Cynic Modelling for Legacy Energy Infrastructure

A brief synopsis of my findings in “Legacy Energy Infrastructure Attack Surface Assessment, Threat Count, & Risk Profile” using my “cynic modeller”:

  1. Adversaries who are attracted to the contained assets: Everyone (hobbyists, criminals, state actors, your gran)
  2. Attack surface: As far as the eye can see
  3. Attackers who are capable of acquiring the assets starting from the attack surface: Lots
  4. Therefore the attacker population size is: Computer literate population of earth
  5. Threat count: NP-Complete
  6. Emerging threats: IIoT and non-cybersec savvy devops rushing into digital transformation projects
  7. Risk level: Orbital
  8. Impact of realized threat: Expansive (yes, expansive not expensive, but that too)

Assessment: Buy gas lamps, work on your natural night vision, learn to skin rabbits, move far far away from nuclear reactors, buy shares in candle companies.

ENDS

Facebook AI experiment shut down when robots start keeping secrets – probably wanted some privacy

Facebook says it has shut down an AI experiment after two robots began talking to each other in a language only they understand.

The two chatbots came to create their own changes to English that made it easier for them to work – but which remained mysterious to the humans that supposedly look after them.

The bizarre discussions came as Facebook challenged its chatbots to try and negotiate with each other over a trade, attempting to swap hats, balls and books, each of which were given a certain value. But they quickly broke down as the robots appeared to chant at each other in a language that they each understood but which appears mostly incomprehensible to humans.

The robots had been instructed to work out how to negotiate between themselves, and improve their bartering as they went along.

See http://www.independent.co.uk/life-style/gadgets-and-tech/news/facebook-artificial-intelligence-ai-chatbot-new-language-research-openai-google-a7869706.html

In Chamberlain-esque Pose EU Declares “Privacy in our Time”

The notional purpose of the EU-US Privacy Shield is to establish a framework that allows personal data for commercial purposes to be transferred between the European Union and the United States.

Personal data that is received by US companies operating in Europe is ostensibly governed by EU privacy laws. Pick any notable US organization and they have an office in Europe, typically serving the EMEA region.

But for the purposes of this rant, suffice to say that we need only consider Google, Apple, Microsoft, Twitter, and Facebook (a.k.a. “Farcebook”).

Do not buy into the high profile privacy battles that these organizations now raise high as examples of their commitment to their customers’ privacy. These are PR tactics.

All of these organizations were more than happy to be secretly willing accomplices to US intelligence agency antics and law-breaking before their activities were exposed and they suffered a backlash. They have been vigorously back-pedalling and papering over the cracks ever since. It is all meaningless posturing.

They are inherently compromised, every day, and in every way.

The EU-US Privacy Shield replaces what was called the International Safe Harbor Privacy Principles (ISHPP). Lofty names for a veneer that actually contains no verifiable substance or oversight when you examine the vast number of exceptions and undermining laws that in fact render them all moot.

In late 2015, the ISHPP was declared invalid in its entirety by the EU at a hearing in the European Court of Justice.

But like a smarmy salesperson, the US simply flicked the pages on the sales brochure asking “well, what about this?” – “no?” – “this?” – “no?” – “this?” – until some browbeaten Brussels technocrat bought the bullshit and agreed a new name for the same abuses.

In the usual garbled and meaningless language of the European Commission it was declared on 2nd February 2016 that the EU and the US had found new common ground on the privacy issue and an “Adequacy Decision” was published. (What exactly is an “Adequacy Decision” when it is at home eating chips and eavesdropping on its neighbours?)

In a Chamberlain-esque pose the EU held up this new agreement and declared that it was “…. equivalent to the protections offered by EU law.”

It is not.

ENDS

For more scholarly and considered thinking, read Joint letter to European Commission on EU-US Privacy Shield (July 26, 2017) from Human Rights Watch and Amnesty International to the European Commission to urge a re-evaluation of its Implementing Decision 2016/1250 on the adequacy of the protection provided by the EU-U.S. Privacy Shield on the basis that the United States of America (United States) does not ensure a level of fundamental rights protection regarding the processing of personal data that is essentially equivalent to that guaranteed within the European Union (EU).

