View profile

The Cybers Are Weird - Issue #1

Ian Campbell
Ian Campbell
Notional spaces have always been weird. Artist Juliette Aristides described a notional space as “the rectangle formed around an object when you find its height and width. Imagine the notional space as being a clear box that perfectly fits around your object.”
Humans build them by default, probably for a number of reasons. They’re a way to clarify and enhance classification - something we’re largely hard-wired for as a way of understanding. And they’re also a way to limit. They allow us to impose mental borders around a thing not just to understand it better but also to segment objects and spaces off from each other. In this way, we use perception as a kind of self-protective measure: we impose neat lines where there are none in the attempt to quarantine overlap, to pretend spaces can’t creep into each other.
We enjoy imagining and visualizing, but we also enjoy limiting in order to make things simpler and protect ourselves from further anxiety. That tension will persist as long as imagination does.
But, as Thomas Rid states, "at some point a metaphor will begin to fail, and at this point of conceptual failure we may learn the most important things about the subject at hand, how it differs from the familiar, how it is unique—analogies are also testing devices.” So it is with cyberspace - the very epitome of a notional space of speculation, imagination, and self-protective limitation. We don’t want to acknowledge the leering creep even as enhanced connectivity makes our lives undeniably easier or more accessible. And even moreso we avoid the Weird, the strange and the unique, because it often threatens our worldview in subversive ways. Complexity challenges the narratives we tell ourselves in order to keep focus on what we deem true or important or joyful.
And the information security landscape is nothing if not complex.
There are ten thousand people writing about top news in cybersecurity. There are a thousand neatly trimmed roundups sent out weekly. Those are important and good, but this space is not that.
Instead I’ll be writing from the perspective of exploring the Weird and unexpectedly complex. I’ll be pinpointing a few unique stories instead of the headlining ones in an attempt to both explore the notional spaces we perceive around security and to blur the edges of that glassy rectangle we like to think keeps things contained.

Item 1: Stop Snitchin'
Vigilante malware rats out software pirates while blocking ThePirateBay – Sophos News
So let me explain a little: the websites you visit are all IP addresses at their core. The domain names you type (like “google.com”) are mapped to the IP addresses by the Domain Name System; a massive system of “resolver” servers receive an inquiry from your computer when you type in a domain name, and send your computer the right IP address. BUT you can also do this internally on your own computer thanks to something called the HOSTS file. HOSTS allows you to override that inquiry process by pointing a domain to a particular address manually - one of the more common uses these days is to sinkhole Windows 10’s attempts to phone-home with your info (something Windows started detecting last year or so). For a long time, viruses used this as a way to redirect users to malicious websites or for other purposes. I haven’t really seen it in a while, though.
In this case someone started infecting folks who were downloading pirated copies of popular software. The program instead adds a bunch of entries to the user’s HOSTS file effectively blocking many software piracy sites, as well as reporting their IP address.
This is an extremely weird result, a strange complexity that very much constitutes malicious/“black hat” hacking while not causing outright damage or demanding payment. It’s an unlawful sequence of events aimed at a seemingly lawful - if annoying - consequence.
How would you classify it? Where does it fit?
Item 2: Avaddon't Tase Me Bro
Avaddon ransomware shuts down and releases decryption keys
It’s not unheard of for a ransomware group to shut down and release decryption keys for its victims, as a few have done so in recent years. But it’s a weird edge case that I love tracking; what’s the real motivation? They had a bunch of people in extremely vulnerable positions and not only did they walk away, they did something vaguely altruistic first by releasing the keys.
Avaddon hanging up their black hats came on the heels of the DarkSide ransomware group biting off more than they could chew ransoming the Colonial Pipeline and making themselves a national security threat. Shortly after DarkSide realized they were in just about the hottest seat imaginable the US Department of Justice recovered most of the bitcoin that Colonial had paid in ransom. While DOJ explained the seizure away as “the private key to that bitcoin address was found online” (something I’d guarantee is a parallel construction), given the amount and speed by which it was seized there’s been some speculation that DarkSide handed over the affiliate group directly responsible for Colonial’s hack. According to this theory the bitcoins seized were less than the amount ransomed partly due to it only being the affiliate’s earnings, minus DarkSide’s cut.
I doubt we’ll ever know for real.
But to circle back to Item 2 above, Avaddon’s self-shutdown came right on the heels of all this. I can’t help but wonder if Avaddon had substantial connections to DarkSide and saw the writing on the wall about the latter possibly informing on associates. A thoroughly blatant act of imagination on my part, but that’s what both reality and fiction are made of.
And to be sure these things aren’t always complex. The amount of “brand name” churn among cybercrime groups is huge - they accumulate too much heat, announce a “shutdown” and rebrand and resurface to continue. But the timing…
Item 3: I'm Sorry Dave, I Can't Allow You To Redeem That
The Meltdown of IRON. How Polygon’s first billion-dollar… | by Irony Holder | Jun, 2021 | Medium
Okay, stay with me here, because this one’s funny.
In the context of cryptocurrency, smart contracts are just code - they’re programs or protocols that transactions are processed through without human intervention.
IRON was meant to be a “stablecoin” - avoiding the normal volatility of cryptocurrency markets in part by eschewing undercollateralization. IRON theoretically retained $0.75 in USDC (an anchored 1:1 US dollar stablecoin) for every $1 worth of IRON. The other $0.25 was in a more volatile asset - TITAN. Then TITAN and IRON crashed, and a fantastic bug was discovered in the “smart contract” - the developers never anticipated nor coded for a situation in which the coin value dropped to zero.
Because the smart contract was coded with share_price > 0 instead of share_price >= 0, the contract began rejecting every attempt to redeem the remaining collateral, which was stored in dollarcoins. This means the automated system cannot release the remaining $232 million stored in reserve.
Maybe the next time someone mentions automating weapons systems, think of this (or the sad tale of Knight Capital, told in excellent style here).
Links that didn't make the cut
Lumen's Black Lotus Labs uncovers hacktivist attack | FierceTelecom
FBI sold phones to organized crime and read 27 million “encrypted” messages | Ars Technica
US Soldiers Expose Nuclear Weapons Secrets Via Flashcard Apps - bellingcat
Thousands of Tor exit nodes attacked cryptocurrency users over the past year - The Record by Recorded Future
Wrapup
Thanks for reading, folks. Please feel free to hit me up on twitter or email me at igcwrites at gmail with thoughts or suggestions. No pitches, no ads.
As best I can tell I have no conflicts of interest regarding anything above, but if I write up something where I do, I’ll make sure it’s clear.
Please keep yourselves safe, stay masked up, get vaccinated when you can, and be kind where you can.
-ian
Did you enjoy this issue? Yes No
Ian Campbell
Ian Campbell @neurovagrant

Unique items of note in information security/cybersecurity, privacy, and technology

If you don't want these updates anymore, please unsubscribe here.
If you were forwarded this newsletter and you like it, you can subscribe here.
Created with Revue by Twitter.