped, not prepared, raw quartz. It was almost like magic. Now we go back to almost the present. The movie Cloverfield is out and it is quite the trip and whilst I was watching the DVD it suddenly hit me. What if I could send parts of the edited movie on an SD card and hand it to the officer with the message to get it to DARPA. Apart from the simple fact that there were no SD cards in 1974, the idea that a 10-year-old knew about DARPA would be remote and the contraption would be unknown to the officer who would be able to see that it was advanced tech. Once they figured out it was 128GB the panic starts, because in 1974 a 200MB Winchester drive would be the size of an office desk. Then they need to decode what was there and when they saw the MP4 files panic would truly start. Lady Liberty, the Brooklyn bridge and more. The panic would be near complete and the prank would be utterly complete. So this was when the daydream stopped and the mind started to wind the cogs. What if it was not a prank, what if it was not then but now. What if hackers, not some government, create a different kind of file. A file that gives a stage that could create panic. Like the light bar in newscasts, what if at 02:30 the transmission was interrupted WITHOUT the studios noticing, with a special newscast that the bitcoin collapsed, it was at this point 700 points down and expected to drop another 800 points. Not one, but orchestrated over half a dozen stations setting the stage in 2 timezones (in the US, China, Japan, or perhaps gullible North Korea).
The panic wave would create a dip, large enough to make a decent killing, especially if the buys were not in the country where it was hit, and 30 minutes later all traces were gone. The media would have a field day trying to find out who did it and how it was done, but the stage is now complete. You see, what if SolarWinds did not just update supermarkets, what if that was the start of a specific backdoor that could not be found as it was too small and it was inactive (like the Optus hack).
The idea that people will drop their bitcoins at $14000 ($6K down) implies that there would be a lot of money to be made in 30 minutes. And after the hour the bitcoin is sold again and the scoundrels walked out with millions, paying off their ‘loan’ with a healthy profit. It would need massive orchestration. The stations, the internet, several other elements and those who think it is impossible better realise that SolarWinds, Optus and a few more hacks overlap in places and a small cohesive group could be waiting below the line merely waiting for the right time and with the average detection time set to 200 days there is plenty of manoeuvring space.

The setting for a Hollywood script in a few hours. I need a hobby!

Well that was my scoundrel side thinking new ideas to be made into a script. Have a fun time and please invite me to the red carpet if the script becomes reality.

Filed under Finance, IT, movies, Science, Stories

The balance of one and zero

I just woke up from the weirdest dream, so take my word on this, this is not about reality, this is entertainment (or the future). The dream was nice and ‘uplifting’ there is nothing not sexy about a dozen women in tight outfits defending a location killing anything in sight. I am sitting in a chair (I think), the women are patrolling the place, there are at least 4-5 women in my room and a lot more outside. But the difference between peace and the other thing is a mere switch. From one moment to another all the women change from tranquil to deadly, waves of attacks start and the women kill whatever comes in view and there is a lot coming their way, yet in the end it does not matter, nearly all are killed, the exercise is over. It was a training, but not one you would see. This was the training of a true AI. You see, AI’s learn differently. They had similar training a child has, but the AI becomes mature a lot faster, a thousand times faster and to teach an AI they get pointers. They literally get data points and point references. This is called aggregated evolution.

This specific AI is owned by the CIA and the year is 21xx something. 

