Podcast appearances and mentions of Kim Zetter

  • 61 podcasts
  • 96 episodes
  • 38m average duration
  • 1 new episode monthly
  • Latest: Mar 8, 2025

[Popularity chart: 2017 to 2024]

Latest podcast episodes about Kim Zetter

Security Conversations
Revisiting the Lamberts, i-Soon indictments, VMware zero-days
Mar 8, 2025, 99:32

Three Buddy Problem - Episode 37: This week, we revisit the public reporting on a US/Russia cyber stand down order, CISA declaring no change to its position on tracking Russian threats, and the high-level diplomatic optics at play. Plus, a dissection of 'The Lamberts' APT and connections to US intelligence agencies, attribution around 'Operation Triangulation' and the lack of recent visibility into these actors. We also discuss a fresh batch of VMware zero-days, China's i-Soon 'hackers-for-hire' indictments, the Pangu/i-Soon connection, and a new wave of Apple threat-intel warnings about mercenary spyware infections. Cast: Juan Andres Guerrero-Saade (https://twitter.com/juanandres_gs), Costin Raiu (https://twitter.com/craiu) and Ryan Naraine (https://twitter.com/ryanaraine).

Risky Business News
Between Two Nerds: Is 39 vulnerabilities a lot?
Feb 17, 2025, 30:04

In this edition of Between Two Nerds, Tom Uren and The Grugq talk about the United States' Vulnerabilities Equities Process (VEP), which balances the need for intelligence collection with the need to protect the public. The government recently revealed that in 2023 it released 39 vulnerabilities, but what does this really tell us? This episode is also available on YouTube. Show notes: the unclassified VEP appendix; Kim Zetter's Zero Day Substack.

Security Conversations
Hijacking .gov backdoors, Ivanti 0days and a Samsung 0-click vuln
Jan 10, 2025, 108:21

Three Buddy Problem - Episode 29: Another day, another Ivanti zero-day being exploited in the wild. Plus, China's strange response to Volt Typhoon attribution, Japan blames China for hacks, a Samsung 0-click vulnerability found by Project Zero, Kim Zetter's reporting on drone sightings and a nuclear scare. Plus, hijacking abandoned .gov backdoors and Ukrainian hacktivists wiping a major Russian ISP. Cast: Juan Andres Guerrero-Saade (https://twitter.com/juanandres_gs), Costin Raiu (https://twitter.com/craiu) and Ryan Naraine (https://twitter.com/ryanaraine).

The Cybersecurity Defenders Podcast
#182 - Hacker Holidays: Stuxnet (Part 1 & 2)
Dec 30, 2024, 37:52

This episode of the Cybersecurity Defenders podcast is a two-part mini-series about the greatest cyber attack ever conceived: Stuxnet. Joining to help us tell the story is Kim Zetter, Journalist and Author - Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon. Stuxnet is a malicious computer worm first uncovered in 2010 and thought to have been in development since at least 2005. Stuxnet targets supervisory control and data acquisition (SCADA) systems and is believed to be responsible for causing substantial damage to the nuclear program of Iran. Although neither country has openly admitted responsibility, the worm is widely understood to be a cyberweapon built jointly by the United States and Israel in a collaborative effort known as Operation Olympic Games. The program, started during the Bush administration, was rapidly expanded within the first months of Barack Obama's presidency. This episode was written by Nathaniel Nelson, narrated by Christopher Luft, and produced by the team at LimaCharlie.

ThinkEnergy
Cybersecurity and the energy sector, with Hydro Ottawa's Jojo Maalouf
Nov 11, 2024, 19:18

Our daily lives are more and more connected online. This includes our utility grids. Jojo Maalouf, Hydro Ottawa's Director of Cybersecurity and IT Infrastructure, joins thinkenergy to discuss the role of cybersecurity in the energy sector: from cybersecurity threats, like cyber warfare and ransom-seeking hacktivists, to the measures required to defend our energy systems. Plus, how AI both helps and complicates matters. Listen in to learn what's driving change and the collaboration needed to protect the grid.

Related links:
Ontario Cybersecurity Framework: https://www.oeb.ca/regulatory-rules-and-documents/rules-codes-and-requirements/ontario-cyber-security
Get Cyber Safe resources: https://www.getcybersafe.gc.ca/en
Jojo Maalouf on LinkedIn: https://www.linkedin.com/in/jojo-maalouf-cism-cissp-0546b03/
Trevor Freeman on LinkedIn: https://www.linkedin.com/in/trevor-freeman-p-eng-cem-leed-ap-8b612114/
Hydro Ottawa: https://hydroottawa.com/en
To subscribe using Apple Podcasts: https://podcasts.apple.com/us/podcast/thinkenergy/id1465129405
To subscribe using Spotify: https://open.spotify.com/show/7wFz7rdR8Gq3f2WOafjxpl
To subscribe on Libsyn: http://thinkenergy.libsyn.com/
Subscribe so you don't miss a video: https://www.youtube.com/user/hydroottawalimited
Follow along on Instagram: https://www.instagram.com/hydroottawa
Stay in the know on Facebook: https://www.facebook.com/HydroOttawa
Keep up with the posts on X: https://twitter.com/thinkenergypod

Transcript:

Trevor Freeman 00:07
Welcome to thinkenergy, a podcast that dives into the fast-changing world of energy through conversations with industry leaders, innovators and people on the front lines of the energy transition. Join me, Trevor Freeman, as I explore the traditional, unconventional and up-and-coming facets of the energy industry. If you have any thoughts, feedback or ideas for topics we should cover, please reach out to us at thinkenergy@hydrottawa.com. Hi everyone, welcome back.

It won't be a surprise to anyone listening that our energy systems, like much of the rest of our lives, are becoming more and more connected and more online than ever before. Let's just take a look at our own personal lives. We've got apps that can control multiple aspects of our homes. For example, from my phone, I can adjust temperature set points and fan speed, heating and cooling in my house. I can turn on or off lights, both inside and outside. I can look and see who just rang my doorbell, even if I'm in another city, and I can check and see where my vehicle is, whether it's charging or not. And I can even turn it on, all from my phone. And I would consider myself like middle of the road in terms of how connected and online I am. There are even further examples of this in some of those ultra-connected homes. This is part of our fast-paced and constant evolution towards convenience and using technology to find solutions to problems that we didn't always know existed, and maybe they didn't actually exist. We've all heard that term, the Internet of Things, referring to this ultra-connected world where it's not just people talking over the internet, but our devices and systems are talking as well. I was absolutely floored when I was doing some research on this podcast to find out that this term, the Internet of Things, was first used 25 years ago, in 1999. When I first wrote the text for this, I put a placeholder in to say, oh, it's been around for over 10 years. And then when I actually did my research, it's over 25 years. Think about how far we've come since that idea was thought of in 1999, how different life is today than in 1999. Our energy systems and our utility grids are undergoing a similar transition. I talked about this a little bit with Hydro Ottawa's Jenna Gillis in a previous episode about grid modernization. So go back and have a listen to that if you haven't already.

We are adding more and more data points to our grids, and that includes sensors, smart switches, fault detectors, smarter meters, etc., etc. Even for Hydro Ottawa, a local distribution company with around 350,000 customers, we are talking about many times that number of smart devices in the coming years, all connected, all trading data between themselves and our central systems and the smart folks who run them. Now, there is a ton of upside to this transition, and that's why we're doing it. More data leads to better decision making, a better view of what's happening, whether that's during an outage or at times when the grid is heavily utilized. It lets us get more out of the equipment we have, react and adjust to the needs of our customers, and react and adjust to the needs of the grid. It will lead to faster restoration during outages, and sometimes that restoration will be automatic without having to roll a truck. It will allow us to better integrate distributed energy resources like small-scale solar and storage and other things into our grid for the benefit of our customers and the grid. There is no question that this is a move in the right direction, and Hydro Ottawa is leaning into this aspect of the energy transition to build a smarter grid for our customers. However, it does highlight something that has long been a priority for us: cybersecurity. With so many connected devices, with so much data out there, we need to be extremely vigilant and rigorous with our digital security. Cyber-attacks on utility infrastructure are not theoretical. In 2015 and 2016, attacks on the Ukrainian power grid resulted in large-scale power outages in that country. As we increasingly rely on electricity for so many aspects of our lives, attacks like this, whether by nation states or bad actors seeking financial gain, can have devastating consequences.

Luckily, this is something that has been a priority for us for many years, and as the threats become more sophisticated, so too do our strategies to protect our systems and our grid from those attacks. Joining me today to talk about this is Hydro Ottawa's Director of Cybersecurity and IT Infrastructure, Jojo Maalouf. Jojo, welcome to the show.

Jojo Maalouf 04:46
Thanks for having me.

Trevor Freeman 04:47
All right, so Jojo, cybersecurity is a little bit of a buzzword that a lot of folks have probably heard in a bunch of different contexts. Help us unpack it a little bit. What do we actually mean when we talk about cybersecurity threats and cybersecurity prevention, I guess?

Jojo Maalouf 05:05
Very good question, right? So, I mean, let's kind of simplify things. So we obviously have these adversaries, right? And these adversaries are trying to get into organizations' networks. We hear a lot about the sensitivity or the criticality of information, so they're trying to obtain that information. And, you know, can they look at potentially monetizing that? Really what we're kind of trying to do, or what cybersecurity is, is, if you think about it, we have these bad guys, these adversaries. They're trying to get into organizations; they possess or introduce some sort of level of risk. What we are trying to do as people in cybersecurity is defend those organizations from those risks and those adversaries. So, in order for us to do that, we need to put together a program. We need to make sure we have the relevant controls in place, because, at the end of the day, what we're trying to do is mitigate that risk to an acceptable level where the business can run.

Trevor Freeman 06:07
Yeah, totally. And who are these threats coming from? Like, we hear a lot about state-sponsored groups, for-profit hackers. There's sort of that hacktivist, kind of ideologically driven group. Who are we worried about in the energy industry?

Jojo Maalouf 06:20
You know, it's a very good question. I think, to be honest, I think we worry about all of them. I think from our perspective, threats are threats. And obviously, depending on the magnitude of those threats and where they're coming from, they could potentially possess or introduce a different type of risk. But the reality is, they all introduce a level of risk. Yes, we are worried about state-sponsored entities. You know, we've seen what's happened throughout the years. It started out with Stuxnet in Iran in 2010; we've seen what's happened with Ukraine in 2015. At the end of the day, what are we trying to protect? We're trying to ensure that a cyber-attack doesn't actually impact our ability to deliver power to our customers. What we are seeing now in the industry, obviously, is that adversaries are understanding that they can really monetize this, right? So, we're seeing the exponential growth of ransomware throughout the years. I remember back in 2016 when a major Canadian university was asked to pay, I think, approximately a $35,000 ransom. Where we look at that in comparison in 2024, where the average cost of a ransomware attack is just under $5 million. So, it's a billion-dollar industry, right? And it's only growing. You know, I'd say the threats are coming from everywhere, but you're definitely seeing the monetization aspect of it growing exponentially.

Trevor Freeman 07:51
Yeah. So, I guess from our perspective, it really doesn't matter what the motivation is. If someone's getting into our systems and sort of impacting our ability to do what we do, it doesn't matter what the motivation is. It's a problem for us, and we try and guard against it.

Jojo Maalouf 08:05
Correct. I think people are very highly motivated now, whether it's ransomware, whether it's state sponsored. I think entities, or I would say adversaries, sorry, are definitely highly motivated. And it doesn't really change our approach. So, you know, the energy sector needs to make sure that they do what they can to protect the systems.

Trevor Freeman 08:23
Yeah, fair enough. So, we've talked in the past on the show, and in my intro, I talked about grid modernization, and this sort of evolution of our grid, and the technology on our grid to have more and more connected devices out in the field, and the amount of data that's flowing on our grid is increasing. Obviously, there are many benefits to this, but inherently that brings a degree of risk as well. Can you talk to us about the risk that grid modernization brings, and sort of how we're thinking about that?

Jojo Maalouf 08:58
So, Trevor, I think you said it well when you said more and more devices are connected now. So really, what ends up happening every time we add a device that's connected, it increases the organization's risk profile. So ideally, what we want to be able to do is we want to manage exactly what those entry points into potential organizations are. So, every time I add a device, I have to think that it increases that attack surface to a degree. So, I mean, you've talked about what grid modernization can do. There are many capabilities I think that are going to benefit organizations. But I think as this happens, we need to ensure that cybersecurity risks are managed, to ensure that that risk profile is managed to an appropriate level.

Trevor Freeman 09:48
How prepared is the energy industry to respond to and to recover from a major cyber-attack, if one were to happen on the power grid?

Jojo Maalouf 09:57
Honestly, I think that the energy sector is well prepared. As a critical infrastructure entity, the energy sector has the benefit of dealing a lot with government partners. So, I think what you want to do as an organization is you want to build that trust, that ecosystem of partners, whether it is through public and private relationships. But I'd say from a critical infrastructure perspective, there are very good relationships with the industry, very good relationships with government partners. I think testing organizations' resiliency has been in play now for many, many years. But I think from a cyber perspective, I think it's something where organizations continue to be prepared, continue to do some of the appropriate testing, you know? And I'll be honest, I'd say you never want to be complacent, right? And I think what we've learned over the years is threats are evolving. Threats are changing. The industry is always going to be susceptible to attacks.

Trevor Freeman 11:00
Are we collaborating and working with other stakeholders? I mean, both at the sort of other utility level, you mentioned governments and regulatory bodies, are we collaborating with those other entities? And sort of in line when it comes to cybersecurity?

Jojo Maalouf 11:15
There is a lot of collaboration that occurs within the industry. Whether it's in Ontario, you'll see now that the regulator, the Ontario Energy Board, you know, there is the Ontario Cybersecurity Framework that has been in play now since around 2018. Even at the national level, there are many different bodies where, you know, cybersecurity, like critical infrastructure protection, is paramount, as discussed regularly, and then obviously there's the government agency. So, there's a lot of collaboration that goes on, whether it's from the provincial, the national, and then the government side as well. And I mean, I think you need those relationships, right? You need those partnerships to help.

Trevor Freeman 12:02
Yeah, we're not a lone utility kind of figuring it out on our own. We're working with our partners and our peers to figure that out. The other kind of area of emerging technology that I want to talk about is AI, artificial intelligence and sort of machine learning. Are we using those technologies? Or do you see us using those technologies in the future to sort of enhance the cybersecurity of our grid and our assets?

Jojo Maalouf 12:29
Yeah, I mean, I think obviously artificial intelligence, machine learning, seems to be the 2024 theme. The reality is, a lot of technologies have already adopted, whether it's AI or machine learning, into their solutions. You know, I think the whole Gen AI aspect is growing, and it's something that I think is going to benefit everybody in the industry as well. The unfortunate thing is that I think adversaries are going to be able to use these technologies as well. You know, whether it's to paint a better picture of an organization, maybe to customize some attack patterns, but I think it's something where we have to embrace the technology. We have to use it in our, I would say, in our toolkit, but we're very much cognizant of the fact that adversaries are going to be using these tool sets as well to potentially target organizations within the energy sector.

Trevor Freeman 13:33
And are there specific things that, you know, speaking as the local distribution company, specific things that our customers can do or should be aware of? What's the role of our customer when it comes to cybersecurity?

Jojo Maalouf 13:46
It's a very good question. I mean, from a customer's perspective, I think customers need to realize the importance of their information. So, I mean, the reality now is a lot of adversaries are targeting people directly because they want their information. Their information is valuable. So, I think as a customer, what they want to make sure they do is that they do what they can to protect their information. So, some very simple steps that they can take: make sure you have a complex password that only you know, that's not easily guessable. The other thing is, you don't want to use that password across multiple systems. So, what's the best way for you to be able to manage all your passwords? Invest in a password manager. There are free solutions out there. There are other really good solutions that are at a fraction of the cost. As well as that password, what you want to make sure you do is you have multi-factor authentication attached to it. What that really means is it's a second level of authentication that's going to challenge you to make sure you are who you say you are. It could just be an application that's installed on your phone. I think those are some really good ways that, you know, a customer can use to protect themselves. I think even investing in credit monitoring is really good, because the last thing you want is an adversary to target you, steal your information, and then all of a sudden they are starting to open up accounts in your name, right? So credit monitoring is another really important one. So, I mean, I think those are some really basic ones, but I think that they can go a long way to protecting a customer from threats. There are some really good online resources that they can use. Public Safety Canada has their Get Cyber Safe website that provides a lot of information for, you know, everyday residential people or customers, sorry, steps that they can take to protect themselves.

Trevor Freeman 15:33
And for our listeners that kind of are thinking like, oh, I feel like I've heard that before: I think you're right. You have. It is those basic steps that really can protect us. And just so that everybody knows, this is a focus of us internally as well. All employees of Hydro Ottawa also have a focus on what can we as employees do in order to make sure we're protecting our systems, we're protecting our data, and all the things that Jojo mentioned when it comes to password integrity, being conscious of protecting our data. We're focused on that on a day-to-day basis as well. Jojo, thanks very much for taking the time to talk us through this. It's something that is maybe a bit adjacent to the energy transition, but so important as we increasingly digitize our grid, digitize our systems, as I mentioned, add more data points. We can't sort of leave cybersecurity behind. So, I really appreciate you taking the time to join us today. As our listeners know, and as you know, we always end our interviews with a series of questions to our guests. So I will jump right into those. Jojo, what's a book that you've read that you think everybody should read?

Jojo Maalouf 16:39
Yeah, good question. I'll give you two books, especially within the context of cybersecurity. You know, we did briefly mention Stuxnet. A really good book is by Kim Zetter. It's called Zero Day, and it basically depicts what happened with Stuxnet. Really informative. It's actually a really good read. It's not necessarily technical, but just goes to show kind of how cyber warfare was actually built. Another really good one is from Andy Greenberg. It's called Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers. Another really good read as well. So, I think those are two books, I would say, in the cybersecurity context, that I think are really good reads.

Trevor Freeman 17:29
Nice. Same question, but for a movie or a show. Is there a movie or show that you think everyone should have a look at?

Jojo Maalouf 17:36
I'm actually really into Yellowstone these days, right? So, I'm gonna give that props.

Trevor Freeman 17:41
Nice. That's a good one. If someone offered you a free round-trip flight anywhere in the world, where would you go?

Jojo Maalouf 17:48
Good question. I think right now where I am, I'd probably go anywhere, either in the Alps or in the Dolomites, to ski.

Trevor Freeman 17:56
That's awesome. And our last question: what is something about the energy sector or its future that you are particularly excited about?

Jojo Maalouf 18:04
To be honest with you, what really interests me and what I'm really excited about is, I think, the evolution and change into, we are now a technology company. And I think where the energy sector is growing, is moving towards, is really exciting. You know, I think over the years, it's been a very siloed approach to the way services are driven or given, where I find now, it's very technology focused, right? And I think that's very exciting times.

Trevor Freeman 18:39
Very cool. Well, Jojo, I really appreciate your time today, and you sharing your insight with us, and thanks for coming on the show.

Jojo Maalouf 18:46
Thank you, Trevor, it's great being here.

Trevor Freeman 18:50
Thanks for tuning in to another episode of the thinkenergy podcast. Don't forget to subscribe wherever you listen to podcasts, and it would be great if you could leave us a review. It really helps to spread the word. As always, we would love to hear from you, whether it's feedback, comments or an idea for a show or a guest. You can always reach us at think energy@Hydroottawa.com.

The CyberWire
What does materiality mean exactly?
Aug 12, 2024, 12:21

Rick Howard, N2K CyberWire's Chief Analyst and Senior Fellow, discusses the meaning of cybersecurity materiality.

References:
Amy Howe, 2024. Supreme Court strikes down Chevron, curtailing power of federal agencies [Blog].
Cydney Posner, 2023. SEC Adopts Final Rules on Cybersecurity Disclosure [Explainer]. The Harvard Law School Forum on Corporate Governance.
Cynthia Brumfield, 2022. 5 years after NotPetya: Lessons learned [Analysis]. CSO Online.
Eleanor Dallaway, 2023. Closed for Business: The Organisations That Suffered Fatal Cyber Attacks that Shut Their Doors For Good [News]. Assured.
Gary Cohen, 2021. Throwback Attack: Chinese hackers steal plans for the F-35 fighter in a supply chain heist [Explainer]. Industrial Cybersecurity Pulse.
James Pearson, 2022. Russia downed satellite internet in Ukraine [News]. Reuters.
Katz, D., 2021. Corporate Governance Update: "Materiality" in America and Abroad [Essay]. The Harvard Law School Forum on Corporate Governance.
Kim Zetter, 2014. Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon [Cybersecurity Canon Hall of Fame Book]. Goodreads.
Lizárraga, C.J., 2023. Improving the Quality of Cybersecurity Risk Management Disclosures [Essay]. U.S. Securities and Exchange Commission.
Matthew Daly, 2024. Supreme Court Chevron decision: What it means for federal regulations [WWW Document]. AP News.
Rick Howard. Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon [Book Review]. Cybersecurity Canon Project.
Rick Howard, 2021. Using cyber sand tables to study the DNC hack of 2016 [Podcast]. The CyberWire.
Rick Howard, 2022. Cyber sand table series: OPM [Podcast and Essay]. The CyberWire.
Staff, 2020. Qasem Soleimani: US strike on Iran general was unlawful, UN expert says [Explainer]. BBC News.
Staff, 2023. Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure [Government Guidance]. U.S. Securities and Exchange Commission.
Staff, 2024. Number of Public Companies v. Private: U.S. [Website]. Advisorpedia.

Montreal Now with Aaron Rand & Natasha Hall
Security breach impacts millions of Ticketmaster users
Jul 10, 2024, 7:16

History Is Dank
Cyber Weapons
Jun 4, 2024, 36:04

Was the Stuxnet "cyberworm" the first iteration of a new era of combat? Strider is scared! When scared, seek to understand. striderwilson.com, patreon.com/striderwilson

Sources: spymuseum.org; smithsonianmag.com, 'Richard Clarke on Who Was Behind the Stuxnet Attack' by Ron Rosenbaum, 2012; wired.com, 'An Unprecedented Look at Stuxnet, the World's First Digital Weapon' by Kim Zetter, 2014; csoonline.com, 'Stuxnet explained: the first known cyberweapon' by Josh Fruhlinger, 2022; britannica.com.

