Tag Archives: Ukraine

Malicious Barcode Scanner App

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2021/02/malicious-barcode-scanner-app.html

Interesting story about a barcode scanner app that has been pushing malware on to Android phones. The app is called Barcode Scanner. It’s been around since 2017 and is owned by the Ukrainian company Lavabird Ldt. But a December 2020 update included some new features:

However, a rash of malicious activity was recently traced back to the app. Users began noticing something weird going on with their phones: their default browsers kept getting hijacked and redirected to random advertisements, seemingly out of nowhere.

Generally, when this sort of thing happens it’s because the app was recently sold. That’s not the case here.

It is frightening that with one update an app can turn malicious while going under the radar of Google Play Protect. It is baffling to me that an app developer with a popular app would turn it into malware. Was this the scheme all along, to have an app lie dormant, waiting to strike after it reaches popularity? I guess we will never know.

The problematic Wannacry North Korea attribution

Post Syndicated from Robert Graham original http://blog.erratasec.com/2018/01/the-problematic-wannacry-north-korea.html

Last month, the US government officially “attributed” the Wannacry ransomware worm to North Korea. This attribution has three flaws, which are a good lesson for attribution in general.

It was an accident

The most important fact about Wannacry is that it was an accident. We’ve had 30 years of experience with Internet worms teaching us that worms are always accidents. While launching worms may be intentional, their effects cannot be predicted. While they appear to have targets, like Slammer against South Korea, or Witty against the Pentagon, further analysis shows this was just a random effect that was impossible to predict ahead of time. Only in hindsight are these effects explainable.
We should hold those causing accidents accountable, too, but it’s a different accountability. The U.S. has caused more civilian deaths in its War on Terror than the terrorists caused triggering that war. But we hold these to be morally different: the terrorists targeted the innocent, whereas the U.S. takes great pains to avoid civilian casualties. 
Since we are talking about blaming those responsible for accidents, we also must include the NSA in that mix. The NSA created, then allowed the release of, weaponized exploits. That’s like accidentally dropping a load of unexploded bombs near a village. When those bombs are then used, those having lost the weapons are held guilty along with those using them. Yes, while we should blame the hacker who added ETERNAL BLUE to their ransomware, we should also blame the NSA for losing control of ETERNAL BLUE.

A country and its assets are different

Was it North Korea, or hackers affilliated with North Korea? These aren’t the same.

It’s hard for North Korea to have hackers of its own. It doesn’t have citizens who grow up with computers to pick from. Moreover, an internal hacking corps would create tainted citizens exposed to dangerous outside ideas. Update: Some people have pointed out that Kim Il-sung University in the capital does have some contact with the outside world, with academics granted limited Internet access, so I guess some tainting is allowed. Still, what we know of North Korea hacking efforts largley comes from hackers they employ outside North Korea. It was the Lazurus Group, outside North Korea, that did Wannacry.
Instead, North Korea develops external hacking “assets”, supporting several external hacking groups in China, Japan, and South Korea. This is similar to how intelligence agencies develop human “assets” in foreign countries. While these assets do things for their handlers, they also have normal day jobs, and do many things that are wholly independent and even sometimes against their handler’s interests.
For example, this Muckrock FOIA dump shows how “CIA assets” independently worked for Castro and assassinated a Panamanian president. That they also worked for the CIA does not make the CIA responsible for the Panamanian assassination.
That CIA/intelligence assets work this way is well-known and uncontroversial. The fact that countries use hacker assets like this is the controversial part. These hackers do act independently, yet we refuse to consider this when we want to “attribute” attacks.

Attribution is political

We have far better attribution for the nPetya attacks. It was less accidental (they clearly desired to disrupt Ukraine), and the hackers were much closer to the Russian government (Russian citizens). Yet, the Trump administration isn’t fighting Russia, they are fighting North Korea, so they don’t officially attribute nPetya to Russia, but do attribute Wannacry to North Korea.
Trump is in conflict with North Korea. He is looking for ways to escalate the conflict. Attributing Wannacry helps achieve his political objectives.
That it was blatantly politics is demonstrated by the way it was released to the press. It wasn’t released in the normal way, where the administration can stand behind it, and get challenged on the particulars. Instead, it was pre-released through the normal system of “anonymous government officials” to the NYTimes, and then backed up with op-ed in the Wall Street Journal. The government leaks information like this when it’s weak, not when its strong.

The proper way is to release the evidence upon which the decision was made, so that the public can challenge it. Among the questions the public would ask is whether it they believe it was North Korea’s intention to cause precisely this effect, such as disabling the British NHS. Or, whether it was merely hackers “affiliated” with North Korea, or hackers carrying out North Korea’s orders. We cannot challenge the government this way because the government intentionally holds itself above such accountability.


We believe hacking groups tied to North Korea are responsible for Wannacry. Yet, even if that’s true, we still have three attribution problems. We still don’t know if that was intentional, in pursuit of some political goal, or an accident. We still don’t know if it was at the direction of North Korea, or whether their hacker assets acted independently. We still don’t know if the government has answers to these questions, or whether it’s exploiting this doubt to achieve political support for actions against North Korea.

ЕСПЧ: за честта на мъртвите

Post Syndicated from nellyo original https://nellyo.wordpress.com/2018/01/25/art8/

Две решения на Съда на правата на човека в последно време привличат вниманието към  правната защита на доброто име. Това са решенията по делата  Putitstin v Ukraine  и MAC TV v  Slovakia.

Различните правни системи допускат или не допускат да се водят дела за защита на доброто име на починали лица. В България защитата на доброто име е лична.

Двете решения на ЕСПЧ откриват възможността член 8 ЕКПЧ да разреши при подходящи обстоятелства да бъде предявен иск за честта на мъртвите.   Това би било  радикално ново развитие в практиката на Съда за правата на човека.

В Обединеното кралство този въпрос е бил обект на продължителна кампания от страна на Маргарет и Джеймс Уотсън, родителите на починалата Даян Уотсън. Дори е публикуван консултативен документ за  промяна в закона,   за да се позволи на  съпруга, близките и децата  да съдят издатели, но проектът е отхвърлен от парламента.

Ако двете решения  станат начало на практика на ЕСПЧ (разширяване на прилагането на чл.8 ЕКПЧ),  това ще е  аргумент, че държавата има позитивно задължение да защитава правата на близките – като част от личния им живот – по чл.8 от Конвенцията.

