Google Speaks But Is MIT Technology Review Delivering Useful Information or Just PR?

February 4, 2021

I read “Google Says It’s Too Easy for Hackers to Find New Security Flaws.” I assume that the Google is thrilled that its systems and methods were not directly implicated in the SolarWinds’ misstep and possibly VMWare’s and Microsoft’s. But I don’t know because the information is dribbling out at irregular intervals and in my opinion has either been scrubbed or converted to euphemism. A good example is the Reuters’ report “Exclusive: Suspected Chinese Hackers Used SolarWinds Bug to Spy on US Payroll Agency — Sources.”

The esteemed institution supported by Jeffrey Epstein and housing a expert who allegedly had ties to an American adversary’s officials reports:

Attackers are exploiting the same types of software vulnerabilities over and over again, because companies often miss the forest for the trees.

What makes this story different is that the Google is now agreeing that today’s software is easy to compromise. The write up quotes an expert who offers:

Over its six-year lifespan, Google’s team has publicly tracked over 150 major zero-day bugs, and in 2020 Stone’s team documented 24 zero-days that were being exploited—a quarter of which were extremely similar to previously disclosed vulnerabilities. Three were incompletely patched, which meant that it took just a few tweaks to the hacker’s code for the attack to continue working. Many such attacks, she says, involve basic mistakes and “low hanging fruit.”

This is news? I think it is more self congratulatory just like the late January 2021 explanation of the SolarWinds’ misstep which I discuss in the February 9, 2021 DarkCyber video program. You can view the video on this blog.

Stephen E Arnold, February 4, 2021

Come On, Man: Hackers Seeking Legal Immunity

February 3, 2021

The hacking industry is thriving and there are companies labeled private sector offensive actors (PSOAs) selling cyberweapons enabling their customers to become hackers. PSOAs are nasty bad actor groups and they are trying to gain legal immunity to avoid criminal charges. Microsoft has more details in the story, “Cyber Mercenaries Don’t Deserve Immunity.”

One of these PSOAs trying to gain legal immunity is the NSO Group. The NSO Group sells cyberweapons to governments and the company argues its afforded the same legal immunity as its customers. Microsoft President Brad Smith stated the NSO Group’s business model is dangerous. It would allow other PSOAs to skirt laws and avoid any repercussions from their cyberweapons.

The biggest worry is that PSOAs’ technology could fall into the wrong hands and be used for nefarious deeds. Another worry is that if the NSO Group is granted sovereign immunity their actions will be profit driven rather than for the common good:

“Second, private-sector companies creating these weapons are not subject to the same constraints as governments. Many governments with offensive cyber capabilities are subject to international laws, diplomatic consequences and the need to protect their own citizens and economic interests from the indiscriminate use of these weapons. Additionally, some governments – like the United States – may share high-consequence vulnerabilities they discover with impacted technology providers so the providers can patch the vulnerability and protect their customers. Private actors like the NSO Group are only incented to keep these vulnerabilities to themselves so they can profit from them, and the exploits they create are constantly recycled by governments and cybercriminals once they get into the wild.”

Human rights are another concern, because governments run by bad actors can use the cyberweapons to harm their citizens. Anyone who fights for human rights could be tracked and have their information stolen. This could ultimately lead to their deaths.

The NSO Group and PSOAs must be held to the same standards as other private companies. If their products are used by bad actors with the PSOAs’ knowledge they must be held liable.

Whitney Grace, February 3, 2021

DarkCyber for January 12, 2021, Now Available

January 12, 2021

DarkCyber is a twice-a-month video news program about online, the Dark Web, and cyber crime. You can view the video on Beyond Search or at this YouTube link.

The program for January 12, 2021, includes a featured interview with Mark Massop, DataWalk’s vice president. DataWalk develops investigative software which leapfrogs such solutions as IBM’s i2 Analyst Notebook and Palantir Gotham. In the interview, Mr. Massop explains how DataWalk delivers analytic reports with two or three mouse clicks, federates or brings together information from multiple sources, and slashes training time from months to several days.

Other stories include DarkCyber’s report about the trickles of information about the SolarWinds’ “misstep.” US Federal agencies, large companies, and a wide range of other entities were compromised. DarkCyber points out that Microsoft’s revelation that bad actors were able to view the company’s source code underscores the ineffectiveness of existing cyber security solutions.