The CyberWire
SolarWinds and the SEC.
Jun 3, 2024, 21:05

Rick Howard, N2K's CSO and The CyberWire's Chief Analyst and Senior Fellow, presents the argument for why the SEC was misguided when it charged the SolarWinds CISO, Tim Brown, with fraud after the Russian SVR compromised the SolarWinds flagship product, Orion. Our guests are Steve Winterfeld, Akamai's Advisory CISO, and Ted Wagner, SAP National Security Services CISO.

References:
Andrew Goldstein, Josef Ansorge, Matt Nguyen, Robert Deniston, 2024. Fatal Flaws in SEC's Amended Complaint Against SolarWinds [Analysis]. Crime & Corruption.
Anna-Louise Jackson, 2023. Earnings Reports: What Do Quarterly Earnings Tell You? [Explainer]. Forbes.
Brian Koppelman, David Levien, Andrew Ross Sorkin, 2016 - 2023. Billions [TV Show]. IMDb.
Dan Goodin, 2024. Financial institutions have 30 days to disclose breaches under new rules [News]. Ars Technica.
David Katz, 2021. Corporate Governance Update: "Materiality" in America and Abroad [Essay]. The Harvard Law School Forum on Corporate Governance.
Jessica Corso, 2024. SEC Zeroes In On SolarWinds Exec In Revised Complaint [Analysis]. Law360.
Johnathan Rudy, 2024. SEC files Amended complaint against SolarWinds and CISO [Civil Action]. LinkedIn.
Joseph Menn, 2023. Former Uber security chief Sullivan avoids prison in data breach case [News]. The Washington Post.
Kim Zetter, 2014. Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon [Book]. Goodreads.
Kim Zetter, 2023. SEC Targets SolarWinds' CISO for Rare Legal Action Over Russian Hack [WWW Document]. ZERO DAY.
Kim Zetter, 2023. SolarWinds: The Untold Story of the Boldest Supply-Chain Hack [Essay]. WIRED.
Rick Howard, 2022. Cyber sand table series: OPM [Podcast]. The CyberWire - CSO Perspectives Podcast.
Rick Howard, 2023. Cybersecurity First Principles: A Reboot of Strategy and Tactics [Book]. Goodreads.
Pam Baker, 2021. The SolarWinds hack timeline: Who knew what, and when? [Timeline]. CSO Online.
Staff, 2009. Generally Accepted Accounting Principles (Topic 105) [Standard]. PWC.
Staff, 30 October 2023. SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures [Website]. The U.S. Securities and Exchange Commission.
Staff, 31 October 2023. Securities and Exchange Commission v. SolarWinds Corporation and Timothy G. Brown, No. 23-civ-9518 (SDNY) [Case]. The Securities and Exchange Commission.
Staff, 29 March 2024. Cooley, Cybersecurity Leaders File Brief Opposing SEC's SolarWinds Cyberattack Case [Press Release]. Cooley.
Stephanie Pell, Jennifer Lee, Shoba Pillay, Jen Patja Howell, 2024. The SEC SolarWinds Enforcement Action [Podcast]. The Lawfare Podcast.

Whale Hunting
Cyber Crimes: Stuxnet, Sabotage and Digital Warfare
Mar 20, 2024, 31:29

Imagine a digital virus that could destroy your computer. Not crash its system, but actually wreck the physical hardware, say, melt the motherboard or burn up the hard drive. It might sound dystopian, but in fact, this kind of virus was discovered in Iran in 2010. And it wasn't just wrecking a humble laptop; it was sabotaging Iranian nuclear infrastructure. The virus (or worm) became known as Stuxnet, and investigative journalist Kim Zetter has been following it ever since. This week on Whale Hunting, host Bradley Hope speaks to Kim about the uncovering of Stuxnet and what its groundbreaking technology meant for digital warfare, as well as the early death of the intelligence mole who deposited Stuxnet on Iranian systems. To read more of Kim's work, make sure to follow her on Twitter at @kimzetter or find her regular posts at zetter-zeroday.com. For more from Whale Hunting, make sure to follow the podcast, and you can subscribe to our newsletter at whalehunting.projectbrazen.com.

Size 10 Podcast with Bjorn & Nick
Nick Loves Countdown to Zero Day book and Bjorn Hates bad parking.
Aug 23, 2023, 67:37

This week, Nick Scalzone loves Countdown to Zero Day by Kim Zetter, Bjorn RG hates bad parking, Hatfield sits in for Eliza Butler, and they give their thoughts about some Computer Movies.

Breaking Badness
155. Sunburst Your Bubble
May 24, 2023, 68:59

This week Kali Fencl, Tim Helming, and Ian Campbell discuss Kim Zetter's work on the SolarWinds investigation along with the Senate's hearing on AI regulation.

The Cybersecurity Defenders Podcast
#33 - Hacker History: Stuxnet (Part 2)
May 16, 2023 (18:38)


This episode of the Cybersecurity Defenders podcast is the second part in a two-part mini-series about the greatest cyber attack ever conceived: Stuxnet. Joining to help us tell the story is Kim Zetter, Journalist and Author - Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon.

If you have not heard the first episode it is recommended that you do so before listening to this one. You can listen to the first episode here: Stuxnet (Part 1)

Stuxnet is a malicious computer worm first uncovered in 2010 and thought to have been in development since at least 2005. Stuxnet targets supervisory control and data acquisition (SCADA) systems and is believed to be responsible for causing substantial damage to the nuclear program of Iran. Although neither country has openly admitted responsibility, the worm is widely understood to be a cyberweapon built jointly by the United States and Israel in a collaborative effort known as Operation Olympic Games. The program, started during the Bush administration, was rapidly expanded within the first months of Barack Obama's presidency.

This episode was written by Nathaniel Nelson, narrated by Christopher Luft, and produced by the team at LimaCharlie.

The Cybersecurity Defenders Podcast: a show about cybersecurity and the people that defend the internet.

The Cyberlaw Podcast
How worried should we be about “existential” AI risk?
May 9, 2023 (58:34)


The “godfather of AI” has left Google, offering warnings about the existential risks for humanity of the technology. Mark MacCarthy calls those risks a fantasy, and a debate breaks out between Mark, Nate Jones, and me. There's more agreement on the White House summit on AI risks, which seems to have followed Mark's “let's worry about tomorrow tomorrow” prescription. I think existential risks are a bigger concern, but I am deeply skeptical about other efforts to regulate AI, especially for bias, as readers of Cybertoonz know. I argue again that regulatory efforts to eliminate bias are an ill-disguised effort to impose quotas more widely, which provokes lively pushback from Jim Dempsey and Mark.

Other prospective AI regulators, from the Federal Trade Commission (FTC)'s Lina Khan to the Italian data protection agency, come in for commentary. I'm struck by the caution both have shown, perhaps due to their recognizing the difficulty of applying old regulatory frameworks to this new technology. It's not, I suspect, because Lina Khan's FTC has lost its enthusiasm for pushing the law further than it can be pushed. This week's examples of litigation overreach at the FTC include a dismissed complaint in a location data case against Kochava, and a wildly disproportionate “remedy” for what look like Facebook foot faults in complying with an earlier FTC order.

Jim brings us up to date on a slew of new state privacy laws in Montana, Indiana, and Tennessee. Jim sees them as business-friendly alternatives to General Data Protection Regulation (GDPR) and California's privacy law. Mark reviews Pornhub's reaction to the Utah law on kids' access to porn. He thinks age verification requirements are due for another look by the courts.

Jim explains the state appellate court decision ruling that the NotPetya attack on Merck was not an act of war and thus not excluded from its insurance coverage. Nate and I recommend Kim Zetter's revealing story on the SolarWinds hack. The details help to explain why the Cyber Safety Review Board hasn't examined SolarWinds—and why it absolutely has to—because the full story is going to embarrass a lot of powerful institutions.

In quick hits, Mark makes a bold prediction about the fate of Canada's law requiring Google and Facebook to pay when they link to Canadian media stories: Just like in Australia, the tech giants and the industry will reach a deal. Jim and I comment on the three-year probation sentence for Joe Sullivan in the Uber “misprision of felony” case—and the sentencing judge's wide-ranging commentary. I savor the impudence of the hacker who has broken into Russian intelligence's bitcoin wallets and burned the money to post messages doxing the agencies involved. And for those who missed it, Rick Salgado and I wrote a Lawfare article on why CISOs should support renewal of Foreign Intelligence Surveillance Act (FISA) section 702, and Metacurity named it one of the week's “Best Infosec-related Long Reads.”

Download 456th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@gmail.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

The Cybersecurity Defenders Podcast
#25 - Hacker History: Stuxnet (Part 1)
Mar 29, 2023 (20:10)


This episode of the Cybersecurity Defenders podcast is the first part in a two-part mini-series about the greatest cyber attack ever conceived: Stuxnet. Joining to help us tell the story is Kim Zetter, Journalist and Author - Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon.

Stuxnet is a malicious computer worm first uncovered in 2010 and thought to have been in development since at least 2005. Stuxnet targets supervisory control and data acquisition (SCADA) systems and is believed to be responsible for causing substantial damage to the nuclear program of Iran. Although neither country has openly admitted responsibility, the worm is widely understood to be a cyberweapon built jointly by the United States and Israel in a collaborative effort known as Operation Olympic Games. The program, started during the Bush administration, was rapidly expanded within the first months of Barack Obama's presidency.

This episode was written by Nathaniel Nelson, narrated by Christopher Luft, and produced by the team at LimaCharlie.

The Cybersecurity Defenders Podcast: a show about cybersecurity and the people that defend the internet.

Irish Tech News Audio Articles
IT Arena 2022, Ukraine 3.0: Digital, Lviv, September 30-October 1, 2022
Sep 6, 2022 (5:01)


One of Eastern Europe's largest professional tech conferences is bringing together Ukraine's and international tech experts for a live event. The tech conference will be held in Lviv on September 30-October 1, 2022. Despite unprecedented challenges around the country, Ukraine's tech community has continued to thrive in 2022. In an act of bravery against the war, tech professionals will gather in person for the annual IT Arena conference that's scheduled at the end of September.

This year, the event, themed ‘Ukraine 3.0: Brave. Resilient. Digital’, will be in-person (offline) to show the strength and resilience of Ukraine. The topics will focus largely on: how the tech industry can support the country in these turbulent times; the future of military technology; insights on modern cyber tactics, and much more. Political attendance at this year's IT Arena includes the Deputy Minister of Digital Transformation of Ukraine, Alex Bornyakov, as well as other top government officials. IT Arena will once again give tech professionals and journalists in Ukraine and around the globe the unique opportunity to come together in one place to network and learn about the latest in tech.

How many years has it been going?
This will be our 9th edition.

What was the inspiration to start it?
IT Arena started as a meeting ground for tech professionals from all over Ukraine, but has expanded tremendously since then.

What exciting things can people look forward to?
The future of military tech, cybersecurity insights, discussions on how the tech industry can help Ukraine win the war.

What opportunities are on offer for those attending?
Exclusive networking opportunities.

Who will be speaking?
See the lineup here:

What tips would you give to people attending to get the most out of it?
Don't miss the startup competition.

How can people book tickets / when does it usually sell out?
Tickets: due to security reasons, IT Arena has scaled down this year and the number of tickets is limited.

Two days of insightful talks

This year's IT Arena hosts keynote speakers, including names such as Haluk Bayraktar, CEO of Turkey's premiere autonomous technology company Baykar; Cameron Chell, CEO of Dragonfly; Ivan Tolchynskyi, CEO of Atlas Aerospace; Serhiy Prytula, CEO of Prytula Charity Fund; and cybersecurity expert Kim Zetter. The popular Startup Competition is also back this year. The competition has become an excellent opportunity for new tech companies to showcase their projects and network with others in the industry. Participants will compete for a $53,000 prize fund as they validate their business models. Note that registration for the IT Arena startup competition is open until September 11, 2022.

Keeping you safe at our event

IT Arena 2022 event organizers are working with local authorities to ensure the safety of all attendees, speakers, and guests. This year's event will be scaled down to facilitate increased security. “We're committed to creating the safest environment we can,” said Stepan Veselovskyi, CEO of IT Arena and Lviv IT Cluster. “Despite unprecedented challenges around the country, Ukraine's tech community has continued to thrive in 2022. At the moment, the overwhelming sentiment from our members, partners, speakers and attendees is that we should go forward with our event. So we will gather in person to show the whole world how brave and resilient Ukraine is, where we say life can and should go on.”

About IT Arena

Since 2014, IT Arena has annually brought members of the Ukrainian and Eastern European tech communities together for one special event. The conference typically attracts more than 5,000 tech professionals from over 40 countries. These professionals come to IT Arena from all areas of tech – from large companies like Google, F1, Spotify, Tesla to local startups like Liki24, Legal Nodes, AXDRAFT.
IT Arena provides a plethora of opportunities for attendees to learn, network, and...

Electric Perspectives
046 Electric Perspectives: EEI 2022 Highlights: EVs, ESG, and Cybersecurity
Aug 25, 2022 (57:05)


This episode is the second part of our three-part series featuring the highlights of EEI 2022, our annual thought leadership forum. In this episode, you will hear conversations about topics including electric transportation, ESG, and cybersecurity featuring Michael Webber, Chief Technology Officer, Energy Impact Partners, and Josey Centennial Professor in Energy Resources at the University of Texas at Austin; EEI Director of Electric Transportation Kellen Schefter; Dan Hahn, Partner – Energy, Sustainability, and Infrastructure at Guidehouse; Deloitte's Specialist Lead – EV Strategy and Planning Adrian Rouse and Vice Chair of U.S. Power, Utilities & Renewables Leader Jim Thompson; and Kim Zetter, journalist and author of Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon. Also featured are virtual remarks by Department of Transportation Secretary Pete Buttigieg and highlights from a keynote featuring Duke Energy Chair, President, and CEO Lynn Good and Director of the Cybersecurity and Infrastructure Security Agency Jen Easterly.

Decipher Security Podcast
Source Code 8/12
Aug 12, 2022 (5:29)


Welcome back to Source Code, Decipher's weekly news wrap podcast with input from our sources. This week, the U.S. government announced sanctions against the Tornado Cash cryptocurrency mixer. In other news, Black Hat kicked off with keynotes from former CISA director Chris Krebs and investigative journalist Kim Zetter.

Risky or Not?
308. Two Day Trunk Cheese
May 30, 2022 (8:19)


Dr. Don and Professor Ben talk about the risks from pepper jack cheese left in a trunk for two days. Dr. Don - not risky

Marketplace Tech
Trading your password for your cellphone
May 9, 2022 (7:58)


Using passwords as a way to prove your identity online, though ubiquitous, has several downsides. People forget them and, if they aren’t strong enough, passwords can be guessed by criminals. Last week, Apple, Google and Microsoft announced plans to work together on a “passwordless” authentication system for their various browsers, services and devices. The cross-platform collaboration is expected to start rolling out over the next year. The companies say they will support Fast Identity Online (FIDO) protocols across their most commonly used products. Marketplace’s Kimberly Adams speaks with Kim Zetter, cybersecurity journalist and author, about this collaboration.

Marketplace All-in-One
Trading your password for your cellphone
May 9, 2022 (7:58)


Using passwords as a way to prove your identity online, though ubiquitous, has several downsides. People forget them and, if they aren’t strong enough, passwords can be guessed by criminals. Last week, Apple, Google and Microsoft announced plans to work together on a “passwordless” authentication system for their various browsers, services and devices. The cross-platform collaboration is expected to start rolling out over the next year. The companies say they will support Fast Identity Online (FIDO) protocols across their most commonly used products. Marketplace’s Kimberly Adams speaks with Kim Zetter, cybersecurity journalist and author, about this collaboration.

The CyberWire
SolarWinds through a first principle lens. [CSO Perspectives]
Apr 11, 2022 (21:21)


Enjoy this sample of CSO Perspectives, a CyberWire Pro podcast. Like what you hear? Consider subscribing to CyberWire Pro for $99/year. Learn more.

On this episode, host Rick Howard discusses whether the first principles theories prevent material impact in the real world, such as the latest SolarWinds attack.

Previous episodes referenced:
- S1E6: 11 MAY: Cybersecurity First Principles
- S1E7: 18 MAY: Cybersecurity first principles: zero trust
- S1E8: 26 MAY: Cybersecurity first principles: intrusion kill chains
- S1E9: 01 JUN: Cybersecurity first principles: resilience
- S1E11: 15 JUN: Cybersecurity first principles: risk
- S2E3: 03 AUG: Incident response: a first principle idea
- S2E4: 10 AUG: Incident response: around the Hash Table
- S2E7: 31 AUG: Identity Management: a first principle idea
- S2E8: 07 SEP: Identity Management: around the Hash Table

Other resources:
- “A Brief History of Supply Chain Attacks,” by Secarma, 1 September 2018.
- “Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers,” by the Microsoft 365 Defender Research Team and the Microsoft Threat Intelligence Center (MSTIC), Microsoft, 18 December 2020.
- “A Timeline Perspective of the SolarStorm Supply-Chain Attack,” by Unit 42, Palo Alto Networks, 23 December 2020.
- “Cobalt Strike,” by MALPEDIA.
- “Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon,” by Kim Zetter, published by Crown, 3 June 2014.
- “Cybersecurity Canon,” by Ohio State University.
- “FireEye shares jump back to pre-hack levels,” by Melissa Lee, CNBC, 23 December 2020.
- “Implementing Intrusion Kill Chain Strategies by Creating Defensive Campaign Adversary Playbooks,” by Rick Howard, Ryan Olson, and Deirdre Beard (Editor), The Cyber Defense Review, Fall 2020.
- “Orion Platform,” by SolarWinds.
- “Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers,” by Andy Greenberg, published by Doubleday, 7 May 2019.
- “Solarstorm,” by Unit 42, Palo Alto Networks, 23 December 2020.
- “The Cybersecurity Canon: Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon,” by Rick Howard, The Cybersecurity Canon Project, 28 January 2015.
- “Using Microsoft 365 Defender to protect against Solorigate,” by the Microsoft 365 Defender Team, 28 December 2020.

Risky Business
Risky Business #660 -- Lapsus$ arrests, latest on Okta incident
Mar 30, 2022


On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including:
- Some arrests of suspected Lapsus$ members in the UK
- Why the Okta incident is probably a fizzer
- Four FSB officers indicted over Triton/Trisis malware
- Kim Zetter interviewed Intrusion Truth
- Australian government to upsize ASD
- Wave bye bye to Finfisher
- Much, much more

This week's sponsor interview is with Mike Wiacek from Stairwell. Stairwell makes a product that catalogues the files in your environment and lets you slice and dice that data. That makes threat hunting pretty easy and Mike is joining the show this week to talk about why organisations of all stripes should be doing threat hunting.

Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that's your thing.

Show notes
- Lapsus$: Oxford teen accused of being multi-millionaire cyber-criminal - BBC News
- Okta ‘identifying and contacting’ customers potentially affected by Lapsus$ breach - The Record by Recorded Future
- Okta revises original statement, says 366 customers affected by Lapsus$ breach - The Record by Recorded Future
- Okta apologizes for waiting two months to notify customers of Lapsus$ breach - The Record by Recorded Future
- Lapsus$ found a spreadsheet of accounts as they breached Okta, documents show | TechCrunch
- DOJ unseals indictments of four Russian gov't officials for cyberattacks on energy companies - The Record by Recorded Future
- Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide | OPA | Department of Justice
- Intrusion Truth - Five Years of Naming and Shaming China's Spies
- ASD to double in size after $10bn cyber security funding boost - Security - iTnews
- How the Biden budget goes big on cyber - The Record by Recorded Future
- FBI, CISA advise 13,000 orgs to have 'low threshold' for reporting cyberattacks - The Record by Recorded Future
- Senate report examines REvil ransomware attacks on US firms - The Record by Recorded Future
- Senate ransomware investigation says FBI leaving victims in the lurch
- Surveillance software firm FinFisher declares insolvency - The Record by Recorded Future
- NSO refused Ukraine's request for Pegasus spyware so it wouldn't anger Russia - The Washington Post
- FCC puts Kaspersky on security threat list, says it poses “unacceptable risk” | Ars Technica
- Traffic at major Ukrainian internet service provider Ukrtelecom disrupted - The Record by Recorded Future
- An interview with the chief technical officer at Ukrtelecom - The Record by Recorded Future
- Hackers Gaining Power of Subpoena Via Fake “Emergency Data Requests” – Krebs on Security
- North Korean hackers unleashed Chrome 0-day exploit on hundreds of US targets | Ars Technica
- Google releases emergency security update for Chrome users after second 0-day of 2022 discovered - The Record by Recorded Future
- Npm maintainers remove malicious packages after typosquatting attempt - The Record by Recorded Future
- ‘Spam Nation’ Villain Vrublevsky Charged With Fraud – Krebs on Security
- $2 million stolen from DeFi protocol Revest Finance, platform unable to reimburse victims - The Record by Recorded Future
- Flash loan attack on One Ring protocol nets crypto-thief $1.4 million | The Daily Swig
- More than $625 million stolen in DeFi hack of Ronin Network - The Record by Recorded Future
- Hackers Who Stole $50 Million in Crypto Say They Will Refund Some Victims

CSO Perspectives (public)
SolarWinds through a first principle lens.
Feb 28, 2022 (21:21)


Rick discusses whether the first principles theories prevent material impact in the real world, such as the latest SolarWinds attack.

Previous episodes referenced:
- S1E6: 11 MAY: Cybersecurity First Principles
- S1E7: 18 MAY: Cybersecurity first principles: zero trust
- S1E8: 26 MAY: Cybersecurity first principles: intrusion kill chains
- S1E9: 01 JUN: Cybersecurity first principles: resilience
- S1E11: 15 JUN: Cybersecurity first principles: risk
- S2E3: 03 AUG: Incident response: a first principle idea
- S2E4: 10 AUG: Incident response: around the Hash Table
- S2E7: 31 AUG: Identity Management: a first principle idea
- S2E8: 07 SEP: Identity Management: around the Hash Table

Other resources:
- “A Brief History of Supply Chain Attacks,” by Secarma, 1 September 2018.
- “Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers,” by the Microsoft 365 Defender Research Team and the Microsoft Threat Intelligence Center (MSTIC), Microsoft, 18 December 2020.
- “A Timeline Perspective of the SolarStorm Supply-Chain Attack,” by Unit 42, Palo Alto Networks, 23 December 2020.
- “Cobalt Strike,” by MALPEDIA.
- “Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon,” by Kim Zetter, published by Crown, 3 June 2014.
- “Cybersecurity Canon,” by Ohio State University.
- “FireEye shares jump back to pre-hack levels,” by Melissa Lee, CNBC, 23 December 2020.
- “Implementing Intrusion Kill Chain Strategies by Creating Defensive Campaign Adversary Playbooks,” by Rick Howard, Ryan Olson, and Deirdre Beard (Editor), The Cyber Defense Review, Fall 2020.
- “Orion Platform,” by SolarWinds.
- “Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers,” by Andy Greenberg, published by Doubleday, 7 May 2019.
- “Solarstorm,” by Unit 42, Palo Alto Networks, 23 December 2020.
- “The Cybersecurity Canon: Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon,” by Rick Howard, The Cybersecurity Canon Project, 28 January 2015.
- “Using Microsoft 365 Defender to protect against Solorigate,” by the Microsoft 365 Defender Team, 28 December 2020.

