— I’ve started a weekly newsletter! If you want updates on this blog or my research, or just a weekly dose of the going’s on in right wing extremism, information security and threat intelligence, you can subscribe here. —
Josh Hawley, renowned supporter of the Jan 6 insurrection, had some opinions on masculinity he felt he needed to air out on Monday. It’s not surprising: toxic masculinity and its approach to sexuality is a fairly foundational part of many fascistic belief systems.
Hawley said he believes men are watching porn and playing video games because their masculinity is being criticized. Masculinity itself is a fairly foundational concept within far right and fascist movements: the idea of the strong man dictator requires a very heavy emphasis on a very toxic form of dominating, aggressive masculinity. From Hitler and Mussolini to the Proud Boys and modern incel movement, you can see it just about anywhere.
It was written into the founding codes of the Proud Boys, a far-right, men-only club known for their penchant for political violence, that certain challenges involved in the swearing in of new members was to abstain from masturbation (as it supposedly affects your testosterone levels and means you are satisfying yourself without the ‘use’ of a woman) and to be beaten by existing members while you scream the names of breakfast cereals.
Trump was obsessed with the masculine aesthetic and masculine nostalgia, speaking of the good old days when political protesters would leave events in stretchers. He notably insisted on joining an incredibly odd conversation about the size of his hands, an ironically borderline homosexual conversation between grown men on the world stage that essentially discussed the size of the presidential candidate’s junk. He frequently spoke of making America Great Again, another nod towards masculine nostalgia that we were once a great, dominating and domineering nation and we have since slid into weakness. He questioned Hillary’s ability to govern the nation in terms that barely hid his blatant sexism. In short, Trump’s toxic masculinity was thoroughly unveiled, and it spread across his GOP and their followers in the form of terms like cuckservative and beta/sigma males.
The incel culture ate it up. The unhinged hatred toward women that pervaded that corner of the internet and society lapped up the masculinity-obsessed far right nonsense like it was water in an arid, sex-deprived desert. Here was something they could channel their anger through. They could join groups like the Proud Boys and even more angry, fascistic groups to find commonality in their fellow men. Even explicitly violent, fascist groups like Atomwaffen Division held blatantly sexist, overtly toxically masculine views in their chats online. Women whose husbands were part of those groups frequently supported the behavior, forming an avid conservative women’s movement whose core tenants were creating an environment where toxic masculinity could thrive on a foundation of subservient yet politically active and networked wives. ADL did a great job in this paper on misogyny and the far-right, with one quote by a former Atomwaffen Division member saying, quote, “I would vigorously bone the living hell out of my English teacher, like holy f. I don’t care if it’s miscegenation. That babe would be pregnant as f year after year, around the clock, acting as a hub of genetic imperialism…”
Sexuality, masculinity and all of the homophobia, transphobia, toxicity, misogyny and violent tendencies that come with the far right’s positions on those matters are becoming more and more foundational within the fabric of the far right in the West. One must look no further than the hysterically named “Men’s Rights Movement,” a political movement whose Venn Diagram with the incel movement is essentially a circle and whose relationship with the far right is well-chronicled here, to find evidence that sexuality, masculinity and sexual dominance play a major roll in modern far right circles. Caricatures of refugees and immigrants as rapists echo the “black beast” rhetoric of the racists of America’s past, and while the misogynistic view of needing to protect the purity of the white woman is prevalent in far right and fascist circles, a lot of it has more to do with the commentary over The Great Replacement than it does protecting women. Fascists are worried that pornography, video games, progressive culture and cultural representations of a non-white, non-cis world represent the disappearance of traditionally male dominated, conservative and white America and Europe. It is the fascist’s obsession with the female reproductive system and tendencies, who they are reproducing with and what skin color they possess, that keeps these supposed Alpha Males up at night.
So, you see, Josh Hawley’s weird opinions on masculinity aren’t an odd, quirky platform for liberal grifters like Brooklyn Dad Defiant to dunk off of. They aren’t an exception, they are the rule. Toxic masculinity, aggression, political violence and violence for its own sake as both an activity and as an aesthetic are core tenants of right wing extremism and fascist philosophy. As the saying goes, when someone chooses to tell you who they really are, you should listen. Josh Hawley has repetitively told us who he really is: a fascist supporter of the party seeking to overthrow the democracy of our nation.
This was originally supposed to be a short rant on social media between cups of coffee for my daily musings on LifeLog but I wrote a bit longer form than I expected and enjoyed the resulting post quite a lot, so I figured I would post it here as well. —
I blogged yesterday on Graeber’s Bullshit Jobs and how eye-opening it is to see that the foundation of the modern economy is built on nonsense and actively harmful jobs. In that book, Graeber talks about the idea of spiritual violence, which is an interesting term to me. Up until fairly recently, I’d only recognized the club-in-hand idea of violence, until I realized that academia recognizes many other, often more subtle forms of violence, and that due to their subtlety they often go unnoticed and therefore do far more harm over time.
Cal Newport talks about the idea of spiritual violence in his books, even if he doesn’t necessarily say it in the same way. In his book Digital Minimalism Cal talks about the harmful effects of social media and over-connection in general. He talks about how so many of us have been fooled into thinking that we’re having meaningful relationships with people when in reality we’re just connecting with them. This, to me, is a deep form of spiritual violence that has affected not just how we connect, but how we view connections.
One doesn’t have to look far to see agreement that social media has eroded society. In Cal’s book I mentioned before, he mentions only one study that looks at social media use in a positive light… and that study was done by Facebook employees. As a politically-plugged-in person, and as someone who has been working in the security space for the last several years, the 2016 campaign and election season, and all of the political fallout of the last several years, comes to mind. Social media played a huge role in the violence and division surrounding Trump’s election. As someone who has studied the far-right for years and years now, social media has played a huge role in the recruitment and organization of fascist organizations across the globe, often not just serving a logistical role in facilitating communication and connection but serving as an active bullhorn in amplifying the hateful ideology that has torn so many lives apart. Christian Picciolini talks about the role that social media plays in his (phenomenal) book Breaking Hate in amplifying hate and supporting fascist recruitment.
I say all of this acknowledging that I’m writing this post on a social media site. I have a good Twitter following and a decent YouTube subscriber count. I have two blogs as well. I am what I can only painfully call “extremely online.” Part of this is well-explained in Digital Minimalism as using social media for what it’s good for while (trying to) avoid its detriments, part of it is addiction, part of it is entertainment and part of it is the relationships I’ve built on these platforms. Do I think I would be a better person without social media? Probably. I would at least have a lot of my time back. Maybe I would have used that time to do something useful, maybe not. In terms of social media’s effects on society as a whole? They have been overwhelmingly negative.
I’ll leave this post with just two more book recommendations. Evgeny Morozov wrote a phenomenal book called The Net Delusion back in 2012 that was so good and influential to my outlook on the internet that I’m reading it again this year. In the book, Morozov talks about how we all viewed the internet with phenomenally opaque rose-tinted glasses, with heads of state including Bill Clinton saying that all the authoritarian countries of the world needed was more internet and they would open up all on their own. The Arab Spring was supposed to be an example of the transformative nature of the internet.
Instead, the internet has facilitated censorship, surveillance and a wholesale erosion of privacy and security both on and off the web. We saw it in Hong Kong, where the internet fanned the flames of revolution… and was used to suppress and surveil the protesters. During the Arab Spring, the internet was used to hack into the phones of protesters and organizers to surveil and often jail them and their friends. In China and Russia, the internet is used not as a tool to open the society up to more democratic ideals; it is used to control the information within the country to ensure that those democratic ideals don’t get the oxygen they need to blossom.
Finally, we have Shoshana Zuboff’s lengthy tome The Age of Surveillance Capitalism that truly is all one needs to understand the detrimental effects that social media has on society on a macro level. The book talks about how social media has wreaked havoc on society on an unbelievable scale with respect to our interpersonal relationships, mental health and more, all so they can erode our privacy and sell our data and screen time to advertisers. The capital behind social media, the billionaires it has minted, cannot be overestimated. As they always say, follow the money…
So, what to do?
