Twitter is simply the best place to get #infosec news, gossip, rumors, and updates. Much of the community is alive, well and active on Twitter and, so am I under the handle @hackerhiker (because.. erm.. I hack and I hike). Many people I have spoken to tell me that Twitter is nothing but a wasteland of trolling, sh** posting, partisan rants, and (alleged) Russian bots. Frankly, I think they’d rather get a root canal! Fear not, gentle reader! I wade through the Twitter cesspool so you don’t have to and will present monthly my favorite InfoSec Tweets of the month!
Mudge Speaks Out
One of the top issues for cybersecurity making news in July was the allegations of Russian hacking in the 2016 US Elections and following indictment. On the heels of this announcement prominent hacker and security expert, Peiter Zatko (aka “Mudge”), released a series of tweets revealing (among other things) how he was contacted by the Democratic party in 2016 to increase security on their communication technology, but his advice was ultimately not acted upon. Advice, it should be noted, would have made the John Podesta email phishing attack far more difficult.
Full tweets included below for your review:
During the last election the Democrats reached out to me.
I was happy to help and made it clear that if a reasonable candidate from an opposition party asked for my advice I would provide similar counsel in regards to improving computer, network, and information security.
2/n
— Mudge (@dotMudge) July 14, 2018
I lean a particular way, but my goal is to do the greatest good irrespective.
They were ok with that.
3/n
— Mudge (@dotMudge) July 14, 2018
I devoted a lot of personal time attempting to educate people. Some of these people were considered experts in the field, although none had operational or technical experience and I called them on that. They did have management and government experience, which is important.
4/n
— Mudge (@dotMudge) July 14, 2018
I argued internally for a lot of improvements and changes (CFAA, ECPA, title 10/50 challenges, protecting vuln research, etc.).
The most effort was expended on trying to get them (and any political candidacy that would listen to me) to implement rudimentary OPSEC protocols.
5/n
— Mudge (@dotMudge) July 14, 2018
I argued internally for a lot of improvements and changes (CFAA, ECPA, title 10/50 challenges, protecting vuln research, etc.).
The most effort was expended on trying to get them (and any political candidacy that would listen to me) to implement rudimentary OPSEC protocols.
5/n
— Mudge (@dotMudge) July 14, 2018
I walked them through previous compromises of both parties in prior elections.
The bare minimum defense, which GOOG has made pretty easy to achieve (they were already using GOOG), which disproportionately raises adversary costs, was too much to ask.
It gets better/worse.
7/N
— Mudge (@dotMudge) July 14, 2018
I offered to deploy 2fa, hardened computers, and configure the communal (cloud) work systems to protect their information. No cost.
It was turned down. But I tried.
A bunch of things happened They are well known and politicized in various ways.
But wait, there’s more… 8/N
— Mudge (@dotMudge) July 14, 2018
After the election my name started to float around inside the Oval Office of the incumbent as a possible option for the “Cyber Czar” (or similar) role.
People reached out to me to see if I would be receptive.
I relayed that if I could help my country I would consider it.
9/n
— Mudge (@dotMudge) July 14, 2018
Shortly after that I get contacted by Russia Today (RT) asking if I would do an on air interview on voting security (not an area in which I am publicly known to be involved). Strange.
I’ve spiked on foreign lists before.
Back channels confirm/imply I’m ‘interesting’ again.
— Mudge (@dotMudge) July 14, 2018
I get an OOB message that I’m off the table. I ‘helped’ the opposition party so I’m tainted.
I think both parties have (different) serious issues, which is why I’ll try to improve either of them if I see an opportunity.
But now I’m in an interesting place: …
— Mudge (@dotMudge) July 14, 2018
The people who asked for my counsel fought basic hygiene, which made the subsequent compromises easier/possible.
The new administration considered me an enemy because I tried to educate the opposition party (even though I was willing to educate anyone).
and then..
— Mudge (@dotMudge) July 14, 2018
Shortly after my name gets tossed around inside the executive branch RT reaches out to me.
That could be a coincidence, probably was (my old colleagues imply otherwise). But whatever.
The topic was a bit disconcerting though (hacking national elections) 2016/2017…
— Mudge (@dotMudge) July 14, 2018
Only a few days later I start getting interesting iMessage spam (I don’t open it or click on anything). iMessage spam is relatively costly… good job Apple.
A few days later white screens of death (common for failed jailbreaks) each time shortly after I power cycle. pic.twitter.com/WaNdBplvR5
— Mudge (@dotMudge) July 14, 2018
I can’t confirm that this isn’t/wasn’t some of ‘my’ own kit being thrown back against me.
It looks like it, and it also only worked against a few minor revs prior to what I was running.
Similar failure modes to what you see in the failures above after Apple patched.
— Mudge (@dotMudge) July 14, 2018
So what I ‘choose’ to take from all of this is:
A) Occasionally I warrant nation state interest (yay?)
B) I don’t warrant high end stuff (that I know of)
C) The recent indictment is very forthcoming compared to what the IC/DoJ normally reveal.https://t.co/rJYC9zaaih
— Mudge (@dotMudge) July 14, 2018