Reset
Russia, Ukraine, and the threat of cyberwar
Feb 28, 2022 (17:28)


As part of its invasion of Ukraine, Russia is using cyberattacks against the country's infrastructure, banks, and more. Cybersecurity journalist Kim Zetter tells us the past, present, and potential future of Russia's digital aggression against Ukraine. Read Kim's story. Today's episode was produced by Jon Ehrens, engineered by Cristian Ayala, and hosted by Adam Clark-Estes. Support Recode Daily by making a financial contribution to Vox! bit.ly/givepodcasts

Hurricane Labs InfoSec Podcast
SOC Talk: The Russia-Ukraine Crisis
Feb 25, 2022 (11:36)


In this special release podcast, Hurricane Labs' Director of Security Operations and our Director of Splunk Operations discuss the security implications of the Russia-Ukraine conflict. Also, make sure to check out some of the articles and resources mentioned during this episode:
- CISA Alert (AA22-047A)
- Second Wiper Attack Strikes Systems in Ukraine and Two Neighboring Countries via Kim Zetter, Substack
- Ukraine: Disk-wiping Attacks Precede Russian Invasion via Symantec Enterprise Blogs

WE'RE IN!
Kim Zetter on Election Security, Stuxnet and Substack
Dec 10, 2021 (35:01)


Kim Zetter is a former staff writer at WIRED and author of the seminal cybersecurity book “Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon.” Her work has appeared in The New York Times, POLITICO, The Washington Post and regularly in her Substack newsletter, “Zero Day.” In this episode, Kim talks about her approach to reporting, what sparked her Stuxnet investigation and how the discovery of that malware fundamentally altered our global cybersecurity conversation.

Why you should listen:
* Hear from one of the most influential and knowledgeable journalists writing about cybersecurity today.
* Get her take on some of the biggest security stories of 2021 such as Colonial Pipeline and the Pegasus Project.
* Learn more about the key policy debates around election security and critical infrastructure protections.

Key Quotes:
* “Stuxnet really helped shine a light on industrial control systems as a target.”
* “We focus too much on the stuff that makes the headlines and completely ignore the innocuous things that you're downloading onto your phone .... Those things are spying on you, as well.”
* “The Obama administration was the first administration to [make] cyber a priority, but they didn't really put critical infrastructure as a priority in the sense of using the government's weight to force security on critical infrastructure. We're actually only seeing that in this last year … in the wake of Colonial Pipeline.”
* “When we saw Russia trying to interfere in 2016, that woke up DHS that someone, somewhere needed to have some kind of influence over election officials.”

Links:
* www.synack.com
* https://zetter.substack.com/
* https://www.nytimes.com/2018/09/26/magazine/election-security-crisis-midterms.html

Marketplace Tech
How safe is your water from a cyberattack?
Oct 20, 2021 (10:31)


Ongoing cyber threats to local water and wastewater systems were flagged in an advisory jointly sent out by the FBI, the EPA, and the Cybersecurity and Infrastructure Security Agency (CISA) last week. It warned that systems to ensure that sewage and other biohazards stay out of our drinking water are vulnerable. The advisory pointed to several cyberattacks in the last few years, like one in Oldsmar, Florida where someone tried to hack in and dump extra chemicals in one municipal system. CISA is urging water and wastewater facilities to plan for, and get ready to block, these attacks. Marketplace’s Kimberly Adams speaks with Kim Zetter, a cybersecurity journalist and author.

Marketplace All-in-One
How safe is your water from a cyberattack?
Oct 20, 2021 (10:31)


Ongoing cyber threats to local water and wastewater systems were flagged in an advisory jointly sent out by the FBI, the EPA, and the Cybersecurity and Infrastructure Security Agency (CISA) last week. It warned that systems to ensure that sewage and other biohazards stay out of our drinking water are vulnerable. The advisory pointed to several cyberattacks in the last few years, like one in Oldsmar, Florida where someone tried to hack in and dump extra chemicals in one municipal system. CISA is urging water and wastewater facilities to plan for, and get ready to block, these attacks. Marketplace’s Kimberly Adams speaks with Kim Zetter, a cybersecurity journalist and author.

Not Just a Lawyer
What is a ZERO DAY, and why should you drop everything and update your Apple software right now?

Not Just a Lawyer

Play Episode Listen Later Sep 14, 2021 5:27


Read the title, do it, then come back. Acknowledgement of Country. Book recommendation: Countdown to Zero Day by Kim Zetter. Podcast recommendation: the Darknet Diaries. Seriously go update stuff now!

Security Explained
Surveillance and Pegasus w/ Kim Zetter

Security Explained

Play Episode Listen Later Sep 1, 2021 54:45


If you've been keeping up on security news recently you've likely heard of the Pegasus spyware and its authors, the Israeli firm NSO Group. While Pegasus is an impressive piece of software, the capabilities it brings to the table are nothing new (nor are the ethical and moral implications of government surveillance programs). Join us as we sit down with renowned security journalist Kim Zetter and hear what she has to say about these recent events and surveillance programs more generally.

More of Kim's work can be found at:
- https://zetter.substack.com/
- https://www.penguinrandomhouse.com/books/219931/countdown-to-zero-day-by-kim-zetter/

InSecurity
Mitch Greenfield: Hospitals are Under Continuous Cyberattack… What Can We Do?

InSecurity

Play Episode Listen Later Aug 31, 2021 73:28


Once upon a time, Gartner predicted that by 2020, more than 25 percent of cyberattacks in healthcare delivery organizations would involve some kind of IoT device. In medical terms, that means wirelessly connected and digitally monitored implantable medical devices like pacemakers, deep brain neurostimulators and insulin pumps. These aren't the esoteric things that might make the world go round, but they are difficult to explain to the layperson. But for the people who are literally kept alive by these devices, their continued functionality is literally a matter of life and death. You feel me?

In 2018 Cybersecurity Ventures released research stating that medical devices have an average of 6.2 vulnerabilities each. Further, they found that 60% of medical devices were at end-of-life stage with no patches or upgrades available. The scariest of all cyber malintent in the healthcare space may lie ahead. Researchers in Israel announced last year that they'd created a computer virus capable of adding tumors into CT and MRI scans. They are talking about malware designed to fool doctors into misdiagnosing high-profile patients, according to a story by Kim Zetter in The Washington Post.

So what do we do?

On today's No Name Security Podcast, Matt Stephenson welcomes Mitch Greenfield, Director of Core Security Architecture at Humana. We go all over the healthcare security map in a chat ranging from returning to work to securing telehealth operations to the intricacies of securing a wildly diverse enterprise... we might even squeeze in a little bit of pickle ball. Yeah… you read that right. Great stuff on this episode! Check it out…

About Mitch Greenfield

Mitch Greenfield is Director of Core Security Architecture at Humana. He's been there for over 13 years and has served in previous roles which included ethical hacking and penetration testing for Humana as well as their partners and acquisitions. Mitch is a Certified Ethical Hacker and Licensed Penetration Tester, among many other things. He also co-hosts the Collaboration Chronicles podcast.

About Matt Stephenson

Matt Stephenson (@packmatt73) leads the Social Media team at Forescout, which puts me in front of people all over the world. Prior to joining Forescout, I hosted podcasts, videos and live events all over the world which put me with experts on every corner of the cybersecurity landscape. The new No Name Security Podcast will continue and expand upon that tradition as we seek out the leading minds in the security industry as well as those who may break things every now and again. And… just for fun, there will be some wildcard guests as well.

In 10 years in the ecosystem of Data Protection and Cybersecurity I have toured the world extolling the virtues of Artificial Intelligence and Machine Learning and how, when applied to information security, these technologies can wrong-foot the bad guys. Prior to the COVID shutdown, I was on the road over 100 days a year doing live malware demonstrations for audiences from San Diego to DC to London to Abu Dhabi to Singapore to Sydney. One of the funniest things I've ever been a part of was blowing up a live instance of NotPetya 6 hours after the news broke... in Washington DC... directly across the street from FBI HQ... as soon as we activated it a parade of police cars with sirens blaring roared past the building we were in. I'm pretty sure they weren't there for us, but you never know...

Whether at in-person events, live virtual events or podcasting, I get to interview interesting people doing interesting things all over the world of cybersecurity and the extended world of hacking. Sometimes, that means hacking elections or the coffee supply chain... other times that means social manipulation or the sovereign wealth fund of a national economy. Wherever I go, my job is all about talking with the people who build, manage or wreck the systems that we have put in place to make the world go round...

If you tuned in to any of my previous podcasts, there's great news! The No Name Security Podcast is here! I will be bringing the same kind of energy and array of guests you know and love. Best part? We're still at the same spot. You can find it on Spotify, Apple, Amazon Music & Audible as well as GooglePlay, Gaana, Himalaya, iHeartRadio and wherever you get your podcasts! Make sure you Subscribe, Rate and Review!

On the Media
Undercover and Over-Exposed

On the Media

Play Episode Listen Later Jul 30, 2021 53:32


This week, we consider whether information should ever be off-limits to journalists. It's a thorny ethical question raised by FBI informants, hacked sources and shockingly intimate personal data. Plus, why a conservative Catholic publication's outing of a gay priest has garnered criticism from all sides.

1. Ken Bensinger [@kenbensinger], investigative reporter for Buzzfeed News, on what new evidence surrounding the plot to kidnap Michigan governor Gretchen Whitmer says about how the government defines, and attacks, domestic terrorism.
2. OTM reporter Micah Loewinger [@MicahLoewinger] and guest host Brandy Zadrozny [@BrandyZadrozny] examine whether or not it's possible to ethically use information from data breaches. Featuring: Kevin Collier [@kevincollier], cybersecurity and privacy reporter for NBC News, Kim Zetter [@KimZetter], senior staff reporter covering cybercrime for Wired, and Lorax Horne [@bbhorne], writer with Distributed Denial of Secrets.
3. Sara Morrison [@SaraMorrison], data and privacy reporter at Recode at Vox, discusses the dangers of information for sale after a Catholic priest was outed by a newsletter that obtained his location data from an app.
4. Mike O'Loughlin [@MikeOLoughlin], national correspondent at Catholic media organization America, reflects on how new methods are stoking old fights in the Catholic Church.

Technopolitik
#5 Harmful Harms and Not so Rare Rare Earths

Technopolitik

Play Episode Listen Later Jul 28, 2021 12:47


Siliconpolitik: The Upcoming Quad Summit - Pranay Kotasthane

News reports suggest that the first in-person Quad summit is likely to be held in September. The last online summit-level meeting created three working groups on vaccines, critical & emerging technologies (C&ET), and climate change. Though there has been some action on vaccine delivery, there are virtually no updates about the outcomes of the other two working groups. At least on the C&ET front, it seems to me that a vast agenda has bogged down any meaningful collaboration. To this day, it seems that the four countries do not even agree on which technologies are critical and emerging, and which aren't. The four states will be looking for ways to get out of this rut as they meet in September. Hence it is useful to recommend C&ET 'actionables' that can be announced as part of this summit.

I have earlier written why a semiconductor partnership would be an ideal start for the Quad C&ET collaboration. In this edition, here are a few tangible action items to begin this partnership.

One, announce a Quad Semiconductor Supply Chain Resilience Fund. Think of this as a multi-sovereign wealth fund but for semiconductor investments across the Quad countries. This fund could focus on two areas:
- Create a roadmap for new manufacturing facilities across the Quad countries. One of the focus areas should be to secure supplies not just at the leading-edge nodes but also at key trailing-edge nodes, which will continue to remain workhorses for automotive, communications (5G), and AI.
- Sponsor new standard developments such as composite semiconductors and create one centre for excellence in each Quad country in an area of its immediate interest. For example, Australia could host the CoE for new materials in electronics, Japan could host the CoE for silicon manufacturing equipment, while the US and India could host CoEs on specific fabless design architectures.

Two, and this one is an even more ambitious goal, facilitate strategic alliances between companies in the four Quad states. A precedent to learn from is the US-Japan arrangement in the early 1990s, by when memory manufacturing had moved out from the US to Japan for cost reasons. The US National Research Council came out with a report in 1992 studying the types of alliances between US and Japanese semiconductor companies and recommended specific actions to take in furthering each of these arrangements. For example, the table below captured the sixteen types of alliances used by US and Japanese semiconductor companies.

Nearly thirty years later, this typology remains a useful guide for Quad collaboration on semiconductors. Each area needs government facilitation. For example, reducing export control requirements between Quad countries can aid more licensing, cross-licensing, and technology exchange arrangements. Similarly, lowering investment screening mechanisms for Quad countries can accelerate joint development and acquisition arrangements. In short, there is much that can be done on the Quad C&ET agenda through the siliconpolitik route.

Mineralpolitik: The Global Hustle for REEs - Aditya Pareek

Rare Earth Elements (REE) are critical to modern high-tech supply chains. China has captured much of the Rare Earths market over the past three decades. One reason for this has been its willingness to bear the steep ecological cost of extracting and processing REEs. In 2010, during a dispute between China and Japan, the world got its first memorable jolt of how China's dominance of the sector can affect the supply of everything - from strategically important tech to consumer electronics. Ever since, the need for diversifying and building separate supply chains not reliant on China has been felt, and the COVID-19 induced disruption has only exacerbated these impulses. However, according to recently published data, as quoted in SCMP and Reuters, China's Rare Earths exports have proliferated by a significant margin (25.3% compared to the first half of 2020 and 16.5% compared to the first half of 2019). While the US and other Quad states may be planning to shift away from China, it will take years for this to become a reality.

According to an opinion piece in the Diplomat, Myanmar, which saw a military coup earlier this year, and has again become a pariah state to the West, is the "third-largest source of mined Rare Earths". Most of the mines from which Myanmar's REEs come are in the long-troubled Kachin state region. Dysprosium is an important REE component in Neodymium magnets, which in turn are used to build everything from basic motors in consumer electronics and appliances like cars and washing machines to all conceivable complex military equipment such as drones, combat vehicle engines, submarine electric propulsion systems etc. "The price of dysprosium oxide shot up nearly 60 percent in March, amid fears that prolonged unrest in Myanmar could tie up shipments of ores and concentrates."

As this feature in Mining Technology highlights, Tanzania can also soon emerge as a major supplier of very "high-grade neodymium praseodymium (NdPr) deposits in the world". The neodymium supply, if it materialises, will be an important new source for building REE permanent magnets that are imperative to most modern systems, civilian and military.

An alternative source of REEs, apart from traditional mining methods, may be urban mining, which is basically recycling REEs from scrapyards and garbage dumps containing REE-rich e-waste. Until now, this hasn't been a source of a significant amount of the world's REE supply but, as this article in Ars Technica points out, over time it may emerge as a major source.

If the content in this newsletter interests you, consider taking up the Takshashila GCPP in Technology Policy. It is designed for technologists who want to explore public policy. By the end of this course, you will be able to use a #ResponsibleTech framework to systematically understand the ethical dimensions of technology advancements. Intake for the 30th cohort ends on 22nd August. To know more click here.

Cyberpolitik #1: The Secret's Out - Nitansha Bansal

It is happening again! Proof of global surveillance exercised by the states has once again come to light, this time in the form of the Pegasus Project. It is a coordinated effort of Forbidden Stories, a French media non-profit, and Amnesty International. Eighty journalists from ten countries collaborated to unearth the global spying tool with the technical support of Amnesty's Security Lab, which conducted forensic tests to identify the traces of Israeli cybersecurity firm NSO's spyware called Pegasus. Spyware is malicious software that enters a device, gathers data and transmits it to a server without the consent of the owner of the data. Pegasus is such a powerful cyber-surveillance tool that it is classified as a weapon and requires the same export clearances as a lethal weapon, explains Suhasini Haidar, the Diplomatic Affairs Editor of The Hindu. Once injected into the target's device, it can read messages and mails, access call logs and stored files, switch the device on and off, turn on the camera and microphone, and can even affect the devices near the targeted device, without the knowledge of the device owner. Until 2018, NSO relied on an Enhanced Social Engineering Message (ESEM), i.e. a malicious SMS or WhatsApp message, to inject Pegasus into the target's device. However, the latest version of Pegasus is a zero-click spyware, i.e. spyware that does not need the target to click on any link or pick up any calls. The target does not need to interact with the spyware. It can enter the target's device merely by sending a push notification or by sending a missed call to the device. In 2016, the Canadian Citizen Lab first flagged the cybersecurity threat presented by Pegasus to Apple. Then in 2019, WhatsApp blamed the NSO for exploiting a zero-day vulnerability in its video calling feature to inject spyware into users' devices. Citizen Lab reported again in 2020 about governments using Pegasus to spy on journalists at Al Jazeera and Al Araby TV. Now, the Pegasus Project has reportedly revealed over fifty thousand targeted contact numbers, which are mostly concentrated in Azerbaijan, Bahrain, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary and the United Arab Emirates (UAE).

State surveillance is not new. What is new is the ease of surveillance and the engagement of the private sector in mass surveillance. Also new is the Internet of Things (IoT), which could allow objects of daily use like cars and kitchen equipment to provide information about owners. It was with Edward Snowden's revelations in 2013 that the world realized the omnipresence of the state in their daily lives. The symbiotic relationship between government spies and private companies has changed surveillance. Commercial corporations provide the technology, equipment as well as required information on citizens to government agencies in the form of online payment, searches, shopping, social media etc. What is also worth noticing in the case of Pegasus is the export of surveillance technologies from one country to another. NSO has maintained that the Israeli Minister of Defence has to approve NSO's clients to make sure that the spyware is not used against Israel or its interests. I wonder if categorising nations as democratic or authoritarian has become archaic. We would do more justice to contemporary times if we compared governments on the basis of the mass surveillance they conduct on their own.

Cyberpolitik #2: Digital Communication Networks and their harms - Prateek Waghre

Digital Communication Networks (defined below) have led to concerns about rapid changes in the scale and structure of human networks, their impact on the quality of the information in circulation, and the role played by algorithms in directing the flow of information. Seventeen researchers have called for the study of collective behaviour to be elevated to a 'crisis discipline'. A Takshashila Working Paper published earlier this week categorised the various harms attributed to Digital Communication Networks (DCNs). We define DCNs as composite entities consisting of the following components:
- Capability: Internet-based products/services that enable instantaneous low-cost or free communication across geographic, social, and cultural boundaries. This communication may be private (1:1), limited (1:n, e.g. messaging groups), or broad (Twitter feeds, Facebook pages, YouTube videos, live streaming), and so on.
- Operator(s): Firms/groups that design/operate these products and services.
- Networks: The entities/groups/individuals that adopt/use these products and services, and their interactions with each other.

We did this because we felt existing terms such as 'social media', 'big tech', 'digital platforms', can be limited by context-dependence, or be too broad or too narrow. The proposed framing, we believe, encourages their study from the perspective of their effects on societies as a whole, rather than focussing on specific companies, technologies, sharing mechanisms, user dynamics, and other attributes which are constantly evolving.

The paper classifies the harms attributed based on whether they have competitive, data-related or narrative effects. It then categorises these harms as potential market failures (3), social problems (13) and cognitive biases (9). The wide range of social problems and cognitive biases highlights the need for further study of the psychosocial effects of these harms and their broader impact in the Indian context. These considerations also raise the questions of how, and whether, the antitrust interventions currently being pursued in some of the developed economies will affect DCNs across competition, data and narrative spheres in the rest of the world.

This is the first in a series of papers that will explore the different aspects of DCNs. Future work will investigate the benefits that DCNs enable, assess overlaps and contradictions between proposed or enacted DCN governance measures, and examine the role of global internet governance mechanisms. You can read a pdf version of the paper here.

Our Reading Menu
- [Report] Some very useful conceptual thinking on what AI means for national power by the folks at Center for Security and Emerging Technology.
- Takshashila's A Rare Earths Strategy for India [Discussion Document]
- Dr Yamuna Singh's [Book] is the most comprehensive volume on the scientific and pragmatic context of REE extraction and processing in India.
- Kim Zetter's [Book] Countdown to Zero Day.
- Andy Greenberg's [Book] Sandworm.

This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit hightechir.substack.com

OODAcast
Episode 70: Kim Zetter on Understanding the Realities of Cyberthreats and How Code Has a Story to Tell

OODAcast

Play Episode Listen Later Jun 18, 2021 51:20


This week's OODAcast is with Kim Zetter, an incredibly well respected journalist who has been covering cybersecurity related issues for two decades. Matt Devost talks with Kim about a wide variety of cyber-related issues including a deep dive into Stuxnet and the implications for today's security environment. Kim also shares details as to how she got into the field and how she developed relationships with the hacker community via her longstanding attendance at Def Con.

Kim is an award-winning investigative journalist and author who has covered cybersecurity and national security for more than a decade, most recently as a staff writer for WIRED. Her work has also appeared in the New York Times Magazine, Politico, Washington Post and others. She has broken numerous stories about NSA surveillance, WikiLeaks, and the hacker underground, including an award-winning series about security problems with electronic voting machines. She has four times been voted one of the top ten security journalists in the U.S. by her journalism peers. She's considered one of the world's experts on Stuxnet, a virus/worm used to sabotage Iran's nuclear program, and wrote an acclaimed book on the topic – Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon.

Additional Resources:
- Countdown to Zero Day book
- Kim's Zero Day Substack
- Def Con hacker conference

MPR News with Kerri Miller
Cybercrime is on the rise. What can we do to protect ourselves?

MPR News with Kerri Miller

Play Episode Listen Later Jun 15, 2021 45:07


In just the last couple of months, cybercriminals have hacked several U.S. companies using different types of ransomware, paralyzing a petroleum pipeline, compromising a meat manufacturer, delaying ferry operations between Massachusetts' mainland and Martha's Vineyard and Nantucket, and even targeting K-12 schools. Join us as host Kerri Miller talks to two cybersecurity experts about threats, the risks of corporate hacking, what can be done to prevent them and what can be done to protect those who are most vulnerable.

