Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

What I want to know is *how* did the trojan MSP update get on the SolarWinds server in the first place? Am I missing where they tell that part of the story? Or do they not know? At one security conference, I heard a nerd claim that Linux systems were trivial to hack. All you need is a weakness in their package/dependency management tool (e.g. Yum). Yikes!

Philosophically, we're closer and closer to the concept that data is code and code is data ... which for the psychology-obsessed, sounds a lot like pure behaviorism and some kind of holographic principle. (And note the paragraph on steganography in that article!)

--
↙↙↙ uǝlƃ

- .... . -..-. . -. -.. -..-. .. ... -..-. .... . .-. .
FRIAM Applied Complexity Group listserv
Zoom Fridays 9:30a-12p Mtn GMT-6 bit.ly/virtualfriam
un/subscribe http://redfish.com/mailman/listinfo/friam_redfish.com
archives: http://friam.471366.n2.nabble.com/
FRIAM-COMIC http://friam-comic.blogspot.com/
uǝʃƃ ⊥ glen
Web-based (most software) systems are a complicated Jenga tower of dependencies, each one of which provides an access point for introducing malware, trojans, viruses, etc. The story of Azer Koçulu and how his removal of eight lines of code (left-pad) brought down major Web actors and sites
https://qz.com/646467/how-one-programmer-broke-the-internet-by-deleting-a-tiny-piece-of-code/
should be informative.

Part of the reason that I have been arguing that software development — specifically software engineering — is not sustainable, https://medium.com/swlh/it-is-not-sustainable-cb2c379baf4b

davew

On Tue, Dec 15, 2020, at 10:33 AM, uǝlƃ ↙↙↙ wrote:
> Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
> https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
> [...]
Dependence on *left pad* was an absurd convenience. Software *can* be sustainable.
Still, watch them semicolons :)
In reply to this post by Prof David West
Well, it's one thing to simply screw up a dependency. Any programmer who's participated in a large project has done that at one point or another. But the interesting quote is this:

"Multiple trojanized updates were digitally signed from March - May 2020 and posted to the SolarWinds updates website, ..."

They were digitally signed. Either they were legitimately signed and the vector is the typical one (humans [ptouie]) or the bad actor (not necessarily human) harvested a secret key and illegitimately signed them. And that's just the signing part. They also had to *post* them, which may well be the easier part. But it still had to be done. How did they 1) sign the packages and 2) post the packages?

On 12/15/20 12:23 PM, Prof David West wrote:
> Web-based (most software) systems are a complicated Jenga tower of dependencies, each one of which provides an access point for introducing malware, trojans, viruses, etc. [...]

--
↙↙↙ uǝlƃ
uǝʃƃ ⊥ glen
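The signing question above, illustrated by a small example added here (not code from the thread, from FireEye or from SolarWinds; the key pair is freshly generated and the update payloads are constructed strings): a signature made with the vendor's key verifies identically whether or not the build is clean, so an expected-digest allow-list obtained independently of the update server is the check that actually separates the two cases.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// UpdatePackage is a constructed stand-in for a vendor update artifact
// together with the signature the vendor's release process attached to it.
type UpdatePackage struct {
	Name      string
	Payload   []byte
	Signature []byte
}

// Verdict keeps the two trust questions separate: "was this signed with the
// vendor key?" and "is this the build the tagged source was supposed to produce?"
type Verdict struct {
	SignatureValid bool
	BuildKnownGood bool
}

// signPackage models the vendor's signing step. Whoever controls the private
// key, or the build pipeline that feeds it, gets a signature that verifies
// identically, which is why "it was signed" settles nothing on its own.
func signPackage(priv ed25519.PrivateKey, name string, payload []byte) UpdatePackage {
	return UpdatePackage{Name: name, Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// sha256Hex returns the lowercase hex SHA-256 digest of b.
func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// assessPackage applies both checks. knownGood is an allow-list of digests
// obtained independently of the update server, e.g. from a reproducible
// rebuild of the tagged source or a digest published out of band.
func assessPackage(pub ed25519.PublicKey, pkg UpdatePackage, knownGood map[string]bool) Verdict {
	return Verdict{
		SignatureValid: ed25519.Verify(pub, pkg.Payload, pkg.Signature),
		BuildKnownGood: knownGood[sha256Hex(pkg.Payload)],
	}
}

// Demo builds the scenario from the thread: two updates signed with the same
// vendor key, only one of which is the build the source should yield, plus a
// third signed with an unrelated key to show what the signature check does catch.
func Demo() map[string]Verdict {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// A second key stands in for someone who never obtained the vendor key.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed payloads standing in for real update binaries.
	cleanPayload := []byte("update.bin: built from tagged source, nothing added")
	tamperedPayload := []byte("update.bin: built from tagged source, plus an injected class")
	// The allow-list comes from what the source is expected to produce,
	// not from whatever the update server happens to be serving.
	knownGood := map[string]bool{sha256Hex(cleanPayload): true}
	return map[string]Verdict{
		"clean":    assessPackage(pub, signPackage(priv, "clean", cleanPayload), knownGood),
		"tampered": assessPackage(pub, signPackage(priv, "tampered", tamperedPayload), knownGood),
		"forged":   assessPackage(pub, signPackage(otherPriv, "forged", tamperedPayload), knownGood),
	}
}

func main() {
	for _, name := range []string{"clean", "tampered", "forged"} {
		v := Demo()[name]
		fmt.Printf("%-9s signature=%-5v knownGood=%v\n", name+":", v.SignatureValid, v.BuildKnownGood)
	}
}
```

The "tampered" row is the thread's case: the vendor signature passes, and only the digest comparison flags it.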
Yes, it sounds like they were methodical and patient. Impressive work.
-----Original Message-----
From: Friam <[hidden email]> On Behalf Of uǝlƃ ↙↙↙
Sent: Wednesday, December 16, 2020 7:06 AM
To: FriAM <[hidden email]>
Subject: Re: [FRIAM] 5 agencies compromised

> Well, it's one thing to simply screw up a dependency. Any programmer who's participated in a large project has done that at one point or another. But the interesting quote is this: [...]
pwntastic, even.

-- rec --

On Wed, Dec 16, 2020 at 11:07 AM Marcus Daniels <[hidden email]> wrote:
> Yes, it sounds like they were methodical and patient. Impressive work.
The main alarming thing, I guess, is that there is a large part of the world that is more easily motivated than me. I mean, it seems kind of boring to sort through all that. Impressive in sort of an autistic savant sort of way. I wonder if they were paid well by U.S. standards.

From: Friam <[hidden email]> On Behalf Of Roger Critchlow
> pwntastic, even. -- rec --
Do you mean the forensics? Or the red team? My guess is the red team wasn't paid all that well. But they might have perks like high status. I think the forensic work pays fairly well. I don't know anything about FireEye. But an "incident response analyst" in VA might make $90k: https://www.salary.com/tools/salary-calculator/cyber-incident-response-analyst-ii/arlington-va
On 12/17/20 8:22 AM, Marcus Daniels wrote:
> The main alarming thing, I guess, is that there is a large part of the world that is more easily motivated than me. [...]

--
↙↙↙ uǝlƃ
uǝʃƃ ⊥ glen
I mean the "bad guys". A good reason to find out who did it is so that they can be offered jobs on this side. Perhaps part of the high status is living an utterly lawless lifestyle -- something that would be hard to match in Europe or the United States. Spending power of $90k in VA would be easy to match I think. People that are really good at that would make much more, I think.
-----Original Message-----
From: Friam <[hidden email]> On Behalf Of uǝlƃ ↙↙↙
Sent: Thursday, December 17, 2020 9:42 AM
Subject: Re: [FRIAM] 5 agencies compromised

> Do you mean the forensics? Or the red team? My guess is the red team wasn't paid all that well. [...]
Are we talking (cyber)Soldiers of Fortune here? Eric Prince and his ilk surely have a whole string of guys much better at first-person-shooters and cyberhacking than actual first-person shooting. I have never opened a "Soldier of Fortune" magazine, and even cringe when I see them, but imagine by now there is plenty of lure/candy for the guys (and gals) all over the world in their parents' basements (or small cardboard box behind the large cardboard box in the shanty town) lace into those rags (well, probably not literally, because who in that world actually touches paper?)

> I mean the "bad guys". A good reason to find out who did it is so that they can be offered jobs on this side. [...]
correction EriK Prince:
https://www.rollingstone.com/politics/politics-features/erik-prince-libya-blackwater-roger-stone-trump-2020-election-1077089/

while I like to hear of the incompetence of Trump and his myriad Allies, I fear it is yet another level of in(mis)direction?

On 12/17/20 11:44 AM, Steve Smith wrote:
> Are we talking (cyber)Soldiers of Fortune here? Eric Prince and his ilk surely have a whole string of guys much better at first-person-shooters and cyberhacking than actual first-person shooting. [...]
In reply to this post by Steve Smith
I think it's tiered. At the bottom, you find the Gift Card scammers. The next step up might be the password-guessers and phishers. Then comes the automatic server finders and ssh dictionary attackers. Etc. Somewhere near the top would be the cryptohackers who can execute man in the middle, network/audio/network/current sniffing, etc. But I think it takes a more sophisticated strategist to take that huge toolkit and customize "solutions".
And those "solutions engineers" require, I think, a fairly sophisticated and persistent infrastructure, implying a mid-sized corporation, data center, nation-state, etc. Although the loosely coupled guerrilla style organization presented in, say, Mr. Robot, sounds plausible, I think their capabilities would be constrained to the lower half of that tier.

On 12/17/20 10:44 AM, Steve Smith wrote:
> Are we talking (cyber)Soldiers of Fortune here? [...]

--
↙↙↙ uǝlƃ
uǝʃƃ ⊥ glen
Nation states could also acquire or steal source codes to efficiently find the zero day exploits and hire people away from the companies that wrote the codes. The reverse engineering could start with really good models of the target systems going in. The first thing to do is unlevel the playing field.
-----Original Message-----
From: Friam <[hidden email]> On Behalf Of uǝlƃ ↙↙↙
Sent: Thursday, December 17, 2020 11:01 AM
Subject: Re: [FRIAM] 5 agencies compromised

> I think it's tiered. At the bottom, you find the Gift Card scammers. [...]
A colleague of mine was here on a visa from Iran. And the way he described living in Iran made it sound quite nice. He was an atheist, though, and it was difficult to talk about his [a]belief ... but no more so than some regions of the US, I'd bet. From that point forward, I couldn't help but wonder if some "corporation" in Iran solicited me for a job req ... how would I respond? Fly over for the interview? Politely decline? I honestly don't know. I'm pretty sure my mouth would get me killed there. But you never know.
On 12/17/20 11:28 AM, Marcus Daniels wrote:
> Nation states could also acquire or steal source codes to efficiently find the zero day exploits and hire people away from the companies that wrote the codes. [...]

--
↙↙↙ uǝlƃ
uǝʃƃ ⊥ glen
It adds a new dimension. A frustrated former employer doesn't send a nasty note through a lawyer. They paralyze you with ketamine and throw you in the river.
-----Original Message-----
From: Friam <[hidden email]> On Behalf Of uǝlƃ ↙↙↙
Sent: Thursday, December 17, 2020 11:45 AM
Subject: Re: [FRIAM] 5 agencies compromised

> A colleague of mine was here on a visa from Iran. And the way he described living in Iran made it sound quite nice. [...]
Ha! A bit like our police here in the US:
https://www.brookings.edu/blog/how-we-rise/2020/08/10/how-excited-delirium-is-misused-to-justify-police-brutality/

On 12/17/20 12:00 PM, Marcus Daniels wrote:
> It adds a new dimension. A frustrated former employer doesn't send a nasty note through a lawyer. They paralyze you with ketamine and throw you in the river.

--
↙↙↙ uǝlƃ
uǝʃƃ ⊥ glen
I do wonder what work will look like after most of the small businesses fail.

"Didn't respond to police presence" -> "Didn't listen to the boss."

"Hey where did Jamie go? Last time I saw him was at that meeting.."

-----Original Message-----
From: Friam <[hidden email]> On Behalf Of uǝlƃ ↙↙↙
Sent: Thursday, December 17, 2020 12:20 PM
Subject: Re: [FRIAM] 5 agencies compromised

> Ha! A bit like our police here in the US: [...]
Kind of makes you wonder if the "deep state" conspiracy theories have a bit of merit.

On Thu, Dec 17, 2020 at 3:29 PM Marcus Daniels <[hidden email]> wrote:
> I do wonder what work will look like after most of the small businesses fail.
In reply to this post by gepr
LANL's "communications dept" had their own posters printed up that showed up everywhere for the full 27 years I was there for... maybe DOE and DOD supplied/inspired messaging... but the one that hit me as the most strange/hypocritical was the "Nations don't have friends, they have Interests" which was supposed to help undermine Scientists (and others with top clearances) from being seduced by nation-states who pretended to be "friends". The hypocrisy IMO was the illusion that our own Nation State was in some way our friend, when in fact, our very employment and even existence as *citizens* was ultimately a reflection of this Nation-State's "Interests"...

I became acutely aware of some of this when a new director gave us all a lecture on "neither confirm or deny" and reminded us that even to deny some outlandish claim about a classified matter was in fact, a capital crime. The night before I had been in a hot-tub with a small group of Santa Fe Artist types who "Knew" all kinds of things about LANL, the Nuclear Weapons Programme, Area 51 and Aliens, not to mention Chemtrails, VaxxHOaxes, and ESP. I remember smirking and maybe even scoffing into my elbow a few times at some of those statements and my bosses' bosses' boss was reminding me that I had in fact committed a Capital crime with both smirk and scoff, though it WAS dark, they probably didn't see my smirk and I masked my scoff as a cough, etc. I checked my paycheck stub that week and realized I was in no way compensated with "hazard pay", since having classified info in my head was clearly a huge risk, taking my life into my own hands every time I learned a new secret...

I was pretty clear in my own head what was true, what was pro-nuke propaganda, what was anti-nuke propaganda and what of that which I knew enough about to confirm or deny was classified, but that didn't stop me from smirking and scoffing involuntarily from time to time. It was the beginning of the end... fortunately DOE Q-type classified material was not nearly as "risky" as the DOD TS type as our friend Ed Snowden found out... I think I winced every time I got close to the latter stuff right up until I left and the information (and my memory) started to age rapidly.

> A colleague of mine was here on a visa from Iran. And the way he described living in Iran made it sound quite nice. [...]
I'll see you and raise you a photograph of Donald Trump on the wall.
https://www.youtube.com/watch?v=DiPXuo753i8

-----Original Message-----
From: Friam <[hidden email]> On Behalf Of Steve Smith
Sent: Thursday, December 17, 2020 4:54 PM
To: [hidden email]
Subject: Re: [FRIAM] 5 agencies compromised