Book Review: Twitter and Tear Gas, by Zeynep Tufekci

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/07/book_review_twi.html

There are two opposing models of how the Internet has changed protest movements. The first is that the Internet has made protesters mightier than ever. This comes from the successful revolutions in Tunisia (2010-11), Egypt (2011), and Ukraine (2013). The second is that it has made them more ineffectual. Derided as “slacktivism” or “clicktivism,” the ease of action without commitment can result in movements like Occupy petering out in the US without any obvious effects. Of course, the reality is more nuanced, and Zeynep Tufekci teases that out in her new book Twitter and Tear Gas.

Tufekci is a rare interdisciplinary figure. As a sociologist, programmer, and ethnographer, she studies how technology shapes society and drives social change. She has a dual appointment in both the School of Information Science and the Department of Sociology at University of North Carolina at Chapel Hill, and is a Faculty Associate at the Berkman Klein Center for Internet and Society at Harvard University. Her regular New York Times column on the social impacts of technology is a must-read.

Modern Internet-fueled protest movements are the subjects of Twitter and Tear Gas. As an observer, writer, and participant, Tufekci examines how modern protest movements have been changed by the Internet­ — and what that means for protests going forward. Her book combines her own ethnographic research and her usual deft analysis, with the research of others and some big data analysis from social media outlets. The result is a book that is both insightful and entertaining, and whose lessons are much broader than the book’s central topic.

“The Power and Fragility of Networked Protest” is the book’s subtitle. The power of the Internet as a tool for protest is obvious: it gives people newfound abilities to quickly organize and scale. But, according to Tufekci, it’s a mistake to judge modern protests using the same criteria we used to judge pre-Internet protests. The 1963 March on Washington might have culminated in hundreds of thousands of people listening to Martin Luther King Jr. deliver his “I Have a Dream” speech, but it was the culmination of a multi-year protest effort and the result of six months of careful planning made possible by that sustained effort. The 2011 protests in Cairo came together in mere days because they could be loosely coordinated on Facebook and Twitter.

That’s the power. Tufekci describes the fragility by analogy. Nepalese Sherpas assist Mt. Everest climbers by carrying supplies, laying out ropes and ladders, and so on. This means that people with limited training and experience can make the ascent, which is no less dangerous — to sometimes disastrous results. Says Tufekci: “The Internet similarly allows networked movements to grow dramatically and rapidly, but without prior building of formal or informal organizational and other collective capacities that could prepare them for the inevitable challenges they will face and give them the ability to respond to what comes next.” That makes them less able to respond to government counters, change their tactics­ — a phenomenon Tufekci calls “tactical freeze” — make movement-wide decisions, and survive over the long haul.

Tufekci isn’t arguing that modern protests are necessarily less effective, but that they’re different. Effective movements need to understand these differences, and leverage these new advantages while minimizing the disadvantages.

To that end, she develops a taxonomy for talking about social movements. Protests are an example of a “signal” that corresponds to one of several underlying “capacities.” There’s narrative capacity: the ability to change the conversation, as Black Lives Matter did with police violence and Occupy did with wealth inequality. There’s disruptive capacity: the ability to stop business as usual. An early Internet example is the 1999 WTO protests in Seattle. And finally, there’s electoral or institutional capacity: the ability to vote, lobby, fund raise, and so on. Because of various “affordances” of modern Internet technologies, particularly social media, the same signal — a protest of a given size — reflects different underlying capacities.

This taxonomy also informs government reactions to protest movements. Smart responses target attention as a resource. The Chinese government responded to 2015 protesters in Hong Kong by not engaging with them at all, denying them camera-phone videos that would go viral and attract the world’s attention. Instead, they pulled their police back and waited for the movement to die from lack of attention.

If this all sounds dry and academic, it’s not. Twitter and Tear Gasis infused with a richness of detail stemming from her personal participation in the 2013 Gezi Park protests in Turkey, as well as personal on-the-ground interviews with protesters throughout the Middle East — particularly Egypt and her native Turkey — Zapatistas in Mexico, WTO protesters in Seattle, Occupy participants worldwide, and others. Tufekci writes with a warmth and respect for the humans that are part of these powerful social movements, gently intertwining her own story with the stories of others, big data, and theory. She is adept at writing for a general audience, and­despite being published by the intimidating Yale University Press — her book is more mass-market than academic. What rigor is there is presented in a way that carries readers along rather than distracting.

The synthesist in me wishes Tufekci would take some additional steps, taking the trends she describes outside of the narrow world of political protest and applying them more broadly to social change. Her taxonomy is an important contribution to the more-general discussion of how the Internet affects society. Furthermore, her insights on the networked public sphere has applications for understanding technology-driven social change in general. These are hard conversations for society to have. We largely prefer to allow technology to blindly steer society or — in some ways worse — leave it to unfettered for-profit corporations. When you’re reading Twitter and Tear Gas, keep current and near-term future technological issues such as ubiquitous surveillance, algorithmic discrimination, and automation and employment in mind. You’ll come away with new insights.

Tufekci twice quotes historian Melvin Kranzberg from 1985: “Technology is neither good nor bad; nor is it neutral.” This foreshadows her central message. For better or worse, the technologies that power the networked public sphere have changed the nature of political protest as well as government reactions to and suppressions of such protest.

I have long characterized our technological future as a battle between the quick and the strong. The quick — dissidents, hackers, criminals, marginalized groups — are the first to make use of a new technology to magnify their power. The strong are slower, but have more raw power to magnify. So while protesters are the first to use Facebook to organize, the governments eventually figure out how to use Facebook to track protesters. It’s still an open question who will gain the upper hand in the long term, but Tufekci’s book helps us understand the dynamics at work.

This essay originally appeared on Vice Motherboard.

The book on Amazon.com.

NonPetya: no evidence it was a "smokescreen"

Post Syndicated from Robert Graham original http://blog.erratasec.com/2017/06/nonpetya-no-evidence-it-was-smokescreen.html

Many well-regarded experts claim that the not-Petya ransomware wasn’t “ransomware” at all, but a “wiper” whose goal was to destroy files, without any intent at letting victims recover their files. I want to point out that there is no real evidence of this.

Certainly, things look suspicious. For one thing, it certainly targeted the Ukraine. For another thing, it made several mistakes that prevent them from ever decrypting drives. Their email account was shutdown, and it corrupts the boot sector.

But these things aren’t evidence, they are problems. They are things needing explanation, not things that support our preferred conspiracy theory.