The evolution happens through what we will call an Exabyte drive. The parsing of that data takes a little while and it is done in the background, and the AI takes in every aspect of the training. It makes the AI the dangerous thing it is, and it is truly dangerous. So at this time there are only a few true AI’s, some are economic, some are logistic, some are tactical, some are operational. And only the big players can afford them, a true AI is not some server, it is like making the 1984 comparison between an IBM model 36 mainframe to an IBM PCXT. There are other AI’s, they are not true AI’s, but are a lot similar. They are a lot smaller and they are evolved deeper learning systems. They bring the bacon but only to a degree and the world is in a stage to create stronger AI’s, and as people find cheap ways to evolve their AI, a hacker team is dedicated to finding and hacking streams with data from Exabyte drives. They cannot comprehend the data, but any AI can and the evolution of an AI is worth a lot of money, so as these hackers seek they find the wrong Aggregation file. They find the one that was highly secure, but still someone found a way and got the stream of the CIA and there the problem starts. At some point the wrong one is pushed into a zero (yes, it had to be a sexual reference). But here we get a new lesson, one that was out there, but not the one we envisioned. When you were young, you tried to play with matches and your parents stopped you, just like you were stopped playing with knives. You were told danger, and evil, bad and dangerous. It was how we learn. An AI does not learn, it does not merely learn the game of chess, it gets handed the history of EVERY chess game ever played. It gets pointers and creates the experience, free of morality, free of ‘burden’, so when it gets data it never had it learns in its own way and has no morality baggage, yet what it learns could be anything. The pointers the AI creates evolve it and it makes it worth a lot more.

So as we turn a page to another time we see a young woman dressed in retro miniskirt (70’s) and tight tank-top, she is looking in a store for a 4K movie, she picks up the Notebook (of course she did) and walks to the counter to pay, but now the stage changes, the operational AI in that mall was fed the CIA drive and recognises the woman, it sees a danger and EVERY system in the mall is now out to kill her and her kind (basically all women overly nicely dressed). The woman has no problems dealing with any attack, the security guards were easily dispersed but it suddenly happens all over the mall, and the security guards and the police accept the alarms that AI’s give them, the AI locks down the mall to protect the people outside but the mall becomes a deathtrap and all the other nice women who have no idea what’s going on are killed almost instantly. Those women who were not alone are suddenly seen as group dangers and women, men and children are executed, the AI never understood foundational stages and disperses as it was taught that a transgressing danger must be killed. And it happens all over the place, not merely in one mall, in any mall that had the same operational AI.

It becomes over time the dangers that short cuts, hackers and greedy overseers represent, it is not some avoidable setting, when we consider SolarWinds, Microsoft and a few other hacked places, they all gave the goods, but we need to understand that true AI’s have foundational differences. We have seen this in many movies, but did we learn anything?

You see, we saw periodic tables of what one day might be an AI, we see ‘Knowledge refinement’, we see ‘Relationship learning’ but they are separated entities, and the AI is supposed to operate like this and it does not matter what you think or say, someone will come, someone will be stupid enough to enlarge any AI for a lot of cash and there lies the rub, once we give any true AI the exabyte drive it is out of our hands, we do not get to become ‘caring’ parents, we merely unleash what we have wrought and there is no cautionary tale, because the greed driven will not care. In this the news is already there. Bloomberg gave us a week ago ‘Trained in the American intelligence community, cyber-contractors are now making their expertise available to governments around the world’, and today the Financial Times gives us ‘Hackers stole cryptocurrencies from at least 6,000 Coinbase customers’ (at https://www.ft.com/content/43ab875b-2e96-48b7-926d-be17e925f1c3) there we see “by exploiting a flaw in its two-factor authentication system. The news, first reported by Bleeping Computer, comes just a week after the company had to drop its plans to launch a new lending product following the threat of legal action from US securities regulators.” It is followed by a lot of yaba-yaba and with “Coinbase said it had “immediately” fixed the flaw, but it did not reveal when it had discovered the vulnerability or the hacking campaign” we see that whatever it fixed was AFTER the fact and the use of ‘immediately’ indicates that no one was cruising their system trying to find optional defects, so it could happen again. All this whilst there is a debatable situation on the timeline that was out there getting to 6000 clients, so now consider a CTO using hackers to make its system a lot more valuable.

Are you catching on yet?

