Risky Business #458 -- Reality Winner, Qatar hax and Internet regulation calls

PLUS: Special guest Samy Kamkar!

On this week’s show we’re covering off all the big news of the week: the arrest of Reality Winner, the apparent hacks that have ratcheted up the political crisis in Qatar and the renewed calls for Internet companies to be more government-friendly.

In this week’s feature interview we catch up with Samy Kamkar to get his take on what the lowering cost of hardware-based hacking could mean for our increasingly automated world. And in this week’s sponsor interview we chat with Duo Security’s Pepijn Bruienne about some recent attacks against the Mac OS software supply chain.

Big thanks to Duo Security for sponsoring this week’s show. Duo makes all manner of kick-ass two-factor authentication solutions; you can check them out at Duo.com.

You can add Patrick, or Adam on Twitter if that’s your thing. Show notes are below…

Patrick is taking a vacation. Risky Business will return on June 28

Risky Business #457 -- Shadow Brokers turn to ZCash, plus special guest John Safran

This week's feature is a bit different...

On this week’s show we’re taking a detour: This week’s feature interview has absolutely nothing to do with infosec. But it is related to the Internet. Sort of. If you squint a little.

This week’s feature guest is John Safran. He’s been gracing television screens here in Australia for nearly 20 years, but John is also a rather brilliant author. I’ve just finished reading John’s new book, Depends what you mean by Extremist, Going Rogue with Australian Deplorables. Honestly, it’s fascinating enough for me to just squeeze it into this show.

Basically John wrote a book about the year and a half he spent hanging out with all sorts of extremists; Left-wing Marxists, anarchists, right wing anti-Islam types and even Islamic State supporters, some of whom are now up on terror-related charges.

I speak to John about the Internet’s influence on extremism, as well as extremism in general. I highly, highly recommend this book. It’s a fascinating look at the contemporary political landscape through the eyes of extremist movements of all flavours, and it’s not a tough read. It’s actually quite funny and it’s really the most on-point thing I’ve read in a long, long time.

This week’s show is brought to you by Bugcrowd, big thanks to them! And in this week’s sponsor interview we’ll chat with Casey Ellis, Bugcrowd’s founder and CEO. Now that outsourced bug bounties have gone mainstream, we know more what they’re for and how people find them useful. So we speak to Casey about how a lot of orgs are basically just throwing the lower value testing out to bounties to free up their infosec teams to do higher value work. We talk about that and a couple of other points.

Adam Boileau, as always, drops in to discuss the week’s security news!

You can add Patrick, or Adam on Twitter if that’s your thing. Show notes are below…

I got a detail wrong in my latest conference talk

But hey, it's a good excuse to write something...

During last week’s AusCERT conference I did a 50 minute talk that reflected on a 15 year career writing about information security. It was a repeat of the talk I did at BSides Canberra in March.

It covered thoughts on attribution, fake activist groups (Guardians of Peace, Cutting Sword of Justice etc), the possible motivations of high-impact leakers (Mark Felt, Chelsea Manning, Edward Snowden) and the need to create norms around acceptable state behaviour when it comes to computer network operations.

In the leakers section I got a detail wrong and I want to correct it. Hopefully I’ll convince you that in context of what I was talking about the error doesn’t actually change all that much.

That whole section of the talk was really written to put forward the case that leakers have complicated motives. Even when leaks are in the public interest, it doesn’t mean that the leakers’ motives are as pure as the driven snow.

I speculated that perhaps FBI deputy director Mark Felt, better known as Watergate source Deep Throat, might have been tactically leaking against people who stood in between him and the FBI directorship. He loathed both Nixon and FBI director L Patrick Gray (no relation) and only lasted another month at the bureau after Gray got the knife and was replaced by William Ruckelshaus.

So that’s a theory: His leaks brought down the people in his path, but in the end he didn’t get the top job, so he resigned. I wasn’t trying to prove Felt was motivated by self interest, just that it’s a plausible motivator.

I also spoke about Chelsea Manning. She was relentlessly bullied during her time in the army, frequently clashing with both her superiors and the rank and file. I have no doubt that Manning is indeed, as she claims, a pacifist. But I also have no doubt that the relentless bullying influenced her decision to leak. She was isolated and miserable, but found a friend in Wikileaks’ Julian Assange. I sincerely believe there was an element of rage underpinning those leaks. Some revenge. (And honestly? Fair enough. The military failed her, big time.)