The simplest, Occam’s Razor explanation explanation is that they were simple mistakes. Such mistakes are common among ransomware. We think of virus writers as professional software developers who thoroughly test their code. Decades of evidence show the opposite, that such software is of poor quality with shockingly bad bugs.

It’s true that effectively, nPetya is a wiper. Matthieu Suiche‏ does a great job describing one flaw that prevents it working. @hasherezade does a great job explaining another flaw.  But best explanation isn’t that this is intentional. Even if these bugs didn’t exist, it’d still be a wiper if the perpetrators simply ignored the decryption requests. They need not intentionally make the decryption fail.

Thus, the simpler explanation is that it’s simply a bug. Ransomware authors test the bits they care about, and test less well the bits they don’t. It’s quite plausible to believe that just before shipping the code, they’d add a few extra features, and forget to regression test the entire suite. I mean, I do that all the time with my code.

Some have pointed to the sophistication of the code as proof that such simple errors are unlikely. This isn’t true. While it’s more sophisticated than WannaCry, it’s about average for the current state-of-the-art for ransomware in general. What people think of, such the Petya base, or using PsExec to spread throughout a Windows domain, is already at least a year old.

Indeed, the use of PsExec itself is a bit clumsy, when the code for doing the same thing is already public. It’s just a few calls to basic Windows networking APIs. A sophisticated virus would do this itself, rather than clumsily use PsExec.

Infamy doesn’t mean skill. People keep making the mistake that the more widespread something is in the news, the more skill, the more of a “conspiracy” there must be behind it. This is not true. Virus/worm writers often do newsworthy things by accident. Indeed, the history of worms, starting with the Morris Worm, has been things running out of control more than the author’s expectations.

What makes nPetya newsworthy isn’t the EternalBlue exploit or the wiper feature. Instead, the creators got lucky with MeDoc. The software is used by every major organization in the Ukraine, and at the same time, their website was horribly insecure — laughably insecure. Furthermore, it’s autoupdate feature didn’t check cryptographic signatures. No hacker can plan for this level of widespread incompetence — it’s just extreme luck.

Thus, the effect of bumbling around is something that hit the Ukraine pretty hard, but it’s not necessarily the intent of the creators. It’s like how the Slammer worm hit South Korea pretty hard, or how the Witty worm hit the DoD pretty hard. These things look “targeted”, especially to the victims, but it was by pure chance (provably so, in the case of Witty).

Certainly, MeDoc was targeted. But then, targeting a single organization is the norm for ransomware. They have to do it that way, giving each target a different Bitcoin address for payment. That it then spread to the entire Ukraine, and further, is the sort of thing that typically surprises worm writers.

Finally, there’s little reason to believe that there needs to be a “smokescreen”. Russian hackers are targeting the Ukraine all the time. Whether Russian hackers are to blame for “ransomware” vs. “wiper” makes little difference.


We know that Russian hackers are constantly targeting the Ukraine. Therefore, the theory that this was nPetya’s goal all along, to destroy Ukraines computers, is a good one.

Yet, there’s no actual “evidence” of this. nPetya’s issues are just as easily explained by normal software bugs. The smokescreen isn’t needed. The boot record bug isn’t needed. The single email address that was shutdown isn’t significant, since half of all ransomware uses the same technique.

The experts who disagree with me are really smart/experienced people who you should generally trust. It’s just that I can’t see their evidence.

Update: I wrote another blogpost about “survivorship bias“, refuting the claim by many experts talking about the sophistication of the spreading feature.

Update: comment asks “why is there no Internet spreading code?”. The answer is “I don’t know”, but unanswerable questions aren’t evidence of a conspiracy. “What aren’t there any stars in the background?” isn’t proof the moon landings are fake, such because you can’t answer the question. One guess is that you never want ransomware to spread that far, until you’ve figured out how to get payment from so many people.

Some notes on Trump’s cybersecurity Executive Order

Post Syndicated from Robert Graham original http://blog.erratasec.com/2017/05/some-notes-on-trumps-cybersecurity.html

President Trump has finally signed an executive order on “cybersecurity”. The first draft during his first weeks in power were hilariously ignorant. The current draft, though, is pretty reasonable as such things go. I’m just reading the plain language of the draft as a cybersecurity expert, picking out the bits that interest me. In reality, there’s probably all sorts of politics in the background that I’m missing, so I may be wildly off-base.

Holding managers accountable

This is a great idea in theory. But government heads are rarely accountable for anything, so it’s hard to see if they’ll have the nerve to implement this in practice. When the next breech happens, we’ll see if anybody gets fired.
“antiquated and difficult to defend Information Technology”

The government uses laughably old computers sometimes. Forces in government wants to upgrade them. This won’t work. Instead of replacing old computers, the budget will simply be used to add new computers. The old computers will still stick around.
“Legacy” is a problem that money can’t solve. Programmers know how to build small things, but not big things. Everything starts out small, then becomes big gradually over time through constant small additions. What you have now is big legacy systems. Attempts to replace a big system with a built-from-scratch big system will fail, because engineers don’t know how to build big systems. This will suck down any amount of budget you have with failed multi-million dollar projects.
It’s not the antiquated systems that are usually the problem, but more modern systems. Antiquated systems can usually be protected by simply sticking a firewall or proxy in front of them.

“address immediate unmet budgetary needs necessary to manage risk”

Nobody cares about cybersecurity. Instead, it’s a thing people exploit in order to increase their budget. Instead of doing the best security with the budget they have, they insist they can’t secure the network without more money.

An alternate way to address gaps in cybersecurity is instead to do less. Reduce exposure to the web, provide fewer services, reduce functionality of desktop computers, and so on. Insisting that more money is the only way to address unmet needs is the strategy of the incompetent.

Use the NIST framework
Probably the biggest thing in the EO is that it forces everyone to use the NIST cybersecurity framework.
The NIST Framework simply documents all the things that organizations commonly do to secure themselves, such run intrusion-detection systems or impose rules for good passwords.
There are two problems with the NIST Framework. The first is that no organization does all the things listed. The second is that many organizations don’t do the things well.
Password rules are a good example. Organizations typically had bad rules, such as frequent changes and complexity standards. So the NIST Framework documented them. But cybersecurity experts have long opposed those complex rules, so have been fighting NIST on them.

