
Evidence, Accusations, and Motivation

With the Bloomberg report on hardware hacking looking more in doubt, more and more politics are coming into play. Anytime you evaluate news, it's important to look at things objectively. Here are a few tips around evaluating cybersecurity news.


Reasonably Accurate Transcript

Morning everybody. How are you doing today? Well, last week we touched on the Bloomberg report around compromised Supermicro servers that may have gone to up to 30 different American companies and agencies. And well, didn't that story get nice and complicated over the weekend?

If it wasn't bad enough already, it is completely turned into just this ball of confusion. And I think that is a really important thing to address. Not necessarily this story specifically, which as every sort of moment passes, more and more evidence mounts against it.

Last night, late last night, Joe Fitzpatrick, who is the security researcher who was apparently consulted on the story, actually raised questions about its veracity because it echoed very, very closely some of the things that he theorized about.

And again, there's no physical evidence presented for everybody else to evaluate. But I think more importantly, and this was actually the subject of a CBC radio column I did this morning. It's really important to understand how to evaluate these stories and this information as a consumer, as a technology person, maybe somebody in cybersecurity as well.

So, um especially given all the stuff that's bubbled up around this story. Vice President Pence in the US had said, you know, that China is upping its cyber crime and cyber activities against the US.

That there's been a number of sources that said, no, that's not the case. It's back and forth. There's conflicting reports absolutely everywhere. So how do you make sense of it? Well, for me, there is a golden rule.

And as a reminder, I'm coming at this from a cyber security professional standpoint, from a forensic science standpoint. Here's the thing. Any time anyone talks attribution. So who did it? You very, very, very, very much need to turn up your ears, alarm bells going off in the background.

You need to be concerned. The reason is attack attribution is extremely, extremely difficult. So if somebody files criminal charges, then you can know that a certain amount of due diligence has been done because the prosecutor is not going to take on the case unless they think they can win it.

But even then it's not a slam dunk. But for the vast majority of these cases, especially when it's something like a report, you know, like the Bloomberg report, like what we've seen over the past few years around Russian related interference with elections and media manipulation and influence and things like that.

Any time you see any particular gang called out, you need to be concerned. And the reason is this, I'm not saying all attribution is wrong. The reason why you need to be aware and concerned is simple.

So right now, you know, this is me on video, or at least you hope this is me and not a deepfake, giving you this information. But if I had typed it up and posted it in a Medium article, not attributed to my user name, how would you know it's me, right?

Really simple question. If somebody sends you an email that says it's from, you know, me@markn.ca, which is my email address, how do you know it's from me? We assume a lot of things we don't actually know.

And when it comes to cybercrime, when it comes to nation state level attacks, we really need to know. And that's sort of the heart of the matter here. So if I'm sitting at a computer and typing something out, that's my typing action before typing something out.

How do you know that came from me? You might be able to, through thorough investigation and a good view of the network, trace the activity back to that system. But do you know I was sitting at the keyboard at that time? Do you know what my motivations were?

That's really the difference here. So let's, let's walk through a completely different unrelated example. Let's say there is a piece of malware on a computer system on my computer system that is attacking your computer system.

So, you know, um, you've traced it back from my, uh, to an IP address that's associated currently with my ISP account. Um, and you know that something from this IP address has then attacked something, uh, at yours, your system.

Ok. So you've got some evidence, you've got IP trail, you've got some logs in your system that says an attack came inbound from this IP. Well, right away, even though I said, you know, it came from my system.

Now we're talking IP addresses, which means that's a network space of network address. I'm at my home office right now. The IP address is associated to everything in the house because it goes through my router.

So that means any device in the house could have done it, or anyone connected to my home network could have done this attack. You don't know that last step. Even if you did, do you know I was sitting at my computer or the device that was on that IP at that time?

Do you know it was me that sat down and typed it? You probably can't prove that to a court of law. Any forensic witness could shoot that down. Anyone who's worth their salt because you say, well, this IP address attacked me.

Well, you know what? Maybe someone hacked my Wi-Fi. Maybe someone hacked my computer. Maybe it was someone who was in the house, not me. Right? Someone we trusted, a friend. You can't trace that back without additional evidence.

It might be enough for a search warrant, but it's not enough to do a conviction. And this is where attribution really comes into a problem. You can say that the evidence points to a system at this IP address conducting this attack.

But was it Mark? And what was his motivation? You can't say that. And this is the challenge when you scale that up to the nation state level. We've seen the Bloomberg report cited 17 unnamed sources and various US government officials and investigations, but then every company denied it.

So who do you trust? Well, there's no evidence supporting this. Beyond that Bloomberg report, there's no photos of the implants, the pictures and the imagery was all drawn up for that report and say so in the report.

And there's no like, hey, this is the hardware implant that was found and here's where it was found. So there's no hard evidence, there's a statement from 17 sources and you would hope that Bloomberg went through journalistic rigor.

They have a lot of lawyers, they have a great reputation that they, you know, believe this to be true. But how do you as a reader interpret it? Well, you need to take it with a grain of salt.

You need to take the denials with a grain of salt because there's a lot at stake here. But really, for me, any time somebody, you know, takes that extra step of attributing the attack without visible and verifiable evidence, then you really need to raise a lot of questions.

Now, if they just said this attack had happened and the motherboards and systems were manufactured in China, that's consistent with the evidence that they had presented. But to say that it was a particular part of a particular government of a nation state that's taking a leap without evidence.

And that makes it really hard for us to verify. And more that comes out around this story, it raises serious questions, but also in general consuming cybersecurity news. Anytime somebody says Mark did it, you really need to be on guard.

It's not that that necessarily happened, but making that attribution is extremely, extremely difficult. So hopefully you're still consuming all this news, you're still bringing it in, but you're adding some healthy skepticism and looking for verifiable evidence.

It shouldn't be that much of an ask, but apparently it is, but verifiable evidence is the key. So just some food for thought for today. I'll be writing some of this stuff up to go on markn.ca, along with the radio segment from this morning when it gets posted.

In the meantime, hit me up online at @marknca. Happy to chat about this and everything else.

For those of you on the vlogs, down below in the comments, and as always by email, me@markn.ca. I hope you have a fantastic day, talk to you online and I'll see you on the show tomorrow.