Eventually I boil the whole thing down to these factors: Self interest, public interest, ego, rage and combinations of the four.

To explore ego as a possible motivator, I spoke about Edward Snowden. Snowden always strived for great things but didn’t quite make the grade. He wanted to be a special forces soldier, he failed. He wanted to be NSA TAO, he failed. But when he leaked massive amounts of NSA documents, he could invent himself as anything he wanted, and he has. But a bunch of his public statements about his experience at NSA seem pretty shaky, bordering on outright bullshit.

It’s been nearly four years since Snowden went public with his leaks. In the talk I said it feels to me like something is off about the guy. Details have filtered out through the grapevine, and they tend to clash with his public statements.

It’s clear, for example, that he massively overstated his seniority at NSA. And parts of his story just don’t line up. I’m not talking about the conspiracy theories that a foreign power put him up to it or he was some sort of spy – I think that’s really, really unlikely – it’s more that he misled on things that are basically inconsequential, like his reason for washing out of his military training. He also failed to correct some really shitty reporting on his leaks.

We’re getting to the mistake, hang in there.

As an example of Snowden coming across as less than totally honest I cited his non-reaction to an article written for The Guardian about the so-called PRISM program in 2013. In that piece, Greenwald writes: “The Prism program allows the NSA, the world’s largest surveillance organisation, to obtain targeted communications without having to request them from the service providers and without having to obtain individual court orders.”

In my talk I described that as totally wrong, but it’s actually only mostly wrong.

There was no “direct access” and NSA did actually have to request this material from the service providers. That’s been established. The part I got wrong is that NSA doesn’t actually have to obtain an individual court order from the court for every selector tasked. In my talk I said it did.

Selectors are created under FISC oversight, but the court’s job is to ensure the compliance of those selectors to the rules it established and maintains, not to green-light each selector.

Over the last few years I’ve chatted with people who are familiar with this program. For their part, the technology companies mentioned in the PRISM program stories were all baffled when the story broke, both publicly and privately. Greenwald made it seem that the NSA had unfettered access to their servers. Their response, in most cases, is that they would only hand over data to the authorities if there was a valid court order.

So, over the years I’ve asked some people who’d know to tell me about the process that NSA goes through to “task” collection on an individual using PRISM.

They said that in order to obtain information from a company like, say, Facebook, they’d have to start by preparing a “FISA package”. This means they’d have to put together a case that could show the proposed target isn’t a US citizen, is not in the USA, and that intercepting their data is likely to reveal something of importance to national security.

These packages are worked up – that process involves senior NSA staff – then the package is sent up the chain for authorisation. When authorisation is granted, it’s the FBI, not the NSA, that approaches the technology company and asks it to hand over the data.

And here’s where I made the mistake: The tech companies said they hand over data based on court orders. People familiar with the NSA side of this program described the authorisation process for each individual target. I mistook these two data points as meaning the FISA court was authorising each individual collection. It doesn’t.

The package is actually sent off to the Office of the Director of National Intelligence (ODNI) and Department of Justice (DoJ) for post-tasking review. You can read about that process here. That’s the detail I got wrong.

But the FISA court is involved. It oversees and mandates the process through which the validity of selectors is determined, and there was regular review of the rules around tasking. Everyone tells me these rules were strict and adhered to rigidly. That’s not to say mistakes aren’t made. In a post-Snowden review, NSA found 0.4% of PRISM tasking accidentally collected the information of people who were either located in the USA (not allowed) or US citizens (also not allowed).

I realised I got this detail wrong when fellow AusCERT attendee Troy Hunt posted a picture of my slide that referenced FISC authorisations for individual selectors. Just looking at that slide in isolation I had a funny feeling.

So I went back to my notes and some source documents and realised I’d made the mistake. I asked Troy to remove the Tweet, not because I’m trying to hide my mistake, but because I don’t want people to believe something that isn’t true. It was a typical case of a non-lawyer getting something law-related wrong.

That said, I don’t think it really changes my argument with regard to Snowden. Even though some people may see ODNI and DoJ selector authorisation as inferior to direct authorisation by a court, albeit a secret one, the fact remains that none of the reporting even acknowledged any oversight or even a process for tasking.