Another good example is intrusion-detection. These days, I scan the entire Internet, setting off everyone’s intrusion-detection systems. I can see first hand that they are doing intrusion-detection wrong. But the NIST Framework recommends they do it, because many organizations do it, but the NIST Framework doesn’t demand they do it well.
When this EO forces everyone to follow the NIST Framework, then, it’s likely just going to increase the amount of money spent on cybersecurity without increasing effectiveness. That’s not necessarily a bad thing: while probably ineffective or counterproductive in the short run, there might be long-term benefit aligning everyone to thinking about the problem the same way.
Note that “following” the NIST Framework doesn’t mean “doing” everything. Instead, it means documented how you do everything, a reason why you aren’t doing anything, or (most often) your plan to eventually do the thing.
preference for shared IT services for email, cloud, and cybersecurity
Different departments are hostile toward each other, with each doing things their own way. Obviously, the thinking goes, that if more departments shared resources, they could cut costs with economies of scale. Also obviously, it’ll stop the many home-grown wrong solutions that individual departments come up with.
In other words, there should be a single government GMail-type service that does e-mail both securely and reliably.
But it won’t turn out this way. Government does not have “economies of scale” but “incompetence at scale”. It means a single GMail-like service that is expensive, unreliable, and in the end, probably insecure. It means we can look forward to government breaches that instead of affecting one department affecting all departments.

Yes, you can point to individual organizations that do things poorly, but what you are ignoring is the organizations that do it well. When you make them all share a solution, it’s going to be the average of all these things — meaning those who do something well are going to move to a worse solution.

I suppose this was inserted in there so that big government cybersecurity companies can now walk into agencies, point to where they are deficient on the NIST Framework, and say “sign here to do this with our shared cybersecurity service”.
“identify authorities and capabilities that agencies could employ to support the cybersecurity efforts of critical infrastructure entities”
What this means is “how can we help secure the power grid?”.
What it means in practice is that fiasco in the Vermont power grid. The DHS produced a report containing IoCs (“indicators of compromise”) of Russian hackers in the DNC hack. Among the things it identified was that the hackers used Yahoo! email. They pushed these IoCs out as signatures in their “Einstein” intrusion-detection system located at many power grid locations. The next person that logged into their Yahoo! email was then flagged as a Russian hacker, causing all sorts of hilarity to ensue, such as still uncorrected stories by the Washington Post how the Russians hacked our power-grid.
The upshot is that federal government help is also going to include much government hindrance. They really are this stupid sometimes and there is no way to fix this stupid. (Seriously, the DHS still insists it did the right thing pushing out the Yahoo IoCs).
Resilience Against Botnets and Other Automated, Distributed Threats

The government wants to address botnets because it’s just the sort of problem they love, mass outages across the entire Internet caused by a million machines.

But frankly, botnets don’t even make the top 10 list of problems they should be addressing. Number #1 is clearly “phishing” — you know, the attack that’s been getting into the DNC and Podesta e-mails, influencing the election. You know, the attack that Gizmodo recently showed the Trump administration is partially vulnerable to. You know, the attack that most people blame as what probably led to that huge OPM hack. Replace the entire Executive Order with “stop phishing”, and you’d go further fixing federal government security.

But solving phishing is tough. To begin with, it requires a rethink how the government does email, and how how desktop systems should be managed. So the government avoids complex problems it can’t understand to focus on the simple things it can — botnets.

Dealing with “prolonged power outage associated with a significant cyber incident”

The government has had the hots for this since 2001, even though there’s really been no attack on the American grid. After the Russian attacks against the Ukraine power grid, the issue is heating up.

Nation-wide attacks aren’t really a threat, yet, in America. We have 10,000 different companies involved with different systems throughout the country. Trying to hack them all at once is unlikely. What’s funny is that it’s the government’s attempts to standardize everything that’s likely to be our downfall, such as sticking Einstein sensors everywhere.

What they should be doing is instead of trying to make the grid unhackable, they should be trying to lessen the reliance upon the grid. They should be encouraging things like Tesla PowerWalls, solar panels on roofs, backup generators, and so on. Indeed, rather than industrial system blackout, industry backup power generation should be considered as a source of grid backup. Factories and even ships were used to supplant the electric power grid in Japan after the 2011 tsunami, for example. The less we rely on the grid, the less a blackout will hurt us.

“cybersecurity risks facing the defense industrial base, including its supply chain”

So “supply chain” cybersecurity is increasingly becoming a thing. Almost anything electronic comes with millions of lines of code, silicon chips, and other things that affect the security of the system. In this context, they may be worried about intentional subversion of systems, such as that recent article worried about Kaspersky anti-virus in government systems. However, the bigger concern is the zillions of accidental vulnerabilities waiting to be discovered. It’s impractical for a vendor to secure a product, because it’s built from so many components the vendor doesn’t understand.

“strategic options for deterring adversaries and better protecting the American people from cyber threats”

Deterrence is a funny word.

Rumor has it that we forced China to backoff on hacking by impressing them with our own hacking ability, such as reaching into China and blowing stuff up. This works because the Chinese governments remains in power because things are going well in China. If there’s a hiccup in economic growth, there will be mass actions against the government.

But for our other cyber adversaries (Russian, Iran, North Korea), things already suck in their countries. It’s hard to see how we can make things worse by hacking them. They also have a strangle hold on the media, so hacking in and publicizing their leader’s weird sex fetishes and offshore accounts isn’t going to work either.

Also, deterrence relies upon “attribution”, which is hard. While news stories claim last year’s expulsion of Russian diplomats was due to election hacking, that wasn’t the stated reason. Instead, the claimed reason was Russia’s interference with diplomats in Europe, such as breaking into diplomat’s homes and pooping on their dining room table. We know it’s them when they are brazen (as was the case with Chinese hacking), but other hacks are harder to attribute.

Deterrence of nation states ignores the reality that much of the hacking against our government comes from non-state actors. It’s not clear how much of all this Russian hacking is actually directed by the government. Deterrence polices may be better directed at individuals, such as the recent arrest of a Russian hacker while they were traveling in Spain. We can’t get Russian or Chinese hackers in their own countries, so we have to wait until they leave.

Anyway, “deterrence” is one of those real-world concepts that hard to shoe-horn into a cyber (“cyber-deterrence”) equivalent. It encourages lots of bad thinking, such as export controls on “cyber-weapons” to deter foreign countries from using them.

“educate and train the American cybersecurity workforce of the future”

The problem isn’t that we lack CISSPs. Such blanket certifications devalue the technical expertise of the real experts. The solution is to empower the technical experts we already have.