DarkCyber highlights remarkable advances in smart software’s ability to create highly accurate images from poor imagery. The focus of DarkCyber’s report is not on what AI can do to create faked images. DarkCyber provides information about how and where to determine if a fake image is indeed “real.”

The final story makes clear that flying drones can be an expensive hobby. One audacious drone pilot flew in restricted air zones in Philadelphia and posted the exploits on a social media platform. And the cost of this illegal activity. Not too much. Just $182,000. The good news is that the individual appears to have avoided one of the comfortable prisons available to authorities.

One quick point: DarkCyber accepts zero advertising and no sponsored content. Some have tried, but begging for dollars and getting involved in the questionable business of sponsored content is not for the DarkCyber team.

Finally, this program begins our third series of shows. We have removed DarkCyber from Vimeo because that company insisted that DarkCyber was a commercial enterprise. Stephen E Arnold retired in 2017, and he is now 77 years old and not too keen to rejoin the GenX and Millennials in endless Zoom meetings and what he calls “blatant MBA craziness.” (At least that’s what he told me.)

Kenny Toth, January 12, 2021

A Tiny Clue about the Entity Interested In the SolarWinds Misstep

January 11, 2021

I read “Putin’s Disinformation Campaign claims Stunning Victory with Capital Hill Coup.” The write up points out that a study by the Berkman Klein Center for Internet & Society describes a broad campaign against the United States. The article references a Rand study which offers additional color.

However, my interpretation of the write up is that Russia may be just one facet of the “truth decay” approach. Disinformation is complemented by penetration of US networks and systems. Even if no data were exfiltrated, undermining confidence is cyber security methods is another chess move by Russia.

The buzzword is widening the fissures. Serious weakness, exploitable weakness.

Stephen E Arnold, January 11, 2021

SolarWinds Are Gusting and Blowing Hard

January 5, 2021

Many pundits have reacted to the New York Times’ story “As Understanding of Russian Hacking Grows, So Does Alarm.” Work through those analyses. What’s missing? Quite a lot, but in this short blog post I want to address one issue that has mostly ignored.

At one time, there was a list on the SolarWinds’ Web site of the outfits which had been compromised. That list disappeared. I posted “Sun Spotting in the Solar Wind” on December 23, 2020. In that post, I reported three outfits which had been allegedly compromised by the SolarWinds’ misstep (and some of the information I used as a source remains online):

City of Barrie (Canada)

Newton Public Schools (US)

Regina Public Schools (Canada).

The question is, “Why are outfits like a municipality known as part of the Greater Golden Horseshoe, Newton’s public schools, and the Regina public schools? (I’ve been to Regina in the winter. Unforgettable is it.)

My research team and I discussed the alleged exploits taking up residence in these organizations; that is, allegedly, of course, of course.

Here’s what my team offered:

  • A launch pad for secondary attacks. The idea is that the original compromise was like a rat carrying fleas infected with the bubonic plague (arguably more problematic than the Rona)
  • A mechanism for placing malicious code on the computing devices of administrators, instructors, and students. As these individuals thumb typed away, these high trust individuals were infecting others in their social circle. If the infections were activated, downloads of tertiary malware could take place.
  • Institutions like these would connect to other networks. Malware could be placed in server nodes serving other institutions; for example, big outfits like Rogers Communications, a government ministry or two, and possibly the cloud customers of the beloved Rogers as well as BCE (Bell Canada’s parent) and Telus.

The odd ducks in the list of compromised organization, just might not be so odd after all.

That’s the problem, isn’t it? No one knows exactly when the misstep took place, what primary and downstream actions were triggered, and where subsequent rats with fleas infected with bubonic plague have go to.

Net net: It’s great to read so many words about a misstep and not have signals that the issue is understood, not even by the Gray Lady herself.

Stephen E Arnold, January 6, 2020


Telecom Security: An Oxymoron?

January 4, 2021

Two ideas: First, an unanticipated suggestion for bad actors and a reminder that the telco pros at AT&T are more like the New York Jets than the A team at the old AT&T IBM facility in Piscataway.