Take this Ed Snowden quote: “I, sitting at my desk, certainly had the authorities to wiretap anyone, from you or your accountant, to a federal judge or even the President, if I had a personal e-mail,” he told The Guardian.

No, Ed, you didn’t.

In the case of PRISM I’m pretty sure the NSA senior staff might object, given collection against US citizens is verboten under 702. If they didn’t then ODNI or DoJ might have some feelings about it. And if they let it through my guess is the FBI might actually think something was wrong if you were trying to task collection on the US president.

Even if he wasn’t talking specifically about the PRISM program in that instance, everyone I’ve ever known who spent any time at a Five Eyes SIGINT agency tells me the same thing – everyone’s searches are logged and audited no matter what the program. The compliance hurdles and internal rules are universally described as a pretty serious (but necessary) pain in the ass.

This next part is important: I’m not an expert in intelligence oversight, and I can’t say whether the NSA’s oversight is appropriate or not. But I can say that it’s just crazy to write up stories about these programs without even mentioning the tasking procedures, auditing and oversight. These stories have convinced people that individual NSA operators could simply spy on whoever they like, using direct access to the back-end servers of major Internet companies. It’s just not correct.

My argument is Snowden’s silence following the publication of some of these stories is a massive red flag when it comes to his credibility.

But because he painted himself as a truth-telling whistleblower, Snowden was able to convince some journalists and many among the public that he was the only source who could be trusted when it came to discussing these programs. Everything else, his supporters say, is disinformation.

Of course, there has been legitimate public interest in Snowden’s disclosures. The NSA had been doing some pretty shady shit, most notably the (since discontinued) 215 phone metadata collection program. But that doesn’t make Snowden himself a saint. He’s not. He is what I’d charitably describe as “properly weird”.

In telling that story, I did get a detail about oversight wrong. Sorry about that!

Risky Business #456 -- Your MSP *will* get you owned

PLUS: Shoddy infosec marketing and the news with Adam...

On this week’s show Adam pops in to discuss the week’s news. (Links below) After the news segment Adam and Patrick both chat about topics near and dear to their hearts: Shoddy infosec marketing and shoddy MSP security.

This week’s show is brought to you by WordFence, a company that makes a WordPress security plugin. It’s not so much an enterprise security tool, but it turns out that when you run two million WordPress plugins you wind up collecting some pretty valuable threat intel and IOCs. WordFence’s Mark Maunder joins the show this week to talk about WordPress security and malware distribution!

You can add Patrick, or Adam on Twitter if that’s your thing. Show notes are below…

Risky Business #455 -- What a mess

A podcast about The Shadow Brokers, DPRK, NSA, Microsoft and WannaCry...

On this week’s show, of course, we are taking a deep dive on WannaCry. Most of the coverage of this debacle has actually been pretty bad, and there’s been nothing that I’ve seen that even approaches being comprehensive, so we’re going to try to fix that in this edition of the show.

This week’s show is sponsored by Cylance, which, it must be said, didn’t “ambulance chase” this interview, they booked this sponsor slot in January this year.

Cylance CEO Stuart McClure joins the show this week to talk about ambulance chasing, why it is that we still don’t have a decent technical analysis of WannaCry and he generally gives us an industry view on this thing.

Links to items discussed in this week’s show have moved – they’re now included in this post, below.

Oh, and do add Patrick, or Adam on Twitter if that’s your thing.

Risky Business #454 -- Intel AMT latest, TavisO's horror-show Windows bug, Macron leaks and more!

PLUS: Antonio Sanso talks OAuth...

We’ve got a real bread-and-butter show for you this week. Adam is along in this week’s news segment to talk about the latest on the Intel AMT bugs, Tavis Ormandy’s horror-show Windows Defender bug, the Macron email dump and more.

In this week’s feature interview we speak with Adobe security engineer and OAuth 2 in Action co-author Antonio Sanso about what companies like Google might be able to do to make their OAuth implementations a little safer for users… Which, you know, might be something worth considering given an OAuth-based phishing attack was able to compromise something like a million Google accounts the other week.