Guests: Lauren Zabierek is the executive director of the Cyber Project at the Belfer Center for Science and International Affairs at Harvard Kennedy School. Kim Zetter is an investigative journalist who covers privacy, computer security and national security. She is also author of the book "Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon."

Unsolicited Response Podcast
Book Review: This Is How They Tell Me The World Ends

Unsolicited Response Podcast

Play Episode Listen Later Apr 13, 2021 12:35


Short Review

This is a book that an ICS security professional should give to friends and family to read so they know why they do what they do. Nicole guides the lay person through her compelling journey to understand the 0day market and its impact on the security of the systems we all rely on. The ICSsec pro will find it to be interesting except for the parts on ICS / critical infrastructure, where it is historical fiction ... historical incidents extrapolated to their most dire possible results rather than presented in their true context.

Detailed Review

This was a very difficult book to review. I'm conflicted because the story is engaging and will keep the lay person turning the pages. The 0day market through line is well told, and the theme and major points Nicole is making are clear and compelling. And yet the parts I know in detail, ICS security and critical infrastructure, are portrayed in a light that is misleading, and even deliberately misleading. Misleading because a lay reader, including government policymakers, would almost certainly conclude the US critical infrastructure at this moment is compromised and a click or two away from the Russians, or other adversaries, causing a major catastrophe.

The Story ... The Positive

Imagine you are trying to tell your Mom or Dad, your Husband/Wife/Partner, your close friend about cybersecurity risk and how it could affect their lives, their communities and their country or region. This is hard. If you get into the technical details you will lose them. If you try to add too much nuance (HT: RLee) you will lose them. There needs to be a captivating story that makes the non-technical audience keep reading even if they don't care about the tech. Nicole has succeeded in this area by inserting herself into the story. She is not the heroine of the story. Instead she is the observer, the Nick Carraway from The Great Gatsby, who is observing the players in the 0day world who are neither pure heroes nor pure villains. She begins her journey naively at S4x13 in Miami Beach and investigates for over seven years, never actually reaching a point of knowing the market, and yet she describes what she knows and what cannot be known. The best parts of the book are when Nicole is an active character, walking through the world and talking to the players. You feel her frustration, fear, intimidation, dread and disgust. You want her to come out the other side with some answers or even the answer. Although to her credit she does not force a solution. The ending is actually more muddled than the beginning. It makes for a less satisfying journey, and it is more accurate.

Nicole's journey is the highlight of the book. The reason why you can recommend it to your Mom or Dad. It would have been even better for the lay reader had she not tried to add in the history, the details. It does not go deep into the technical details like Kim Zetter's Countdown to Zero Day, which can be viewed as a positive or negative. My view is if you are not going to push for technical accuracy, then less is better. Still the book is an interesting read, as my family members can attest.

The Theme

I'm sympathetic with the theme that the US Government's focus on offense, in this book primarily the accumulation of 0days, has made the world more dangerous. We see this offense focus clearly and unapologetically stated by NSA and Cyber Command across multiple leaders. The dominance of offensive theory and capabilities makes for a less stable world. My hope for any policy makers reading this book is they reject the current philosophy of "we can't defend so we need to be able to attack first and potentially cause even greater damage". Nicole repeatedly shows where US actions to buy 0days resulted in an unexpected and negative result. What is less certain is whether the 0day market was inevitable whether or not the US participated, or even led, in the early years. Nicole bemoans that "the cyberarms market was an incoherent mess". There were buyers and sellers reaching agreement, so it was not an incoherent mess. It was unregulated and led to undesirable outcomes in the past and likely in the future. However unless there are agreed upon cyber norms, similar to biological and chemical weapons, this was and is to be expected.

The Technical ... The Negative

I'm only qualified to comment on the ICS / Critical Infrastructure part of the book. My guess though is if you are part of the Vulnerability Equities Process (VEP), 0day market, Ekoparty, ... the parts of the book that discuss your area will be frustrating. I say this because anyone reading the ICS / Critical Infrastructure part of the book would come out with an incorrect understanding of the current capability of Russia and other adversaries to cause a catastrophic event using existing deployed exploits of the US critical infrastructure. There is not a lot of factual detail in the book, again good for the lay person reader, and therefore creating an errata list wouldn't be a compelling case.

In the ICS area, there was one major mistake on page 297:

"It was an act of unprecedented digital cruelty, but the Russians stopped just short of taking lives. Six hours later, they flipped the power back on in Ukraine, just long enough to send their neighbor, and Kyiv's backers in Washington a clear message: 'We can torch you'."

This clearly implies that the Russians stopped their attack and turned the power back on in Ukraine. What actually happened was the Ukrainians went out to the substations and manually brought them back on line and operated them manually for many months. The SCADA system was down for about a year. Nicole was right that a "clear message" was sent. This error on its own in a 400-page book would not be an issue. The issue is that every incident is presented in its worst possible light. Often not wrong by a strict parsing of the text, but misleading.

A great example is Wolf Creek Nuclear plant on page 397:

"the Russians were inside our nuclear plants ... The code made clear that Russia's hackers had breached the most alarming target of all: Wolf Creek, the 1200 megawatt nuclear power plant near Burlington, Kansas. This was no espionage attack. The Russians were mapping out the plant's networks for a future attack; they had already compromised the industrial engineers who maintain direct access to the reactor controls ... And the goal wasn't to stop the boom. It was to trigger one."

Although she doesn't state it, this quote and the surrounding text would almost certainly be read as the Russians were in the nuclear control and safety systems. The reality is that an adversary had breached the office network at the Wolf Creek Nuclear Power Plant, but they had not yet been able to breach the ICS that controlled the nuclear plant nor the safety systems that would need to fail to cause "the boom". Nicole wrote on page 392, "The technical community will argue I have overgeneralized and oversimplified, and indeed, some of the issues and solutions are highly technical and better left to them." When I had my interview with Nicole and wrote this review, this sentence kept running through my mind. After much introspection and consideration of this point, I do believe that this Wolf Creek example and many others in the book would lead the lay person to an incorrect understanding of the current state. How different would a reader's understanding be if the Wolf Creek incident had said the Russians were just outside the control and safety systems? Yes, they were knocking on the doors where accounting, HR, and other office functions take place, but they had not yet gotten in to plant operations or safety systems.

Another specific example is related to the Bowman Avenue Sluice Gate. To her credit Nicole notes in an early section that this is not the Arthur R. Bowman dam in Oregon. However in the concluding chapter she writes, "We've caught Iranian hackers rifling through our dams." An Internet-connected, ~5 meter wide, ~1 meter high sluice gate that keeps a neighborhood from flooding a couple of times a year is not a national security event and not worth noting as a reason for perilous concern in the concluding chapter.

Beyond the ICS security specifics, and probably more important, are the unsubstantiated contentions that the Russians and adversaries are in our systems and a click away from causing a catastrophic event. There are many in the book's text and in the interviews.

Page 297: "By now, Russian hackers were so deeply embedded in the American grid and critical infrastructure, they were only one step from taking everything down".

Pivot Podcast: "Russia's in our government networks, they are in the grid, they've gotten into the power plants, we've seen them break into nuclear plants" ... "the worst case scenario is just one more minute away is because no one has actually used these accesses to turn off the power yet; it's two clicks away."

Page 380: "Russia invisibly worked their way into an untold number of nuclear and power plants around the country."

There are many more examples where the book's clear message is that the adversaries, Russians, Chinese, North Koreans, Iranians are able to cause a critical infrastructure catastrophe. The facts don't indicate this. As noted in the summary, Nicole has taken historical incidents and either extrapolated them to their most hysterical or left out a sentence or two that would give the reader the correct impression. This approach is consistent throughout the text. If the goal is to grab the lay reader by the shoulders and shake them saying this is important, it is a successful deception. Still it is nearly as scary without the hyperbole.

Recommendations

The final chapter includes a set of recommendations that are underwhelming. Vendors need to have a security development lifecycle (SDL) and put out better systems. The end users, the people, need to be more security aware. In this area I don't fault Nicole because there are not easy answers. It might have been better to leave this chapter off. One interesting suggestion was on page 398:

"We could start by passing laws with real teeth that mandate, for instance, that critical infrastructure operators refrain from using old, unsupported software; that they conduct regular penetration tests, that they don't reuse manufacturers' passwords; that they turn on multifactor authentication; and that they airgap the most critical systems."

This is NERC CIP, sans the air gap, that has been around for a decade plus.

End

If you've made it to the end of this book review, I hope you understand where the book succeeds and fails. Who it is written for, and who it is not written for. You and I are not the intended audience. The journey is compelling; the themes are on target; and maybe we should not get too upset that the specifics go beyond reality and are taken to their most extreme possibility.

Subscribe to my Friday ICS Security News & Notes email.

@BEERISAC: CPS/ICS Security Podcast Playlist
Book Review: This Is How They Tell Me The World Ends

@BEERISAC: CPS/ICS Security Podcast Playlist

Play Episode Listen Later Apr 13, 2021 12:35


Podcast: Unsolicited Response Podcast
Episode: Book Review: This Is How They Tell Me The World Ends
Pub date: 2021-04-13

Short Review

This is a book that an ICS security professional should give to friends and family to read so they know why they do what they do. Nicole guides the lay person through her compelling journey to understand the 0day market and its impact on the security of the systems we all rely on. The ICSsec pro will find it to be interesting except for the parts on ICS / critical infrastructure, where it is historical fiction ... historical incidents extrapolated to their most dire possible results rather than presented in their true context.

Detailed Review

This was a very difficult book to review. I'm conflicted because the story is engaging and will keep the lay person turning the pages. The 0day market through line is well told, and the theme and major points Nicole is making are clear and compelling. And yet the parts I know in detail, ICS security and critical infrastructure, are portrayed in a light that is misleading, and even deliberately misleading. Misleading because a lay reader, including government policymakers, would almost certainly conclude the US critical infrastructure at this moment is compromised and a click or two away from the Russians, or other adversaries, causing a major catastrophe.

The Story ... The Positive

Imagine you are trying to tell your Mom or Dad, your husband/wife/partner, your close friend about cybersecurity risk and how it could affect their lives, their communities and their country or region. This is hard. If you get into the technical details you will lose them. If you try to add too much nuance (HT: RLee) you will lose them. There needs to be a captivating story that makes the non-technical audience keep reading even if they don't care about the tech. Nicole has succeeded in this area by inserting herself into the story. She is not the heroine of the story. Instead she is the observer, the Nick Carraway from The Great Gatsby, who is observing the players in the 0day world, who are neither pure heroes nor pure villains. She begins her journey naively at S4x13 in Miami Beach and investigates for over seven years. She never actually reaches a point of knowing the market, and yet she describes what she knows and what cannot be known.

The best parts of the book are when Nicole is an active character, walking through the world and talking to the players. You feel her frustration, fear, intimidation, dread and disgust. You want her to come out the other side with some answers or even the answer. Although to her credit she does not force a solution. The ending is actually more muddled than the beginning. It makes for a less satisfying journey, and it is more accurate.

Nicole's journey is the highlight of the book. The reason why you can recommend it to your Mom or Dad. It would have been even better for the lay reader had she not tried to add in the history, the details. It does not go deep into the technical details like Kim Zetter's Countdown to Zero Day, which can be viewed as a positive or negative. My view is if you are not going to push for technical accuracy, then less is better. Still the book is an interesting read, as my family members can attest.

The Theme

I'm sympathetic with the theme that the US Government's focus on offense, in this book primarily the accumulation of 0days, has made the world more dangerous. We see this offense focus clearly and unapologetically stated by NSA and Cyber Command across multiple leaders. The dominance of offensive theory and capabilities makes for a less stable world. My hope for any policy makers reading this book is they reject the current philosophy of "we can't defend so we need to be able to attack first and potentially cause even greater damage". Nicole repeatedly shows where US actions to buy 0days resulted in an unexpected and negative result.

What is less certain is whether the 0day market was inevitable whether or not the US participated, or even led, in the early years. Nicole bemoans that "the cyberarms market was an incoherent mess". There were buyers and sellers reaching agreement, so it was not an incoherent mess. It was unregulated and led to undesirable outcomes in the past and likely in the future. However, unless there are agreed upon cyber norms, similar to biological and chemical weapons, this was and is to be expected.

The Technical ... The Negative

I'm only qualified to comment on the ICS / critical infrastructure part of the book. My guess though is if you are part of the Vulnerability Equities Process (VEP), the 0day market, Ekoparty, ... the parts of the book that discuss your area will be frustrating. I say this because anyone reading the ICS / critical infrastructure part of the book would come out with an incorrect understanding of the current capability of Russia and other adversaries to cause a catastrophic event using existing deployed exploits of the US critical infrastructure. There is not a lot of factual detail in the book, again good for the lay person reader, and therefore creating an errata list wouldn't be a compelling case.

In the ICS area, there was one major mistake on page 297: "It was an act of unprecedented digital cruelty, but the Russians stopped just short of taking lives. Six hours later, they flipped the power back on in Ukraine, just long enough to send their neighbor, and Kyiv's backers in Washington a clear message: 'We can torch you'." This clearly implies that the Russians stopped their attack and turned the power back on in Ukraine. What actually happened was the Ukrainians went out to the substations and manually brought them back on line and operated them manually for many months. The SCADA system was down for about a year. Nicole was right that a "clear message" was sent. This error on its own in a 400-page book would not be an issue.

The issue is that every incident is presented in its worst possible light. Often not wrong by a strict parsing of the text, but misleading. A great example is Wolf Creek Nuclear plant on page 397: "the Russians were inside our nuclear plants ... The code made clear that Russia's hackers had breached the most alarming target of all: Wolf Creek, the 1200 megawatt nuclear power plant near Burlington, Kansas. This was no espionage attack. The Russians were mapping out the plant's networks for a future attack; they had already compromised the industrial engineers who maintain direct access to the reactor controls ... And the goal wasn't to stop the boom. It was to trigger one." Although she doesn't state it, this quote and the surrounding text would almost certainly be read as the Russians were in the nuclear control and safety systems. The reality is that an adversary had breached the office network at the Wolf Creek Nuclear Power Plant, but they had not yet been able to breach the ICS that controlled the nuclear plant nor the safety systems that would need to fail to cause "the boom".

Nicole wrote on page 392, "The technical community will argue I have overgeneralized and oversimplified, and indeed, some of the issues and solutions are highly technical and better left to them." When I had my interview with Nicole and wrote this review, this sentence kept running through my mind. After much introspection and consideration of this point, I do believe that this Wolf Creek example and many others in the book would lead the lay person to an incorrect understanding of the current state. How different would a reader's understanding be if the Wolf Creek passage had said the Russians were just outside the control and safety systems. Yes, they were knocking on the doors where accounting, HR, and other office functions take place, but they had not yet gotten into plant operations or safety systems.

Another specific example is related to the Bowman Avenue Sluice Gate. To her credit Nicole notes in an early section that this is not the Arthur R. Bowman dam in Oregon. However in the concluding chapter she writes, "We've caught Iranian hackers rifling through our dams." An Internet connected, ~5 meter wide, ~1 meter high sluice gate that keeps a neighborhood from flooding a couple of times a year is not a national security event and not worth noting as a reason for perilous concern in the concluding chapter.

Beyond the ICS security specifics, and probably more important, are the unsubstantiated contentions that the Russians and adversaries are in our systems and a click away from causing a catastrophic event. There are many in the book's text and in the interviews. Page 297: "By now, Russian hackers were so deeply embedded in the American grid and critical infrastructure, they were only one step from taking everything down". Pivot Podcast: "Russia's in our government networks, they are in the grid, they've gotten into the power plants, we've seen them break into nuclear plants" ... "the worst case scenario is just one more minute away is because no one has actually used these accesses to turn off the power yet; it's two clicks away." Page 380: "Russia invisibly worked their way into an untold number of nuclear and power plants around the country." There are many more examples where the book's clear message is that the adversaries, Russians, Chinese, North Koreans, Iranians, are able to cause a critical infrastructure catastrophe. The facts don't indicate this.

As noted in the summary, Nicole has taken historical incidents and either extrapolated them to their most hysterical or left out a sentence or two that would give the reader the correct impression. This approach is consistent throughout the text. If the goal is to grab the lay reader by the shoulders and shake them saying this is important, it is a successful deception. Still it is nearly as scary without the hyperbole.

Recommendations

The final chapter includes a set of recommendations that are underwhelming. Vendors need to have a security development lifecycle (SDL) and put out better systems. The end users, the people, need to be more security aware. In this area I don't fault Nicole because there are not easy answers. It might have been better to leave this chapter off. One interesting suggestion was on page 398: "We could start by passing laws with real teeth that mandate, for instance, that critical infrastructure operators refrain from using old, unsupported software; that they conduct regular penetration tests, that they don't reuse manufacturers' passwords; that they turn on multifactor authentication; and that they airgap the most critical systems." This is NERC CIP, sans the air gap, that has been around for a decade plus.

End

If you've made it to the end of this book review, I hope you understand where the book succeeds and fails. Who it is written for, and who it is not written for. You and I are not the intended audience. The journey is compelling; the themes are on target; and maybe we should not get too upset that the specifics go beyond reality and are taken to their most extreme possibility.

Subscribe to my Friday ICS Security News & Notes email.

The podcast and artwork embedded on this page are from Dale Peterson: ICS Security Catalyst and S4 Conference Chair, which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.

The Cyberlaw Podcast
Who Minds the Gap

The Cyberlaw Podcast

Play Episode Listen Later Apr 6, 2021 69:09


Our interview is with Kim Zetter, author of the best analysis to date of the weird messaging from the National Security Agency (NSA) and Cyber Command about the domestic “blind spot” or “gap” in their cybersecurity surveillance. I ask Kim whether this is a prelude to new NSA domestic surveillance authorities (definitely not, at least under this administration), why the gap can't be filled with the broad emergency authorities for the Foreign Intelligence Surveillance Act and criminal intercepts (they don't fit, quite) and how the gap is being exploited by Russian (and soon other) cyberattackers. My most creative contribution: maybe Amazon Web Services, where most of the domestic machines are being spun up, would trade faster cooperation in targeting such machines for a break on the know-your-customer rules they may otherwise have to comply with. And if you haven't subscribed to Kim's (still free for now) substack newsletter, you're missing out.

In the news roundup, we give a lick and a promise to today's Supreme Court decision in the fight between Oracle and Google over application programming interface copyrights, but Mark MacCarthy takes us deep on the Supreme Court's decision cutting the heart out of most class actions for robocalling. Echoing Congressional Democrats, Mark thinks the court's decision is too narrow. I think it's exactly right. We both expect Congress to revisit the law soon.

Nick Weaver and I explore the fuss over vaccination passports and how Silicon Valley can help. Considering what a debacle the Google and Apple effort on tracing turned into, with a lot of help from privacy zealots, I'm pleased that Nick and I agree that this is a tempest in a teapot. Paper vax records are likely to be just fine most of the time. That won't prevent privacy advocates from trying to set unrealistic and unnecessary standards for any electronic vax records system, more or less guaranteeing that it will fall of its own weight.

Speaking of unrealistic privacy advocates, Charles-Albert Helleputte explains why the much-touted General Data Protection Regulation privacy regime is grinding to a near halt as it moves from theory to practice. Needless to say, I am not surprised.

Mark and I scratch the surface of Facebook's Fairness Flow for policing artificial intelligence bias. Like anything Facebook does, it's attracted heavy criticism from the left, but Mark thinks it's a useful, if limited, tool for spotting bias in machine learning algorithms. I'm half inclined to agree, but I am deeply suspicious of the confession in one “model card” that the designers of an algorithm for identifying toxic speech seem to have juiced their real-life data with what they call “synthetic data” because “real data often has disproportionate amounts of toxicity directed at specific groups.” That sure sounds as though the algorithm relying on real data wasn't politically correct, so the researchers just made up data that fit their ideology and pretended it was real, an appalling step for scientists to take with little notice. I welcome informed contradiction.

Nick explains why there's no serious privacy problem with the IRS subpoena to Circle, asking for the names of everyone who has more than $20 thousand in cryptocurrency transactions. Short answer: everybody who doesn't deal in cryptocurrency already has their transactions reported to the IRS without a subpoena.

Charles-Albert and I note that the EU is on the verge of finding that South Korea's data protection standards are “adequate” by EU standards. The lesson for the U.S. and China is simple: The Europeans aren't looking for compliance; they're looking for assurances of compliance. As Fleetwood Mac once sang, “Tell me lies, tell me sweet little lies.”

Mark and I note the extreme enthusiasm with which the FBI used every high-tech tool to identify even people who simply trespassed in the Capitol on Jan. 6. The tech is impressive, but we suspect a backlash is coming. Nick weighs in to tell me I'm wrong when I argue that we didn't see these tools used this way against Antifa's 2020 rioters.

Nick thinks we haven't paid enough attention to the Accellion breach, and I argue that companies are getting a little too comfortable with aggressive lawyering of their public messages after a breach. One result is likely to be a new executive order about breach notification (and other cybersecurity obligations) for government contractors, I predict. And Charles and I talk about the UK's plan to take another bite out of end-to-end encryption services, essentially requiring them to show they can still protect kids from sexual exploitation without actually reading the texts and pictures they receive. Good luck with that!

Download the 356th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

The CyberWire
Encore: Technology that allows cops to track your phone. [Caveat]

The CyberWire

Play Episode Listen Later Dec 24, 2020 49:08


Dave has an update on Baltimore’s spyplane, Ben describes concerns over violations by the FBI, CIA, NSA of FISA court rules, and later in the show our conversation with Kim Zetter on her recent article in The Intercept, titled “How Cops Can Secretly Track Your Phone.” It’s all about stingrays and dirtboxes, so stick around for that.

While this show covers legal topics, and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney.

Links to stories:
Elizabeth Goitein on Twitter
In appeals court, Baltimore surveillance plane suit gets a mixed reaction

Got a question you'd like us to answer on our show? You can send your audio file to caveat@thecyberwire.com or simply leave us a message at (410) 618-3720. Hope to hear from you. Thanks to our sponsor, KnowBe4.