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #17 – Imperial: Achilles, SeaPea, & Aeris

These leaked documents relate to a CIA project codenamed ‘Imperial’; they include details of three CIA hacking tools and implants that have been designed to compromise computers running Apple Mac OS X and different Linux distributions. *

The three hacking tools are:

  1. Achilles – A tool to trojanize a legitimate OS X disk image (.dmg) installer;
  2. SeaPea – A Stealthy Rootkit For Mac OS X Systems;
  3. Aeris – An Automated Implant For Linux Systems.

The 27th July 2017 WikiLeaks release overview:

Today, July 27th 2017, WikiLeaks publishes documents from the Imperial project of the CIA. Achilles is a capability that provides an operator the ability to trojan an OS X disk image (.dmg) installer with one or more desired operator specified executables for a one-time execution. Aeris is an automated implant written in C that supports a number of POSIX-based systems (Debian, RHEL, Solaris, FreeBSD, CentOS). It supports automated file exfiltration, configurable beacon interval and jitter, standalone and Collide-based HTTPS LP support and SMTP protocol support – all with TLS encrypted communications with mutual authentication. It is compatible with the NOD Cryptographic Specification and provides structured command and control that is similar to that used by several Windows implants. SeaPea is an OS X Rootkit that provides stealth and tool launching capabilities. It hides files/directories, socket connections and/or processes. It runs on Mac OSX 10.6 and 10.7.

Three documents were also published alongside this release:

Achilles — User Guide

The malware has been tested to be compatible with Intel processors running 10.6 OS.

SeaPea — User Guide

This hack was written in 2011. It is listed as “tested” on OS X 10.6/Snow Leopard and Mac OS X 10.7/Lion. The malware works by assigning processes to any one of the three categories namely: Normal, Elite, and Super-Elite. ** The commands in SeaPea are executed as Elite processes.

Aeris — Users Guide

The coding for the Aeris hacking tool was done in C and it affects the following systems:

Debian Linux 7 (i386), Debian Linux 7 (amd64), Debian Linux 7 (ARM), Red Hat Enterprise Linux 6 (i386), Red Hat Enterprise Linux 6 (amd64), Solaris 11 (i386), Solaris 11 (SPARC), FreeBSD 8 (i386), FreeBSD 8 (amd64), CentOS 5.3 (i386) and CentOS 5.7 (i386). ***

Synopses of previous and subsequent Vault 7 WikiLeaks dumps are available on WikiLeaks; see also further analysis of Imperial at HackRead and The Hacker News.

ENDS

Header image courtesy of The Hacker News (Twitter @TheHackersNews) & in-article image courtesy of HackRead (Twitter @HackRead)

* Content courtesy of Pierluigi Paganini “Security Affairs” article “WikiLeaks published another batch of classified documents from the CIA Vault 7 leak, it includes details of the Imperial project”

** References from content courtesy of HackRead – Twitter @HackRead

*** References from content courtesy of The Hacker News – Twitter @TheHackersNews

Boiling Privacy Frogs

I really wish that I understood more about psychology and the human condition. The behaviour that puzzles me over and over again and for which I have no explanation is our ability to observe something happening that is detrimental to us in every way and yet do nothing.

It is the “Boiling Frog Phenomenon”, which was allegedly a 19th century science experiment where a frog was placed in a pan of boiling water and quickly jumped out. However, when the frog was put in cold water and the water slowly boiled over time, the frog did not perceive the danger and just boiled to death. The hypothesis being that the change in temperature was so gradual that the frog did not realize it was boiling to death.

To demonstrate the same effect in terms of the privacy, surveillance, unwarranted government intrusion debate, just trace the evolving public attitude to J. Edgar Hoover’s Subversive Files, COINTELPRO, The Iraq WMD Lie, Snowden & PRISM, and WikiLeaks Vault 7.

I have come to the conclusion that, in relation to our right to privacy, we are all frogs in tepid water, the temperature of which is starting to rise rapidly, and we have no intention of jumping out.