Frankly, I don’t really know. I have grappled with my own relationship with social media quite a lot over the years, never really finding a great balance with it. I’ve gone good stints off of social media entirely and have missed the positive aspects of connecting with friends, publishing blogs, etc. and have come right back without really paying attention to the other side of the balance.
So, as I sit here drinking my second cup of coffee, eyes darting to the Twitter tab I’ll probably click on as soon as I publish this post, I don’t have much of a solution for you. Leave the social media sites that have no positive impact on your life, and be more introspective about your relationship with technology. Fight for strong encryption and data regulation policies to try to erode the dark money behind the screens, maybe read some of the books I’ve linked to in this post. We should all click with more caution.
— I’ve started a weekly newsletter! If you want updates on this blog or my research, or just a weekly dose of the going’s on in information security and threat intelligence, you can subscribe here. —
I grew up in a teacher’s family. This had a profound impact on my childhood and my education, especially, in almost exclusively positive ways. If you had asked elementary-middle school me if I liked doing summer school with my mom and summer reading lists to complete by the beginning of the first semester of classes, I would have answered with a resounding no. Now, though, I have the benefit of hindsight, and I know how important those practices were to my education.
I also developed a resounding respect for teachers and their place in society. I recently watched an interview with James Simons where he said he believed that one of the reasons the US education system is so jacked up is that, relative to other countries, we as a society don’t respect teachers enough. They don’t have the place in society that they deserve as the teachers of the next generation. I completely agree with that assessment, and I think we would go a long way if we rewarded teachers with the respect and societal position they deserve, as well as a meaningful pay bump across the board.
Over the last several years, I’ve had the opportunity to teach in different ways. In college, I helped a lot of my peers with software development studies, usually in exchange for them helping me with math or physics. Afterwards, I started live-streaming my studies and research on Twitch, usually pertaining to subjects like malware development and reverse engineering, offensive security and things like that. Now, I’m developing a formal course on Udemy for scraper development (subscribe to my newsletter for updates and a discount code once it goes live!) and I’m teaching kids how to code in Scratch and Python. Teaching, for me, has been an incredibly rewarding experience. I’ve always taken the stance of learning by teaching.
What is learning by teaching?
Learning by teaching is a common, well-researched mode of learning in the classroom that encourages students to learn a subject matter and then teach it to others, either by preparing presentations to show the teachers and students or in tutoring their classmates. The idea is that you learn the skill yourself to a point that you can start teaching a layman, and the questions the layman asks or the concepts that come up during tutoring end up bettering the understanding for both the tutor and the person being tutored.
I started learning how to code in high school, at first by sitting next to a classmate that taught me what coding was, and then by researching it myself at home and during class. By the time I made it to college, I’d taught myself roughly 75% of the 4 years of curriculum in college, a fact that makes the amount of money I spent going to college all the more painful… However, one of the ways I did benefit from college was in tutoring my classmates and working through problems together.
There were and still are some things that are just intuitive to me about coding. Like, in the beginning, recursion just made sense to me. I didn’t really have to whiteboard it a ton, I just did a couple of examples and it just clicked I guess. I didn’t truly understand the idea of recursion, it was just something that clicked intuitively. What made it truly make sense, the thing that made me understand it from a base level and truly understand how to apply it, was when I started tutoring classmates on recursion and explaining it on the whiteboard. I realized that, while it clicked, I didn’t really understand how and why it works, or how to apply it, until I started walking others through it. Object-oriented programming principles were the exact same way for me.
Further application of learning by teaching
After college, I went on to start in the information security field as an analyst, and boy I had a lot to learn. There was only one infosec course in my college curriculum, and it was… limited. It ran through the basics of the OWASP top 10 vulnerabilities, taught the very basics of SQL injection and cross-site scripting, and had a very basic CTF at the end. So, I entered the infosec field with very little formal, foundational knowledge of security, essentially just what I’d taught myself.
I started livestreaming on Twitch partially as an alternative revenue stream (I actually did alright, all things considered) and partially to livestream my journey in learning security concepts. I did streams on CTF’s, malware reverse engineering and development, exploit research, etc. I can honestly say I’m not great at most of the aforementioned concepts, but it was a cool environment to learn in and I think I learned a lot more by focusing on teaching the audience, most of which new more than I did, than by just learning on my own. The reasoning was that I might understand the foundational, basic levels of a topic like buffer overflows or a specific C++ syntax quirk, but I’d truly understand it if I could explain it out loud, even if the first couple goes at that were just me saying the wrong things.
This is a method I’ve seen Thomas Randall, a game development YouTuber I’ve followed for a while, use in his livestreams. He literally reads over pages and pages of docs for a specific technology or concept, explaining it to dozens or hundreds of viewers while he studies, live on Twitch, and pairs down that experience for YouTube videos. Michael Reeves has done the same things in some of his livestreams of developing robots, flying drones and babies with lasers in their eyes. It’s a fairly common concept now, and I’ve found a lot of value in it.
Most recently, I’ve had a lot of experience in learning by teaching. I teach several classes of kids every week how to code in Scratch (a visual programming language geared toward younger kids with no coding experience) and Python, and just about every time I teach a class, a kid shows me a different way to code something or asks me a question that forces me to think about programming differently. A lot of times, it’s having a fresh set of nooby eyes to look at something and ask questions that you’d never ask yourself. For the Scratch classes, sometimes the kids just have worked with Scratch way longer than I have and show me a better way of doing something in that language. I might be the teacher, formally, but I pick up a ton from those kids every time I teach a class.
For the Udemy class I’m developing on scrapers and spiders, I’ve realized that some of my development flows are overly convoluted or inefficient by forcing myself to write out those processes in a script. I’ll write the code, then write the script explaining the code, and think to myself “wait, why do I do it this way?” The act of explaining, of walking someone else through my own processes, actually refines those processes by default. It’s been incredibly helpful for me.
Teach more to learn more
I recommend everyone use this approach more often. You pass knowledge on to other people and you gain tons of knowledge for yourself. It also goes a long way in combatting imposter syndrome by getting you out of your head and showing you that you do have things that you can teach people. You can be talking to an absolute expert in the field you’re talking about and they still might gain something from it.
Learning by teaching creates a more collaborative world, one where we can all work together and combine our years of experience in different aspects of similar fields to build and break some awesome stuff in awesome ways. I’ve gained a lot from it, and I plan on continuing to use it wherever I can to benefit myself and others.
— I’ve started a weekly newsletter! If you want updates on this blog or my research, or just a weekly dose of the going’s on in information security and threat intelligence, you can subscribe here. —
I’ve long held that the vast majority of responsibility for securing our networks lies on the software developer, and default configurations are a fantastic example of how we keep screwing up.
Microsoft is in the news for a security lapse yet again as an insecure default configuration lead to the exposure of up to 38 million sensitive records, including vaccination appointments and status, social security data, emails and names. The vulnerability existed in the Microsoft Power App, a low-code application that gives users with little development and technical chops to create data-farming web applications.
I’m… genuinely at a loss on this one. Insecure configurations are a plague on the software development industry, but a titan of the software industry like Microsoft should know better, especially when developing a product that is explicitly marketed toward users with limited technical knowledge, who are likely more focused on deploying than deploying securely, and who likely don’t know to, don’t know how to or don’t know to research how to deploy with non-standard configurations.
Just last week we saw research by Nicole Fishbein and Ryan Robinson of Intezer reveal that Apache Airflow instances leaked thousands of sensitive credentials. The research reveals that the most common reason for said credential leaks was, you guessed it, insecure coding practices, including configurations exposed to the internet, hardcoded passwords left within easily accessible config files and code injection vulnerabilities in easily accessible Airflow variables. We’re not talking about galaxy brain, hardened targets with complex exploitation chains here, we’re talking about incredibly stupid coding errors that lead to vulnerabilities that are trivial to exploit by just about anyone with an internet connection.