In other words, mandate that whoever is the “cyberczar” is a technical expert, like how the Surgeon General must be a medical expert, or how an economic adviser must be an economic expert. For over 15 years, we’ve had a parade of non-technical people named “cyberczar” who haven’t been experts.

Once you tell people technical expertise is valued, then by nature more students will become technical experts.

BTW, the best technical experts are software engineers and sysadmins. The best cybersecurity for Windows is already built into Windows, whose sysadmins need to be empowered to use those solutions. Instead, they are often overridden by a clueless cybersecurity consultant who insists on making the organization buy a third-party product instead that does a poorer job. We need more technical expertise in our organizations, sure, but not necessarily more cybersecurity professionals.


This is really a government document, and government people will be able to explain it better than I. These are just how I see it as a technical-expert who is a government-outsider.

My guess is the most lasting consequential thing will be making everyone following the NIST Framework, and the rest will just be a lot of aspirational stuff that’ll be ignored.

Growing Code Club

Post Syndicated from Philip Colligan original https://www.raspberrypi.org/blog/growing-code-club/

In November 2015 we announced that the Raspberry Pi Foundation was joining forces with Code Club to give more young people the opportunity to learn how to make things with computers. In the 18 months since we made that announcement, we have more than doubled the number of Code Clubs. Over 10,000 clubs are now active, in communities all over the world.

Photo of a Code Club in a classroom: six or seven children focus intently on Scratch programs and other tasks, and adults are helping and supervising in the background

Children at a Code Club in Australia

The UK is where the movement started, and there are now an amazing 5750 Code Clubs engaging over 85,000 young people in the UK each week. The rest of the world is catching up rapidly. With the help of our regional partners, there are over 4000 clubs outside the UK, and fast-growing Code Club communities in Australia, Bangladesh, Brazil, Canada, Croatia, France, Hong Kong, New Zealand, and Ukraine. This year we have already launched new partnerships in Spain and South Korea, with more to come.

It’s fantastic to see the movement growing so quickly, and it’s all due to the amazing community of volunteers, teachers, parents, and young people who make everything possible. Thank you all!

Today, we are announcing the next stage of Code Club’s evolution. Drum roll, please…

Starting in September, we are extending Code Club to 9- to 13-year-olds.

Three girls, all concentrating, one smiling, work together at a computer at Code Club

Students at a Code Club in Brazil

Those in the know will remember that Code Club has, until now, been focused on 9- to 11-year-olds. So why the change?

Put simply: demand. There is a huge demand from young people for more opportunities to learn about computing generally, and for Code Club specifically. The first generations of Code Club graduates have moved on to more senior schools, and they’re telling us that they just don’t have the opportunities they need to learn more about digital making. We’ve decided to take up the challenge.

For the UK, this means that schools will be supported to set up Code Clubs for Years 7 and 8. Non-school venues, like libraries, will be able to offer their clubs to a wider age group.

Growing Code Club International

Code Club is a global movement, and we will be working with our regional partners to make sure that it is available to 9- to 13-year-olds in every community in the world. That includes accelerating the work to translate club materials into even more languages.

Two boys and a woman wearing a Code Club T-shirt sit and pose for the camera in a classroom

A Code Club volunteer and students in Brazil

As part of the change, we will be expanding our curriculum and free educational resources to cater for older children and more experienced coders. Like all our educational resources, the new materials will be created by qualified and experienced educators. They will be designed to help young people build a wide range of skills and competencies, including teamwork, problem-solving, and creativity.

Our first step towards supporting a wider age range is a pilot programme, launching today, with 50 secondary schools in the UK. Over the next few months, we will be working closely with them to find out the best ways to make the programme work for older kids.

Supporting Code Club

For now, you can help us spread the word. If you know a school, youth club, library, or similar venue that could host a club for young people aged 9 to 13, then encourage them to get involved.

Lastly, I want to say a massive “thank you!” to all the organisations and individuals that support Code Club financially. We care passionately about Code Club being free for every child to attend. That’s only possible because of the generous donations and grants that we receive from so many companies, foundations, and people who share our mission to put the power of digital making into the hands of people all over the world.

The post Growing Code Club appeared first on Raspberry Pi.

Kalyna Block Cipher

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/03/kalyna_block_ci.html

Kalyna is a block cipher that became a Ukrainian national standard in 2015. It supports block and key sizes of 128, 256, and 512 bits. Its structure looks like AES but optimized for 64-bit CPUs, and it has a complicated key schedule. Rounds range from 10-18, depending on block and key sizes.

There is some mention of cryptanalysis on reduced-round versions in the Wikipedia entry. And here are the other submissions to the standard.


Post Syndicated from Philip Colligan original https://www.raspberrypi.org/blog/p-a-r-t-y/

On 4 and 5 March 2017, more than 1,800 people got together in Cambridge to celebrate five years of Raspberry Pi and Code Club. We had cake, code, robots, explosions, and unicorn face paint. It was all kinds of awesome.

Celebrating five years of Raspberry Pi and Code Club

Uploaded by Raspberry Pi on 2017-03-10.

It’s hard to believe that it was only five years ago that we launched the first Raspberry Pi computer. Back then, our ambitions stretched to maybe a few tens of thousands of units, and our hope was simply that we could inspire more young people to study computer science.

Fast forward to 2017 and the Raspberry Pi is the third most successful computing platform of all time, with more than twelve and a half million units used by makers, educators, scientists, and entrepreneurs all over the world (you can read more about this in our Annual Review).

On 28 February, we announced the latest addition to our family of devices, the Raspberry Pi Zero W, which brings wireless connectivity and Bluetooth to the Pi Zero for an astonishing $10. You seemed to like it: in the four days between the product launch and the first day of the Birthday Party, we sold more than 100,000 units. We absolutely love seeing all the cool things you’re building with them!

Raspberry Pi Zero W

Celebrating our community

Low-cost, high-performance computers are a big part of the story, but they’re not the whole story. One of the most remarkable things about Raspberry Pi is the amazing community that has come together around the idea that more people should have the skills and confidence to get creative with technology.

For every person working for the Raspberry Pi Foundation, there are hundreds and thousands of community members outside the organisation who advance that mission every day. They run Raspberry Jams, volunteer at Code Clubs, write educational resources, moderate our forums, and so much more. The Birthday Party is one of the ways that we celebrate what they’ve achieved and say thank you to them for everything they’ve done.