This week’s show is brought to you by Thinkst Canary! Canary is of course the wonderful little hardware honeypot device Thinkst makes that you can plug into your network that’ll let you know when you have attackers on your LAN. Thinkst’s head of development, Marco Slaviero, joins the show this week to talk about the CIA’s leaked watermarking solution Scribbles, as well as to talk a little about Thinkst’s so-called “bird guide”. It’s a document (linked below) with a bunch of advice for those of you considering using honeypots.

Links to items discussed in this week’s show have moved – they’re now included in this post, below.

Oh, and do add Patrick, or Adam on Twitter if that’s your thing.

Risky Biz Soap Box: A microvirtualisation primer with Bromium co-founder Ian Pratt

a.k.a. how to run Java plugin on IE8 and not die!

This Soap Box edition is all about desktop microvirtualisation! Bromium has been around for about six years now, and they make an endpoint security package that is really, really different to other solutions in the market. The whole thing hinges on what they call a Microvisor, which amounts to hardware-enabled isolation on your desktop.

Bromium’s software is basically a way to virtualise user tasks, whether that’s working on a Word document or browsing an exploit-riddled lyrics website with Java and Flash enabled, the idea is if an exploit gets dropped on you it gets trapped in a micro-VM.

Personally, I’m a big fan of Bromium’s stuff. One of the things that kind of hindered the adoption of this tech in its early days is that it relies on CPU features that were basically new six years ago, so not everyone could run it. There was also a bit of a UX hit. But there’s good news! Hardware refresh cycles have taken their course, and now running Bromium’s software is viable in almost all enterprises.

Where this goes from being interesting to downright compelling is if you’re an enterprise forced to run vulnerable software. I’m thinking specifically of old browsers running things like Java. In many organisations, running out-of-date crapware is a business requirement.

Well, running Bromium on those endpoints will basically solve that problem. Sure, nothing is magic, but by the time you’ve finished listening to this conversation with Bromium co-founder and President Ian Pratt, I think you’ll definitely want to take a look at the tech. You should take a look at the tech, because it’s borderline impossible to solve that problem any other way.

I hope you enjoy it!

Risky Business #453 -- The Intel bugs: How freaked out should you be?

PLUS Claudio Guarnieri and Alex Rice talk Flexispy and bug bounties...

On this week’s show we’re looking at an issue that kicked up last week when creepware scumbags Flexispy announced they were moving their bug bounty program to HackerOne. VICE journalist Joseph Cox asked HackerOne CEO Marten Mickos if he’d be happy to host their program, and his answer is as follows:

“Any company that operates legally within its jurisdiction, treats our hackers with respect and takes vulnerability disclosure seriously is generally welcome to run their program on the HackerOne platform. Improving the integrity of all connected software is to the benefit of the digital society.”

A lot of people, myself included, didn’t react so well to that line of thinking. HackerOne CTO Alex Rice suggested he come on the show to talk about the company’s stance. As you’ll hear, Alex is pushing a much softer line than his CEO, but still says this is complicated. Stay tuned for that, at times, excruciating interview.

This week’s sponsor interview is with Signal Sciences CSO and co-founder Zane Lackey. Zane was the head of security at Etsy, but he moved on to found Signal Sciences, a company that is making webapp security software that by all reports is pretty damn good.

He joins us in the sponsor slot this week to talk about Devops, WAFs and a whole bunch of other fun stuff.

Adam Boileau, as usual, drops by to discuss the week’s news.

Links to items discussed in this week’s show have moved – they’re now included in this post, below.

Oh, and do add Patrick, or Adam on Twitter if that’s your thing.

Risky Business #452 -- Are Wikileaks charges a threat to press freedom?

Brookings fellow and former NSA attorney Susan Hennessey joins the show...


Over the last week or so there’s been mounting speculation that the US government is getting serious about preparing charges against Wikileaks founder Julian Assange. The question is, could these charges threaten press freedom?

Joining us to discuss that this week is Lawfare’s managing editor Susan Hennessey.

This week’s show is brought to you by Senetas. Senetas makes layer two encryption equipment, but today they’re joining us to talk about some work it’s doing with ADVA Optical Networks in marrying its tech with some SDN stuff done at the telco level.

Links to items discussed in this week’s show have moved – they’re now included in this post, below.

Oh, and do add Patrick, or Adam on Twitter if that’s your thing.

REPOSTED (SEE NOTE): Risky Biz Snake Oilers: Roll up roll up! We've got a fix for what ails ya!