Yes, users need to do better about reading documentation, about researching how to securely deploy software, but the onus of responsibility is on software developers to develop secure-by-default software that balances availability and accessibility with security. Security starts with software, and we as developers have to do better at securing our products instead of hoping users are going to do our jobs for us. I understand that coding is hard and secure coding is incredibly difficult, but we at least need to start doing the bare minimum, to set minimum standards for secure, default configurations to keep the easy vulnerabilities out of our code.
This isn’t the internet of the 90’s. We don’t have any excuse to play fast and loose with security. It’s time to start doing the bare minimum to secure the web.
— I’m not active on Twitter anymore, for reasons I talk about in this blog post, but you can follow me on my Twitter page for new blog posts and announcements.
— I’ve started a weekly newsletter! If you want updates on this blog or my research, or just a weekly dose of the going’s on in information security and threat intelligence, you can subscribe here. —
The Far Right is absolutely obsessed with martyrdom.
This week, we got another glimpse of this obsession with Trump’s commemoration of Ashli Babbit’s birthday. After the last five or so years, I’ve built up a sort of emotional callous to shock that usually protects me from the sort of almost daily, bordering on parodical political circus act that the American political non-system has become, but seeing this particular news gave me chills.
The Business Insider article details a Texas rally dubbed the “Texas Loves Ashli Babbitt” in which Trump, depicted in a pre-recorded video interview, calls for justice for Babbitt’s death, before Babbitt’s mother says, quote, “They squashed the movement that day… They killed my daughter and they jailed patriots, and they said ‘look what happens when you question us’… Fuck off and die, Nancy Pelosi.” Babbitt, whose death is being mourned by the former president who, for all intents and purposes, called her there, died after a Capitol Police officer shot her as she attempted to enter a door that lead to the House of Representatives on January 6th, 2021.
Former president Trump said “Together, we grieve her terrible loss… There was no reason Ashli should’ve lost her life that day. We must all demand justice for Ashli and her family. So on this solemn occasion, as we celebrate her life, we renew our call for a fair and nonpartisan investigation into the death of Ashli Babbitt.” Notably, there was a Department of Justice investigation, as well as investigation by the Capitol Police, both of which exonerated the officer that shot and killed Ashli Babbitt as she stood at the front of a mob that injured and killed multiple officers over the course of a single day. The mob that she had joined was one that explicitly called for the execution of politicians on multiple occasions throughout the day. So when she attempted to climb through a broken glass window to approach elected representatives, there was very good reason to believe that she, and the mob of insurrectionists behind her, were out for blood. Especially when accompanied by pictures like this.
We can whine all day about the hypocrisy of the right, or the dangers of martyring insurrectionists. Instead, I want to talk about the theme of martyrdom in the far right and its implications throughout the movement. Notably, the far right isn’t monolithic: it ranges from the benign fiscal and social conservatives who just believe that the market should remain relatively unregulated and that progressive agendas shouldn’t influence politics the way they are (perceptually) doing now, to the neo-fascist accelerationist Boogaloo adherents who believe in an increasingly violent mode of fascist insurrection against what they perceive as a totalitarian, anti-white government. There are right wingers to the left and to the right of those two poles, and many, many in between. However, it can sometimes be helpful to generalize the far right to view thematic elements that hold in the very general sense. So, understand that when I say “the far right” I mean it in the general sense, applied to a wide range of individuals, and when I am instead speaking about a more niche section of the far right, I will do my best to explicitly say so.
The Silly Martyrdom: The Myth of Christian Oppression and Genocide
Growing up in an extremely conservative, southern baptist church, you would think that much of the Christian world was being treated like the tiny minorities in Chinese underground churches were, or the Yazidi Christians in ISIS-held territories in the Middle East were. According to an endless stream of preachers, speakers, radio hosts, politicians, family members, youth pastors, and friends, Christians were among the most oppressed groups, constantly in an ongoing war, whether spiritual, emotional or physical, with enemies that run the faux-oppressive gamut: pornography and philandering women on every webpage and every corner, assaulting us with their omnipresent temptation and lustful gaze, totalitarian states constantly threatening to imprison the upright and moral Christian for their beliefs, extremists beheading Christians by the hundreds on a daily basis in mass genocides that the mainstream media is too woke to cover.
The true story, obviously, is quite different from the terror spread from the pulpit. Christians face oppression in totalitarian states and faced horrors unknown and unknowable by the average person in the West in ISIS-held territories over the last few years, but to say that this sort of violent oppression is even remotely typical of one of the most widespread religious beliefs in the world, one whose adherents hold most political offices in most established western countries across Europe, one whose sect in the Catholic Church is the most powerful religious political structures in the world, is, frankly, offensive to those who are facing systemic, violent oppression for their religious beliefs and identities. The obviously rampant misogynistic characterization of women taking ownership of their bodies in the form of their dress or decisions to enter into consensual sex work doesn’t even merit a response here, either.
The religious right, frankly, needs to be embattled. They need to be martyred like the Christ of their cross. It keeps the rapt attention of the drooling masses on the central figure in the pulpit, and not on their hundreds of millions of dollars of accrued wealth, built on the backs of the gullible tither who believes their hard-earned dollar will go to fund the next crusade against Obama’s gun-snatching Jade Helm brownshirts that haunt their every nightmare.
Martyrdom is a central theme to certain parts of modern Christianity, but instead of focusing on actual martyrs, biblical figures like Timothy or the brave (but, likely, overly brown) Yazidis who faced ISIS in Northern Iraq, they must make martyrs of every man on Main Street. Men are facing unparalleled horrors in the modern world, societal terrors not known in many centuries. These terrors aren’t a growing opioid epidemic, a shrinking middle class, the global rise of fascism or unending wars that have wiped out thousands of men and women across two decades with very little to show for it. Instead, modern men (and it’s always men having to face the evils of the world, not women, after all) must face the horrors of an empowered female and non-binary gender, growing recognition of the rights of previously marginalized classes and races, the growing and constant threat of Obama’s socialist takeover, the threat of the death of Christianity as an organized religion, which has nothing to do with the religion itself, after all, and has everything to do with The War on Christmas, and, most importantly, the great demographic shift.
What, you thought we weren’t going to touch on race here?
At least in the church I grew up in, the race issue was more or less clumsily danced around by the newest pious preacher of the pulpit. Speaking to an audience that, most Sundays and Wednesdays, was exclusively white and almost exclusively middle or upper-middle class, despite attending a church in the poorest and blackest part of our town, the preacher usually spoke of invasions of an unknown and unseen enemy, one whose culture is outright incompatible with a good, Christian country such as ours. The rhetoric often increased in volume and frequency in (surely coincidental) parallel to the rise of the Tea Party and other neoconservative groups and peaked during the Obama era. They spoke of the need for bravery in the face of a growing secular world whose values born of a life in sin and against the Christian God threatened to overthrow the natural order of things, where Christians are somehow simultaneously under threat and oppressed while also living in a “Christian nation” founded by Christian founders, despite many of the founders being more or less devout atheists and despite many of them believing in a strong divide between the church and the state.
Frankly, The Mysterious Other was an incredibly thin mask over a supposedly invading Central and South American refugee population, which was also supposedly a guise for an invading army of cartel members, gang bangers and terrorists, as well as a growing non-white demographic and a growing trend toward secularism. The martyrdom sought by many of the preachers in those days and into today was a martyrdom of a holy race war variety, one who seeks to do battle with the mysterious (and mostly brown) enemy, though if you choose not to read between the lines, this battle was to be fought primarily in the religious domain. Religious extremists didn’t care to entertain the dog whistling, though, as they attacked abortion clinics and physicians, innocent Muslim (or vaguely Arabic-looking) pedestrians and supposedly anti-Christian politicians and celebrities.
You don’t have to snicker silently about the obvious irony that the sect that constantly fanned the flames of xenophobic fear of hyperconservative Islamic Sharia law seeking to murder, enslave and oppress Christians were, themselves, obsessed with the idea of martyrdom, by the way. There are some ways that all religious extremists are the same.