Over the two days of the celebration, there were 57 workshops and talks from community members, including several that were designed and run by young people. I managed to listen to more of the talks this year, and I was really impressed by the breadth of subjects covered and the expertise on display.

All About Code on Twitter

Big thanks to @Raspberry_Pi for letting me run #PiParty @edu_blocks workshop and to @cjdell for his continuing help and support

Educators are an important part of our community and it was great to see so many of our Certified Educators leading sessions and contributing across the whole event.

Carrie Anne Philbin on Twitter

Thanks to my panel of @raspberry_pi certified educators – you are all amazing! #piparty https://t.co/0psnTEnfxq

Hands-on experiences

One of the goals for this year’s event was to give everyone the opportunity to get hands-on experience of digital making and, even if you weren’t able to get a place at one of the sold-out workshops, there were heaps of drop-in and ask-the-expert sessions, giving everyone the chance to get involved.

The marketplace was one of this year’s highlights: it featured more than 20 exhibitors including the awesome Pimoroni and Pi Hut, as well as some great maker creations, from the Tech Wishing Well to a game of robot football. It was great to see so many young people inspired by other people’s makes.

Child looking at a handmade robot at the Raspberry Pi fifth birthday weekend

Code Club’s celebrations

As I mentioned before, this year’s party was very much a joint celebration, marking five years of both Raspberry Pi and Code Club.

Since its launch in 2012, Code Club has established itself as one of the largest networks of after-school clubs in the world. As well as celebrating the milestone of 5,000 active Code Clubs in the UK, it was a real treat to welcome Code Club’s partners from across the world, including Australia, Bangladesh, Brazil, Canada, Croatia, France, New Zealand, South Korea, and Ukraine.

Representatives of Code Club International at the Raspberry Pi fifth birthday party

Representatives of Code Club International, up for a birthday party!

Our amazing team

There are so many people to thank for making our fifth Birthday Party such a massive success. The Cambridge Junction was a fantastic venue with a wonderful team (you can support their work here). Our friends at RealVNC provided generous sponsorship and practical demonstrations. ModMyPi packed hundreds of swag bags with swag donated by all of our exhibitors. Fuzzy Duck Brewery did us proud with another batch of their Irrational Ale.

We’re hugely grateful to Sam Aaron and Fran Scott who provided the amazing finales on Saturday and Sunday. No party is quite the same without an algorave and a lot of explosions.

Most of all, I want to say a massive thank you to all of our volunteers and community members: you really did make the Birthday Party possible, and we couldn’t have done it without you.

One of the things we stand for at Raspberry Pi is making computing and digital making accessible to all. There’s a long way to go before we can claim that we’ve achieved that goal, but it was fantastic to see so much genuine diversity on display.

Probably the most important piece of feedback I heard about the weekend was how welcoming it felt for people who were new to the movement. That is entirely down to the generous, open culture that has been created by our community. Thank you all.

Collage of Raspberry Pi and Code Club fifth birthday images



The post P.A.R.T.Y. appeared first on Raspberry Pi.

1984 is the new Bible in the age of Trump

Post Syndicated from Robert Graham original http://blog.erratasec.com/2017/02/1984-is-new-bible.html

In the age of Trump, Orwell’s book 1984 is becoming the new Bible: a religious text which few read, but which many claim supports their beliefs. A good demonstration is this CNN op-ed, in which the author describes Trump as being Orwellian, but mostly just because Trump is a Republican.

Trump’s populist attacks against our (classically) liberal world order is indeed cause for concern. His assault on the truth is indeed a bit Orwellian. But it’s op-eds like this one at CNN that are part of the problem.
While the author of the op-ed spends much time talking about his dogs (“Winston”, “Julia”), and how much he hates Trump, he spends little time on the core thesis “Orwellianism”. When he does, it’s mostly about old political disagreements. For example, the op-ed calls Trump’s cabinet appointees Orwellian simply because they are Republicans:

He has provided us with Betsy DeVos, a secretary of education nominee who is widely believed to oppose public education, and who promotes the truly Orwellian-sounding concept of “school choice,” a plan that seems well-intentioned but which critics complain actually siphons much-needed funds from public to private education institutions.

Calling school-choice “Orwellian” is absurd. Republicans want to privatize more, and the Democrats want the state to run more of the economy. It’s the same disagreement that divides the two parties on almost any policy issue. When you call every little political disagreement “Orwellian” then you devalue the idea. I’m Republican, so of course I’d argue that the it’s the state-run education system giving parents zero choice that is the thing that’s Orwellian here. And now we bicker, both convinced that Orwell is on our side in this debate. #WhatWouldOrwellDo
If something is “Orwellian”, then you need to do a better job demonstrating this, making the analogy clear. For example, last year I showed how in response to a political disagreement, that Wikipedia and old newspaper articles were edited in order to conform to the new political reality. This is a clear example of Winston Smith’s job of changing the past in order to match the present.
But even such clear documentation is probably powerless to change anybody’s mind. Whether “changing the text of old newspaper articles to fit modern politics” is Orwellian depends entirely on your politics, whether the changes agree with your views. Go follow the link [*] and see for yourself and see if you agree with the change (replacing the word “refugee” in old articles with “asylee” instead).
It’s this that Orwell was describing. Doublethink wasn’t something forced onto us by a totalitarian government so much as something we willingly adopted ourselves. The target of Orwell’s criticism wasn’t them, the totalitarian government, but us, the people who willingly went along with it. Doublethink is what people in both parties (Democrats and Republicans) do equally, regardless of the who resides in the White House.
Trump is an alt-Putin. He certainly wants to become a totalitarian. But at this point, his lies are juvenile and transparent, which even his supporters find difficult believing [*]. The most Orwellian thing about him is what he inherits from Obama [*]: the two Party system, perpetual war, omnipresent surveillance, the propaganda system, and our nascent cyber-police-state [*].

Yes, people should read 1984 in the age of Trump, not because he’s created the Orwellian system, but because he’s trying to exploit the system that’s already there. If you believe he’s Orwellian because he’s Republican, as the foolish author of that CNN op-ed believes, then you’ve missed the point of Orwell’s novel completely.