Four turbo pitches in one podcast...

NOTE: We had to re-post this. Originally we linked to the wrong mp3 (soapbox1 instead of snakeoilers1). It was rectified within about five minutes, but caches gonna cache, so we’ve reposted it. Sorry if you downloaded it twice!

This is the first ever Snake Oilers podcast from Risky.biz. It’s a wholly sponsored podcast in which vendors pop in and take 10 minutes each to pitch the audience on their stuff. The idea behind this whole thing is so that infosec buyers can actually hear a bunch of ten minute pitches without having to go to lunch with a salesperson with giant shiny teeth who doesn’t really understand what they’re selling.

These are product pitches from people who actually get the technology. And you know what? Even if you’re not a technology buyer, you’ll probably still find a lot of this interesting – it’s good to know how vendors are slicing and dicing some of the challenges we all face in security.

In this edition:

  • Exabeam says it can save you buttloads of cash compared to other SIEM solutions like Splunk or ArcSight.
  • Senetas urges you not to use babby’s first encryptor cards and opt for its 100Gbps full line rate layer 2 encryptor instead.
  • Kolide pitches its osquery-based EDR solution. If it’s good enough for Facebook, it’s good enough for you!
  • Senrio pitches its impressive IoT network sensor and developer tools.

Links below!

Risky Business #451 -- Shadowbrokers nothingburger edition

Adam, Pipes talk Shadowbrokers...

On this week’s show we talk about the latest Shadowbrokers shenanigans with Adam, as well as all the other major security news of the last couple of weeks.

After that we’ll be chatting with Adam’s colleague at Insomnia Security, Pipes, about the interesting aspects of the dump – what did it teach us about how NSA rolls? Well, quite a lot, as it turns out. And yeah, the 0day bugs aren’t the interesting bit.

This week’s show is sponsored by Tenable Network Security. This week Tenable’s VP of federal, Darron Makrokanis, will be along to talk about how to speed up federal government adoption of new tech – what’s the best way for that to happen? That’s this week’s sponsor interview!

Links to items discussed in this week’s show have moved – they’re now included in this post, below.

Oh, and do add Patrick, or Adam on Twitter if that’s your thing.

Risky Business #450 -- From Mirai to mushroom clouds in five easy steps

Josh Corman walks us through the horror of the cyber 9/12 student challenge...

This week’s show is a fun one! We’ll be chatting with Josh Corman, the Atlantic Council’s Director of Cyber Statecraft. We’ll be speaking with him about an exercise he did recently with a whole bunch of students. Basically the whole thing was a simulation where students walked through various scenarios and had to respond. Unfortunately, Josh discovered that most students had a predisposition to escalating things unnecessarily. From Mirai to mushroom clouds, that’s this week’s feature interview.

This week’s sponsor interview is also an absolute corker. Rapid7 is this week’s sponsor. In addition to making enterprise security software and running a pentest practice, Rapid7 also spends a considerable amount of time and money on developing Metasploit.

Rapid7 research director Tod Beardsley and director of transportation security Craig Smith join the show this week to talk about some recent changes to Metasploit that I’m amazed haven’t made a bigger splash. You can now run Metasploit against a CAN bus and they’ve built an RF module as well. That is absolutely awesome stuff, coming up in this week’s sponsor interview, with special thanks to Rapid7!

Adam Boileau, as always, joins us to talk about the week’s security news.

Links to items discussed in this week’s show have moved – they’re now included in this post, below.

Oh, and do add Patrick, or Adam on Twitter if that’s your thing.

Risky Biz Soap Box: Senrio tackles IoT problem for CISOs, developers

Industry legend Stephen Ridley's tech is here, and it's pretty sweet...

Soap Box is back! This time we’re chatting with Stephen Ridley and Jamison Utter about the tech Stephen has launched: Senrio Insight and Senrio Trace!

This is a fully sponsored blabfest about IoT security. Specifically, we drill into two different problems Senrio is trying to solve. The first is how the hell you deal with monitoring IoT on your network, especially when you can’t do DPI because of HIPAA. If you’re a CISO from a hospital, you will be very interested in this part of the podcast.

Then we talk about IoT security approaches for developers. Not only has Senrio developed a boring old network sensor to remedy the dumb but profitable-to-solve problem, they’ve also created a developer toolkit for manufacturers of IoT devices who need to be able to monitor them in the field.