Yes, the story I started with was merely the setting for entertainment, a movie or a TV episode, but it is founded on the dangerous premise we see every day, we use servers, we are online and hackers are a danger, yet what happens when we see the adaptation from Bloomberg, who gave us “To meet the surging demand for their services, these firms recruited cyber-operatives and analysts from U.S. intelligence agencies, offering what one former Federal Bureau of Investigations agent described to me as “buy-yourself-a-Ferrari” salaries. For some, their job description evolved from playing defence against hackers to going on the offence, heading attackers off at the pass. Others were assigned to counterterrorism operations, doing for their new clients what they had previously done for their country, and often using the same tools.” These nations evolved their systems with the experts that they could afford. Were they wrong? We seem to forget that US greed allowed for this setting to evolve and everyone wants people with top notch cyber skills. As I see it they did nothing wrong, they merely went where the financial security takes them and when we see the US as bankrupt as it presently is, all those nations get to go on a shopping spree and start a digital brain-drain of the US (and Europe too). 

We are seeing the impact of billions in damage and an almost absent stage of stopping it from happening. Close to a dozen events in this year alone and how long until the damage ends at our desk, the insurance and banks can no longer foot the bill, and that is happening now. We are handed phrases like “Potential future lost profits. Loss of value due to theft of your intellectual property. Betterment: the cost to improve internal technology systems, including any software or security upgrades after a cyber event”, so consider the dangers we saw with SolarWinds, at this point there is still debate whether the full extent of that damage is known and it has been more than 6 months. So change back to the AI story I had, when it is an exabyte of data (which is 1,000,000,000 gigabytes), how long until this is parsed? That is before you realise that there is almost no rolling back from that setting, the cost would be?

This is the balance of one and zero, we need a larger change in what people are allowed to do, not because we want to, but because we have to, a change that finally needs to be pushed to a larger station, and this is not merely against hackers, the greed driven need to be held to account, optionally doing double digits in a holiday location known as Rikers Island. We have entertained ‘fines’ for too long, it only fuelled what needs to be seen as a wave of enriching crime, but that might be merely my point of view on the matter.


Filed under Finance, IT, Military, Politics, Science

And the mystery is?


It is one of those ‘I told you so’ moments. I am not happy or proud, but the profound sadness that hits me when I see the way it is reported on is just staggering. A few are reporting on it, but the larger stage is likely to be found in places like the Verge soon enough. The people who get it will soon understand that it will be worse and that my 90% of cloud transgressions was no joke. Yet to see part of that nightmare, you need to realise that the Microsoft Azure cloud has been in existence since October 2008, almost 13 years. Now it took the business to grow its customer base. Yet consider that the article at Reuters ‘Microsoft warns thousands of cloud customers of exposed databases’ (at https://www.reuters.com/technology/exclusive-microsoft-warns-thousands-cloud-customers-exposed-databases-emails-2021-08-26/) gives us “A research team at security company Wiz discovered it was able to access keys that control access to databases held by thousands of companies”. Now we can only speculate how long that flaw was there, or perhaps that design error. Yet the damage is enormous. With “Microsoft agreed to pay Wiz $40,000 for finding the flaw and reporting it, according to an email it sent to Wiz” we might think it is trivial because it only cost $40,000, but it is not. Thousands of firms with BILLIONS in IP values and other values have been in danger for years, at the most 3 years, yet the article does not really reflect on that (which is not the fault of the BBC or Reuters). And when we are told “We fixed this issue immediately to keep our customers safe and protected. We thank the security researchers for working under coordinated vulnerability disclosure”, I wonder just how bad it is. Now, I get it, it might be fixed but if that was an easy fix, it might equally mean that it could have been easily prevented.