I read “Nashville Bombing Froze Wireless Communications, Exposed Achilles’ Heel’ in Regional Network.” USA Today is not my go to source for high technology information. One of my research team was a technology columnist, and I recall his comments about those who reviewed his write ups. Those mentioned at lunch were different from the topics my team and I discussed. Remember those Dummy books from some rolling-in-dough dead tree publisher. My recollection is that the technology write ups were simpler, edited by the estimable Gannett to TV Digest readability. It seems that USA Today pushed its content barriers with this USA Today write up about the Nashville incident included some information of use to bad actors. Here are a couple of examples:

  • An injury to one’s Achilles’ heel means crippling. To a pro football player like AT&T, that’s not good.
  • Single-point-of-failure. For a professional telecom like AT&T, this means zero effective redundancy, fail over, or smart route arounds. (Was the pre Judge Green AT&T built this way?)
  • Three feet of water pooled where the back up generators lived. Water and generators, water and batteries – quite a one-two combo like an ailing quarterback and an ineffective but expensive offensive line.

Okay, enough already.

What do these factoids say to a person struggling for an idea to impair a major US telco? Maybe six RVs at regional centers conveniently located near fiber rich interstates? What about pulling a Quinn in front of Nashville-type facilities simultaneously with a half dozen cheap RVs?

Sound like a working idea?

The USA Today makes the idea more appealing with the statement from an AT&T professional:

Our systems are not redundant enough.

No kidding. Is it necessary, dear Gannett, to provide a roadmap for bad actors? Let’s hope the write ups in USA Today are not crafted with an eye toward readers who are looking for info between the lines. That takes more thought than making something simple.

And for the pros at the AT&T practice field, why not up your game. Less direct marketing of a failing TV venture and more of the old fashioned Ma Bell?

Stephen E Arnold, January 4, 2020

Microsoft: Information Released Like a Gentle Solar Wind

December 31, 2020

I read the New Year’s Eve missive from Microsoft, a company which tries to be “transparent, “Microsoft Internal Solorigate Investigation Update.” I am not sure, but I think the Microsoft Word spell checker does not know that SolarWinds is not spelled Solarigate. Maybe Microsoft is writing about some other security breach or prefers a neologism to end the fine year 2020?

Here’s a passage I found interesting:

Our investigation has, however, revealed attempted activities beyond just the presence of malicious SolarWinds code in our environment. This activity has not put at risk the security of our services or any customer data, but we want to be transparent and share what we’re learning as we combat what we believe is a very sophisticated nation-state actor. We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories. The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated. [Bold added to highlight intriguing statements]

To me, an old person who lives in rural Kentucky, it sure sounds as if Microsoft is downplaying:

  • Malicious code within Microsoft’s systems
  • The code performed “unusual activity” whatever this actually means I don’t know
  • The malicious code made it to MSFT source code repositories
  • Whatever happened has allegedly been fixed up.

What’s that unknown unknowns idea? Microsoft may be writing as if there are no unknown unknowns related to the SolarWinds misstep.

If you want more timely Solarigate misstep info, here’s what Microsoft suggests as a New Year’s Eve diversion:

For the up-to-date information and guidance, please visit our resource center at

Stephen E Arnold, December 31, 2020

DarkCyber for December 29, 2020, Is Now Available

December 29, 2020

DarkCyber for December 29, 2020, is now available on YouTube at this link or on the Beyond Search blog at this link. This week’s program includes seven stories. These are:

A Chinese consulting firm publishes a report about the low profile companies indexing the Dark Web. The report is about 114 pages long and does not include Chinese companies engaged in this business.

A Dark Web site easily accessible with a standard Internet browser promises something that DarkCyber finds difficult to believe. The Web site contains what are called “always” links to Dark Web sites; that is, those with Dot Onion addresses.

Some pundits have criticized the FBI and Interpol for their alleged failure to take down Jokerstash. This Dark Web site sells access to “live” credit cards and other financial data. Among those suggesting that the two law enforcement organizations are falling short of the mark are four cyber security firms. DarkCyber explains one reason for this alleged failure.

NSO Group, a specialized services company, has been identified as the company providing technology to “operators” surveilling dozens of Al Jazeera journalists. DarkCyber points out that a commercial firm is not in a position to approve or disapprove the use of its technology by the countries which license the Pegasus platform.

Facebook has escalated its dispute with Apple regarding tracking. Now the social media company has alleged that contractors to the French military are using Facebook in Africa via false accounts. What’s interesting is that Russia is allegedly engaged in a disinformation campaign in Africa as well.

The drone news this week contaisn two DJI items. DJI is one of the world’s largest vendors of consumer and commercial drones. The US government has told DJI that it may no longer sell its drones in the US. DJI products remain available in the US. DJI drones have been equipped with flame throwers to destroy wasp nests. The flame throwing drones appear formidable.