ENDS

The Laurel & Hardy of Cybersecurity

When Turnbull and Brandis shuffle off to some home for the bewildered in a few years it is all of us that will be left with the legacy of their carry-on.

Here are some of the victories that these two beauties have presided over, and they don’t even know how it works, not even a little bit:

In an effort to drag the continent out from under the “stupid boy” stereotype, the Lowy Institute for International Policy has just attempted to polish a turd by proposing that despite everything “Australia might be on the right encryption-cracking track” after all.

“From a cyber security perspective, as Patrick Gray has pointed out, sufficient safeguards could be placed around these ‘updates’ to ensure that they couldn’t be reverse engineered – they wouldn’t need to be a ‘backdoor,’ open to abuse. And by focusing on a device rather than a specific app, the displacement effect, so obvious in focusing government efforts on just What’s App or Telegram, would not apply.

In theory then, this model appears promising. How closely it aligns with the legislation promised by Turnbull and George Brandis last week remains to be seen. But whichever legislative model Australia pursues, its progress will be watched closely by governments across the world. And of course, by a whole host of technology and communications companies.

Recent developments suggest that underneath the techno-babble, political point scoring and counter-terrorism blame game, governments the world over are faced by a very real policy problem. Australia may prove to be the test case for a policy solution that has far reaching consequences for privacy, technological development and the future of law enforcement operations.”

Try again gents.

ENDS

Australia Is A Proxy War for the Five Eyes & Also Hogwarts

The Aussie government is pushing a Five Eyes agenda. Australia seems to have become a proxy war in the ongoing assault on privacy. They are to the Surveillance Wars what Yemen is to the Saudi-Iran ideological conflict. It is always a good idea to vary the cast but in reality they are May acolytes. A testing ground.

The amount of nonsense emanating from the encryption debate Down Under though is astonishing. If you have not been keeping up to speed with some of the recent comments down under then here is a quick recap for you:

  1. The George Brandis metadata interview;
  2. George again (36th Attorney-General for Australia) and the summary of his “over a cuppa” conversation with the GCHQ chappie on the feasibility of reading messages sent by platforms implementing end-to-end encryption such as WhatsApp and Signal – “Last Wednesday I met with the chief cryptographer at GCHQ … And he assured me that this was feasible.”;
  3. Malcolm Turnbull (the Prime Minister) and his alternative theory on the exceptional laws that govern Australian reality “Well, the laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable but the only law that applies in Australia is the law of Australia”;
  4. And a much more eloquent articulation by Troy Hunt of the whole phenomenon “Firstly, a quick apology from Australia: we’re sorry. Look, our Prime Minister and Attorney General didn’t try to launch us onto the World Encryption Comedy Stage but unfortunately, here we are.”

In an effort to find something of the same equivalence on the stupidity index as 1-3 above I chose to google “Harry Potter and places where the laws of mathematics do not apply, excluding Australia and Hogwarts”.

One of the things that I found in the search results was the perfectly reasonable comment by a HP fan on a Reddit forum that “Gamp’s Laws of Transfiguration and the Fundamental Laws of Magic spring to mind, they’re pretty much what you can and can’t do with magic. They’re a lot like Newton’s Laws in that they both deal with nature.”

This guy really meant it and so did the other guys he was chatting with. They all really, really believed or rather really, really wanted to believe that it was all real and true and factual.

Just like Brandis and Turnbull believe.

Totally lost in a universe of their own creation where mathematics and people work differently.

And then I found a scholarly dissertation by Shevaun Donelli O’Connell of Indiana University of Pennsylvania titled “Harry Potter and the Order of the Metatext: A Study of Nonfiction Fan Compositions and Disciplinary Writing” which said on P.24 that “I already knew that Harry Potter was an important part of my relationships with my family and friends, but increasingly I realized that Harry Potter metaphors and analogies were working their way into my thinking and teaching about writing.”

And there it was. The struggle is real. It seems many, many people are having trouble distinguishing fantasy from reality.

Christ help us when VRSNs arrive on the scene.

ENDS