So when we get to “This is the worst cloud vulnerability you can imagine. It is a long-lasting secret. This is the central database of Azure, and we were able to get access to any customer database that we wanted.” We get to see that Wiz Chief Technology Officer Ami Luttwak (a former Microsoft employee) now working at Adallom LTD and Wiz. Now we get it, bugs happen, yet one would think that proper testing would be done and this bug whilst not proven to be transgressed upon went undetected for no one knows how long until an external group decided to test Microsoft access (optionally on Microsoft orders). So whilst some might think that “Microsoft only told customers whose keys were visible this month, when Wiz was working on the issue” passes muster, it does not, mainly because the length of the transgression enabled time is still unknown, and that is not all. When we consider “The company was breached by the same suspected Russian government hackers that infiltrated SolarWinds”, as well as “a wide number of hackers broke into Exchange email servers while a patch was being developed” with the cherry on top of “A recent fix for a printer flaw that allowed computer takeovers had to be redone repeatedly” as well as “Another Exchange flaw last week prompted an urgent U.S. government warning that customers need to install patches issued months ago because ransomware gangs are now exploiting it”, as such one might speculate that they need to adjust their marketing vision, with the first optional change being “We advertise the most powerful console because the other stuff is buggered” and it seems that Microsoft has all kinds of testing and investigation flaws, that is merely my speculated view, yet for the customers who feel threatened by this, consider looking at OpenOffice (at https://www.openoffice.org), I cannot guarantee it is more secure, but it is free and you are now paying for all the transgressions in a multitude of ways (including an annual fee) so you can at least negate one factor.

So whilst some feel sorry for that multibillion company and how sad things are, consider that Azure is an issue, especially when you realise “Microsoft and outside security experts have been pushing companies to abandon most of their own infrastructure and rely on the cloud for more security”, when that comes to the surface, we see that Microsoft seemingly embraces ‘sharing is caring’ and with everything people have in that cloud sharing everything with EVERYONE, we might see Microsoft as the most caring behemoth in the universe, but I reckon the customers who pay a pretty penny for that ‘privilege’ will see this differently. But there is light at the end of the tunnel (well not really). Compare the logos of Microsoft and the Olympics, now consider that only the black elements (the hackers) were not yet represented, but it seems that Microsoft gave them an internal challenge and so far the hackers are leading three to nil, which is the larger danger.

And that larger danger is given to us at the very end with “But though cloud attacks are more rare, they can be more devastating when they occur. What’s more, some are never publicised. A federally contracted research lab tracks all known security flaws in software and rates them by severity. But there is no equivalent system for holes in cloud architecture, so many critical vulnerabilities remain undisclosed to users, Luttwak said”. 

So it is here that some might realise that 

  1. Some cloud transgressions are never shown the light of day.
  2. Many critical vulnerabilities remain undisclosed.
  3. (Speculated) The makers might not even be aware of some vulnerabilities.

That is the stage that cloud customers are exposing themselves to and in this, with too many corporations reducing their IT security staff and relying on the security of the cloud, how much is this costing the Fortune 500 who created that erroneous overly simple mindset? It was never a mystery to me, I have written about these kinds of dangers since 2017, so if people are just now waking up, good morning and enjoy the coffee you have, you’ll need it.