Stephen Ridley is a bona fide expert on IoT. So much so, he used to actually train NSA staff on hacking IoT devices. Personally I think when you’re training NSA on how to own stuff, that makes you a genuine expert.

Jamison Utter, Senrio’s VP of Field Operations, also joins us for this podcast. I hope you enjoy it!

To book a demo with Senrio, click here.

Risky Business #449 -- Machine Learning: Woot or woo?

PLUS: Dan Guido talks mcsema and control flow integrity...

On this week’s show I’ll be playing part two of my interview with In-Q-Tel’s chief security officer Dan Geer. That’s all about machine learning in infosec. Is it actually going to turn into something? Or is it just another infosec thought bubble?

This week’s sponsor interview is with Dan Guido of Trail of Bits.

Trail of Bits is a New York-based security engineering and testing company that does very interesting work. They don’t just break apps, they actually work on securing them. With that in mind, Dan’s team has been looking at implementing control flow integrity protections in various software projects. So we speak to him about LLVM’s approach versus Microsoft’s Control Flow Guard, and what’s achievable. We also speak to him about mcsema, a tool they developed for lifting binaries into an intermediate representation.

Adam Boileau, as always, joins us to talk about the week’s security news.

Links to items discussed in this week’s show have moved – they’re now included in this post, below.

Oh, and do add Patrick, or Adam on Twitter if that’s your thing.

Risky Business #448 -- Dan Geer on cloud providers: Too big to fail?

PLUS Mike Hanley of Duo Security talks BeyondCorp...

We’ve got a great show for you this week. In-Q-Tel CSO Dan Geer will be along for a very interesting conversation about the major cloud providers. Are they too big to fail the same way some banks are? Does the efficiency of highly concentrated ownership of a large chunk of the world’s Internet service capacity make it less resilient? We talk about that and more in this week’s feature interview.

This week’s sponsor interview is also an absolute cracker. We’re speaking with Mike Hanley of Duo Security. Mike is the senior director of security at Duo, and he’s along this week to talk about Google’s BeyondCorp initiative.

BeyondCorp is Google’s vision for the next generation of enterprise environments and it has a lot to do with deperimeterisation. Mike is along this week to talk about that concept and how solid authentication is basically the first step in moving towards that vision. It’s really, really solid stuff, so do stick around for that one.

Adam Boileau, as always, joins us to talk about the week’s security news.

Links to items discussed in this week’s show have moved – they’re now included in this post, below.

Oh, and do add Patrick, or Adam on Twitter if that’s your thing.

Risky Business #447 -- Struts bug owns everyone, RAND 0day report and more

PLUS Dr. Vanessa Teague on computerised voting security...

On this week’s show Patrick and Adam have a look at the surprisingly great report about 0day prepared by RAND Corporation, as well as the other security news of the week. How ‘bout dat Struts bug, eh?

Dr. Vanessa Teague of the University of Melbourne also joins the show to talk about the latest developments around computerised voting. Vanessa is an expert on e-voting and she’s been in the space for a long time – she’ll be joining us this week to talk about how European authorities have been responding to the risks posed to their elections by outside parties, and we take a look at some voting security ideas for America.

This week’s show is brought to you by Netsparker. Netsparker is a black-box web application testing tool that aims to speed up webapp tests through automation. Netsparker’s creator Ferruh Mavituna is this week’s sponsor guest. He’s joining us to basically talk about what you can actually automate in webapp testing, but also about what you can’t automate. That’s a really interesting chat, one that the pentesters will love I’m sure.

Links to items discussed in this week’s show have moved – they’re now included in this post, below.

Oh, and do add Patrick, or Adam on Twitter if that’s your thing.

Russia is targeting "military digital" contractors

Hal Martin isn't the only one who takes work home with him...

A couple of days ago I suggested the “Vault 7” material posted by Wikileaks may have in fact been obtained from Hal Martin’s unauthorised exploit stash.

Now I think we’re dealing with something a little more, ahem, “comprehensive”.

For those who are unfamiliar, Hal Martin was an intelligence contractor working for Booz Allen Hamilton who, as it turned out, was also performing “unauthorised offsite backups” of some of NSA’s most sensitive material. He was arrested by the FBI last August.