Social Media Martyrdom and the Myth of the Embattled Right Wing Ecosystem
We could only wish…
None of us are strangers to the incessant argument that figures on the right are constantly being targeted for “shadow banning,” suspension and outright termination online. It didn’t matter that Trump spent a year of his campaign and four years in office consistently threatening and supporting political violence using Facebook and Twitter, only being deplatformed after the insurrection on the 6th: if the far right was the Messiah sent to rid the world of the leftist-controlled social media ecosystem, then Twitter suspensions would be the cross they bare.
From Marjorie Taylor Greene’s suspension from Twitter to Trump’s final, almost merciful banning from Facebook and Twitter, the far right is emblematic of the stick-in-bicycle-spoke meme. They spread mis-/disinformation, threaten violence, dox leftists and spread hate and bigotry and then whine incessantly at the eventual suspension or ban, throwing up their hands as if to say “see what I’m talking about? This is oppression!” Somehow, the marvels of the free market only extend to businesses that actively enable violence, harassment, and the spread of misinformation and stop short the second a wingnut is censored. If a Twitter suspension is the cross of the far right martyr, they very frequently nail themselves to it and beg for the sword of a Twitter timeout to be thrust between their ribs.
The list of martyrs flows long in this sector, and it doesn’t just include mainstream voices on mainstream platforms. The near full disappearance of Alex Jones from the face of the web after he was censored into oblivion for spreading conspiracies that included the Sandy Hook Hoax conspiracy, Obama birtherism conspiracies, rumors of satanic cabals that included the Clintons worshipping Moloch and sacrificing babies on an island full of the elite is still, even years after Jones’ online presence took a nose dive, frequently discussed in some right wing circles. Still more include Laura Loomer, the infamous attempted politician whose platform almost solely consists of Islamophobia, suspended from Twitter for, you guessed it, Islamophobia, and Proud Boys founder Gavin McInnes, who was suspended from YouTube for glorifying violence, a charge so laughably fitting that it makes one wonder how he was able to build up an audience in the millions in the first place.
It’s unbelievably petty, yes, but the constant virtue signaling surrounding the censorship of blatantly dangerous speech on private social media platforms is an important rallying cry for the right. Trump knows that he massively screwed up in hamstringing his greatest PR podiums in Facebook and Twitter after the 6th. He had a free platform to issue a press release from the toilet, something he very likely did, and he blew that in an almost comical way.
A Darker Martyrdom
The cover of the bible of the racist right
If one were to take a hard right turn from the aforementioned social media martyrdom frequently trumpeted by the far right and drive to a much darker corner of the movement, one would eventually arrive at compound in West Virginia that housed what might be modern America’s most hateful individual. William Luther Pierce was the author of what has been called “the bible of the racist right,” more formally known as The Turner Diaries.
I’m not going to devote as much space to The Turner Diaries as the tome deserves. It is, genuinely, one of the foremost works in the darkest, most violent and most well-read and philosophically adherent parts of the far right. It has been described as a literal how-to book on a genocidal, fascistic and white supremacist takeover of the national government. The conspiracy theories run the gamut, placing as the antagonist a global order of malicious, explicitly Jewish cabal that runs everything from the media to the military. The book is filled to the brim with violent rape fantasy, genocide, lynchings, race murders, terror plots with extremely specific and vivid detail and explicitly white supremacist, fascistic ideology that could only have been born of the ideological and formal founder of the National Alliance. If you need any more reference, it was also a book preferred by Timothy McVeigh and quite a few members of the Atomwaffen Division, a white supremacist accelerationist terrorist group that has actually claimed the lives of five people, including two members of the terrorist group.
The bible of the racist right is also full of themes of martyrdom.
Main thematic elements include the classic, fascistic trope of The Great Replacement, an idea recently echoed by Tucker Carlson, that there is an ongoing, sometimes intentional, replacement of whites in America and internationally with non-white persons of color. This is a critical element of far right martyrdom; The Great Replacement makes a martyr of any person willing to commit mass violence to reverse the supposed trend of disposition and oppression of white people across the nation and the globe.
Great Replacement Themes are present throughout the entirety of The Turner Diaries and are accompanied by more direct appeals to martyrdom, including the insistence of the protagonist and the racist army that they fight for that soldiers in the great race war need to be ready to die for the cause as it will bring about a resurgence of the white race and a new, clean world, devoid of leftists, people of color, LGBTQ persons and those with physical or mental disabilities. The plot presupposes the idea that this is a zero sum game: the white race takes over, or it disappears. This makes martyrdom a requirement, a prerequisite for being a genuine aryan.
The main character is at one point captured by “the enemy” and decides to undergo torture instead of taking the cyanide capsule that every soldier is given in case they are captured. Upon escaping, he is reprimanded by those in charge and is ordered to explicitly make a martyr of himself by engaging in a series of suicide missions against the enemy. These missions, including nuclear attacks against strongholds of the enemy and the outbreak of a more general nuclear war that sees Tel Aviv bombed into oblivion, make the main character a hero in the eyes of the eventually victorious white nationalist nation, a martyr in the great last race war.
Right Wing Martyrs Abound, Even Outside of Literature
An example of a meme commemorating the death of Duncan Lemp, the Boogaloo movement’s darling martyr
Finally, we arrive at the death of Ashli Babitt, after, admittedly, skipping many historical right wing martyrs in both literature and recent and past history. Ashli joins a growing list of martyrs held up by those across the spectrum of the far right as heroes, including Duncan Lemp, a self-titled member of the Boogaloo movement, whose name is spoken with honor and reverence for dying in a gun fight with law enforcement, and even Derek Chauvin, who adherents to the Blue Lives Matter flavor of the far right believe was set up as a fall-guy for an increasingly radically progressive political environment, as well as Kyle Rittenhouse who is viewed in a similar light to Chauvin as a protector of modern society from the savages on the left.
Trump is a martyr for losing the election, Alex Jones a martyr for being censored into irrelevance, Jusice Kavanaugh a martyr for being accused of rape, Trump again for being accused of rape, Jim Jordan for… being accused of covering up systemic rape.
Are you seeing some themes here?
The far right is beset on all sides by villains known and unknown seeking to remove them from the discussion and from power. With every scandal, there is a new martyr, a new cross-bearing Messiah screaming “forgive them, for they know not what they do” as they march through jeering crowds toward yet another torturous Twitter timeout. It would be humorous, if it didn’t work.
Andy Ngo, more aptly known as Milkshake Andy, has made significant sums of money after garnering massive amounts of attention for being beaten after being outed as a far right provocateur. It wasn’t enough to be beaten, he had to feign a brain injury and go on a national media tour exaggerating the extent of his relatively minor injuries. This lead to book deals and significant attention to The Post Millenial where he serves as the editor-at-large. Ngo’s entire schtick is serving as the constant martyr, the villified target of ridicule, assault and milk shakes.
Where to Go From Here
Milkshake Andy sporting gruesome injuries from his dairy-based assault
Frankly, the strategy of constant martyrdom is a good one. It frequently leads to advantageous media covereage, even only from right wing outlets like Fox and outlets that don’t (but likely should) know better. It gives a wide base a central pillar to gather around, leading to further opportunities to radicalize more centrist or peaceful members of the right. Victimhood is a fantastic motivator: if you think you are constantly beset by threats and forces far stronger than you, you are likely to stick with the pack for protection, and you’re very likely to fight back with force equivalent or greater than the perceived force brought to bare against you. It’s a good approach, and one that the far right has gotten fairly good at.
We do have several methods of fighting this strategy, however. To begin with, stop inviting provocateur’s like Milkshake Andy onto national and international news networks. Contrary to apparently popular belief, you don’t have to present every side equally. People who quite literally coordinated with the far right’s idiot attempt at modern brownshirts, also known as the Proud Boys, don’t need a massive platform to whine their victimhood. The less we intentionally or unintentionally amplify the constant victimhood, the better. The far right media is good enough at amplifying what they need to without our help.