Filed under Finance, IT

The New business

The BBC informs us(via another route) that there is a new business in town, this business works on the old premise of the bully and the backstabbing method called Ransomware. Now, this method was not unknown, we have seen it before, yet the article (at https://www.bbc.co.uk/news/technology-57946117) called ‘Ransomware key to unlock customer data from REvil attack’ gives us “US IT firm Kaseya – which was the first to be targeted earlier this month – said it got the key from a “trusted third party”.” Yes, this might sound true, but I still have an issue here. And the quote “Kaseya’s decryptor key will allow customers to retrieve missing files, without paying the ransom. The company’s spokeswoman Dana Liedholm declined to answer whether Kaseya had paid for access to the key”, I get it, Kaseya accepts that there is a cost to doing business, without the key they are helpless, but in this instance they have also given voice to the new business. This is not on Kaseya, ransomware is a much larger stage and the law is not ready to deal with it. So when we get “But members of the group disappeared from the internet in the days following the incident, leaving companies with no way of retrieving the data until now”, I think that it was not merely fear. I think that they found a weakness in their armour and they needed to fix it, perhaps the FBI and NSA got too close? It is speculation, but I reckon that any hacker inviting the wrath of the NSA has something to fear, only the stupid do not fear that hunting machine. So when we get to the jewel of the article, a setting that describes a few elements by Joe Tidy (Cyber reporter), we see “Firstly, giving away the key now is far too late for most of the victims of this massive ransomware attack. 
Secondly, the mystery gifter was most probably linked to – or working with – the criminals directly.” I feel that he is on the right track, I get that Kaseya prefers the term ‘trusted source’, but that does not put Kaseya in the clear, moreover, as I reported the massive bungles that were made and the lack of oversight within Kaseya gives them a reason to cooperate with organised crime, but not a right, a right to do that is a form of treason towards ALL their customers and as Joe said it “giving away the key now is far too late for most of the victims of this massive ransomware attack”, if you doubt that call Coop (at +46107400000) and ask them the damage of 500 supermarkets shutting down, as well as a loss of data. And then Joe gives us the gem at the heart of this “I’m told by a hacker who claims to be a part of the inner circle that it was “a trusted partner” who gave the key away on behalf of the group’s leader, who calls himself Unknown. My contact says it’s all part of “a new beginning”.” I understand that this is hard to swallow and optionally it is a form of bragging, but I am not convinced that this is the case, as Joe gives us “it could well be the start of something else”, yes that has the ring that sounds true. It is the start of a new business venture and Kaseya is merely the pilot. In this we have two sets of minds, the first is that the shortsighted greed drive of Kaseya (as I discussed it in ‘Dream number three’, at https://lawlordtobe.com/2021/07/06/dream-number-three/) needs to have consequences. The dominant sales types with their ‘we’ll fix it down the road’ can no longer be allowed in this industry. The second part is that we have no choice but to return to a stage of targeted killing, and I do not care whether one of the hackers is a poor little 16 year old person hiding behind  ‘minor protection laws’, they guilty they get the $0.17 solution (price of a 9 mm bullet). 
We have no choice, the law did nothing for too long, giving hackers pass after pass as they ‘claimed’ that it was the only way. Well, so far it did nothing for a lot of people spanning a timeline that is a little over a quarter of a century, it is like an armistice race with too many casualties and the law merely shrugging at the damage that was not theirs. With Kaseya a large corner is turned and Kaseya partially has itself to thank for that. And in all this it has become time to recognise that Kaseya is not merely a victim (no matter what Dana Liedholm tells us), it did this to itself as the source in the other article “were helping Kaseya plug the hole long before the hackers found it”, as such the ‘we’ll fix it down the road’ no longer holds water, especially as we take tally of the victims that are victims because of the shortsightedness of Kaseya. And they are not alone, there is every indication that the Microsoft Exchange group and SolarWinds are part of that same stack. I have personally seen how the needs of proper testing took a back seat to Marketing and the board room drive of greed in more than one instance and that too needs to be addressed, yet I feel that the media will paint over that part with articles in emotional ways, their stake holders will not allow that to be any other way, adhering to their bonus whilst relying on marketing and sales to set out a new path based on ‘we’ll fix it down the road’, should Joe Tidy be correct (and I believe he is), we will soon see a new wave of REvil attacks and the law will be on the sidelines, as will governments all pointing at one another, all whilst keeping their ‘friends’ out of the line of fire.

It is merely my look on things, and I expect to be proven correct before the end of 2021. 


Filed under IT, Science

The devil rang

This is too good, I had just finished yesterday’s article and the Guardian gives me ‘Spyware can make your phone your enemy. Journalism is your defence’, in this I have some trouble accepting that journalism is my defence, they are all about circulation and satisfying their shareholders and stakeholders (optionally advertisers too). But the article came at the right moment, even as this is about Pegasus and the NSO group. Whenever I look back at the title ‘Pegasus’ I think back to Pegasus mail and Windows 3.1. It is a reflex, but a nice one. So, the article gives us “The Pegasus project poses urgent questions about the privatisation of the surveillance industry and the lack of safeguards for citizens”, which is nice, but Microsoft, Solarwinds and Cisco made a bigger mess and a much larger mess, so pointing at Pegasus at this point seems a little moot and pointless. (Microsoot’s Exchange anyone?)