The thinking is the data he took home included the Tailored Access Operations (TAO) implants and exploits disclosed by a group called “Shadow Brokers”, who were likely a front for Russian intelligence.

Martin’s “backups” were discovered when Shadow Brokers started auctioning the NSA implants on the Internet. The assumption we’re working under here is investigators took a look at some logs pertaining to the Shadow Brokers files and saw Martin had accessed the lot. From there, they no doubt would have done a full audit of his network activities.

Cue arrest.

He’d hoarded an incredible volume of material relating to CNE over his 23 years of intelligence contracting. Thanks to a recent court appearance, we also know that he had access to CIA files as well as NSA files. (Also NRO, DoD etc etc.)

Was Hal Martin the source of the Shadow Brokers files? Well, maybe, but he’s been charged with mishandling information, not working in cahoots with a foreign intelligence service.

That leads us to a tantalising theory: Hal Martin hoarded all these documents, and at some point an enterprising Russian CNE type took a poke around his home network and found them there. After all, he held a top clearance and did work for Tailored Access Operations as a contractor. That’s a home network I’d take a look at if I worked for an FIS, that’s for sure.

Flash forward to this week, and it’s the Wikileaks Vault 7 dump that has everyone talking. Again, everyone’s talking about contractors. In a media release, Wikileaks says the CIA “lost control” of the material, and it was being circulated among “contractors” who then provided the material to Assange and his buddies.

There are more than a couple of curiosities in all of this: CIA insiders have been quoted in recent reports as saying they already knew this material was “out there,” yet other reports claim the FBI is investigating the leak. But these two narratives bump into each other. How could CIA know, months in advance, about the specifics of what was leaked, but not know who leaked them? Have they and their NSA cousins been popping a few shells on a laptop at a certain Latin American embassy? Could they see the material arrive, but not tell where it came from?

Or does it mean that the FBI found this stuff on Hal Martin’s network when they kicked his door in and worked under the assumption that it was in Russian hands? But, if Martin was the source, why investigate?

So there’s obviously a piece missing, and I think I might have it. What if this is bigger than just Hal Martin?

It’s not widely known, but Russia has been collecting the personal information of “cyber” contractors with high clearances – like Martin – via human intelligence operations for at least several years. Counterintelligence officers know about this.

So let’s run another theory up the flagpole, that being:

  1. Russian intelligence services have realised intelligence contractors aren’t required to take their opsec and counter-intelligence training as seriously as their “on staff” counterparts.

  2. They have collected as much information on these contractors as possible via passive and active campaigns.

  3. They have then used that information to either directly compromise the contractors, or, more likely, their home networks. People have been taking stuff home they shouldn’t have.

  4. For whatever reason, Russia decided to burn its own campaign last year. That led to the Shadow Brokers fiasco.

  5. After weathering some opsec disasters related to the DNC and Podesta hacks, they decided to just dump the rest of the material on Wikileaks, knowing that Assange would do his job and launder the documents for them.

So it’s all just a theory, but it’s one worth floating: Russian intelligence services have owned the home networks of as many cleared contractors as possible, waiting for them to bring material home that they shouldn’t. If that’s what they’ve done, you’ve got to hand it to them, it’s definitely lateral thinking. What a pipeline of information!

If we see some leaked memos from the likes of Booz and Raytheon in coming weeks suggesting that hey, really, taking your work home with you is a really fucking bad idea, we’ll know there’s something to this.

It’s just a theory, but let’s see.

Risky Business #446 -- CIA tools doxed, plus osquery with Mike Arpaia

And all the other news!

On this week’s news we put Wikileaks’ latest dumps under the microscope and offer a few theories on what’s really going on.

We also have a chat with Mike Arpaia, the creator of osquery. osquery is an open source host-instrumentation agent that exposes operating system state (processes, users, listening ports and the like) as SQL tables, put together by Mike and his team when they worked at Facebook. These days Mike is trying to get it adopted more widely.

This week’s show is brought to you by Cyberark! And we’ll be chatting with Cyberark’s Chief Architect Gerrit Lansing. Cyberark makes software that manages privileged accounts, and we’ll be talking to Gerrit about privileged account management automation in this week’s sponsor interview.

Adam Boileau is along to discuss the week’s news.

Links to items discussed in this week’s show have moved – they’re now included in this post, below.