Marketplace All-in-One
The latest cyberattack on the U.S. government is a big deal

Marketplace All-in-One

Play Episode Listen Later Dec 15, 2020 7:07


At least three government agencies have been the target of a major cyberspying campaign, apparently by the Russian government. We learned this week that hackers have been spying on the U.S. departments of Commerce, Treasury and even Homeland Security since the spring, and officials say it’s likely there are more victims that haven’t been revealed yet. The attackers got in by corrupting software updates from the company SolarWinds, which provides network management tools to the agencies. Molly Wood speaks with Kim Zetter, a cybersecurity journalist and author. Your support makes our podcast possible — become a Marketplace Investor today to keep us going strong.

Marketplace Tech
The latest cyberattack on the U.S. government is a big deal

Marketplace Tech

Play Episode Listen Later Dec 15, 2020 7:07


At least three government agencies have been the target of a major cyberspying campaign, apparently by the Russian government. We learned this week that hackers have been spying on the U.S. departments of Commerce, Treasury and even Homeland Security since the spring, and officials say it’s likely there are more victims that haven’t been revealed yet. The attackers got in by corrupting software updates from the company SolarWinds, which provides network management tools to the agencies. Molly Wood speaks with Kim Zetter, a cybersecurity journalist and author. Your support makes our podcast possible — become a Marketplace Investor today to keep us going strong.

Marketplace Tech
Post-election purge hits cybersecurity

Marketplace Tech

Play Episode Listen Later Nov 17, 2020 7:39


The Cybersecurity and Infrastructure Security Agency, or CISA, was created two years ago within the Department of Homeland Security to shield America’s critical infrastructure from cyberattacks. Last week, CISA’s assistant director was pushed out, and there have been reports that its director expects to be fired. So what does this all mean for that critical infrastructure? Molly speaks with Kim Zetter, a cybersecurity journalist and author.

Marketplace All-in-One
Post-election purge hits cybersecurity

Marketplace All-in-One

Play Episode Listen Later Nov 17, 2020 7:39


The Cybersecurity and Infrastructure Security Agency, or CISA, was created two years ago within the Department of Homeland Security to shield America’s critical infrastructure from cyberattacks. Last week, CISA’s assistant director was pushed out, and there have been reports that its director expects to be fired. So what does this all mean for that critical infrastructure? Molly speaks with Kim Zetter, a cybersecurity journalist and author.

Caveat
Technology that allows cops to track your phone.

Caveat

Play Episode Listen Later Sep 23, 2020 49:08


Dave has an update on Baltimore’s spyplane, Ben describes concerns over violations by the FBI, CIA, NSA of FISA court rules, and later in the show our conversation with Kim Zetter on her recent article in The Intercept, titled “How Cops Can Secretly Track Your Phone.” It’s all about stingrays and dirtboxes, so stick around for that.

While this show covers legal topics, and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney.

Links to stories:
Elizabeth Goitein on Twitter
In appeals court, Baltimore surveillance plane suit gets a mixed reaction

Got a question you'd like us to answer on our show? You can send your audio file to caveat@thecyberwire.com or simply leave us a message at (410) 618-3720. Hope to hear from you. Thanks to our sponsor, KnowBe4.

QAnon Anonymous
Episode 101: Trump & the CIA feat Kim Zetter

QAnon Anonymous

Play Episode Listen Later Jul 21, 2020 43:15


QAnon claims Trump is fighting the deep state. Then why does he love the CIA so much? To find out, we explored the QAnon perspective, some history, and what changed after Bush & Obama made a dent. To help us, cyber security and national security journalist Kim Zetter answers some questions about Trump & the CIA's cyber offensives.

↓↓↓↓ SUBSCRIBE FOR $5 A MONTH SO YOU DON'T MISS THE SECOND WEEKLY EPISODE ↓↓↓↓ www.patreon.com/QAnonAnonymous

Follow Kim Zetter: https://twitter.com/kimzetter
Merch / Join the Discord Community / Find the Lost Episodes / Etc: http://qanonanonymous.

Episode music by G-DOG (https://doomchakratapes.bandcamp.com/album/g-dog-presents-tracks-of-life-free-download), Kobermann (https://doomchakratapes.bandcamp.com/album/kobermann-xvii), From Beyond DJ (https://doomchakratapes.bandcamp.com/album/from-beyond-dj-where-are-you)

The Vergecast
Election cybersecurity: How ready are we for November 3rd?

The Vergecast

Play Episode Listen Later Jul 21, 2020 50:16


Cybersecurity journalist Kim Zetter talks with The Verge's Nilay Patel and Russell Brandom about the state of election security in the US — what methods are being proposed to stop potential interference in the voting process, the problems with mail-in voting during a pandemic, and how voting machines are not always the best solution for a presidential election. Learn more about your ad choices. Visit megaphone.fm/adchoices

@BEERISAC: CPS/ICS Security Podcast Playlist
Episode 101: Trump & the CIA feat Kim Zetter

@BEERISAC: CPS/ICS Security Podcast Playlist

Play Episode Listen Later Jul 21, 2020 43:15


Podcast: QAnon Anonymous
Episode: Episode 101: Trump & the CIA feat Kim Zetter
Pub date: 2020-07-21

Notes from @BEERISAC: OT/ICS Security Podcast Playlist: Anton Shipulin: "Interview with Kim Zetter begins 24:35"

QAnon claims Trump is fighting the deep state. Then why does he love the CIA so much? To find out, we explored the QAnon perspective, some history, and what changed after Bush & Obama made a dent. To help us, cyber security and national security journalist Kim Zetter answers some questions about Trump & the CIA's cyber offensives.

↓↓↓↓ SUBSCRIBE FOR $5 A MONTH SO YOU DON'T MISS THE SECOND WEEKLY EPISODE ↓↓↓↓ www.patreon.com/QAnonAnonymous

Follow Kim Zetter: https://twitter.com/kimzetter
Merch / Join the Discord Community / Find the Lost Episodes / Etc: http://qanonanonymous.

Episode music by G-DOG (https://doomchakratapes.bandcamp.com/album/g-dog-presents-tracks-of-life-free-download), Kobermann (https://doomchakratapes.bandcamp.com/album/kobermann-xvii), From Beyond DJ (https://doomchakratapes.bandcamp.com/album/from-beyond-dj-where-are-you)

The podcast and artwork embedded on this page are from Julian Feeld, Travis View & Jake Rockatansky, which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.

Detections
Non-tech InfoSec w/ Kim Zetter

Detections

Play Episode Listen Later Jun 14, 2020 64:12


Kim brings us our first guest and insight into how one can be involved with information security in a non-technical capacity. We hear about investigative journalism, surveillance technology, election security, and some stories related to her book about Stuxnet. We hope you enjoy this episode as much as we did.

@KimZetter
https://www.techcongress.io/
https://lifehacker.com/you-need-this-iphone-shortcut-if-youre-protesting-1843824931

Support the show (https://www.patreon.com/bePatron?u=28069055)

Marketplace Tech
Is it possible that Zoom is not ready for its moment in the spotlight?

Marketplace Tech

Play Episode Listen Later Apr 2, 2020 7:18


Host Molly Wood speaks with Kim Zetter, a cybersecurity journalist, about the spike in Zoom bombing, a new phenomenon where strangers obtain Zoom meeting IDs and barge in digitally to disrupt the meeting. Zoom is also facing different scrutiny, Zetter says, now that it has been discovered that the platform had been sharing data with Facebook without being fully transparent. Zetter adds that Zoom users, especially those hosting digital meetings, should be mindful of the platform's privacy weaknesses, require a password to join, and use the waiting room so that guests must be explicitly admitted to the meeting.

The History of Computing
Iran and Stuxnet

The History of Computing

Play Episode Listen Later Jan 24, 2020 9:18


Attacking Iran with Stuxnet

Welcome to the History of Computing Podcast, where we explore the history of information technology. Because understanding the past prepares us to innovate (and sometimes cope with) the future! Today we're going to cover Stuxnet, which we now consider the first real act of cyber warfare.

Iran has arguably been in turmoil since the fall of the Persian empire. Alexander the Great conquered Iran in 336 BC and then the Macedonians ruled until the empire fragmented and one arm, the Seleucids, ruled until the Parthians took it in 129 BC. Then the Sasanians, of Persian descent, ruled until the Muslim conquest of Persia in 651. The region was then ruled by a collection of Muslim dynasties until this weirdo Genghis Khan showed up around 1220. After a few decades the Muslim forces regained control in 1256 and the area returned to turning over to different Muslim dynasties every couple hundred years on average until 1925 when the Pahlavi took control. The final Shah of that regime was ousted during the Islamic Revolution in Iran in 1979. Ruhollah Khomeini ruled for the first ten years until Sayyid Ali Hosseini Khamenei took over after his death in 1989.

Something very important happened the year before that would shape Iran up until today. In 1988 Pakistan became a nuclear power. Iran started working toward a nuclear program shortly thereafter, buying equipment from Pakistan. Those centrifuges would be something that others, including the US, would attempt to keep out of Iranian hands through to today. While you can argue the politics of that, those are the facts. Middle Eastern politics, wars over oil, and wars over territory have all ensued. In 2015, Iran reached agreement on the Joint Comprehensive Plan of Action, commonly referred to as the Iran nuclear deal, with the US and the EU, and their nuclear ambitions seemed to be stalled until US president Donald Trump pulled out of it.

A little before the recording of this episode General Soleimani was killed by a US attack. One of the reasons the JCPOA was negotiated was that the Iranians received a huge setback in their nuclear program in 2010 when the US attacked an Iranian nuclear facility. It's now the most well-researched computer worm. But who was behind Stuxnet? Kim Zetter took a two year journey researching the worm, now documented in her book Countdown to Zero Day.

The Air Force was created in 1947. In the early 2000s, advanced persistent threats, or APTs, began to emerge following Operation Eligible Receiver in 1997. These are pieces of malware that are specifically crafted to attack specific systems or people. Now that the field was seen as a new frontier of war, US Cyber Command was founded in 2009. And they developed weapons to attack supervisory control and data acquisition (SCADA) systems amongst other targets. By the mid-2000s, Siemens had built these industrial control systems. The Maroochy incident had brought these systems to light as targets, and developers had not been building these systems with security in mind, making them quite juicy targets. So the US and Israel wrote some malware that destroyed centrifuges by hitting the Siemens software sitting on Windows embedded operating systems. It was initially discovered by VirusBlokAda engineer Sergey Ulasen, and called Rootkit.Tmphider. Symantec originally called it W32.Temphid and then changed the name to W32.Stuxnet based on a mashup of stub and mrxnet.sys from the source code. The malware was signed and targeted a bug in the operating system to install a rootkit. Sergey reported the bug to Microsoft and went public with the discovery. This led us into an era of cyber warfare as the first widespread attack hitting industrial control systems. Stuxnet wasn't your run of the mill DDoS attack.

Each of the 3 variants from 2010 had 150,000 lines of code and targeted those control systems and destroyed a third of Iranian centrifuges by causing the Step 7 software systems to handle the centrifuges improperly. Iranian nuclear engineers had obtained the Step 7 software even though it was embargoed and used a back door password to change the rotation speed of engines that targeted a specific uranium enrichment facility. In 2011, Gary Samore, acting White House Coordinator for Arms Control and Weapons of Mass Destruction, would all but admit the attack was state sponsored. After that, in 2012, Iranian hackers used wiper malware, destroying 35,000 computers at Saudi Aramco and costing the organization tens of millions of dollars. Saipem was hit in 2018. And the Sands casino after Sheldon Adelson said the US should nuke Iran. While not an official response, Stuxnet would hit another plant in the Hormozgan province a few months later. And continues in some form today. Since Iran and Israel are such good friends, it likely came as a shock when Gabi Ashkenazi, head of the Israeli Defense Forces, listed Stuxnet as one of his successes.

And so the age of state sponsored asymmetric cyber conflicts was born. Iran, North Korea, and others were suddenly able to punch above their weight. It was proven that what began in cyber could have real-world consequences. And very small and skilled teams could get as much done as larger, more bureaucratic organizations - much as we see small, targeted teams of developers able to compete head-on with larger software products. Why is that? Because oftentimes, a couple of engineers with deep domain knowledge are equally as impactful as larger teams with a wider skill set.

The technology blog and podcast
Technology podcast 333: January 6, 2020

The technology blog and podcast

Play Episode Listen Later Jan 6, 2020 71:46


Welcome to the first podcast of 2020, podcast 333. Below, please find a list of items and links where applicable for the topics of the podcast. Breaches galore, the epidemic of what's happened in the last decade. Are we really looking for more trouble, or will it slow down? Freshbooks: thank you so much for giving me a great reason for talking about you today. On this podcast, I talk about how I had to reinstall the Freshbooks app, and how easy it was to reauthenticate with my account. I was afraid that I was needing to grab my 20 character password and paste it in the password field. Not anymore! Twit.tv has a new sponsor on their list that sponsors segments on Security Now. Sadly, I can't take advantage of it at this time, but it looks like something we could've and should've had many years ago. Learn about privacy.com and see if it will meet your needs. Michael in Indiana and I talked about software and reminisced about the old days of how downloading the wrong software wasn't fatal, but just a havoc. Today, this isn't the case. I mention Stuxnet as an example of software that was developed and it did some real world damage. Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon by Kim Zetter is the name of the book and its author. I read this through Kindle and I may have talked about this on my podcast when I did. If this is the first actual weapon that destroyed data and things that were going on, is something else being developed we yet don't know about? As usual, our contact information is at the end of the program, and I hope you enjoy this first podcast. I'll be back on another edition very soon. Thanks so much for listening to this 71 minute program!

Cyber Casts
Forget Russian Trolls, American Voting Systems Can Be Hacked

Cyber Casts

Play Episode Listen Later Aug 22, 2019 24:35


Imagine a world where one of our most critical instruments of democracy, voting systems, are connected to the internet where they are potentially vulnerable to hacking. Well, thanks to the work of Motherboard contributor Kim Zetter, we now know that's the reality we live in after she broke the story that researchers had found voting systems online, including systems in Wisconsin, Michigan, and Florida, all well known for being key swing states in presidential elections. But for years election officials have said our voting systems, used for the closely fought Presidential election of 2016 and in 2012 when it was Romney versus Obama, weren't even on the internet and thus, they said, unhackable. CYBER recently caught up with Kim to discuss her massive scoop and how Russian troll armies might not be the thing threatening American democracy or scaring the intelligence community tasked with protecting it come 2020. See acast.com/privacy for privacy and opt-out information.

CYBER
Forget Russian Trolls, American Voting Systems Can Be Hacked

CYBER

Play Episode Listen Later Aug 21, 2019 24:35


Imagine a world where one of our most critical instruments of democracy, voting systems, are connected to the internet where they are potentially vulnerable to hacking. Well, thanks to the work of Motherboard contributor Kim Zetter, we now know that's the reality we live in after she broke the story that researchers had found voting systems online, including systems in Wisconsin, Michigan, and Florida, all well known for being key swing states in presidential elections. But for years election officials have said our voting systems, used for the closely fought Presidential election of 2016 and in 2012 when it was Romney versus Obama, weren't even on the internet and thus, they said, unhackable. CYBER recently caught up with Kim to discuss her massive scoop and how Russian troll armies might not be the thing threatening American democracy or scaring the intelligence community tasked with protecting it come 2020.

Counter Intelligence
VICE Journalist Kim Zetter On American Election Security

Counter Intelligence

Play Episode Listen Later Aug 19, 2019 46:29


VICE Journalist Kim Zetter On American Election Security

Congressional Dish
CD200: How to End Legal Bribes

Congressional Dish

Play Episode Listen Later Jul 14, 2019 167:58


The currently legal ability of obscenely rich people to bribe lawmakers and law enforcers is the source of many - if not all - of our political problems. In this episode, get an update on the few democracy-enhancing bills that have moved in this Congress and Jen speaks to Sam Fieldman - the National Counsel at Wolf-PAC - who explains how we can constitutionally end the role of money in politics by going around Congress. Joe Briney joins Jen for the thank you's.

Please Support Congressional Dish – Quick Links
Click here to contribute monthly or a lump sum via PayPal
Click here to support Congressional Dish for each episode via Patreon
Send Zelle payments to: Donation@congressionaldish.com
Send Venmo payments to: @Jennifer-Briney
Send Cash App payments to: $CongressionalDish or Donation@congressionaldish.com
Use your bank's online bill pay function to mail contributions to: 5753 Hwy 85 North, Number 4576, Crestview, FL 32536
Please make checks payable to Congressional Dish
Thank you for supporting truly independent media!
______________________________________________________

Recommended Congressional Dish Episodes
CD129: The impeachment of John Koskinen
CD192: H.R. 1 Outline

Recommended Reading
Article: Ensuring elections 'free from foreign intrusion' by John Sarbanes and Brian Frosh, Baltimore Sun, July 3, 2019
Article: Alexander-Murray Bill, by Donald Shaw, ReadSludge.com, June 10, 2019.
Article: Microsoft and Election Guard by Whitney Webb, MPN News, May 24, 2019.
Document: Ballot-Marking Devices (BMDs) Cannot Assure the Will of the Voters, SSRN, May 21, 2019
Article: DHS to Assess Risks Posed to Ballot-Marking Devices by Mark Niese, GovTech, May 2, 2019.
Article: DHS, FBI say election systems in all 50 states were targeted in 2016 by Sean Gallagher, Ars Technica, April 10, 2019.
Article: Amid Election Integrity Criticism, Georgia Governor Signs Bill to Replace Voting Machines by Greg Bluestein and Mark Niesse, Governing, April 5, 2019.
Article: Firm's close ties to Georgia stir concerns about voting system purchase by Mark Niesse, Atlanta Journal, January 30, 2019
Article: "Our best friend in this debate is the public," House Minority Leader Nancy Pelosi (D-CA) told reporters on Friday. by Ella Nilsen, Vox, January 04, 2019.
Article: How the GOP is using the Help America Vote Act to block voting, by Thom Hartmann, Salon.com, November 23, 2018.
Article: The Latest: Some Georgia Statewide Races Too Close to Call, U.S. News, November 7, 2018.
Article: VOTING MACHINES ARE STILL ABSURDLY VULNERABLE TO ATTACKS by Lily Hay Newman, Wired, September 28, 2018.
Article: Top Voting Machine Vendor Admits It Installed Remote-Access Software on Systems Sold to States by Kim Zetter, Vice News, July 17, 2018.
Article: Alexandria Ocasio-Cortez Ran—and Won—as a Movement Candidate, by DD Guttenplan, The Nation, June 27, 2018.
Article: Voting machine vendor treated election officials to trips to Vegas, elsewhere by Greg Gordon, Amy Renee Leiker, Jamie Self and Stanley Dunlap, McClatchy DC Bureau, June 21, 2018.
Document: LD-2 Lobbying Report Disclosure Form, Secretary of the Senate Office of Public Records, 2018
Data: Lobbying Spending Data: Lobbyists representing Election Systems & Software, 2018, OpenSecrets.org, 2018.
Article: The Fraud Behind Article V Convention Opposition by Sam Fieldman, Medium.com, October 12, 2017.
Article: Some Machines Are Flipping Votes, But That Doesn't Mean They're Rigged by Pam Fessler, NPR, October 26, 2016.
Document: 2012 REDMAP Summary Report, Redistricting Majority Project, January 4, 2013.
Document: Report on Proper Use of Campaign Funds and Resources, Committee on Ethics, January 4, 2013.
Document: Title 36 organizations, EveryCRSReport.com, June 17, 2011.
_____________________________________________________

Bill Outline

H.R. 2722: SAFE Act
Sponsor: Zoe Lofgren of northern California
74 pages
Passed the House on June 27, 2019 225-184
Only GOP yes: Newbie Rep. Brian Mast - 38 year old wounded Afghanistan war veteran representing the Palm Beach area
Went to the Committee on Rules and Administration in the Senate

Title 1: Financial Support for Election Infrastructure
Subtitle A: Voting System Security Improvement Grants
Sec. 102: Paper ballot requirements
"The voting system shall require the use of an individual, durable, voter-verified paper ballot of the voter's vote that shall be marked and made available for inspection and verification by the voter before the voter's vote is cast and counted, which shall be counted by hand or read by an optical character recognition device or other counting device."
"The voting system shall provide the voter with an opportunity to correct any error on the paper ballot…"
Recounts: The paper ballot "shall constitute the official ballot and shall be preserved and used as the official ballot for purposes any recount or audit conducted with respect to any election for Federal office in which the voting system is used."
Sec. 104: Durability and readability requirements for ballots
Ballots must be on "durable" paper, which means it is "capable of withstanding multiple recounts by hand without compromising the fundamental integrity of the ballots" and they must maintain readability for 22 months.
Sec. 105: Recycled Paper
Ballots must be printed on recycled paper starting on January 1, 2021.
Sec. 107: These rules will apply "for any election for Federal office held in 2020 or any succeeding year."
Grandfathered equipment: Districts using machines that print paper ballots with the votes already tallied can use those machines until 2022, but they must offer every voter the opportunity to vote using a blank paper ballot, which are not allowed to be designated as provisional.
Sec. 111: Grants for equipment changes
Federal tax money will be given to states to replace their voting system, if needed.
Grant amount: At least $1 per the average number of people who voted in the last two elections
To use these grants, the states can only buy voting equipment from a vendor "owned and controlled by a citizen or permanent resident of the United States"
The vendor must tell government officials if they get any part of their election infrastructure parts from outside the United States
Authorizes (but doesn't appropriate) $600 million for 2019 and $175 million for each even number election year through 2026
Subtitle B: Risk-Limiting Audits
Sec. 121: Risk-limiting audits required for all elections for Federal office
State election officials will make the rules for how these will be done
Sec. 122: Federal government will pay for audits
Authorizes "such sums as are necessary"