Bonus: Doing a point-by-point rebuttal gets boring, and makes the post long, but ought to be done out of a sense of completeness. The following paragraph contains the most “Orwell” points, but it’s all essentially nonsense:

We are living in this state of flux in real life. Russia was and likely is our nation’s fiercest rival, yet as a candidate, President Trump famously stated, “Russia, if you’re listening, I hope you’re able to find the 30,000 [Clinton] emails that are missing.” He praises Putin but states that perhaps he may not actually like him when they meet. WikiLeaks published DNC data alleged to have been obtained by Russian operatives, but the election was not “rigged.” A recount would be “ridiculous,” yet voter fraud was rampant. Trusted sources of information are “fake news,” and somehow Chelsea Manning, WikiLeaks’ most notable whistleblower, is now an “ungrateful traitor.”

Trump’s asking Russia to find the missing emails was clearly a joke. Trump’s speech is marked by exaggeration and jokes like this. That Trump’s rivals insist his jokes be taken seriously is the problem here, more than what he’s joking about.

The correct Orwellian analogy to draw here is is the Eurasia (Russia) and Eastasia (China) parallels. Under Obama, China was a close trading partner while Russia was sanctioned for invading the Ukraine. Under Trump, it’s China who is our top rival while Russia/Putin is more of our friends. What’s Orwellian is how polls [*] of what Republicans think of Russia have gone through a shift, “We’ve always been at war with Eastasia”.

The above paragraph implies Trump said the election wasn’t “rigged”. No, Trump still says the election was rigged, even after he won it. [*] It’s Democrats who’ve flip-flopped on their opinion whether the election was “rigged” after Trump’s win. Trump attacks the election system because that’s what illiberal totalitarians always do, not because it’s Orwellian.

“Recounts” and “fraudulent votes” aren’t the same thing. Somebody registered to vote, and voting, in multiple states is not something that’ll be detected with a “recount” in any one state, for example. Trump’s position on voter fraud is absurd, but it’s not Orwellian.

Instead of these small things, what’s Orwellian is Trump’s grander story of a huge popular “movement” behind him. That’s why his inauguration numbers are important. That’s why losing the popular vote is important. It’s why he keeps using the word “movement” in all his speeches. It’s the big lie he’s telling that makes him Orwellian, not all the small lies.

Trusted sources of news are indeed “fake news”. The mainstream media has problems, whether it’s their tendency to sensationalism, or the way they uncritically repeat government propaganda (“according to senior government officials”) regardless of which Party controls the White House. Indeed, Orwell himself was a huge critic of the press — sometimes what they report is indeed “fake news”, not simply a mistake but something that violates the press’s own standards.

Yes, the President or high-level government officials have no business attacking the press the way Trump does, regardless if they deserve it. Trump indeed had a few legitimate criticism of the press, but his attacks have quickly devolved to attacking the press whenever it’s simply Truth disagreeing with Trump’s lies. It’s all attacks against the independent press that are the problem, not the label “fake news”.

As Wikipedia documents, “the term “traitor” has been used as a political epithet, regardless of any verifiable treasonable action”. Despite being found not guilty of “aiding the enemy”, Chelsea Manning was convicted of espionage. Reasonable people can disagree about Manning’s action — while you may not like the “traitor” epithet, it’s not an Orwellian term.

Instead, what is Orwellian is insisting Manning was a “whistleblower”. Reasonable people disagree with that description. Manning didn’t release specific diplomatic cables demonstrative of official wrongdoing, but the entire dump of all cables going back more than a decade. It’s okay to call Manning a whistleblower (I might describe her as such), but it’s absurd to claim this is some objective truth. For example, the Wikipedia article [*] on Chelsea Manning documents several people calling her a whistleblower, but does not itself use that term to describe Manning. The struggle between objective and subjective “Truth” is a big part of Orwell’s work.

What I’m demonstrating here in this bonus section is the foolishness of that CNN op-ed. He hates Trump, but entirely misunderstands Orwell. He does a poor job pinning down Trump on exactly how he fits the Orwellian mode. He writes like somebody who hasn’t actually read the book at all.

2017: inspiring young makers and supporting educators

Post Syndicated from Philip Colligan original https://www.raspberrypi.org/blog/2017-inspiring-young-makers-educators/

By any measure, the Raspberry Pi Foundation had a fantastic 2016. We ended the year with over 11 million Raspberry Pi computers sold, millions of people using our learning resources, almost 1,000 Certified Educators in the UK and US, 75,000 children regularly attending over 5,000 Code Clubs in the UK, hundreds of Raspberry Jams taking place all over the world, code written by schoolkids running in space (yes, space), and much, much more.

Tim Peake on Twitter

Fantastic to see 5,000 active Code Clubs in the UK, helping over 75,000 young people learn to code. https://t.co/OyShrUzAhI @Raspberry_Pi https://t.co/luFj1qgzvQ

As I’ve said before, what we achieve is only possible thanks to the amazing community of makers, educators, volunteers, and young people all over the world who share our mission and support our work. You’re all awesome: thank you.

So here we are, just over a week into the New Year, and I thought it might be a good time to share with you some of what we’ve got planned for 2017.

Young digital makers

At the core of our mission is getting more young people excited about computing, and learning how to make things with computers. That was the original inspiration for the Raspberry Pi computer and it remains our number-one objective.

One of the ways we do that is through Code Club, a network of after-school clubs for 9- 11-year-olds run by teachers and volunteers. It’s already one of the largest networks of after-school clubs in the world, and this year we’ll be working with our existing partners in Australia, Bangladesh, Brazil, Canada, Croatia, France, Hong Kong, New Zealand, and Ukraine, as well as finding more partners in more countries, to bring Code Club to many more children.

Code Club

This year also sees the launch of Pioneers, our new programme for teen digital makers. It’s built around a series of challenges that will inspire young people to make things with technology and share their makes with the world. Check out the first challenge here, and keep watching the hashtag #MakeYourIdeas across your favourite social media platforms.

This is Pioneers #MakeYourIdeas

UPDATE – The first challenge is now LIVE. Head here for more information https://www.youtube.com/watch?v=OCUzza7LJog Woohoo! Get together, get inspired, and get thinking. We’re looking for Pioneers to use technology to make something awesome. Get together in a team or on your own, post online to show us how you’re getting on, and then show the world your build when you’re done.

We’re also expanding our space programme Astro Pi, with 250 teams across Europe currently developing code that will be run on the ISS by ESA French Astronaut Thomas Pesquet. And, building on our Weather Station project, we’re excited to be developing new ideas for citizen science programmes that get more young people involved in computing.

