Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)


Lights Out: A Modern Tragicomedy


I had heard that Ted Koppel was making the rounds on TV trying to pimp his book on the end of the world as we know it through cyber. Of course I instantly knew it would be utter trash, a tissue of assertions and half-assed reporting relying on government and beltway bandit quotes that likely would enrage me. How little did I know about the true scope of fuckery and rage that would ensue from reading its breathlessly penned pages about our coming Armageddon. Once again we have a reporter who does not really do his homework and takes the word of people with interests over the realities of those who work in the industry at the scene of the crime.

From the first pages we are being told that the grid is vulnerable to attack. Not just physical attack, no, worse, more scary, the dreaded CYBER attack. Of course as you delve deeper into the book you do not get any kind of technical interviews with white hat hackers or security experts other than those bottom feeders such as former NSA directors and Richard Clarke. All of these players who worked (past tense) in the government that failed to secure all the things and who now offer services as board members and pitch men. You see, no one interviewed in this book actually has hacked anything.

But trust us.. The grid will go down if attacked by the CYBER.

I will not bore you with recalling the rest of this awful book. Truly, do not buy it and certainly do not read it if you want to know anything about the potential for the power going out more permanently. Instead, I would like to give you a primer on how hard it would be to actually take the whole grid down. I would also like to show you just how hard it would be to take great sections of it out as well. Neither of these scenarios is easy and neither of them is something we will not recover from. All of the bullshit around the bugaboo that the grid could be taken out by Da’esh is fantasy for the most part and a tool to scare the public by halfwits looking for clicks or book sales.

Are there issues with the grid? Yes, there are. Could damage be done that could cause a lot of consternation and perhaps even deaths? Yes this could happen in pockets of our society. These things are true but a systemic outage across the whole of the country that would cause severe, unrecoverable damage to the grid as a whole is not probable. In fact, it may not even be possible and I plan on telling you here why. By going through the internet and seeking out data from experts, governmental files, and papers by doctoral candidates as well as those who own and operate the power systems I can give you the data you need to see what the truth of the matter is.

However, let me break this down into small consumable bullet points for you.

  • Even a nation state with capable hackers could not own every system effectively enough to take them all down simultaneously
  • Even if systems are hacked and malware like Stuxnet implanted, it still takes a kinetic attack to damage many of the systems out there that transmit the power as well as generate it. Malware alone will not kill the grid.
  • Current activities in gridsec and grid technologies are making these scenarios even harder to implement due to the nature of the diaspora that is power generation and transmission
  • Certainly sections of the grid could be taken down and have in the past. All you need do is Google Squirrel+blackout and you will see how their kinetic attacks caused systemic failures that caused outages.
  • Frankly, an X-Flare has a higher probability of taking out the grid as a whole should one hit the US. This should be a real concern and the companies and government should be looking to shield against EMP but they aren’t.

So all the bleak punditry about how the grid could be taken down by hackers using Shodan is really just sensationalistic bunkum. Of course there have been a couple of interesting theories, one that made some news back in 2008 I believe was a paper by a student on a cascade effect that could black out the grid. This possible attack might be the only one that would work but the control over the disparate systems involved to make it happen is almost impossible really. Another theory was one put forth by the government itself when they performed the AURORA experiment. This particularly relies on attacking nine points on the grid (power gen and transfer) that could be the genesis of a cascade attack.


It is the cascade attack that should trouble people but this is not really explained by most of the purveyors of FUD like Koppel. The real scary point about the cascade effect though is that the attack, if successful, would take out the LPTs and those by their nature are costly and take years to build. They are also on backorder so there is that too. If you take these out, and there are no replacements then you are pretty much stuck in the 19th century in certain areas until you get one replaced. Now once again I will tell you that to take them all out at one time is damn near impossible unless you have an X-Flare that covers the whole grid with an EMP.


So where does that leave us? Well, that leaves us with scary scary ideas but little follow through on actual means to that end. Of course now the big scary scary is over the CYBER right? And when they say CYBER they really mean SCADA, ICS, and HMI technologies that monitor and control the big hardware that generates and transfers the power from the generation plant to you. Now consider that there were as of 1996, 3,195 electric companies in the US that handle generation and transmission of power. That is a lot of targets to get into and control effectively, in tandem, to create a super grid blackout. All of this is going to be done by attacking their SCADA? Are there really that many of these things that are internet routable anyway? This means that the adversary would have to really hack the majority of them and have major footholds in all to access the networks to get at the systems that may not be networked to their non air gapped networks.

Think this through people.


This is just not a real tenable plan to start with and then you have to consider just who would try to pull this off and why. If you take out the grid in the US sure you cause mayhem but we have military bases all over the globe. We have ships and subs at sea. We have the capacity to bomb the shit out of anyone we think carried off such an attack. So really, unless you attempt this a la some scenario like “Red Dawn” with planes in the air and boots on the ground, you pretty much don’t win. Many of these scare pieces don’t go into the semantics of attack and counter attack, they only cry havoc about how we are CYBER doomed and the grid is a scary scary thing. It makes my ass tired even thinking about all these idiots out there talking to the likes of Richard “Dr. Cyberlove” Clarke and believing them.

Stop the madness.

In the end yes, sections of the grid could go down and yes, they could be down for a while because of the nature of the hardware and its replacement. It would be inconvenient but it would not be the end of the world. It also would likely be more the action of Squirrels or tree limbs rather than a clandestine hacker attack on our SCADA systems. So everyone needs to just calm the fuck down and breathe. What you really should worry about is some form of EMP that melts everything and puts the whole of the country down, and really once again, that is the only scenario I buy into on this matter. If we have another Carrington Event, we are well and truly fucked.

Anyway, don’t give Koppel any money…

K.

READING MATERIALS

UPDATE: I left a review of this book on Amazon and the one response back was this:

Screenshot from 2015-11-09 11:07:53

I guess I am no Dick Clarke so meh, nevermind.

Written by Krypt3ia

2015/11/06 at 19:51

Cryptofuckery: Comey, OPM, YOU.


I watched in ever increasing fits of rage as the hearings proceeded. First it was the five hearings on the OPM data loss and failures therein, then it was the two hearings on “going dark” featuring James Comey. By the end I was a seething mass of hate gnashing my teeth and using the last nearly shredded synapse I had left to parse the fuckery I had seen.

OPM:

What was all this? How did we get here? How the holy hell did our government completely abdicate its responsibilities around secret information that was used to grant people secret and top secret clearances? I sat mouth agape in rage as I watched Archuleta mumble and stumble her way toward insufficient if not blatantly obfuscated answers to the senators on what and how things had happened. It was clear by the mid point that we had been fucked collectively by the US government who consistently says “trust us” then turns us over and fucks us in the ass.

Now we hear that there actually were approximately 22 million people whose personal data was stolen by god knows who, though really can we trust that figure? I mean how many times did Archuleta say she did not know how many to the senators? How many though is a relative thing when you are not logging, which now we also know per the CIRT team that testified in one of the hearings. When you aren’t logging it is like every day is a day in Vegas baby.

Fucking hell.

Meanwhile everyone is atwitter about the “who” that did it and the OPM and their minions are crying APT and CHINA! Well, what evidence has been presented that it was in fact China?

Oh, yeah, “trust us”

So, an org that wasn’t properly logging, wasn’t following recommendations from the IG, and had a terrible security record that included not hiring people who knew what they were doing but double and triple tasked current employees to be security is going to tell me definitively that China did it. Sure, I will just believe the fuck out of that. The reality though is that I can believe it was China since I have not seen any data for sale in the darknets and this is their modus operandi but that is cold comfort here. It could have been Russia, it could have been DPRK for all we really know and this can be said because once again, they weren’t logging and they weren’t practicing security due diligence so the bar to entry there was low.

For fuck’s sake, with what we know now it could have been little Billy in his bedroom with the sticky tube socks who hacked OPM right?

By the end of the hearings I had a massive headache and needed a bottle of whiskey to kill the memories and the pain. Do not get me wrong here people, this is no news to me. You see I once did some work in the gov space and in fact worked in the DOI where that server was housed by OPM (yeah, not even in their own space) and I know how that government sausage was made. I especially loved how I was lied to by employees, to my face, only to show them the actual scans and pentests that proved they were lying. Obviously nothing has changed since I was there many years ago.

The moral of this story though is not only about the lack of due diligence but I wanted to focus on the cryptofuckery that was on every senator’s lips.

“Why weren’t those files encrypted Mrs. Archuleta?”

Every time this question was asked I just wanted to yell at the tiny screen.

“NO YOU FUCKERS THE CRYPTO WOULD NOT MATTER! YOU DON’T FUCKING GET IT!”

I shook my impotent fist in the air and grumbled over and over but as you would expect it is to no one, since no one listens anyway. The fact of the matter though is that many in the world misapprehend what crypto is and does. A database that is encrypted and is live is not encrypted. The data is encrypted at rest, not while users have active access to it!! So it is useless to hang your hat on the crypto argument in the debate over OPM failure but the senate and the genpop just don’t get that.

Here it is for you all in plain lingo:

If the system is live and the user who has access to it is pwn3d then FUCK ALL matters crypto ok? Own the endpoint and you own the whole thing. I sense a Game of Thrones quote here somewhere but I just can’t put it together.
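The point above about live access, as an added example that is not part of the original post: a hypothetical `RecordStore` whose records are encrypted on disk but decrypted for any valid session. The class, the session tokens, the sample records and the toy HMAC-SHA256 stream cipher (a stand-in for real at-rest encryption) are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

def keystream_xor(key, nonce, data):
    # Toy stream cipher (HMAC-SHA256 in counter mode) standing in for real
    # at-rest encryption; the same call encrypts and decrypts.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

class RecordStore:
    # Hypothetical service: ciphertext on disk, plaintext for any valid session.
    def __init__(self, sessions):
        self._key = os.urandom(32)   # held by the running service, not by users
        self._sessions = sessions    # session token -> user name
        self.disk = {}               # what a copied file or backup contains
        self.audit = []              # one (user, record id) entry per read

    def put(self, rid, plaintext):
        nonce = os.urandom(16)
        self.disk[rid] = nonce + keystream_xor(self._key, nonce, plaintext)

    def read(self, token, rid):
        user = self._sessions.get(token)
        if user is None:
            raise PermissionError("no valid session")
        self.audit.append((user, rid))          # the logging step
        blob = self.disk[rid]
        return keystream_xor(self._key, blob[:16], blob[16:])

def bulk_readers(audit, threshold):
    # Users who read at least `threshold` distinct records.
    seen = {}
    for user, rid in audit:
        seen.setdefault(user, set()).add(rid)
    return sorted(u for u, rids in seen.items() if len(rids) >= threshold)

def demo():
    store = RecordStore({"tok-analyst": "analyst", "tok-clerk": "clerk"})
    for i in range(20):
        store.put(i, f"record {i}: constructed sample".encode())
    copied_file = store.disk[3]                  # disk-level theft: ciphertext only
    store.read("tok-clerk", 3)                   # ordinary single lookup
    via_session = [store.read("tok-analyst", i) for i in range(20)]  # hijacked session
    return copied_file, via_session, bulk_readers(store.audit, 10)

if __name__ == "__main__":
    print(demo()[2])
```

The copied file is unreadable without the service key, while the session path returns every record in the clear; only the audit trail distinguishes the bulk read from the clerk's single lookup.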

JESUS FUCK.

Comey The Backdoor King:

Then the hearings for “Going Dark” came and the derp parade was in full derp regalia. James “back door” Comey came to the senate to beg the question:

“What’s so bad about backdoors on crypto? I mean, trust us, we are the government!”

I sat agog once again as this guy took every opportunity to say “Well, I am not an expert but I see no problem with doing this” repeatedly to the senators. Senators mind you, that did not really take him to task. Instead they listened and nodded and agreed that ISIS is scary and that terrorism was as well. The odd thing though was that if you listened closely enough, Comey was not predicating all of this on Islamic terror but instead “regular crime.” He chose to use the old pedophile routine and the obvious child kidnapping scenario to make his case.

It was Jack Bauer all over again except this time Jack was tearing the fingernails off of someone to get their crypto keys because the gubment did not have an easy access backdoor to just decrypt the everything. This is the same argument that we almost saw behind the scenes post 9/11 that got us to where we are today with global pervasive surveillance in the post Snowden era. The only difference this go around is that Comey is asking and the senate and us are watching. This time we at least get to watch and say “WHAT THE FUCK?”

Well, the hearing went on and on while Comey said the same thing again and again “We need this and I don’t think it’s a bad thing, I mean, there has to be a way right?” Contrary to what the experts did say though, that a back door, front door, side door, whatever, degrades the efficacy of the crypto and it should not be done at all. Never mind the whole issue of thinking that we live in an Orwellian dystopia now with pervasive surveillance, add to that that the government would have access, warrant or not, to a universal back door to cryptographic systems. This would be the shit sammich on top of the shit sundae we have today not to put too fine a point on it.

No Comey. Just. No.

Alas though we will see what the senate has to say and the rest of our “august” body we call our government. Kids, we are well and truly more fucked than we were before and I am afraid it is only going to get worse. Back door access to crypto will not help, people will come up with ways to use crypto that is not back door accessible and I am fucking sure that the terrorists and other bad actors will carry on as they have. No Comey, it’s time you did your fucking jobs and got more people into the HUMINT space not just back door all the things.

If I were you all… I would start coding new crypto programs or start printing one time pads.

K.

Written by Krypt3ia

2015/07/11 at 12:52

Posted in .gov, FUCKERY