Furthermore, call out nonsense. Every time you hear someone decrying the partisan nature of the DoJ’s investigation into the killing of Ashli Babitt, call the person out, loudly and firmly, politely if you can. Present facts and don’t let the conspiracy of martyrdom spread in your social circles. Stamp out the seeds of a political philosophy with a high potential for growing into fascism, even if only in your relatively small social circle. When you see a doctored video, don’t spread it. Prove that it was doctored to show a story that isn’t representative of reality.
We can’t stop the strategy of martyrdom in the far right, but we can do our part in slowing its spread and curtailing its effectiveness. It doesn’t take long for one’s pity for a far right provocateur’s banning from Twitter to turn into a more hateful longing to serve as a martyr themselves in a much more literal and violent sense. Do not let Ashli Babbit become the next Duncan Lemp or Earl Turner.
— I’m not active on Twitter anymore, for reasons I talk about in this blog post, but you can follow me on my Twitter page for new blog posts and announcements.
Obsidian: A Productivity App from the Threat Intelligence Gods
Introducing Obsidian: A Gift from the Threat Intelligence Gods
— I’ve started a weekly newsletter! If you want updates on this blog or my research, or just a weekly dose of the going’s on in information security and threat intelligence, you can subscribe here. —
I’ve been on a productivity kick recently.
I know, weird start to a blog about threat intelligence, but it’ll all come full circle in a second, just bear with me.
I did all of the typical things that come with a productivity kick, and right now I can just hear the optimistic part of my brain saying “Noooo, this time it will be different!” It might be! I did the trip to the Productivity Mecca in reading Atomic Habits (affiliate link) and Deep Work (affiliate link) and changed quite a few things around to help out with setting and destroying some habits I’ve been meaning to change for a while. Those two books were actually extremely helpful in changing some habits and rewiring my brain to think about work and productivity differently, but that’s probably not the reason you’re reading this blog, so I’ll shut up after telling you to go read those books if you haven’t already.
Part of this “productivity journey” let me find the “second brain” philosophy. Essentially, the idea is that we should use technology for all of the things that technology is good at, and our brains for all of the things that our brains are good at. Computers are great at remembering things, analyzing large volumes of data, visualizing graphs, and repeating automated tasks very quickly. Our brains are really good at analysis of the “intelligence” variety, coming up with ingenious, unique ideas from scratch, writing blogs (well, some of our brains, at least, maybe not my own) and creating analytical works based on data analyzed by computers. The “second brain” is a way of offloading ideas created by the brain, as well as raw data that may be usable in the future, into a place where it can be stored, backed up, and analyzed by all of the features and mechanisms that make computers helpful for humans.
During this period, I came across the PARA Method, detailed in this blog by Tiago Forte, its creator. The idea, put very simply, is to organize your thoughts, files, projects and digital life around Projects, Areas, Resources and Archives. Projects are tasks with due dates: intelligence reports you’re working on, investigations or incidents that you’re looking into, financial goals with specific end times, etc. Areas are defined as running projects, essentially: things that you’re going to constantly be working on long-term, so things like continued development, financial freedom, fitness, areas of study like Math, and work-related subjects that you’ll be studying long term, such as specific threat actors or geopolitical areas. Resources are references that support your Projects and Areas, so individual reports, videos, podcasts, or self-made notes based on what you saw.
Now, all of this sounds like a quirky and troublesome method of tracking your life. It took me a fair week or two to get a lot of my more mission-critical research transferred over to this system, and I’m still moving a lot of my right wing extremist research over. However, the real value of the PARA Method comes when you pair it with a smart note-taking app like Obsidian.
An example graph of my Far-Right research alongside my Russia-related research
Introducing Obsidian: Linked Smart-Note Taking
Obsidian is a smart-note app. It allows you to record and display notes in Markdown just like many other, similar apps, but its power comes in its backlink feature. I can link disparate notes together into webs of linked ideas, all organized under the PARA Method. So, for example, I have a folder under ‘Areas’ called ‘Russia’. In that folder, I have sub-folders, say ‘GRU’, ‘FSB’, ‘Notable Politicians’, etc. that are all potentially interesting subjects to study over time. When something like the recent treasury sanctions occur that implicate the GRU and a couple of private businesses, I save a copy of that sanction document and link together that copy with the notes that I have on the private businesses, the GRU and the units that were implicated.
Over time, you can open your master-note on the GRU and have a central document on the GRU that is linked to all of the sources and references you’ve used over time. You can then link other entities, such as Fancy Bear, to the GRU and include references that tie the two together linked to both the Fancy Bear note and the GRU note.
An example graph containing information pertaining to the GRU
This translates into an easily searchable repository of entities (usually tracked in the ‘Areas’ section in the PARA Method) and references (tracked in the ‘Resources’ section in the PARA Method) that link to one or more entities. It also leads to some pretty incredible looking graphs that you can use for link analysis, or just making you feel highly productive as you stare at your beautiful, aesthetic creations.
It lends itself extremely well to automation as well. Markdown, to me, is a great medium between aesthetic readability and parseability: using a simple syntax, you can make readable notes with linked images that can also be parsed and created by automation very easily. I created a simple Python script that parses for IOC’s within a note (think a threat intel blog copy/pasted from a vendor site) and creates individual files per each IOC with associated metadata.
An example IOC file related to Gamaredon
These IOC files are then tied to the individual report, which you can then associate with individual threat actors with further, trivial automation. The IOC extraction script took me… maybe 15 minutes to write, and can benefit from all the power available to Python, such as regex, third-party API integrations, etc. You can literally write a script that extracts IP addresses from a report, automatically look up their WHOIS information, ping the IP using proxies to check if they’re alive, and look them up in Shodan, then dump all of that information into an IOC file or files and associate the individual pivots together and integrate it with Obsidian’s graphing functions incredibly easily.
So, with Obsidian, you can integrate in-depth analysis in IR notes, third-party vendor reports from OSINT or private sources, write automation layers on top of it for automatic or semi-automatic enrichment, and have all of that in one easy-to-use interface, while benefiting from a built-in graphing interface that you can navigate with ease. The organizational methodology is file-system based, so if you don’t like the PARA Method, you can use your own. The interface also has some great hotkeys built in that allow you to make use of templates, so if you want to manually create, say, an entry for a third-party vendor report, you can easily create a template that you can insert with a couple of keystrokes.
Conclusion
My workflow has massively benefited from Obsidian. I can keep my rich text notes with analysis I write myself alongside raw data and third-party vendor and application reports all in one place, with custom automation available with a pretty trivial amount of effort. Obsidian may have been designed for academics in mind, but its power and capabilities lend themselves very well to the average threat intelligence analyst and researcher. I highly recommend checking it out, watching some videos on it and implementing it in your everyday threat intelligence workflow.
By way of disclaimer, I’m not in any way affiliated with Obsidian. I don’t even really know who makes it. I genuinely love the software and have enjoyed the insights and capabilities it gives me as a researcher.
— I’m not active on Twitter anymore, for reasons I talk about in this blog post, but you can follow me on my Twitter page for new blog posts and announcements.
— I’ve started a weekly newsletter! If you want updates on this blog or my research, or just a weekly dose of the going’s on in information security and threat intelligence, you can subscribe here. —
I was digging through the recent indictment of political operatives Jesse Benton and Doug Wead today on my lunch break, as one does on a Friday with the ever-rare perfect Mississippi weather, and grew increasingly annoyed at the objects that were frequently censored by DoJ indictments. Like, I know there’s a legal reason they have to do things this way, but filling a public indictment with Company A, Company B, Company C, Political Committee A, Political Committee B, Political Committee C… it’s exhausting. Just give me the facts, dammit!
The obviously juicy bit of information is “who is Foreign National 1?” Who is the person who contributed $100,000 to Benton and Wead, just for $25,000 of it to make it into the 2016 campaign and the rest to be pocketed by the perps? Honestly, I set out to find that information, but I had one lunch break to go at it before I had to get back to work, so I opened up Google and got to working.