Title II: Promoting Cybersecurity Through Improvements in Election Administration
Sec. 201: Voting system cybersecurity requirements
Vote counting machine rules
Machines that count ballots must be built so that "it's mechanically impossible for the device to add or change the vote selections on a printed or marked ballot"
The device must be "capable of exporting its data (including vote tally data sets and cast vote records) in a machine-readable, open data standards format"
The device's software's source code, system build tools, and compilation parameters must be given to certain Federal and State regulators and "may be shared by any entity to whom it has been provided… with independent experts for cybersecurity analysis."
The device must have technology that allows "election officials, cybersecurity researchers, and voters to verify that the software running on the device was built from a specific, untampered version of the code" that was provided to Federal and State regulators.
Loophole for moles: The Director of Cybersecurity and Infrastructure Security can waive any of the requirements other than the first one that prohibits machines that can change votes.
The waivers can be applied to a device for no more than two years.
The waivers must be publicly available on the Internet.
Not effective until November 2024 election.
Ballot marking machines and vote counters can't use or "be accessible by any wireless, power-line, or concealed communication device" or "connected to the Internet or any non-local computer system via telephone or other communication network at any time."
Effective for the 2020 general election and all elections after
Ballot marking devices can't be capable of counting votes
States may submit applications to Federal regulators for testing and certification of the accuracy of ballot marking machines, but they don't have to.
Sec. 202: Testing of existing voting systems
9 months before each regularly scheduled general election for Federal offices, "accredited laboratories" will test the voting system hardware and software which was certified for use in the most recent election.
If the hardware and software fails the test, it "shall" be decertified.
Effective for the 2020 General Election.
Sec. 203: Requiring use of software and hardware for which information is disclosed by manufacturer
"In the operation of voting systems in an election for Federal office, a State may only use software for which the manufacturer makes the source code… publicly available online under a license that grants a worldwide, royalty-free, non-exclusive, perpetual, sub-licensable license to all intellectual property rights in such source code…."
…except that the manufacturer may prohibit people from using the software for commercial advantage or "private monetary compensation" that is unrelated to doing legitimate research.
States "may not use a voting system in an election for Federal office unless the manufacturer of the system publicly discloses online the identification of the hardware used to operate the system"
If the voting system is not widely used, the manufacturer must make the design "publicly available online under a license that grants a worldwide, royalty-free, non-exclusive, perpetual, sub-licensable license to all intellectual property rights…"
Effective for the 2020 General election
Sec. 204: Poll books will be counted as part of voting systems for these regulations
Effective January 1, 2020

Title III: Use of voting machines manufactured in the United States
Sec. 301: Voting machines must be manufactured in the United States

H.R. 391: White House Ethics Transparency Act of 2019
Pdf of the bill
Reported June 12, 2019 out of the House Committee on Oversight and Reform 23-16
On January 28, 2017 - a week after taking office - President Trump issued an executive order that requires all executive agency appointees to sign and be contractually obligated to a pledge that…
The appointee won't lobby his/her former agency for 5 years after leaving
Will not lobby the administration he/she previously worked for
Will not, after leaving government, "engage in any activity on behalf of any foreign government or foreign political party which, were it undertaken on January 20, 2017, would require me to register under the Foreign Agents Registration Act of 1938"
Will not accept gifts from registered lobbyists
Will recuse themselves from any matter involving their former employers for two years from the date of their appointment
If the appointee was a lobbyist before entering government, that person will not work on any matter that they had lobbied for for 2 years after the appointment
BUT Section 3 allows waivers: "The President or his designee may grant to any person a waiver of any restrictions contained in the pledge signed by such person."
Sec. 2: Requires any executive branch official who gets a waiver to submit a written copy to the Director of the Office of Government Ethics and make a written copy of the waiver available to the public on the website of the agency where the appointee works.
Backdated to January 20, 2017 (President Trump's inauguration)

H.R. 745: Executive Branch Comprehensive Ethics Enforcement Act of 2019
Reported March 26, 2019 out of the Committee on Oversight and Reform 18-12
Pdf of the bill
Sec. 2: Creates a transition ethics program
Requires the President-elect to give Congress a list of everyone in consideration for security clearance within 10 days of the application's submission and a list of everyone granted security clearance within 10 days of their approval.
Requires the transition team to create and enforce an "ethics plan" that needs to describe the role of registered lobbyists on the transition team, the role of people registered as foreign agents, and which transition team members have sources of income which are not known by the public
Transition team members must be prohibited by the ethics plan from working on matters where they have "personal financial conflicts of interest" during the transition and explain how they plan to address those conflicts of interest during the incoming administration.
The transition team ethics plan must be publicly available on the website of the General Services Administration
Transition team members need to submit a list of all positions they have held outside the Federal Government for the previous 12 months (including paid and unpaid positions), all sources of compensation that exceed $5,000 in the previous 12 months, a list of policy issues worked on in their previous roles, and a list of issues the team member will be recused from as part of the administration.
Transition team members that do not comply will not be granted any access to the Federal department or agency that isn't open to the public.

S. 195: Access to Congressionally Mandated Reports Act
Pdf of the bill
Reported 4/10/19 out of the Committee on Homeland Security and Governmental Affairs. On Senate Calendar
Sec. 2: Definitions
"Congressionally mandated report" means a report that is required to be submitted to Congress by a bill, resolution, or conference report that becomes law.
Does NOT include reports required from 92 nonprofit corporations labeled as "Patriotic and National Organizations" ("Title 36 corporations")
Sec. 3: Website for reports
1 year after enactment, there needs to be a website "that allows the public to obtain electronic copies of all congressionally mandated reports in one place"
If a Federal agency fails to submit a report, the website will tell us the information that is required by law and the date when the report was supposed to be submitted
The government can't charge a fee for access to the reports
The reports can be redacted by the Federal agencies

Resources
Twitter Link: Rachel Maddow Twitter Link, Twitter.
Employment Profile: Employment History for Richardson, Sean J, OpenSecrets.org
Employment Profile: Employment History for Jen Olson, OpenSecrets.org
Email Link: Sam Fieldman Email at Wolf-PAC
PDF Email: Email with Eli Baumwell of the W.V. ACLU
Volunteer Link: Volunteer for Wolf-PAC
Resource Link: Article V Wolf-PAC Resource Link
Documentary: Wolf Pac Documentary
Congressional Dish Interview: Interview with Sam Fieldman from Wolf-PAC
Preet Bharara Podcast: Taking Trump to Court (with David Cole)
YouTube Video: Wolf PAC Call for Volunteers - Get Money Out of Politics!
YouTube Video: Mike Monetta On Why Wolf-PAC Is Making A Movie
YouTube Video: Wolf PAC Resolution Passes New Jersey Senate
YouTube Video: Fight Against Money In Politics: Cenk Uygur (Wolf-PAC Presentation)
YouTube Video: Republican Vermont Representative Vicky Strong
YouTube Video: Americans for Prosperity testify in New Jersey
YouTube Video: Hawaii Senate Judiciary Hearing on 2018 SCR 76, Wolf-PAC
YouTube Video: Cenk Uygur's Speech at The Conference to Restore the Republic
YouTube Video: Article V Debate
Document: Case Docket: Citizens United v. Fed. Election Comm'n
Document: Brief by ACLU in support of Citizens United
Document: Brief by former members of the ACLU in support of neither party
Document: Essay on Term Limits
Document: Article V of the US Constitution - Overview
Document: Virginia Plan (First draft of the Constitution)
Document: Full Text of Congressional Regulations on Article V
Document: 1984 Version of Congressional Regulations on Article V
Document: 1987 Version of Congressional Regulations on Article V
Document: Congressional Record Archive Copy of Congressional Regulations on Article V
Document: The Fix It America Constitutional Amendment
Document: Take Back our Republic
Document: Role of Congress
Document: American Promise 28th Amendment
Document: United for the People Amendments
Reference Website: Massachusetts Commission
Govtrack: H.R. 2722
Document: H.R. 391
Document: H.R. 745
Document: H.R. 964
Document: S. 195

Sound Clip Sources
Watch on C-Span: House floor debate on HR 2722, June 27, 2019, sound clip transcripts pdf
Watch on C-Span: William Barr Testifies on Mueller Report Before Senate Judiciary Committee, May 1, 2019
1:57:55 Sen. Amy Klobuchar (MN): For the last two years, Senator Lankford and I, on a bipartisan bill with support from the ranking and the head of the intelligence committee, have been trying to get the Secure Elections Act passed. This would require backup paper ballots. If anyone gets federal funding for an election, it would require audits, um, and it would require better cooperation. Yet the White House, just as we were on the verge of getting a markup in the rules committee (getting it to the floor where I think we would get the vast majority of senators), the White House made calls to stop this. Were you aware of that?
Attorney General William Barr: No.
Sen. Amy Klobuchar (MN): Okay, well that happened. So what I would like to know from you as our nation's chief law enforcement officer if you will work with Senator Lankford and I to get this bill done? Because otherwise we are not going to have any clout to get backup paper ballots if something goes wrong in this election.
Attorney General William Barr: Well, I will… I will work with you, uh, to, uh, enhance the security of our election and I'll take a look at what you're proposing. I'm not familiar with it.
Sen. Amy Klobuchar (MN): Okay. Well, it is the bipartisan bill. It has Senator Burr and Senator Warner. It's support from Senator Graham was on the bill. Senator Harris is on the bill and the leads are Senator Lankford and myself, and it had significant support in the house as well.

Hearing: Committee on Oversight and Reform: Strengthening Ethics Rules for the Executive Branch, February 6, 2019
Watch on YouTube
28:00 Rep. Jordan (OH): 2013 we learned that the IRS targeted conservatives for their political beliefs during the 2012 election cycle systematically for a sustained period of time. They went after people for their conservative beliefs, plan in place, targeted people. They did it. The gross abuse of power would have continued, if not for the efforts of this committee. 2014 the Obama Administration doubled down and attempted to use the IRS rule making process to gut the ability of social welfare organizations to participate in public debate. Congress has so far prevented this regulation from going into effect, but HR 1 would change that.

Hearing: Judiciary Committee, For The People Act Of 2019, January 29, 2019
Witness: Sherrilyn Ifill - President and Director-Counsel, NAACP Legal Defense and Educational Fund
Watch on YouTube
32:00 Sherrilyn Ifill: Well before the midterm election, in fact, Georgia officials began placing additional burdens on voters, particularly black and Latino voters, by closing precincts and purging over half a million people from the voter rolls. The voter purge, which removed 107,000 people simply because they did not vote in previous elections and respond to a mailing, was overseen by the Republican candidate for governor Brian Kemp, who was also the secretary of state. LDF and a chorus of others called on him to recuse himself from participating in the election. But he refused.
______________________________________________________

Community Suggestions
See Community Suggestions HERE.

Cover Art Design by Only Child Imaginations
______________________________________________________

Music Presented in This Episode
Intro & Exit: Tired of Being Lied To by David Ippolito (found on Music Alley by mevio)

Let's Go To Court!
Episode 65: Cyberbullying & the Hot Cup of Coffee

Let's Go To Court!

Play Episode Listen Later Apr 17, 2019 101:33


Thirteen-year-old Megan Meier was thrilled. She'd just logged onto MySpace, and found a message from a hot 16-year-old boy named Josh. Megan wasn't allowed to spend much time online, but she and Josh quickly became friends. The pair bonded, but one day, Josh's messages went from sweet to sour. Then, Kristin tells us a story that everyone has heard before. Back in the early 90s, a woman went through the drive thru at McDonald's. She ordered a coffee. She put the coffee between her legs and drove off down the road. As she sped off, the coffee spilled. It hurt. So what did she do? She sued McDonald's for millions of dollars. This story has been hailed as an example of America's many frivolous lawsuits. But reality isn't quite so outrageous. And now for a note about our process. For each episode, Kristin reads a bunch of articles, then spits them back out in her very limited vocabulary. Brandi copies and pastes from the best sources on the web. And sometimes Wikipedia. (No shade, Wikipedia. We love you.) We owe a huge debt of gratitude to the real experts who covered these cases. In this episode, Kristin pulled from: "Scalded by coffee, then news media," New York Times Retro Report; "A matter of degree: How a jury decided that a coffee spill is worth $2.9 million," Wall Street Journal by Andrea Gerlin; "Hot Coffee" documentary; "Liebeck v. McDonald's Restaurants" Wikipedia entry. In this episode, Brandi pulled from: "'My Space' hoax ends with suicide of Dardenne Prairie teen" by Steve Pokin, St. Louis Post-Dispatch; "Pokin Around: The story of Megan Meier's suicide" by Steve Pokin, Springfield News-Leader; "Judge Acquits Lori Drew in Cyberbullying Case, Overrules Jury" by Kim Zetter, wired.com; "United States v. Drew" wikipedia.org

CYBER
Why The ASUS Supply Chain Hack Is a Big Deal

CYBER

Play Episode Listen Later Apr 1, 2019 20:38


On this week's episode of CYBER, we sat down with Kim Zetter, the legendary cybersecurity reporter and the author of the original news story on the ASUS hack. Zetter walked us through this specific hack, and also told us about previous supply chain attacks, and why they're so scary.

Cyber Casts
Why The ASUS Supply Chain Hack Is a Big Deal

Cyber Casts

Play Episode Listen Later Apr 1, 2019 20:39


On this week's episode of CYBER, we sat down with Kim Zetter, the legendary cybersecurity reporter and the author of the original news story on the ASUS hack. Zetter walked us through this specific hack, and also told us about previous supply chain attacks, and why they're so scary.

@BEERISAC: CPS/ICS Security Podcast Playlist

Podcast: Darknet Diaries
Episode: Ep 29: Stuxnet
Pub date: 2019-01-08
Stuxnet was the most sophisticated virus ever discovered. Its target was a nuclear enrichment facility in Iran. This virus was successfully able to destroy numerous centrifuges. Hear who did it and why. Special thanks to Kim Zetter for joining us this episode. You can find more about Stuxnet from her book Countdown to Zero Day.
The podcast and artwork embedded on this page are from Jack Rhysider, which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.

@BEERISAC: CPS/ICS Security Podcast Playlist
Unsolicited Response Podcast – Interview with Kim Zetter from S4x15

@BEERISAC: CPS/ICS Security Podcast Playlist

Play Episode Listen Later Mar 16, 2019 65:55


Podcast: Digital Bond
Episode: Unsolicited Response Podcast – Interview with Kim Zetter from S4x15
Pub date: 2015-02-17
We had Kim Zetter on stage for an interview at ICSage during S4x15 Week to discuss her new book: Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon. This first 2015 episode of the Unsolicited Response Podcast features that interview. The podcast includes: Who was the target audience for the book Why […]
The podcast and artwork embedded on this page are from Dale Peterson, which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.

Loud & Clear
Chickens Coming Home to Roost: US Empire & Latin American Emigration
Jan 10, 2019 112:36

On today's episode of Loud & Clear, Brian Becker and John Kiriakou are joined by Dr. Gerald Horne, a professor of history at the University of Houston and author of many books, including “The Apocalypse of Settler Colonialism: The Roots of Slavery, White Supremacy and Capitalism in Seventeenth Century North America and the Caribbean.”

President Trump is heading to the border today to speak with Customs and Border Patrol officials about the so-called “crisis” there, even though those same officials aren’t being paid because of the government shutdown. Meanwhile, Venezuelan President Nicolas Maduro was sworn in today for a new term as the U.S.-backed regime change effort targeting his government continues, and Brazil’s new president, Jair Bolsonaro, moved today to withdraw his country from the UN global migration pact.

Thursday’s weekly series “Criminal Injustice” is about the most egregious conduct of our courts and prosecutors and how justice is denied to so many people in this country. Paul Wright, the founder and executive director of the Human Rights Defense Center and editor of Prison Legal News (PLN), and Kevin Gosztola, a writer for Shadowproof.com and co-host of the podcast Unauthorized Disclosure, join the show.

President Trump said today that he will “almost definitely” declare a national emergency soon to secure funding for his border wall. He made the comment as he departed today to Texas to meet with Customs and Border Patrol officials and continue making the case for hardline anti-immigrant policies. Brian and John speak with Isabel Garcia, co-founder of Coalición de Derechos Humanos.

The US has accused Russia’s Kaspersky Lab of working with Russian spies on cyberwarfare. But Politico is reporting that Kaspersky actually helped catch an NSA data thief, even though the US had completely missed the theft. Kim Zetter, the author of the book “Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon,” and a prolific journalist who has contributed to Politico, the Washington Post, the New York Times, CNN, NPR, and other outlets, joins the show.

The New York Times today issued a correction (a retraction would be more appropriate) to a front-page story yesterday saying that former Trump campaign chairman Paul Manafort had shared polling data with a Russian contact for passage to a Russian oligarch. That information was untrue. Manafort had shared the information for passage to two Ukrainian politicians with whom he had had a business relationship. The true story undercuts any accusation of collusion between the Trump campaign and Russia. Dan Kovalik, a human rights and labor lawyer who is the author of the new book “The Plot to Control the World: How the US Spent Billions to Change the Outcome of Elections Around the World,” joins Brian and John.

It’s time again for our regular weekly segment Veterans for Peace, where we’ll discuss contemporary issues of war and peace that affect veterans, their families, and the country as a whole. Gerry Condon, a Vietnam-era veteran and war resister who has been a peace and solidarity activist for almost 50 years, currently as national president of Veterans for Peace, joins the show.

The UK’s departure from the European Union is fast approaching. The British parliament is now conducting the official debate on the Brexit deal ahead of a vote next week. But Prime Minister Theresa May may not have the votes necessary to pass the terms of the deal, and was dealt a blow when members of her own Conservative Party revolted to help pass a motion limiting her options in the event that the deal is rejected. Brian and John speak with Alexander Mercouris, the editor-in-chief of The Duran.

Darknet Diaries
Ep 29: Stuxnet
Jan 8, 2019 43:06

Stuxnet was the most sophisticated virus ever discovered. Its target was a nuclear enrichment facility in Iran. This virus was successfully able to destroy numerous centrifuges. Hear who did it and why. Special thanks to Kim Zetter for joining us this episode. You can find more about Stuxnet from her book Countdown to Zero Day.

Cyber Casts
America's Voting Machines Are Vulnerable to Election Hacking
Nov 19, 2018 15:29

When you say “election hacking” it means something different than the Kremlin's disinformation campaigns. On this episode of CYBER, we talk about what real election hacking is with Motherboard contributor Kim Zetter, who just wrote a piece for New York Times Magazine called “The Crisis of Election Security.” Kim says the real vulnerability in our system is something of our own making: the outdated voting machines we use to carry out our key civic duties.

Midday
How Secure Is America's Election System?
Oct 23, 2018 49:36

Russia interfered in the 2016 presidential election. That’s the consensus of a long list of U.S. intelligence agencies, including the CIA and the FBI. Now, the Director of National Intelligence is warning of foreign interference in this year’s election. Adding to the possible risk is aging equipment, the lack of a paper trail in some states, and human error. Is the election safe across the country? Joining Tom are voting security experts Liz Howard, from the Brennan Center for Justice at NYU, and Kim Zetter, a journalist who has covered cybersecurity for more than a decade. And he'll talk with Maryland State Election Administrator Linda Lamone about what’s being done to secure the vote closer to home.

The CyberWire
Meddling with the midterms — Special Edition
Oct 17, 2018 21:04

Kim Zetter is a longtime cybersecurity and national security reporter for the New York Times, and author of the book Countdown to Zero Day. She joins us to discuss her recent feature for the New York Times Magazine, titled The Crisis of Election Security. In it she explores the structure and fragile integrity of the US election system, how we got to where we are today, and what can be done to reestablish confidence in the system. Link to Kim Zetter's feature The Crisis of Election Security: https://www.nytimes.com/2018/09/26/magazine/election-security-crisis-midterms.html

Bots & Ballots
Kim Zetter on hacking Georgia election and lawyer David Cross on stopping it
Aug 28, 2018 23:07

Kim Zetter, author of "Countdown to Zero Day," discusses a case of a missing server in Georgia's election system and David Cross, a lawyer with Morrison & Foerster, talks about a lawsuit against the state to get Georgia Secretary of State Brian Kemp to adopt paper ballots.

Congressional Dish
CD178: Election Insecurity
Aug 1, 2018 141:08

Since the 2016 election, our country has been questioning whether our elections are secure, fair, and accurate. In this episode, we examine the threats to our election administration, both real and overblown.

Please Support Congressional Dish - Quick Links
Click here to contribute a lump sum or set up a monthly contribution via PayPal
Click here to support Congressional Dish for each episode via Patreon
Send Zelle payments to: Donation@congressionaldish.com
Send Venmo payments to: @Jennifer-Briney
Use your bank’s online bill pay function to mail contributions to: 5753 Hwy 85 North Number 4576 Crestview, FL 32536
Please make checks payable to Congressional Dish
Thank you for supporting truly independent media!

Recommended Congressional Dish Episodes
CD175: State of War
CD172: The Illegal Bombing of Syria
CD167: Combating Russia (NDAA 2018) LIVE
CD108: Regime Change
CD041: Why Attack Syria?

Additional Reading
Report: Dramatic increase in voters purged from voter rolls between 2014 and 2016 by Adia Robinson, ABC News, July 24, 2018.
Article: Mueller's latest indictment suggests Russia's infiltration of U.S. election systems could get worse by Lawrence Norden, Slate, July 26, 2018.
Article: State election officials didn't know about Russian hacking threat until they read it in the news, emails show by Sam Biddle, The Intercept, June 20, 2018.
Article: Supreme court upholds Ohio's purge of voting rolls by Adam Liptak, The New York Times, June 11, 2018.
Article: What we know and don't know about election hacking by Clare Malone, FiveThirtyEight, April 10, 2018.
Report: America's voting machines at risk - An update by Lawrence Norden and Wilfred U. Codrington III, Brennan Center for Justice, March 8, 2018.
Article: The dark roots of AIPAC: America's Pro-Israel Lobby by Doug Rossinow, The Washington Post, March 6, 2018.
Article: Wyden presses leading US voting machine manufacturer on potential hacking vulnerabilities by Olivia Beavers, The Hill, March 6, 2018.
Article: The myth of the hacker-proof voting machine by Kim Zetter, The New York Times, February 21, 2018.
Article: No instant profits in US electronic voting machines, Financial Times, 2018.
Article: Virginia is replacing some of its electronic voting machines over security concerns by Andrew Liptak, The Verge, September 10, 2017.
Report: It took DEF CON hackers minutes to pwn these US voting machines by Iain Thomson, The Register, July 29, 2017.
Article: Russian hackers broke into elections company used in Miami-Dade, Broward by Tim Elfrink, Miami New Times, June 6, 2017.
Report: Exclusive: Trump says Clinton policy on Syria would lead to world war three by Steve Holland, Reuters, October 25, 2016.
Article: The best Congress AIPAC can buy by L. Michael Hager, Foreign Policy Journal, March 22, 2016.
Article: AIPAC-linked group launches $5 million ad campaign against nuke deal by Adam Kredo, The Washington Free Beacon, July 17, 2015.
Article: The non-politicians who profit from Election Day by Megan McCarthy, Fortune, November 4, 2014.
Report: Diebold indicted: Its spectre still haunts Ohio election by Bob Fitrakis, Columbus Free Press, October 31, 2013.
Article: The mysterious case of Ohio's voting machines by Kim Zetter, Wired, March 26, 2008.
Letter: Elections: Federal efforts to improve security and reliability of electronic voting systems are under way, but key activities need to be completed, GAO, September 2005.
Article: Ohio's odd numbers by Christopher Hitchens, Vanity Fair, March 2005.
Article: Diebold's political machine by Bob Fitrakis and Harvey Wasserman, Mother Jones, March 5, 2004.