Yes, there are questions and it is fair to ask them, so when we see “This surveillance has dramatic, and in some cases even life-threatening, consequences for the ordinary men and women whose numbers appear in the leak because of their work exposing the misdeeds of their rulers or defending the rights of their fellow citizens”, yes questions are good, but the fact that millions of records went to the open air via all kinds of methods (including advertiser Microsoft) is just a little too weird. And it is not up to me, it was The Hill who asked the people (5 days ago, after the Kaseya hack went public) the larger question that actually matters, ‘Kaseya hack proves we need better cyber metrics’, and they are right, when we see “Once “infected”, your phone becomes your worst enemy. From within your pocket, it instantly betrays your secrets and delivers your private conversations, your personal photos, nearly everything about you” we read this and shrug, but at this point how did a third party operator (NSO group) get the data and the knowhow to make an app that allows for this? The larger question should be handed to both Google and Apple. The fact that the phones are mostly void of protection comes from these two makers. This is a setting of facilitation and a lack of cyber security. The NSO group decided to set a limited commercial application (more likely to facilitate towards the proud girls and boys of Mossad) and they took it one step further to offer it to other governments as well, is that wrong?

So when we see “All of these individuals were selected for possible surveillance by states using the same spyware tool, Pegasus, sold by the NSO Group. Our mission at Forbidden Stories is to pursue – collaboratively – the work of threatened, jailed or assassinated journalists”, if that were true, we would see a lot more articles regarding the 120 Journalists jailed in Turkey, not to mention the 60 journalists that were assassinated (read: targeted killing exercise) there as well. The papers are all about a journalist no one cares about (Jamal Khashoggi) but the other journalists do not really make the front page giving pause and skepticism to “the work of threatened, jailed or assassinated journalists”, my personal view is that the advertisers and stake holders don’t really care about those lives. Then I have issues with “This investigation began with an enormous leak of documents that Forbidden Stories and Amnesty International had access to”, was it really a leak, or did one government take view away from them (by Amnesty International) and handed it towards the NSO group? A list of 50,000 numbers is nothing to sneer at, as such, I doubt it was a leak, it was a tactical move to push the limelight away from them and push it somewhere else. As we consider Kaseya, Solarwinds, Microsoft and Cisco, the weak minded democratic intelligence players from the Unified Spies of America come to mind, but I admit that I have no evidence, it is pure speculation.

And then we see the larger danger “But the scale of this scandal could only be uncovered by journalists around the world working together. By sharing access to this data with the other media organisations in the Forbidden Stories consortium, we were able to develop additional sources, collect hundreds of documents and put together the harrowing evidence of a surveillance apparatus that has been wielded ferociously against swaths of civil society”, who did they share access to? Who reports to another faction that is not journalism or is purely greed driven? In this, the article (at https://www.theguardian.com/world/commentisfree/2021/jul/19/spyware-can-make-your-phone-your-enemy-journalism-is-your-defence) gives us one other gem, it is “not to mention more than 180 journalists from nearly two dozen countries”, as such we see 0.36% of the data is about journalists, so if I was to look at a slice and dice dashboard, how will these 50,000 people distribute? So when we see “If one reporter is threatened or killed, another can take over and ensure that the story is not silenced”, yes, how did that end up for those journos in Turkey? What about outliers in data like Dutch journalist Peter R. De Vries? He is not getting the limelight that much in the last three days, you all moved on? You pushed the limelight towards Jamal Khashoggi for well over a year, who achieved less than 0.01% compared to Peter R. De Vries. I reckon that this article, although extremely nice is there to cater to a specific need, a need that the article does not mention (and I can only speculate), but when we see all this holier than thou mentions and we see an inaction on Turkey’s actions, as well as a lack of news regarding Peter R. De Vries, I wonder what this article was about, it wasn’t really about the NSO group and Pegasus, they are mentioned 4 and 7 times, the article was to push people towards thinking it is about one thing and it becomes about the 0.36% of journalists in a list of 50,000, all whilst the number is mentioned once in the article without a breakdown. Someone else is calling, when you answer, just make sure the local number is not 666.