Base Facts
Foreign National 1 (we’re just going to call him The Russian) wired money from his bank account in Vienna, Austria to a company owned by Jesse Benton, who made the contributions to Political Committee C (PC-C) via a fundraising event in Philly on September 22, 2016. Evidently, there was some delay in the money making it to PC-C, and Benton ended up just paying on his credit card (wow, to have a limit high enough to say “eh, screw it, I’ll just put this $25,000 contribution on a credit card”) and the funds were received on or around October 10, 2016. Also, oddly, there was a typo that lead to the contribution being made by “Jesse Bentor” which… is kind of random.
So, we have The Event in Philly, a $25,000 contribution made around October 10 to PC-C via a Jesse Bentor, and one Doug Wead, who apparently is some sort of business associate with The Russian. The money made it to Benton via a wire to Benton’s business from an account in Vienna, Austria.
Now to Google we go!
Enumerating Starting Points
As mentioned by the indictment, the FEC has to publicize all donations made to federal political campaigns. So, we can pop right over to the FEC website and search for contributions made during the 2015-2016 time period by a Jesse Benton OR Jesse Bentor. Hit search and… We’ve got the name of PC-C, the well-known Trump Victory fundraising committee.
The transaction is dated October 27, 2016, which roughly fits the timeline that we’re working with since the contributions were delayed.
Now, we pop on over to the Trump Victory website to confirm some stuff. The indictment left some information in about the fine print that you see when you contribute.
From the text of the indictment
“Contributions to [Political Committee C] are not tax deductible and will be used in connection with federal elections. Federal law requires us to use best efforts to collect and report contributors’ names, mailing addresses, occupations and employers…Contributions from individuals (multicandidate PACs in parentheses) shall be allocated sequentially to the following formula: $2,700 ($5,000) to [Political Committee A]; $33,400 ($15,000) to [Political Committee B].”
Now, why does this matter? Well, we’ve found PC-C. If we can locate the quoted text, we might be able to unveil Political Committee A (PC-A) and Political Committee B (PC-B). Sure enough, pop on over to the Trump Victory website, and you’ll find the fine text with at least very similar amounts:
“Contributions from individuals (multicandidate PACs in parentheses) will be allocated sequentially according to the following formula: (i) $2,800 ($5,000) to DJTP primary election account; (ii) $2,800 ($5,000) to DJTP general election account; (iii) $35,500 ($15,000) to the RNC Operating account; (iv) $106,500 ($45,000) to the RNC Headquarters account; (v) $106,500 ($45,000) to the RNC Legal Proceedings account; (vi) $10,000 ($5,000) to Ohio Republican Party State Central & Executive Committee; (vii) $10,000 ($5,000) to Republican Party of Florida; (viii) $10,000 ($5,000)”
By observing the similar amounts, we can ascertain that PC-A is either the DJPT general or DJPT primary election committee and PC-B is the RNC.
Now, in the indictment, we find that The Russian wanted to attend a certain political fundraising event in Philly on September 22, 2016. Luckily, or perhaps unluckily, the media had a conniption every time Trump so much as sneezed, so his travel record was well recorded. On this site we find that Trump had three events on that day in Philly: a speaking event, a fundraising event, and a rally. The fundraising event is the likely event of interest: it was held in an upscale club called the Duquesne Club in Philly. Notably, this particular event was very heavily protested. Now, this seemed to be a more or less closed door event, and most of the media attention was paid to the protests outside of the event, so I couldn’t find footage or pictures of the goings on on the inside… but this is likely where an unknown Russian national got a photo op with soon-to-be president Donald Trump after using American political operatives to illegally donate to his campaign and gain access to his presence on that day.
So, just by some simple Google searching, we’ve found all three of the censored political committees from the indictment, as well as the likely event The Russian attended. These can serve as incredibly valuable jumping off points for further research. What else can we find?
Well, by searching for businesses owned or operated by Doug Wead, we find that a company that he is the president of, and likely the Company B from the indictment, is Wead Enterprises, Ltd. The indictment mentions that The Russian is a business associate of Wead’s:
so chances are, he had some sort of formal or informal relationship with this business.
Scarily, we can also find Doug Wead’s home address in public business filings. I won’t post the location of the home, because that just sounds like trouble, but it sold last month for just over $1.1M and is a whopping 8300 square feet… sheesh.
In Conclusion… OSINT is Rad.
We didn’t find the identity of The Russian, listed as Foreign National 1 in the indictment. We found a series of solid jumping off points, including the fundraising event that The Russian attended to get a photo op with Trump, the company The Russian is likely associated with, and the political committee that Benton et al. donated to. This was genuinely all done over a lunch break in my back yard with some Google searching and my dumb brain.
I didn’t have special access and I didn’t have to reach out to anybody. As people working for Bellingcat have shown, time and time again, some brainpower and Google searching can do some incredible things. So, if your mind is itching to know more details, go out and search yourself.
— I’m not active on Twitter anymore, for reasons I talk about in this blog post, but you can follow me on my Twitter page for new blog posts and announcements.
It was 2014. I was finally nearing the end of my undergraduate computer science coursework, which meant the oft-dreaded senior project. My university was notorious for softballing the senior project assignments, requiring a very loose academic write-up and oral presentation of a very open-ended project assignment, watched over by a usually unenthusiastic advisor board and equally unenthusiastic graduates-to-be.
This was… hardly a fraught, terse and professional thesis defense, and I’d been looking forward to this project for quite some time. Most of the coursework over the past 4 years had been incredibly mundane and hardly real-world applicable, so I was looking forward to being able to show off my work in a more practical manner.
I’d fallen (literally) one hour short of a degree in Mandarin Chinese, a slight that had left a bitter taste in my mouth considering how much work I’d put into the program. The program itself was more or less designed to put students in that position if they chose not to travel abroad for a year after graduation, but that’s a rant for another time… The point was, I wanted to some of that hard work I’d put into my language studies to do something cool, something of merit, in my senior project.
So, the Hacking the Great Firewall project was born. My fellow classmates and I had put a fair bit of use into a specific Chinese social media site during my Mandarin coursework, and it seemed a good place to apply my language and development skills. Zhihu is essentially a social media site combined with Yahoo Answers, a place where conversations began with questions on all sorts of topics, including social issues, computer science, anime series and art. As with all things, I’d noticed a suspicious lack of conversation surrounding certain topics, and the discussion of censorship had come up from time to time throughout my coursework, usually to the chagrin of the professors, who often tried to keep things relatively non-political in the classroom.
My plan was, at first, pretty simple: develop a platform that can scrape, search and spider the Zhihu social media sites, starting from “root” nodes of topics I thought would likely be censored, as well as a sort of “control group” of likely benign, mostly uncensored topics. Root nodes of likely controversial topics included the politics sections, the section on foreign affairs and American politics, the section on social issues, etc. Control group topics were ones about popular Chinese soap operas and sports events and such.
The output of the project: a list of censored topics, such as the high rate of suicides in academic settings in China, political subjects surrounding freedom of speech and foreign affairs topics.
This blog post, though, isn’t about that output… It’s about the time I spent developing the scrapers themselves, and the empathy it gave me toward an unlikely demographic in my current work: foreign hackers and online criminal groups.
An introduction to scraping
I’m currently developing a course on scraper and spider development, and one of the topics I’m covering is common problems in scraper development. Most specifically, certain kinds of scrapers can be incredibly fragile: one simple change to a site can break the scraper.
Web page scrapers are relatively simple: they pull down raw pages of HTML and parse them, looking for the data that interests the developer. If I have a simple web page that just has an H1 tag and an H3 tag that contains, say, stock price data, I make a request to the page and pull out whatever data is in the H3 tag. The problem, then, comes if the developers decide to change the H3 to an H1 tag. If I’m looking for a tag with a certain class name, say “stonkprice”, and the developer changes the class name to “stonkPrice” with a capital letter, my scraper will possibly break since it doesn’t find what it’s looking for.