DarkCyber is a twice a month video news program reporting on the Dark Web, lesser known Internet services, and cyber crime. The program is produced by Stephen E Arnold and does not accept advertising or sponsorships.

Kenny Toth, December 29, 2020

Shopify: Going with the Flow

December 22, 2020

I read “Thousands of Fraudsters Are Selling via Shopify, Analysis Finds.” I know Shopify has been a must mention platform by one of the New Age broadcast stars, or I think it is podcast stars now. Other than that hype hose, I know zero about the company. In the write up, I spotted an interesting factoid. If the datum is accurate, I have learned a great deal about the governance of the firm and its ethical compass. Herewith is the allegedly accurate factoid:

According to the ecommerce authentication service FakeSpot, which analyzed more than 120,000 Shopify sites, as many as 21 per cent posed a risk to shoppers.


Stephen E Arnold, December 22, 2020

A New Year Is Coming: Let Us Confront the New Reality

December 21, 2020

Nope, not Covid. Nope, not the financial crisis. Nope, not the social discontinuities. Nope, not the big technology monopoly clown show.

What then?

How about security insecurity. Do you like the phrase? I do because it communicates that users of online systems may never know if the system or systems are secure.

One can pretend, what I call security theater, of course.

The new reality is that an actor or actors has slipped in the stage door after driving a delivery van near the security theater and double parked for what may have been months. The individuals do not work according to New York City labor rules. Nope, these actors moved around, ordered takeout, and lounged on the sidewalks. People passing did not notice. You know the New York attitude: We are definitely with it. This is Broadway.

I read “A Hack Foretold.” I was not impressed. The reason is that the original Internet was technology Play-Doh. Who could imagine the parti-colored constructs blobs of red, blue, and yellow could become.

The write up states with the assured naiveté of a thumb typer:

The point is the authorities have known about hacking for a long time. Whole bureaucracies have been established, and presidential directives have been promulgated, to enhance cybersecurity—and some of their actions have been effective. Still, the contest between cyber offense and -defense is a never-ending race, where the offense has the advantage and, so, the defense must never let up its guard. While security is a lot better than it used to be, vast networks have been left exposed in one way or another, and dedicated hackers who very much want to get inside those networks—and who have the resources of a nation-state—figure out a way.

I want to point out that the cyber security industry has flowered into billions of dollars a year because home economics majors, working with MBAs, constructed a fantasy story about computer security.

Security insecurity is little more than another symptom of efficiency thinking. What can be done to reduce costs and maximize revenue. Oh, so some people lose their jobs in Canton, Illinois, when the John Deere factory goes away. “Tough cookies,” say the efficiency wizards.

We have created a situation in which security insecurity is going to become a digital Covid. I am delighted I am old, retired, and living in a hollow in rural Kentucky. Can you imagine the meetings, the memoranda, the reports, and the self-serving explanations of:

  • Cyber security vendors
  • Smart software which acts like an antibody to protect a system
  • Individual security experts who did the “good enough” work to spoof the clueless lawyers, accountants, bureaucrats, and MBAs who manage technology operations
  • Consultants like those who populate LinkedIn and BrightTALK with lectures about security
  • Experts who assert that monitoring the Dark Web, Facebook, and chat provide an early warning of actions to come.

I could go on and toss in security appliance vendors, university professors who convert a clever workaround into a peer reviewed paper for IEEE or ACM, and former bad actors who see the light and become trusted advisors after serving jail time.

The New Reality is that I am not sure how one goes about determining the priorities for figuring out what was compromised, determining what other vulnerabilities have been installed, and bring up systems which do not have the charming characteristics of specialized software firms which have code that hides itself so that it can happily reinstall itself.

I spoke with a former CIA professional twice in the last 48 hours. He asked me, “What do I recommend to remediate the problem?” My answer was, “Investigate.”

The actors lounging in front of the security theater are not chatterboxes, and I have seen zero verifiable evidence that defines the timing, scope, and actions of these actors. Why guess then? Why look back and say “woulda, coulda, shoulda.” The time to embrace the New Reality is here.

The security theater has to go dark, and we need a new construct. Expensive, time consuming, and difficult for sure. Failure, however, means changes that those wrought by Covid are trivial. Thumb typers, are you confident your online activities are secure? In deference to the holiday season, here’s a modified carol: Deck the halls with boughs of folly, Tra la la, la la la la.

Stephen E Arnold, December 21, 2020

« Previous PageNext Page »

  • Archives

  • Recent Posts

  • Meta