Oh, and do add Patrick or Adam on Twitter if that’s your thing.

Cyberwar via Cyberwar during War

I heard you like cyberwar, so I put a cyberwar in your war so you can cyberwar via cyberwar...

The Russians go to a lot of effort to hack the Ukrainian electrical grid and do “flick the light” cyber attacks.

These last a few hours, don’t really cause that much damage (compared to, say, shelling) and the military objective is clearly missing: there is never any follow-up or attempt to use “light flicking” as part of a combined arms operation. It is just considerable effort put into flicking the lights.

Here’s the thing: The only people absolutely terrified of flicking the lights as a cyberwar activity are the Americans (and the West in general). “Cyber light flicking” isn’t militarily useful and isn’t even some sort of “strategic bombing” version of cyber war. The Ukrainians, modern as they are, are probably stoic enough to suffer through a few hours of power outages in the middle of a shooting war.

Even American civilians have been known to survive for several hours without power, see CyberSquirrel1 for examples.

This light flicking costs money and burns cyber capabilities: the malware gets discovered, the vulnerabilities get patched, the access is lost. This isn’t free. Just planning and managing the operation is going to consume considerable time and resources. So these are expensive little ops with no apparent military objective.

Why would the Russian forces do something like this? There is one very obvious answer, but it seems to get lost in the excitement over “real” cyberwar. I think this is a layer deeper, using cyber for PSYOPS. Russia is signalling a capability to the US, one that they know the US (and the West) is uniquely terrified of. The spectre of cyberwar as the West understands it: “light flicking”.

There is a long history of Russia and the US using wars as a way of signalling to each other.

Here’s my speculation: The American cyberwar industry is currently all caught up in trying to figure out what counts as deterrence in the cyber domain. This is a silly idea, but basically they are mentally modelling cyber like nuclear weapons.

Just like generals always fight the last war rather than the current one, the West is trying to model cyber as the last war that never happened. I think this is a completely foolish idea, but then again I don’t run a think tank.

The West believes that cyberwar is only real when there is a kinetic effect (eg light flicking), and it is also postulating that deterrence happens when you demonstrate your capability to your opponent so they know you can fuck them up. On that reading, Russia is just demonstrating capability to deter the West from engaging in active cyber kinetic assaults.

I don’t believe that Russia has adopted the “demonstrate capability to deter activity” theory, but they know the West has, or at the very least is contemplating it. It’s a game they’re happy to play in the hope the West will follow through on their theories as praxis. Flicking lights doesn’t match Russian doctrine. These actions are designed for a western audience.

This expensive light flicking makes more sense when viewed as an influence operation to signal the West that Russia has what the West itself believes are “real cyberwar cyberweapons”. I also think that Russia knows how to run a conflict in the informatics sphere and completely dominate. They have a much better understanding of how the use of the internet as an information platform can be used to manipulate the way that the adversary thinks. Long story short? They know what they’re doing.

The infosec industry and the cyber military complex have been extremely excited figuring out and talking about the “how” of the Russian cyberwar operations in Ukraine, but maybe it is time they started asking about the “why”.

Russia has flicked Ukraine’s lights twice now. The first one wasn’t a test run to see if the system was operational – there was no military follow-up to the second event either – and it wasn’t to gauge the response to the use of this new “cyberweapon.”

We know this because there was no response, even after the second attack, and there is no reason to run two tests of an offensive operation if the first is successful. They want to make sure the West gets the signal.

Risky Business #445 -- Amazon, CloudFlare and Microsoft join "having a bad week club"

PLUS: Troy Hunt and Haroon Meer!

We’ve got a real bread and butter show for you this week. Troy Hunt will be along to talk about the Cloudflare bug and why everyone freaked out about it, and Haroon Meer of Thinkst Canary will be along to talk about RSA.

This week’s show is, of course, brought to you by Canary.Tools, and Haroon will tell us about his first ever RSA conference experience. That’s actually a really fun chat. Funny in parts, too.

Adam Boileau is along to discuss the week’s news. Microsoft, Amazon and a handful of Russians are all having an awful, awful week, and he’ll be talking all about that.

Links to items discussed in this week’s show have moved – they’re now included in this post, below.

Oh, and do add Patrick or Adam on Twitter if that’s your thing.