This can be exceedingly frustrating, even without the developer of the site changing anything. You have to develop a parser to be more resilient, which means programming error checks and constantly playing whack-a-mole with edge cases. In some circumstances, the site maintainer may change larger site design layouts, changing the web design schema to put certain pages in different places than what they had initially, leading to… more whack-a-mole.
Sometimes, though, you get to deal with the most fun (read: frustrating) site administrators that are actively trying to keep you from scraping their site. This is what I dealt with in Zhihu, and they had some interesting ways to make my life more difficult. They created, whether automatically or manually, a series of hurdles as my days scraping the site turned into weeks: CAPTCHAs, random timeouts, user-agent detection and blocking, locking random content behind user registration requirements, IP blocking, etc. I had to spend more time building in functions to create random timeouts and user-agents, scrape sites that offered free, open web proxies, creating new user accounts that would just get banned in a few days, and finding ways around the always annoying CAPTCHAs. I could have written an entire paper just on ways to evade scraper detection, but my university advisors were already getting somewhat nervous about the fact that I was majorly pissing off site admins on the other side of the world, so I kept those details relatively scarce.
I had to constantly change the design of my scrapers to evade detection and mitigation. It was constant work, and I was worried that the next “fix” that would come from Zhihu’s site administrators would be the silver bullet that would finally kill my project. I can somewhat proudly say that the silver bullet never came. I would sit up late at night running a multi-threaded scraper on my laptop in my apartment bedroom, watching for errors like a hawk. They came sometimes in the middle of the night (many times during working hours in Beijing) and I would spend the next hours of the morning building fixes and documenting the newest detection and mitigation methods.
The paper and presentation were met with a pretty high amount of interest, considering my talk was towards the latter end of the last day of presentations, to a crowd of seniors who just wanted it all to be over with, and advisors who wanted to begin their summer just as bad as the students around them. The feedback was enthusiastic and positive.
Empathy toward the attacker
I think back to those days building out detection evasion methods and mitigation workarounds fondly. It was a blast, somewhat thrilling knowing that I was pissing off people who were stomping all over freedom of speech online. One lesson I would end up learning much later, just last week, honestly, was empathy toward attackers who spend quite a bit of time in shoes very similar to mine.
I was reading over some information security blogs to wrap my head around the enigma that is Russian operations in cyberspace when I had an odd thought:
It must be incredibly frustrating for the attacker when they see a new blog post come out!
I’ve had enough development experience to know that even the most rudimentary malware takes hours and hours to develop. Malware that targets niche machines like ICS/SCADA systems, or even more “basic” malware targeting normal user or enterprise machines, can take months or years to develop, test, and maintain. Operators spend hours upon hours, building and testing detection and mitigation evasion mechanisms, error handling, and a wide array of feature sets in their malware to make it work as intended. They test it on their own infrastructure or against small-fry targets to ensure their tools work and work well. It’s a labor of love to develop anything, especially something as intricate as a highly-functional, modular trojan…
Then comes the cat and mouse game with investigators and network administrators. They often peer over their shoulders when they finally land boots-on-network, constantly watching for an overly paranoid network admin or help desk clerk moonlighting as an infosec professional. At any moment, their screens could go dark, their shells could hang and the precious data, the honey flowing from their precariously positioned honeycombs, run dry.
Then, some jerk decides to write a blog, and the whole thing could be burned in an instant!
When those blogs drop, when those Tweets flow about the latest discovery on VirusTotal, they could potentially burn years, certainly months, of often laborious effort on the part of the developers and operators. There is quite a bit of talk from many in the information security space about “imposing cost” on the operators. The cost is often described monetarily, or in terms of wasted operational efforts, or just in making it more difficult to maintain access and exploit breaches. The cost that I hadn’t thought enough about, though, was the emotional cost. I know how difficult it is to spend hours and hours developing something, only for the silver bullet to be launched by site administrators in the form of CloudFlare protection or major site changes. It can be infuriating, especially after playing cat-and-mouse for hours and hours on end, writing updates and bug fixes, constantly checking logs to find streams of errors flashing red at you from the terminal.
It’s obviously forefront in our minds, the constant cat-and-mouse whack-a-mole game that is “blue team” defense of networks and information assets. Many of us, as defenders or threat intelligence experts, face burnout in our careers as the treadmill of almost endless threats to our safety and security buffet us like an endless monsoon of gale-force winds. This week, though, I pondered the endless surge of discoveries, detections and mitigations that plague our enemies on the other side of the aisle, the attackers that spend their early mornings and late nights developing the next new “sexy” or mundane threat to lob at our networks, hoping for at least initial success and some exploitable access before their access is burned and they start anew, with a blank IDE screen and a new target set.
So, if you’re an operator out there and some marketing team just burned your op with a blog or a researcher killed your trojan with a tweet, just know that I understand the turmoil. I’m going to keep working against you, but know that there’s a part of me that truly does empathize with that frustration.
— I’m not active on Twitter anymore, for reasons I talk about in this blog post, but you can follow me on my Twitter page for new blog posts and announcements.
If you’re interested in the scraper class I’m developing, you can find out more on my GitHub page that will host some of the code and details about the class or my YouTube channel where I’ll post about updates for the class and the announcement when it’s done.
— I’ve started a weekly newsletter! If you want updates on this blog or my research, or just a weekly dose of the going’s on in information security and threat intelligence, you can subscribe here. —
Years ago, I embarked on a journey going in a completely different direction from where I ended up. I created a Twitter account and, shortly thereafter, an account on SteamIt, a blockchain-based blogging platform that I ended up hating for various reasons. I was in a particularly rebellious stage in life and grew up looking up to the complicated figure that was Anonymous, a hacking collective with what I didn’t realize were anti-capitalist views sticking it to the man in cyberspace. I internally and externally fought back against the idea that the group was hardly a dim shadow of what I thought they were, and that in reality it was just a group of untalented, unimaginative and largely uneducated highly-online personas seeking new ways to stab each other in the back and gain fame. No, in those days I was naïve, and had fallen fully for the often flashily produced but usually cheaply and hastily made uber-hacker propaganda.
I became their embedded historian, in a sense, and I did it horribly. I recorded all the stories I was told in IRC chatrooms and Twitter DMs and released them on my blog. It was a rush, being recognized by people who I thought at the time were making a difference. They weren’t, but it was a formative time in my life. As I studied Chinese, I started to do my first works on the Chinese hacking scene based largely off of The Dark Visitor. Not long after, the group I was embedded with semi-doxxed me, irritated at some depiction or another of the group. Some poor, middle-aged woman in Memphis was possibly swatted because they believed they had traced my IP to her house, and my name was released to the internet. That chapter of my journey online had ended, in an unforeseeable and irritating way.
I’d read The Net Delusion (Affiliate Link) in that time and had started to try to grasp the potential importance, and the nuanced discussions of the importance, of social media. I’d only recently stumbled upon the intelligence space, and was mulling over a potential move into some sort of intelligence career. Funnily enough, after my brief and unimportant foray into Anonymous, I was seriously considering a career in the intelligence community and had joined and quickly left Air Force ROTC. Social media began to take on a certain level of importance in that time, as a method of publishing my blogs and interfacing with people I was studying during my times vaguely associated with Anonymous and now, as a real-name-tied persona online, for networking and trying to figure out what I was to become professionally.
Since then, I’ve met almost every friend I have now via Twitter. I’ve amassed over 11,000 followers on Twitter and almost 2,000 subscribers over my odd and sputtering forays in publishing on YouTube, and I’ve made a not-insignificant amount of money from social media contacts, especially considering that every job I’ve ever had has been found from recommendations or help from people I networked with on Twitter.
That being said, my relationship with Twitter especially has changed.
Before, I got a lot out of Twitter. I met my friends on there, learned tons of new things and found brilliant resources to better my understanding of intelligence, computer science, Chinese and the fusion of all of the above. The networking was exhilarating: a small-town Mississippi kid getting to rub shoulders with some of the giants that have built the modern information security space in many ways. That feeling is still, occasionally, exhilarating.