Filed under IT, Military, Science

The Lawyer wins, the law loses

Yes, it is a stage that we will be seeing soon enough. As the lawyer wins, the law loses and that is just the beginning. As we see ‘Apple loses appeal in Fortnite court battle’ (source: Australian Financial Review) there is a secondary stage that comes up. It is not immediately clear, but someone gave the reader by Jeff Dotzler in GC Consulting in 2019 ‘Will You Get Sued if Your Business is Hacked?’ There we see “Even though the company was able to restore the records, one of the affected clients, Surfside Non-Surgical Orthopedics in Boynton Beach, sued Allscripts in federal court. Surfside accused Allscripts of not doing enough to prevent the attack or lessen its impact and sued on behalf of all affected clients for “significant business interruption and disruption and lost revenues.”” Now consider that ‘significant business interruption’ can be replaced with ‘game score disruption’, a stage I saw coming a mile away. Epic Games did not consider the stupidity of their actions and now, should they win they will soon face several, if not well over a dozen class cases. They cannot make some ‘we are not responsible draft’, the moment ANYONE at Google or Apple squeals the setting of the hack and it comes with the accompanied ‘We could have prevented that’ Epic Games is lost, it will cost them billions in settlements and lawyer costs. If you doubt that, consider ‘SolarWinds says unknown hackers exploited newly discovered software flaw’ (at https://www.reuters.com/technology/solarwinds-says-unknown-hackers-exploited-newly-discovered-software-flaw-2021-07-12/), so they just got out of one mess only to land in a new one and these people have a decently simple system, Epic Games will have to spend on protection that is several levels higher and I feel decently certain that it is not enough. The moment any profile is transgressed on whilst there was a purchase, that is the game, loss Epic Games and lose they will, a lot.

Even as we are told “SolarWinds said the flaw was “completely unrelated” to last year’s hack of government networks”, it will not matter, another flaw is found and there is every chance that more than one will still be found. In this Forbes gives us ‘Why SolarWinds Is The Wakeup Call No One Heard’, it comes with “everyone talks a good game, but the very structure of American (and other businesses around the globe) makes it nearly impossible to, for example, deliberately and significantly reduce EBITDA to prepare for cyber warfare” and when you consider that EBITDA is Earnings Before Interest, Taxes, Depreciation, and Amortisation. You see the problem, it is not all, it is earnings before interest and depreciation that bites, earnings before interest is all earnings with cost diminishing this and too many corporate players tend to cut cost. In some cases they have no choice in the cloud a lot does not matter but it is transgressed on (according to some numbers) for almost 90%. And when you add that Amortisation is merely another view of depreciation the path is clear. Steve Andriole also gives us “The number of severity of cyberattacks will explode in 2020. Cyberwarfare has now levelled the playing field in industry, in government, and in national defence: why spend ten or fifteen billion dollars on an aircraft carrier when you can disable it digitally?” You think that this is about defence? Do you have any idea what 50 million whining gamers can do? EVERY ransomware player will target Epic Games and with an open Android and iOS setting they will succeed. I saw this when this all started in 2020 within 5 minutes, the short sightedness will hit Epic Games and others in a few ways. Think I am BS’ing you? Consider that several sources gave you a month ago “Hackers Stole 780GB Data Including FIFA 21 Source Code in EA Hack” and EA has been in this game a lot longer than Epic Games has.
That is not evidence, but it is a setting that we need to consider and when Epic Games loses that data the class actions start, and it is not something that they can keep quiet (apart from that being a crime), the people will talk and the parties involved, including government parties will find a nice letter making claim to financial losses. The law source (see above) also gives us a link to the Ohio Data Protection Act. There we see “Under the law, damages cannot be imposed if a state court finds your company had a reasonable cybersecurity plan when a breach occurred and followed it to the best of your ability. Or, as the legislation puts it, the law is “an incentive to encourage businesses to achieve a higher level of cybersecurity through voluntary action.”” In this I offer ‘reasonable cybersecurity plan’, was it followed through? Was there a backup if it fails, was there consideration for cross platform transgressions? In this last part I offer to the older programmers 