Resources
Brennan Center for Justice: The Help America Vote Act
Congress.gov: S.2261 - Secure Elections Act
GovTrack: H.R. 3295 (107th): Help America Vote Act of 2002
Internet Research Agency Indictment: Mueller
John Husted, Secretary of State of Ohio Report: President/Vice President Voting Report: November 2, 2004
Justice.gov: New Indictment of Mueller
Source Watch: Ashcroft Group Info

Sound Clip Sources

Hearing: Election Security Preparedness, Senate Rules and Administration Committee, C-SPAN, June 20, 2018.
Witnesses:
Matthew Masterson - National Protection and Programs Directorate at the Department of Homeland Security
Jim Condos - Vermont Secretary of State
Jay Ashcroft - Missouri Secretary of State
Steve Simon - Minnesota Secretary of State
Connie Lawson - Indiana Secretary of State
Shane Schoeller - Clerk for Greene County, Missouri
Noah Praetz - Director of Elections for Cook County, Illinois

2:40 Senator Roy Blunt (MO): January of 2017, the Department of Homeland Security designated our country’s election infrastructure to be critical infrastructure. This designation began the formalization of information sharing and collaboration among state, local, and federal governments through the creation of a Government Coordinating Council; some of our witnesses this day are already sitting on that newly formed council. More recently, in the 2018 omnibus, Congress appropriated right at $380 million to the U.S. Election Assistance Commission to help states enhance their election infrastructure. As of this week, 38 states have requested $250 million of that money, and about 150 million of it has already been disbursed to the states.

6:45 Senator Amy Klobuchar (MN): So, we have a bill, Senator Lankford and I along with Senator Harris and Graham and Warner and Burr, Heinrich, and Collins. It’s a bipartisan bill called the Secure Elections Act, and we have been working to make changes to it along the way and introduce it as amendment, but it really does four things.
First of all, improves information sharing between local election officials, cyber-security experts, and national-security personnel. Second, providing for development and maintenance of cyber-security best practices. We all know, I think there’s five states that don’t have backup paper ballots, and then there's something like nine more that have partial backup paper ballots. And while we’re not mandating what each state does, and we do not want each state to have the exact same election equipment—we think that would be a problem and could potentially lend itself to more break-ins—we think it’s really important that we have some floor and standards that we set that given what we know, I don’t think we’d be doing our democracy any good if we didn’t share that and we didn’t put in some floors. Third, the bill will promote better auditing our election’s use of paper backup systems, which I mentioned, and finally, it’s focused on providing election officials with much-needed resources. As you all know, we were able to get $380 million to be immediately distributed to the state, not play money, money that’s going out right now to states across the country, based on populations. We didn’t have some complicated grant process that would have slowed things down. The money went directly to state election officials as long as the state legislature authorizes it to get accepted and get to work to update their systems.

11:50 Jay Ashcroft: But before we move forward, we should briefly look back to the impetus of why we are all here today: allegations that outside actors threaten the integrity of our elections during the 2016 election cycle. While these are serious allegations, it is vitally important to understand that after two years of investigation, there is no credible—and I could strike “credible” and just put “evidence”—there is no evidence that these incidents caused a single vote or a single voter registration to be improperly altered during the 2016 election cycle. It was not our votes or our election systems that were hacked; it was the people’s perception of our elections.

30:50 Matthew Masterson: For those voters who have questions or concerns regarding the security or integrity of the process, I implore you to get involved. Become a poll worker; watch pre-election testing of the systems, or post-election audits; check your registration information before elections; engage with your state- and local-election officials; and most importantly, go vote. The best response to those who wish to undermine faith in our democracy is to participate and to vote.

1:08:00 Senator Roy Blunt (MO): Should the federal government make an audit trail, a paper audit trail, a requirement to have federal assistance?
Jay Ashcroft: I don’t think so.
Jim Condos: I do think so.
Steve Simon: I think there is a federal interest in making sure that there's some audit process.
Sen. Blunt: Well, now, what I’m asking about is, should there be a way to recreate the actual election itself? And I don’t know quite how to do that without paper, even if you had a machine that was not accessible to the web.
Jay Ashcroft: I believe states are moving to do that, without federal legislation. So that’s why I don’t think that federal legislation needs to be done to that.

1:23:30 Shane Schoeller: I do want to address one area that concerns Secure Elections Act, that is on page 23, lines three, four, and five. It says, “Each election result is determined by tabulating marked ballots, hand or device.” I strongly recommend for post-election auditing purposes that states mark paper ballots, because I believe the opportunity for fraud in an electronic ballot-casting system that does not have a paper trail’s too great.

1:32:00 Shane Schoeller: Even if you do a post audit with the machine, how would you know if something’s been compromised if you can’t at least compare the results of the paper ballot. And I think that’s the assurance it gives. Clearly, the machine, when you have an accurate election, does do a better job of counting the ballots. I’m talking about in the case where clearly fraud has occurred, then the paper ballot is going to be the evidence you need in terms of if your system inside that machine is compromised.

1:32:30 Senator Amy Klobuchar (MN): I think for a while people were talking about, well, why doesn’t everyone just vote from home, which is great when you can mail in a ballot, we know that, but vote from home just from your computer, and that would mean no paper records of anything. Could you comment about that?
Noah Praetz: I think that’s 100% inappropriate for civil elections.
Sen. Klobuchar: Got it.
Shane Schoeller: I find it ironic because this is my first term, although I ran for this office in 2014, that was actually a common theme that I heard.
Sen. Klobuchar: Right. I was hearing it, and I was—I kept thinking—
Schoeller: Mm-hmm.
Sen. Klobuchar: —about our state with, they’re not going to keep dwelling on it, with that high voter turnout. But, you know, that involved a paper ballot—
voice off-mic: incredible integrity.
Sen. Klobuchar: —and incredible integrity. But it involved people—they could vote by mail, and we’ve made that even easier, but they had actual paper ballots that they did, and then they were fed into this machine to count, with auditing. But you’re right. That’s what people were talking about. Why can’t you just do it from your home computer and have no backup, right?
Schoeller: Right. And that was one of the things I actually had to disagree when that viewpoint was put forth, particularly in one city that I remember. And even after I became elected, I went to a conference of other elected officials, and there was a group of speakers, and they all were talking about this, and there was actually one speaker—
Sen. Klobuchar: Like voting from Facebook.
Schoeller: Correct.
Sen. Klobuchar: Just kidding...
Schoeller: But they actually disagreed, and I went up, and I think I was the only election official that day—this was prior to 2016—that didn’t think that it was a good idea. But I think we have evidence now from 2016 that clearly—that’s a convenience that we just can’t afford.

1:35:05 Noah Praetz: We’ve got a piece of paper that every voter looked at.
Senator Amy Klobuchar: Mm-hmm.
Praetz: So worst-case scenario, a Sony-type attack with full meltdown of all systems, we can recreate an election that’s trusted and true.

Hearing: Election Security, Senate Judiciary Committee, C-SPAN, June 12, 2018.
Witnesses:
Adam Hickey - Deputy Assistant Attorney General for the National Security Division at the Department of Justice
Matthew Masterson - National Protection and Programs Directorate at the Department of Homeland Security
Kenneth Wainstein - Partner at Davis Polk & Wardwell, LLP
Prof. Ryan Goodman - New York University School of Law
Nina Jankowicz - Global Fellow at the Wilson Center

9:00 Senator Dianne Feinstein (CA): We know that Russia orchestrated a sustained and coordinated attack that interfered in our last presidential election. And we also know that there’s a serious threat of more attacks in our future elections, including this November. As the United States Intelligence Community unanimously concluded, the Russian government’s interference in our election—and I quote—“blended covert intelligence operations, such as cyber activity, with overt efforts by the Russian government agencies, state-funded media, third-party intermediaries, and paid social-media users or trolls.” Over the course of the past year and a half, we’ve come to better understand how pernicious these attacks were. Particularly unsettling is that we were so unaware. We were unaware that Russia was sowing division through mass propaganda, cyber warfare, and working with malicious actors to tip scales of the election.
Thirteen Russian nationals and three organizations, including the Russian-backed Internet Research Agency, have now been indicted for their role in Russia’s vast conspiracy to defraud the United States.

39:40 Senator Mike Lee (UT): First, let’s talk a little bit about the integrity of our election infrastructure. We’ll start with you, Mr. Masterson. Were there any known breaches of our election infrastructure in the 2016 election?
Matthew Masterson: Thank you, Senator. Yes, there was some publicly discussed known breaches of election infrastructure specifically involving voter-registration databases.
Sen. Lee: Are there any confirmed instances of votes being changed from one candidate to another?
Masterson: There are no confirmed instances of that.
Sen. Lee: And were any individual voting machines hacked?
Masterson: No, not that I know of.

42:55 Senator Mike Lee: One approach to some of this, to the threat, the possibility of election infrastructure or voting machines being hacked from the outside is to go low-tech. Some states have gravitated toward that. For example, some states have started making moves back toward paper ballots so that they can’t be hacked. Is this something that’s helpful? Is it something that’s necessary that you think more states ought to consider?
Matthew Masterson: Yeah. Senator, the auditability and having an auditable voting system, in this case, auditable paper records, is critical to the security of the systems. In those states that have moved in that direction have implemented means by which to audit the vote in order to give confidence to the public on the results of the election. In those states that have non-paper systems have indicated a desire—for instance, Pennsylvania—to move to auditable systems. And so at this point, resources are necessary to help them move that direction.
Sen. Lee: By that, you mean either a paper-ballot system or a system that simultaneously creates a paper trail.
Masterson: An auditable paper record. Correct, sir.

1:22:08 Senator Kamala Harris (CA): Will you talk a bit about what you have seen in terms of the risk assessments you’ve been doing around the country? I believe 14 states have been completed. Is that correct, 14?
Matthew Masterson: I believe it’s 17 states have been completed—
Sen. Harris: Right.
Masterson: —thus far, as well as 10 localities.
Sen. Harris: And what generally have you seen as being the vulnerabilities—
Masterson: Sure.
Sen. Harris: —in those assessments?
Masterson: Thank you, Senator. Generally speaking, within the election’s infrastructure sector, we’re seeing the same typical vulnerabilities you’d see across IT systems, so managing software updates, outdated equipment or hardware, as well as general upgrades that need to take place as far as what configuration management within systems to limit the damage that could be done if something were to take place. And so—
Sen. Harris: Resilience.
Masterson: What’s that?
Sen. Harris: Their resilience.
Masterson: Yeah, their resilience.
Sen. Harris: Mm-hmm.
Masterson: Exactly. Thank you, Senator. And so this sector is no different in what we see in the work we’re doing with them.

2:15:00 Senator Sheldon Whitehouse (RI): But what I want to talk about in my time is the problem of shell corporations, because for all of the emphasis that the witnesses have put on policing and prosecuting foreign influence in our elections, you can neither police or prosecute what you cannot find. And at the moment, we have both a shell-corporation problem, which was emphasized by Mark Zuckerberg in his testimony when he said their political advertisement-authentication program would only go to the first shell corporation and not seek any information about who was actually behind it. I don’t think Putin is stupid enough to call it Boris and Natasha, LLC. It’s going to sound more like Americans for Puppies and Peace and Prosperity. But it’s a front group, and it’s got Putin or whomever else behind it, and until we can know that, we cannot enforce effectively, period, end of story. Similarly, when our election system has these colossal channels for dark money, anonymized funding, if you can’t find out what special interest is behind anonymous money, you can’t find out if there’s a foreign interest behind that money. Darkness is darkness is darkness, and it hides malign activity, both foreign and domestic. And I’d like to ask each of you to comment on that. We’re concerned about trolling. Obviously, that’s facilitated by shell corporations. You talked about general propaganda campaigns. Obviously, facilitated by shell corporations. Campaign finance laws, you’ve called out for a need for effective disclosure. You can’t have effective disclosure if the only thing you’re disclosing is a front corporation and you don’t know who’s really behind it. So, if I could ask each of you three on that, then that’ll be the end of my time.
Kenneth Wainstein: Sure, I’ll go first, Senator Whitehouse. And thank you for kind words, and good to work with you again. Always is.
Sen. Whitehouse: We were good adversaries.
Wainstein: We were. Adversaries who were working for the same goal.
Sen. Whitehouse: Yes.
Wainstein: Look, as a prosecutor, former prosecutor, looking at this issue, of course you want to know more about the corporations than less. There are obviously First Amendment issues and other concerns out there in the election context, but absolutely, there’s no way to sort of resist your logic, which is we’ve seen the use of corporations in a variety of contexts, whether it’s money laundering or otherwise, but we’ve seen here in the election interference and disinformation context, and a lot of that—
Sen. Whitehouse: In fact, they’re widely used in the criminal context for money-laundering purposes and to hide the proceeds of criminal activities, correct?
Wainstein: Absolutely.
Sen. Whitehouse: So to the extent that what Putin is running is essentially a criminal enterprise of himself and his oligarchs. Why would they not look to what criminal enterprises do as a model?
Wainstein: Yeah, it’s meat-and-potatoes criminal conduct.
Sen. Whitehouse: Yeah.
Wainstein: No question. And all intended to hide the fact of the source of this malign activity.

Hearing: Election Security, Senate Armed Services Subcommittee on Cybersecurity, C-SPAN, February 13, 2018.
Witnesses:
Robert Butler - Co-Founder and Managing Director, Cyber Strategies LLC
Heather Conley - Director of the Europe Program Center for Strategic and International Studies; Former Dep. Asst. Sec. of State for EU & Eurasian Affairs in GWB admin, 2001-2005
Richard Harknett - Professor of Political Science and Head of Political Science Department, University of Cincinnati
Michael Sulmeyer - Director, Cyber Security Project, Belfer Center for Science and International Affairs, Harvard University

7:15 Senator Ben Nelson: First, the department has cyber forces designed and trained to thwart attacks on our country through cyberspace, and that’s why we created the Cyber Command’s National Mission Teams. A member of this subcommittee, Senator Blumenthal, Senator Shaheen, we all wrote the secretary of defense last week that they, the department, ought to be assigned to identify Russian operators responsible for the hacking, stealing information, planting misinformation, and spreading it through all the botnets and fake accounts on social media. They ought to do that. That’s—the Cyber Command knows who that is. And then, we ought to use our cyber forces to disrupt this activity. We aren’t. We should also be informing the social-media companies of Russia’s fake accounts and other activities that violate those companies’ terms of service so that they can be shut down.

18:20 Heather Conley: You asked us what role DOD could play to protect the U.S. elections, and I think, simply, DOD working with Congress has got to demand a whole of government strategy to fight against this enduring disinformation and influence operation. We don’t have a national strategy. Unfortunately, modernizing our nuclear forces will not stop a Russian influence operation. That’s where we are missing a grave threat that exists in the American people’s palm of their hand and on their computer screens.

19:05 Heather Conley: As one of the most trusted institutions in the United States, the Department of Defense must leverage that trust with the American people to mitigate Russian influence. Simply put, the Department of Defense has to model the bipartisan and fact-based action, behavior, and awareness that will help reduce societal division. This is about leadership, it’s about protecting the United States, and as far as I can see, that is in the Department of Defense job description.

Hearing: Cybersecurity of Voting Machines, House Oversight Subcommittee and Government Reform Subcommittee on Intergovernmental Affairs, C-SPAN, November 29, 2017.
Witnesses:
Christopher Krebs - Senior Official Performing the Duties of the Under Secretary National Protection & Programs Directorate, Department of Homeland Security
Tom Schedler - Secretary of State of Louisiana
Edgardo Cortes - Commissioner of the Virginia Department of Elections
Matthew Blaze - Associate Professor, Computer and Information Science at the University of Pennsylvania

4:24 Representative Robin Kelly (IL): In September of this year, DHS notified 21 states that hackers affiliated with the Russian government breached or attempted to breach their election infrastructure. In my home state of Illinois, the hackers illegally downloaded the personal information of 90,000 voters and attempted to change and delete data. Fortunately, they were unsuccessful.
5:05 Representative Robin Kelly (IL): Earlier this year, researchers at the DEF CON conference successfully hacked five different direct-recording electronic voting machines, or DREs, in a day. The first vulnerabilities were discovered in just 90 minutes. Even voting machines not connected to the Internet still contained physical vulnerabilities like USB ports that can be used to upload malware. Alarmingly, many DREs lack the ability to allow experts to determine that they have been hacked. Despite these flaws, DREs are still commonly used. In 2016, 42 states used them. They were more than a decade old, with some running outdated software that is no longer supported by the manufacturer.

20:30 Tom Schedler: In terms of voting-machine security, remember that with the passage of the Help America Vote Act in 2002, states were required to purchase at least one piece of accessible voting equipment for each polling place.

23:55 Edgardo Cortes: Virginia has twice been put in the unfortunate position of having to decertify voting equipment and transition to new equipment in a condensed timeframe, based on security concerns of previously used DREs. These steps outlined in detail in my written testimony were not taken lightly. They place a financial and administrative stress on the electoral system. They were, however, essential to maintain the public’s trust and the integrity of Virginia elections. The November 2017 general election was effectively administered without any reported voting-equipment issues. Thanks to the ongoing partnership between the state, our hardworking local election officials, and our dedicated voting-equipment vendors, the transition to paper-based voting systems on a truncated time line was incredibly successful and significantly increased the security of the election.

25:45 Edgardo Cortes: To ensure the use of secure voting equipment in the future, Congress should require federal certification of all voting systems used in federal elections. This is currently a voluntary process. Federal certification should also be required for electronic poll books, which currently are not subject to any federal guidelines.

28:20 Matthew Blaze: Virtually every aspect of our election process, from voter registration to ballot creation to casting ballots and then to counting and reporting election results, is today controlled in some way by software. And unfortunately, software is notoriously difficult to secure, especially in large-scale systems such as those used in voting. And the software used in elections is really no exception to this. It’s difficult to overstate how vulnerable our voting infrastructure that’s in use in many states today is, particularly to compromise by a determined and well-funded adversary. For example, in 2007 our teams discovered exploitable vulnerabilities in virtually every voting-system component that we examined, including backend election-management software as well as particularly DRE voting terminals themselves. At this year’s DEF CON event, we saw that many of the weaknesses discovered in 2007, and known since then, not only are still present in these systems but can be exploited quickly and easily by non-specialists who lack access to proprietary information such as source code.

38:40 Matthew Blaze: The design of DRE systems makes their security dependent not just on the software in the systems but the hardware’s ability to run that software correctly and to protect against malicious software being loaded. So an unfortunate property of the design of DRE systems is that we’ve basically given them the hardest possible security task. Any flaw in a DRE machine’s software or hardware can become an avenue of attack that potentially can be exploited. And this is a very difficult thing to protect.
Representative Gary Palmer: Do we need to go to, even if we have some electronic components to back it up with paper ballots because your fallback position is always to open the machine and count the ballots?
Blaze: That’s right. So, precinct-counted optical-scan systems also depend on software, but they have the particular safeguard, but there is a paper artifact of the voter’s true vote that can be used to determine the true election results. DRE, paperless DRE systems don’t have that property, and so we’re completely at the mercy of the software and hardware.

47:00 Christopher Krebs: When you characterize these things as attacks, I think that is perhaps overstating what may have happened in the 21 states, as was mentioned, over the course of the summer. The majority of the activity was simple scanning. Scanning happens all the time. It’s happening right now to a number of probably your websites. Scanning is a regular activity across the web. I would not characterize that as an attack. It’s a preparatory step.

58:15 Matthew Blaze: There is no fully reliable way to audit these kinds of systems. We may get lucky and detect some forensic evidence, but ultimately the design of these systems precludes our ability to do a conclusive audit of the voter’s true intent. That’s why paperless systems really need to be phased out in favor of things like optical-scan paper ballots that are counted at the precinct but backed by an artifact of the voter’s true intent.

1:02:42 Tom Schedler: The system that we’re looking at, we’re not out for bid yet, would be one that would produce, even though you would vote on an electronic machine, it would produce an actual paper ballot that you could hold in your hand—
Representative Paul Mitchell (MI): My concern with that—
Schedler: —and then cast ballot only with that point when you put it into a secure box.
Rep. Mitchell: My concern with that, and Dr.
Blaze makes the point, is that if you produce a paper result after you put something into the machine, if in fact the machine is tampered with, you could in fact end up with just confirming the tampered information. Schedler: Yes, sir. Speech: Hillary Clinton on National Security and the Islamic State, Council on Foreign Relations, November 19, 2015. 12:35 Hillary Clinton: So we need to move simultaneously toward a political solution to the civil war that paves the way for a new government with new leadership and to encourage more Syrians to take on ISIS as well. To support them, we should immediately deploy the special operations force President Obama has already authorized and be prepared to deploy more as more Syrians get into the fight, and we should retool and ramp up our efforts to support and equip viable Syrian opposition units. Our increased support should go hand in hand with increased support from our Arab and European partners, including Special Forces who can contribute to the fight on the ground. We should also work with the coalition and the neighbors to impose no-fly zones that will stop Assad from slaughtering civilians and the opposition from the air.   Hearing: Electronic Voting Machines, House Administration Committee, C-SPAN, September 28, 2006. Witnesses: Edward Felton - Computer Science Professor at Princeton University Keith Cunningham - Board of Elections Director of Allen County, Ohio Barbara Simons - Association for Computer Machinery, Public Policy Committee Co-Chair 19:54 Edward Felten: Two weeks ago my colleagues, Ari Feldman and Alex Halderman, and I released a detailed security analysis of this machine, the Diebold AccuVote-TS, which is used in Maryland, Georgia, and elsewhere. My written testimony summarizes the findings of our study. One main finding is that the machines are susceptible to computer viruses that spread from machine to machine and silently transfer votes from one candidate to another. 
Such a virus requires moderate computer-programming skills to construct. Launching it requires access to a single voting machine for as little as one minute. 1:45:23 Keith Cunningham: Can they be improved? Absolutely, and I think throughout my comments I was very definite to say that these machines, as they currently sit, are not reliable. My question back to you, though, in that regard is, who’s going to pay to fix it, because one of the problems we have right now is in the last 24 months every election jurisdiction in this country has spent the $3 billion we spoke about earlier on new election equipment, and that’s what’s in place. So without somebody stepping forward to fund that enterprise, I don’t know how we’re going to improve them ourselves. 1:51:00 Barbara Simons: I wanted to remind the panelists of what happened in Carteret County, North Carolina, in, I believe it was, ’04, where paperless DREs were used and over 4,000 votes were lost. I mean, there's this concern about being able to reprint paper ballots or paper VVPATs. When you lose votes in a DRE, which has no paper, there is nothing you can do, and in fact, there was an election for—the statewide election—for agricultural commissioner, where the separation between the two candidates was such that the results could have been reversed by those missing votes. And it went to court, it went to two different courts, where they first tried to hold a recount just for the county itself. That was thrown out. Then it went for a statewide recount, and that was thrown out because we had no laws to deal with what happens when DREs fail. And finally, there were a number of people who submitted subpoenas or petitions say they had voted for one of the candidates, and based on those submissions, it looked like the judge was going to declare that candidate the winner, and so that was how the election was decided. This is not a way to hold elections in this country. 
Community Suggestions
Cover Art Design by Only Child Imaginations
Music Presented in This Episode: Intro & Exit: Tired of Being Lied To by David Ippolito (found on Music Alley by mevio)

Seginfocast - Segurança da Informação - podcast
SegInfocast #53 - Launch of the Book Contagem Regressiva até Zero Day (Countdown to Zero Day)


Feb 28, 2018, 52:45


In this episode, Paulo Sant’anna welcomes Alan Oliveira, one of the translators of the book Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon by Kim Zetter. He also comments on the significance of Stuxnet as the first digital weapon, how this first weapon can lead to the creation of others, and what we can expect from this new scenario. In addition, he relates the events to the way the attack was carried out and what it represents in the context of the information security of cyber systems.