European Astro Pi Challenge – Code your experiment

British ESA astronaut Tim Peake is safely back on Earth now, but French ESA astronaut Thomas Pesquet is onboard the ISS, keen to see what students from all over Europe can do with the Astro Pi units too.

Supporting educators

Another big part of our work is supporting educators who are bringing computing and digital making into the classroom, and this year we’re going to be doing even more to help them.

Certified Educators

We’ll continue to grow our community of official Raspberry Pi Certified Educators, with Picademy training programmes in the UK and US. Watch out for those dates coming soon. We’re also opening up our educator training to a much wider audience through a series of online courses in partnership with FutureLearn. The first two courses are open for registration now, and we’ve got plans to develop and run more courses throughout the year, so if you’re an educator, let us know what you would find most useful.

We’re also really excited to be launching a brand-new free resource for educators later this month in partnership with CAS, the grass-roots network of computing educators. For now, it’s top-secret, but if you’re in the Bett Arena on 25 January, you’ll be the first to hear all about it.

Free educational resources

One of the most important things we do at Pi Towers is create the free educational resources that are used in Code Clubs, STEM clubs, CoderDojos, classrooms, libraries, makerspaces, and bedrooms by people of all ages learning about computing and digital making. We love making these resources and we know that you love using them. This year, we want to make them even more useful.


As a first step, later this month we will share our digital making curriculum, which explains how we think about learning and progression, and which provides the structure for our educational resources and programmes. We’re publishing it so that we can get feedback to make it better, but we also hope that it will be used by other organisations creating educational resources.

We’re also working hard behind the scenes to improve the content and presentation of our learning resources. We want to include more diverse content like videos, make it easier for users to track their own progress, and generally make the experience more interactive and social. We’re looking forward to sharing that work and getting your feedback over the next few months.


Last, but by no means least, we will continue to support and grow the community around our mission. We’ll be doing even more outreach, with ever more diverse groups, and doing much more to support the Raspberry Jam organisers and others who do so much to involve people in the digital making movement.

Birthday Bash

The other big community news is that we will be formally establishing ourselves as a charity in the US, which will provide the foundation (see what I did there?) for a serious expansion of our charitable activities and community in North America.

As you can see, we’ve got big plans for the year. Let me know what you think in the comments below and, if you’re excited about the mission, there’s lots of ways to get involved.

The post 2017: inspiring young makers and supporting educators appeared first on Raspberry Pi.

Some notes on IoCs

Post Syndicated from Robert Graham original http://blog.erratasec.com/2016/12/some-notes-on-iocs.html

Obama “sanctioned” Russia today for those DNC/election hacks, kicking out 35 diplomats (**), closing diplomatic compounds (**), seizing assets of named individuals/groups (***). They also published “IoCs” of those attacks, fingerprints/signatures that point back to the attackers, like virus patterns, file hashes, and IP addresses.

These IoCs are of low quality. They are published as a political tool, to prove they have evidence pointing to Russia. They have limited utility to defenders, or those publicly analyzing attacks.

Consider the Yara rule included in US-CERT’s “GRIZZLY STEPPE” announcement:

What is this? What does this mean? What do I do with this information?

It’s a YARA rule. YARA is a tool ostensibly for malware researchers, to quickly classify files. It’s not really an anti-virus product designed to prevent or detect an intrusion/infection, but to analyze an intrusion/infection afterward — such as attributing the attack. Signatures like this will identify a well-known file found on infected/hacked systems.

What this YARA rule detects is, as the name suggests, the “PAS TOOL WEB KIT”, a web shell tool that’s popular among Russia/Ukraine hackers. If you google “PAS TOOL PHP WEB KIT”, the second result points to the tool in question. You can download a copy here [*], or you can view it on GitHub here [*].

Once a hacker gets comfortable with a tool, they tend to keep using it. That implies the YARA rule is useful at tracking the activity of that hacker, to see which other attacks they’ve been involved in, since it will find the same web shell on all the victims.

The problem is that this P.A.S. web shell is popular, used by hundreds if not thousands of hackers, mostly associated with Russia, but also throughout the rest of the world (judging by hacker forum posts). This makes using the YARA signature for attribution problematic: just because you found P.A.S. in two different places doesn’t mean it’s the same hacker.

A web shell, by the way, is one of the most common things hackers use once they’ve broken into a server. It allows further hacking and exfiltration traffic to appear as normal web requests. It typically consists of a script file (PHP, ASP, PERL, etc.) that forwards commands to the local system. There are hundreds of popular web shells in use.

We have little visibility into how the government used these IoCs. IP addresses and YARA rules like this are weak, insufficient for attribution by themselves. On the other hand, if they’ve got web server logs from multiple victims where commands from those IP addresses went to this specific web shell, then the attribution would be strong that all these attacks are by the same actor.

In other words, these rules can be a reflection of the fact the government has excellent information for attribution. Or, it could be a reflection that they’ve got only weak bits and pieces. It’s impossible for us outsiders to tell. IoCs/signatures are fetishized in the cybersecurity community: they love the small rule, but they ignore the complexity and context around the rules, often misunderstanding what’s going on. (I’ve written thousands of the things — I’m constantly annoyed by the ignorance among those not understanding what they mean).

I see on twitter people praising the government for releasing these IoCs. What I’m trying to show here is that I’m not nearly as enthusiastic about their quality.

Note#1: BTW, the YARA rule has to trigger on the PHP statements, not on the imbedded BASE64 encoded stuff. That’s because it’s encrypted with a password, so could be different for every hacker.

Note#2: Yes, the hackers who use this tool can evade detection by minor changes that avoid this YARA rule. But that’s not a concern — the point is to track the hacker using this tool across many victims, to attribute attacks. The point is not to act as an anti-virus/intrusion-detection system that triggers on “signatures”.

Note#3: Publishing the YARA rule burns it. The hackers it detects will presumably move to different tools, like PASv4 instead of PASv3. Presumably, the FBI/NSA/etc. have a variety of YARA rules for various web shells used by know active hackers, to attribute attacks to various groups. They aren’t publishing these because they want to avoid burning those rules.

Note#4: The PDF from the DHS has pretty diagrams about the attacks, but it doesn’t appears this web shell was used in any of them. It’s difficult to see where it fits in the overall picture.

(**) No, not really. Apparently, kicking out the diplomats was punishment for something else, not related to the DNC hacks.

(***) It’s not clear if these “sanctions” have any teeth.