IF(clipper)
  
ELSE

   …
ENDIF

Those who know will nod and consider what else Epic Games and others have forgotten, what happens when someone exploits a Sony flaw over the entire system, and at that point these companies have little to no protection. 

Which gets us to ‘when a breach occurred and followed it to the best of your ability’, but the suing side will argue that the breach could have been prevented on day zero, or even day -1, which will be their way of saying that they opened the system when they were not ready and that is another billion in class actions right there, and I agree with the stage that there will be enough cases that have no bearing (just like the loot box cases in the media), yet Epic Games will have to hand to their lawyers to investigate them all, the hours alone will rack up millions and that is merely year one. The lawyer wins his bread and butter for a year (at the very least) and the law is up the creek without a clause. The law was never ready for this, so the going will be good towards the coffers of Epic Games, a looting box that requires time, not money.

So when we go back to Forbes and consider “When I took the results to the CFO (to which technology weirdly reported), his only question was, “what’s all this going to cost me?,” which of course was the wrong question.” We see their setting, but I wonder who gave that same question to the Chief Legal Officer (CLO) with the question ‘What will this cost the firm?’, a question that he can decently predict when he considers 1-5 class actions and that result has to be scary and any consideration of future profit goes straight out of the window, not merely the legal costs, marketing will have to offer a whole range of products and services to stem the tide of people leaving for the next safer harbour, the most dangerous of all settings, and that is merely the beginning of year one as Android and iOS stores open. Forbes also gives a reference to what Andy Greenberg (Wired Magazine, 2019) said about why governments have been unwilling to deal with cyberthreats: “More fundamentally, governments haven’t been willing to sign on to cyberwar limitation agreements because they don’t want to limit their own freedom to launch cyberattacks at their enemies. America may be vulnerable to crippling cyberattacks carried out by its foes, but US leaders are still hesitant to hamstring America’s own NSA and Cyber Command, who are likely the most talented and well-resourced hackers in the world.” And this is not a government setting, Epic Games will be hit by greed driven and vengeance driven hackers as well as organised crime, a $5 billion company? With the state of cybercrime convictions? They are definitely on board. A stage Epic Games could have prevented from the start, but someone saw 30% of $5,000,000,000 and did the math, but whoever did the math was not ready for the tidal wave they would be inviting through that choice.
In this, Forbes had one more gem, it comes from Nicole Perlroth and ‘The hubris of American exceptionalism’, when we see “More hacking, more offence, not better defence, was our answer to an increasingly virtual world order, even as we made ourselves more vulnerable, hooking up water treatment facilities, railways, thermostats and insulin pumps to the web, at a rate of 127 new devices per second”, now consider that Fortnite is on Windows, MacOS, Switch, Sony, Microsoft, iOS and Android, they drew more than 125 million players in less than a year, do you think that there will be no flaws? And how many devices a second will that add to the equation? Do you have any clue what level of protection is required, even as Sony, Solarwinds, Nintendo and Microsoft have all been hacked even though they had nowhere near that level of complexity required? This was a dangerous situation from the start and gamers will soon have to seriously consider removing any program that has an ‘open’ store, the cost will be too high for a lot of them.

And that is not all, as Nicole spoke about ‘an increasingly virtual world’ the danger that open stores will mean that you either have a dedicated computer, or healthcare and safety products will not be considered to be insured in your house, when that happens we get a whole new level of nightmare, I can only imagine that setting, but I am clueless as to the impact, we cannot oversee that, not with an evolving IoT and 5G evolving before our very eyes.


Filed under Gaming, IT, Law, Politics