In the book, the journalist specializing in cybersecurity tells the story behind the virus that sabotaged Iran’s efforts to build a nuclear program, showing how its creation ushered in a new kind of warfare, in which digital attacks can have the same destructive power as a physical bomb.

About the book

The book Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon describes how the Stuxnet malware worked, which attacked the uranium-enrichment centrifuges of the Iranian nuclear program, but it also discusses all the tactical and strategic aspects associated with what is considered the first digital weapon of war ever used in an action against a nation-state. The book has all the elements of a thriller and captures the reader’s attention from the first page.

The book covers the emergence of the world’s first digital weapon, Stuxnet, from its origins in the corridors of the White House to the execution of the attack on a nuclear facility in Iran. Its existence began to become public in 2010, after inspectors from the International Atomic Energy Agency (IAEA) noticed that the centrifuges at an Iranian uranium-enrichment plant were failing at an unprecedented rate for entirely unknown reasons. Five months later, in an apparently unrelated event, a security company in Belarus was called in to troubleshoot computers in Iran. On those computers they found malware that they initially took for a simple, routine threat, but analysis showed it to be something mysterious and of unprecedented complexity. The book describes in detail the work done by information security analysts and industrial control system (SCADA) analysts to dissect and unravel this malware. Countdown also covers cyber warfare, its development, and the market for buying and selling malicious code.

About the interviewee

Alan Oliveira is an engineer, holds a master’s degree in Electronic Engineering in the area of intelligent systems, and is a doctoral candidate at UFRJ. He served for 7 years as a naval officer in the areas of weapons systems and communications. He is currently a professor at the Brazilian Navy, where he teaches control systems, electronic warfare, and communication systems. His doctoral research focuses on the security of control and automation systems.

Security Conversations
Kim Zetter, Journalist and Author


Dec 29, 2017, 52:06


Award-winning security journalist and author Kim Zetter talks about her work tracking cyber-espionage campaigns, why she uses an old-school cassette player to record sensitive interviews, and the dramatic changes sweeping the security industry.

Oral Argument
Episode 139: It’s All the Stacey Show


Jun 25, 2017, 62:28


IP expert Stacey Dogan joins us to discuss: the merits and demerits of trademark law, values and stock characters of IP, non-interference and design choice, antitrust and IP optimists and skeptics, BU’s new clinics and collaborations with MIT for law and innovation.

This show’s links:
Stacey Dogan’s faculty profile (https://www.bu.edu/law/profile/stacey-dogan/) and writing (https://papers.ssrn.com/sol3/cf_dev/AbsByAuth.cfm?per_id=87890)
Barton Beebe, Intellectual Property Law and the Sumptuary Code (https://harvardlawreview.org/2010/02/intellectual-property-law-and-the-sumptuary-code/)
Smith v. Chanel (https://scholar.google.com/scholar_case?case=16887560236890964726)
Stacey Dogan and Mark Lemley, Parody as Brand (https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2170498)
Stacey Dogan, The Role of Design Choice in Intellectual Property and Antitrust Law (https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2862594)
INS v. AP (https://scholar.google.com/scholar_case?case=16577297531712180725), Berkey Photo v. Eastman Kodak (https://scholar.google.com/scholar_case?case=9338840886663363935), Sony Corp. v. Universal City Studios (https://scholar.google.com/scholar_case?case=5876335373788447272), and MGM v. Grokster (https://scholar.google.com/scholar_case?case=8647956476676426155)
About the Microsoft Antitrust Litigation (https://en.wikipedia.org/wiki/United_States_v._Microsoft_Corp.)
Kim Zetter, Federal Judge Throws out Gag Order Against Boston Students in Subway Case (https://www.wired.com/2008/08/federal-judge-t)
Peter Dizikes, New Legal Program to Support Students (https://news.mit.edu/2015/support-students-business-cyber-law-0909)
About the BU School of Law’s Entrepreneurship and Intellectual Property Clinic (http://sites.bu.edu/elawclinic/about-the-clinic/)
And about the school’s Technology and Cyberlaw Clinic (http://sites.bu.edu/tclc/about-the-clinic/)

Special Guest: Stacey Dogan.

Super Critical Podcast
Episode 11: Independence Day


Nov 20, 2016, 110:56


In this episode, we took advantage of the new world-wide federal holiday to watch the sci-fi action blockbuster Independence Day (the good one from 1996). How effective are nuclear weapons against 15 mile wide spaceships? Are aliens keeping tabs on Earth’s nuclear stockpiles? How did Jeff Goldblum write a computer virus that works on alien technology? Tim and Joel answer these questions and more.

Before Elvis left the building, we recommend reading
-Michael Rogin, Independence Day, or How I Learned to Stop Worrying and Love the Enola Gay (British Film Institute, 1998) http://www.worldcat.org/title/independence-day-or-how-i-learned-to-stop-worrying-and-love-the-enola-gay/oclc/39547508
-James Harris, “The Oral History of the President’s Speech in ‘Independence Day,’” Complex Media, June 23, 2016, http://www.complex.com/pop-culture/2016/06/presidents-speech-in-independence-day-oral-history
-Kim Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon (Crown Publishers, 2014)

Also check out the sources below to learn more (you can also access these links on our SoundCloud page):
-Robert Kennedy, “A Rocket Scientist’s Reaction to Independence Day,” The Ultimax Group White Paper, 1996 http://www.ultimax.com/whitepapers/1996_3.html
-Kelly Fonda, “‘You Want to Blow Up the White House?’: An Oral History of the Film Independence Day,” We Minored in Film, April 28, 2015, https://weminoredinfilm.com/2015/04/28/you-want-to-blow-up-the-white-house-an-oral-history-of-the-film-independence-day/
-Janet Burns, “16 Earth-Shattering Facts About ‘Independence Day,’” MentalFloss, July 3, 2016, http://mentalfloss.com/article/76231/16-earth-shattering-facts-about-independence-day
-Joe Skrebels, “Independence Day Director Roland Emmerich Mocks Marvel Movies,” IGN, June 28, 2016, http://www.ign.com/articles/2016/06/20/independence-day-director-roland-emmerich-mocks-marvel-movies
-ID4 Deleted Scenes, https://www.youtube.com/watch?v=4rf3eB5bFe4
-U.S. Air Force Capt. Robert Salas - UFO's Are Real, https://www.youtube.com/watch?v=zjbhq4P_sZI
-Eric Julien, The Iron Skeptic, http://www.theironskeptic.com/articles/julien/julien.htm
-Kim Zetter, “An Unprecedented Look at Stuxnet, the World’s First Digital Weapon,” Wired, November 3, 2014, https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/
-Andrew Futter, “The Dangers of Using Cyberattacks to Counter Nuclear Threats,” Arms Control Today, July/August 2016, https://www.armscontrol.org/ACT/2016_07/Features/The-Dangers-of-Using-Cyberattacks-to-Counter-Nuclear-Threats
-“'Independence Day' Producer Finally Explains Infamously Inept Hacking Scene,” Yahoo Movies, December 8, 2014, https://www.yahoo.com/movies/independence-day-producer-explains-hacking-scene-104676447332.html
-Jakob Nielsen, “Excessive Interoperability in Independence Day,” NN Group, December 18, 2006, https://www.nngroup.com/articles/independence-day-interoperability/
-Russ Wellen, “Alienating Aliens: Do Nukes Make Them Go Ballistic?,” HuffingtonPost, May 25, 2011, http://www.huffingtonpost.com/russ-wellen/alienating-aliens-do-nuke_b_414394.html
-Atomic Bomb Test – Survival Towns, https://www.youtube.com/watch?v=tr76hNngqts
-Teapot Apple 2 Nuclear Test, https://www.youtube.com/watch?v=ztJXZjIp8OA

We aim to have at least one new episode every month. Let us know what you think about the podcast and any ideas you may have about future episodes and guests by reaching out on Twitter @NuclearPodcast, GooglePlay, SoundCloud, TuneIn, Stitcher Radio, Facebook, SuperCriticalPodcast@gmail.com, and YouTube. Thanks to bensound.com for some of the background music used in this episode. Enjoy!

Morgenbladets podkast
#49 Digital war and the ruins of the '80s


Jun 2, 2016, 33:01


KIM ZETTER has written the book about the world’s first digital weapon: STUXNET. It proved that ones and zeros can destroy dams, turbines and power grids, she says. Meanwhile, culture editor ESPEN HAUGLID has decided to chain himself up to save Galleri Oslo. We paid a visit to the capital’s neglected postmodernist gem.

Seginfocast - Segurança da Informação - podcast
SegInfocast #34 - Launch of the book Countdown to Zero Day


May 23, 2016, 19:58


Paulo Sant’anna welcomes, for the first time, Alan Oliveira, one of the translators of the book "Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon" by Kim Zetter. In the book, the journalist specializing in cybersecurity tells the story behind the virus that sabotaged Iran’s efforts to build a nuclear program, showing how its creation ushered in a new kind of warfare, in which digital attacks can have the same destructive power as an atomic bomb.

What is the book about?

The book covers the emergence of the world’s first digital weapon, Stuxnet, from its origins in the corridors of the White House to the execution of the attack on a nuclear facility in Iran. Its existence began to become public in 2010, after inspectors from the International Atomic Energy Agency (IAEA) noticed that the centrifuges at an Iranian uranium-enrichment plant were failing at an unprecedented rate for entirely unknown reasons. Five months later, in an apparently unrelated event, a security company in Belarus was called in to troubleshoot computers in Iran. On those computers they found malware that they initially took for a simple, routine threat, but analysis showed it to be something mysterious and of unprecedented complexity. The book describes in detail the work done by information security analysts and industrial control system (SCADA) analysts to dissect and unravel this malware. "Countdown" also covers cyber warfare, its development, and the market for buying and selling malicious code.

Can you name other highlights of the book?

For the Stuxnet attack to succeed, there could be no mistakes. The book describes its stages of creation in detail, from hiring staff specializing in nuclear-plant centrifuges to testing in environments with centrifuges identical to the Iranian ones, so that the code could be deployed in the field with maximum effectiveness. Our interviewee also explains how the book reveals details unknown to the general public about the illegal (or gray), obviously unregulated, market in which malicious code is sold to people acting in the name of the national security of various countries. The price of this code (0-days) varies, depending on exclusivity and the targeted program, and can reach up to US$200,000. Alan ends the interview by recounting real stories of cyberattacks that took place in countries such as Estonia and Georgia.

When will the book be released?

The book’s launch is planned for November of this year.

Alan Oliveira is an engineer with a master’s degree in Electronic Engineering in the area of intelligent systems. He served for 7 years as a naval officer in the areas of weapons systems and communications. He is currently a professor at the Brazilian Navy, where he teaches control systems, electronic warfare, and communication systems. His doctoral research focuses on the security of control and automation systems.

The Cybersecurity Podcast
Stuxnet, Sexism, CEOs and Surveillance


May 14, 2015, 34:55


New America's Peter Singer and Passcode's Sara Sorcher chat with Bruce Schneier, prolific author and chief technology officer at Resilient Systems, about the challenges of publicly blaming countries for cyberattacks – and whose job it should be to defend private companies against sophisticated nation-state attacks.  They also hear from Nate Fick, the CEO of Endgame, a venture-backed security intelligence software company, about how he's leveraging cybersecurity solutions once produced just for the government into the private sector.   Wired's Kim Zetter, author of Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon, joins the panel discussion to talk about how the cyber operation on Iran's nuclear facilities launched a new era of warfare; the vulnerability of US critical infrastructure to Stuxnet-like weapons; and the gender diversity issues bedeviling the cybersecurity industry.

a16z
a16z Podcast: How Hacks Happen (Let's Just Say Mistakes Have Been Made)


Apr 18, 2015, 28:58


It seems like we hear about corporate (not to mention consumer) hacks in the news every week. Is this something new, or just a continuation of old patterns and we just happen to be hearing about it more now? In this segment of the a16z Podcast, longtime security investigative reporter Kim Zetter of Wired -- who also wrote Countdown to Zero Day, the definitive account of Stuxnet, the first digital virus that wrought physical destruction (on a nuclear facility) -- breaks down how hacks happen. What's old (like phishing), what's new (like spear-phishing and ransomware)? How are players around the world -- whether for government or economic espionage -- becoming ever more sophisticated, coordinated, and organized? And what can companies do? Zetter shares her observations on how security models have changed -- for example, from defensive to offensive -- to how she susses out the truth when different players communicate about or claim hacks. (Which is one of the reasons that Zetter questions North Korea's role in the Sony hack...)

Cyber Law and Business Report on WebmasterRadio.fm
Kim Zetter on Stuxnet's Brave New World


Mar 25, 2015, 55:47


Countdown to Zero Day author, and top cybersecurity journalist, Kim Zetter tells the story behind the virus that sabotaged Iran's nuclear efforts and shows how its existence has ushered in a new age of warfare—one in which a digital attack can have the same destructive capability as a megaton bomb.

The Linc Austin Show
Police Must Swear to Silence on Vehicle Tracking Database


May 3, 2014, 10:00


According to a recent Wired.com article by Kim Zetter, Vigilant Solutions maintains the nation's largest database of license-plate images, with nearly 2 billion records stored in its National Vehicle Location Service (NVLS). In reviewing one of Vigilant's service agreements, Wired.com found that any law enforcement agency that signs up for the service is sworn to a vow of silence on the system's Orwellian capabilities. More and more, the private sector is becoming complicit in manipulating information presented to the public. Why?

Cutting Through the Matrix with Alan Watt Podcast (.xml Format)
Dec. 4, 2009 Alan Watt "Cutting Through The Matrix" LIVE on RBN: "For the Elite -- Self-Congratulatory Praises, When the 'Useless Eaters' are Pushing Up Daisies" *Title/Poem and Dialogue Copyrighted Alan Watt - Dec. 4, 2009 (Exempting Music, Literary Quotes, and Callers' Comments)


Dec 5, 2009, 46:51


--{ For the Elite -- Self-Congratulatory Praises, When the 'Useless Eaters' are Pushing Up Daisies: "A New World Order Coming into View, Ambiguous Statement Understood by the Few, Not Only the Stand-Down Between East and West, But a New Way of Living, from Those Who Know Best, Planned Long Before the Cold War Season By Men of Societies, 'A Rule by Reason,' Soviet-Capitalist Merger, a Synthesis Alliance Where Governments are Guided by Men of Science Who with their Reason, World's Problems be Solved, Eliminating 'The Useless' Populations Resolved, Fittest to Survive to Breed on Maintainable, With Excess Gone, their Future's Sustainable" © Alan Watt }--

Topics become Popular - Copenhagen Meeting, No-Compromise Agenda - Maurice Strong, Technocrats with Power - Gas Price Hikes and Drops - Birth Pangs of New Global System - Depopulation, Reduction of "Useless Eaters" in Post-industrial Society - Man-Made "Catastrophes" - Club of Rome's "First Global Revolution": Enemies Invented to Unite Humanity, 'Real Enemy is Humanity itself'. Synthesis of Communism blended with Capitalism - Destruction of All That Was, BBC's Attack on Culture, Promotion of Hedonism and Narcissism - Govt. comes in as Ultimate Authority. "Greening" Religion, No Tolerance - Global Warming / Climate Change Scam, Data Hidden by NASA, Al Gore's Science Fiction, Univ. of East Anglia's Figures Fudged to Fit Theory (Belief System). Food used as Weapon, Iraq Embargo - War OF Terror since 9/11, Giving up Freedoms for "Security" - Computers / Cell Phones given for Surveillance and Data Collection, Personal Info and Wiretaps Sold by Corporations to Government Agencies - "New Freedom" and "New Deal". Wireless Wristbands for Tracking - Smart Meters for Britain and Canada, Rationing and Remote Cut-offs for Electricity.

(Articles:
-- Connecting the Dots on Global Warming ("The First Global Revolution" by the Council of the Club of Rome / Time magazine cover, April 1977 "How to Survive the Coming Ice Age" (sott.net).)
-- Global Warming Theology-Washington Times ("EDITORIAL: Global-warming theology" (washingtontimes.com) - Dec. 4, 2009.)
-- Hansen of NASA Arrested along with Other "Warming" Hysterics ("NASA's James Hansen, 28 Activists Arrested Protesting Mountaintop Mining" by Stacy Morford (solveclimate.com) - June 23, 2009.)
-- NASA also Hiding Data on "Climate Change" ("Researcher: NASA hiding climate data" by Stephen Dinan (washingtontimes.com) - Dec. 3, 2009.)
-- Wired-Communication Service Providers and Cost of Surveillance ("Yahoo, Verizon: Our Spy Capabilities Would 'Shock', 'Confuse' Consumers" by Kim Zetter (wired.com) - Dec. 1, 2009.)
-- "8 Million Reasons for Real Surveillance Oversight" by Christopher Soghoian (paranoia.dubfire.net) - Dec. 1, 2009.
-- Wristband Electronic ID ("Microchip wristband becomes a theme park essential" by Hugo Martin (latimes.com) - May 2, 2009.)
-- Smart Meters ("£500 'smart' powers meters for all which could let energy firms cap use in homes" by Sean Poulter (dailymail.co.uk) - Nov. 30, 2009.)
)

*Title/Poem and Dialogue Copyrighted Alan Watt - Dec. 4, 2009 (Exempting Music, Literary Quotes, and Callers' Comments)

Complete Liberty Podcast
Episode 87 - Non-objective law, individual creativity versus tribalism and mysticism, causality


Oct 13, 2009, 39:04


Government--a group of people claiming immunity from simple moral judgment (don't hit people and don't take their stuff)
Why don't we have a system in which people and their property are respected consistently and universally?
Objective law entails honoring individual rights
Ideas rule the world, not guns and jail cells
The idea of government gives "legitimacy" to rights-violations
Market monopolies are fundamentally different than coercive monopolies
The Question of Monopolies by Nathaniel Branden http://www.nathanielbranden.com/catalog/articles_essays/question_of_monopolies.html (also in http://www.amazon.com/Capitalism-Ideal-Ayn-Rand/dp/0451147952 )
Coercive monopolies exist in regulated economies like today's
Local utilities are a prime example of coercive monopolies
People tend to project their fears of others onto property owners, ignoring their present enslavement by statism
HOA's don't exactly uphold freedom principles
Surrendering one's autonomy is part and parcel of statism
Enforcing irrational, immoral, and unjust laws is the supposed "job" of "police officers"
Governmental laws are basically the nonsensical scribblings of control-freak mentalities
Teen’s DIY Energy Hacking Gives African Village New Hope by Kim Zetter http://www.wired.com/wiredscience/2009/10/kamwamba-windmill/
Governmental "aid" (i.e., expropriated tax dollars) fosters dependence and perpetuates human suffering
Morality entails the virtue of independence, not dependence
Freedom—An Ethical Issue - http://www.logicallearning.net/libfreedomethica.html
Dead Aid: Why Aid Is Not Working and How There Is a Better Way for Africa by Dambisa Moyo http://www.amazon.com/Dead-Aid-Working-Better-Africa/dp/0374139563/
Dambisa Moyo, Author Of Dead Aid - http://www.youtube.com/watch?v=gBH47mByATc
Dambisa Moyo discusses Dead Aid with an MP - http://www.youtube.com/watch?v=L5Pkk2sq9Cg
Mysticism crowds out rationality, and when mysticism creeps into daily affairs, it can be deadly
Superstitions are rampant in tribes, where conformity to the group and mystical "causality" reigns
The Early Human Condition - http://www.logicallearning.net/libearlyhumancon.html
Creators are not selfless; each creator lives for his or her own sake
A mystical metaphysics inverts the nature of reality and logical causality
A solid, objective metaphysics leads to understanding reality correctly and respecting others' achievements
Identity And Causality, And The Use Of Logic - http://www.logicallearning.net/libidentitycausa.html
Female genital mutilation is one horrible outcome of the tribal mentality and superstitious beliefs http://www.who.int/mediacentre/factsheets/fs241/en/ http://en.wikipedia.org/wiki/Female_genital_cutting
William Kamkwamba on building a windmill http://www.ted.com/talks/william_kamkwamba_on_building_a_windmill.html
Michael Pritchard's water filter turns filthy water drinkable http://www.ted.com/talks/michael_pritchard_invents_a_water_filter.html
How much more generous and charitable would people be if taxation (and government itself) didn't exist?
Ask Dr. Ruwart - What is the libertarian approach to developing alternative energy sources? http://www.theadvocates.org/liberator/vol-14-num-16.html
Coercion can't achieve benevolent ends
In a free market, entrepreneurs see needs, ascertain what people value, and respond accordingly
Inside the Nobel Prize: How a CCD Works by Charlie Sorrel http://www.wired.com/gadgetlab/2009/10/ccd-inventors-awarded-nobel-prize-40-years-on/
bumper music "It's My Life" by Dr. Alban http://www.dralban.net/
to comment, please go to http://completeliberty.com/magazine/category/91697