However, now it has become draining. I find myself visiting just to see what blue and white number adorns my notification icon, not really to see what kind of meaningful human interaction I will be met with upon clicking it, but really just for the dopamine satisfaction. Even now, as I think about releasing this blog, I’m thinking about view-counts and SEO. Pleasant interactions with strangers more and more have turned into disappointing revelations of the deep flaws that inflict humanity, interesting political debates turned into screaming matches whose only true purpose is to signal one’s own virtuousness over The Other Side. As the adage famously goes, nobody’s mind has ever been changed on the internet. Hyperbolic? Yes. Anecdotally? Also yes.
I’ve also begun to read Deep Work (Affiliate Link; I love this book and it’s changed a lot about how I view work) as I’ve more and more come to the conclusion that my relationship with social media has changed. In Deep Work I’ve realized that the mundane shallowness of social media is the antithesis to my lofty ambitions to make and break important things. I keep it around, saying it will be an excellent marketing platform for this product or that product, but I’ve continuously realized that the time I’m spending doom-scrolling and arguing with people whose braincells can be counted on one hand could be spent actually developing those products or producing that research or simply spending more time with my growing family. It’s keeping me from doing more deep work, or at least doing more useful shallow work.
The straw that broke the camel’s back was yesterday morning. I’d fallen asleep trying to figure out what to do to structure my life in a way that allows me to work more deeply on more important things, and I woke up doing the thing that stands in the way of that deep work: scrolling to see the latest on Twitter. I refuse to link to the video for reasons that should be abundantly apparent, but the first thing I saw that morning was not my daughter’s face or a full coffee carafe. It was a known right-wing account sharing footage of men, women and children clinging to the outside of a military plane as it took off, many of them falling to their death from dozens or hundreds of feet in the air as it ascended from an airbase in Afghanistan. The person shared the video of horrified people in a world across the ocean in the deepest pit of desperation, terrified of the situation they were being thrust into by the Americans sudden absence, falling to their death as they tried to escape, purely to win political points and score a dunk on the libs
My workday was shot. My output was almost nonexistent. The wave of depression that has held me just barely above the surface since the pandemic began threatened to swallow me under. It was very similar to my mind’s reaction to watching the Christchurch video. For a fair bit of the day I just stared at a screen, motionless. I talked to friends, all of which were having an even harder time than I, and came to the realization that this wasn’t healthy anymore. Between silly and pointless drama, constant violence, the constant and unneeded reminder that the world is killing itself with guns, germs and fossil fuels, social media hadn’t been a positive place for a long time for me. The people I liked on social media could talk to me on Signal, Slack or EMail. My input to the space had waned in both quality and quantity: a blog or video can show far more than a hastily written tweet, and has far more potential to inform or persuade. I looked back at my graveyard of dead projects and realized each one’s potential to actually move the needle, to make a difference, and then looked at the blue screen projecting word vomit of precious little import back at me.
I realized I had to leave.
So, I’m going to release this blog and, just after, create and record a secure, lengthy hash to replace my current password for Twitter and write it down somewhere for safe-keeping. I don’t want someone to take over my account and use it for malicious purposes, and some people may find value for my old tweets. After resetting my password and setting this post as my pinned tweet, I’ll be functionally leaving Twitter, either for good or for a very long time. I’ll log out of it and get back to much more important work, including reviving this old, dead blog of mine.
I’ll leave some contact information below if you need to contact me, but understand that a large reason why I’m leaving is to disconnect more, not connect more with specific people, so I’m specifically limiting it to email so that I can make the choice to ignore who I want. If I don’t answer, don’t take offense, but I’m choosing to take more care of my own time to focus on things that matter to me.
This year is the year I’m determined to actually break into the offensive security research space, and as such I’m going back to the basics with a series of write-ups on HackTheBox, my favorite training and learning platform on the web. Since this is the first article in the series, I’ll start with a bit of an introduction to what HackTheBox is before going into the write-up for “Lame.”
A Brief Introduction to HackTheBox
If you’re learning piano, you may spend a bit of time watching videos and learning music theory and basic ideas on how to learn the piano, but eventually you’ve just gotta sit down in front of the keys. If you’re learning martial arts, you eventually have to spar. If you’re learning baseball, you eventually have to go out and pick up the ball.
HackTheBox is where theory meets practice, where you get to sit down in front of the keyboard and hack away at relatively realistic targets without threat of jail time and without having to set up your own virtual lab full of vulnerable machines. The interface is sleek, the set-up is easy and the service is pretty cheap. It’s incredibly accessible for beginners as it has vulnerable machines, or “boxes,” that can be hacked by researchers and students of all skill levels, perhaps best exemplified by the box we’ll cover in this article named “Lame.”
Setting Up HackTheBox
Setting HTB up is incredibly simple. After you’ve created your account by hacking your way into the invitation code (not covering that, as it’s a rite of passage 😉 ) you get a VPN file to download and open with OVPN which comes installed by default, at least on Kali Linux. I personally use a virtual machine for HackTheBox stuff, so it’s as simple as downloading the file to the VM and running `openvpn` from the commandline with the .ovpn file as the sole argument.
Go on HackTheBox and find any live box and copy and paste the IP into the commandline following the command ‘ping.’ If you see packets coming back confirming that they’re returning from the box, you’ve successfully connected to the HackTheBox network!
Now, HackTheBox is awesome enough to allow write-ups on the challenges on their site, but they request (understandably so) to keep write-ups and video tutorials limited to “retired” boxes. HTB cycles boxes out on a pretty frequent basis, so once boxes have been online for long enough, they’re “retired” and you can write up blog posts and make videos explaining them. This is to keep the challenge alive by creating a group of boxes that don’t have answers available for a while, so don’t spoil live boxes!
Hacking Lame
Lame is perhaps the oldest of the retired boxes, at least the oldest one that I know of, and I don’t think you could create a box easier than Lame without giving a user anonymous root login with no password. If you’re following along, go to the ‘Retired Boxes’ page and find Lame down the list. Now, since Lame is old, it may take some searching to find it and you may have to spin up an instance to hack on, but HTB makes this pretty damn easy.
Copy and save the IP that you get for Lame and get all organized to tackle this box. I typically set up a directory named after the box and save the IP in a temporary text file. Next, I open up CherryTree, which is a pretty awesome note-taking app that comes with Kali, and set up a notes file for the box. You can also use OneNote or any other text editor really, I plan on using CherryTree for HTB writeups just because it’s already there and I’m lazy.
Reconnaissance
The best first thing to do against most HTB or CTF machines is to run a basic NMap scan. We aren’t worried about stealth and we know the machine will be online, so I generally go with the command
nmap -A -Pn $IP
We find a wealth of potential starting points from the initial NMap scan.
I like to save the initial scan in CherryTree as a sub node and then enumerate my findings in a second child node. Specifically, I noted the following potentially interesting bits from the scan:
Potentially anonymous FTP login on port 21 with full version info
SSH running on port 22 with full version info
Hacker’s best friend SMB running on ports 139/445
OS information divulged by SMB and SSH showing this is a Debian Ubuntu box.
This is a great starting point. With a pretty simple scan, NMap has given us information related to the operating system and several potentially vulnerable services to take a closer look at. Let’s try to confirm some of the details from above, starting by checking for anonymous FTP login.
We’re able to successfully login with user anonymous with any password. Checking the ls and pwd commands give us nothing useful, though, so we can chalk this up to a useless access, but it’s something you’d definitely note on a penetration test report.
Next, we can try checking the SSH banner grab to confirm the information we got was accurate, but just from previous experience with the Lame box I know we don’t really need to worry about it.
Metasploit
We’re going to skip to the skiddies’ best friend: good ole’ Metasploit. I won’t waste too much time on it here, but by way of introduction, Metasploit is the premiere modular exploitation framework that comes pre-packaged in Kali. Metasploit allows you to develop and use special-built exploits, written in Ruby and Python, and combine those exploits with custom payloads, including Metasploit’s own Meterpreter console. Metasploit is incredibly powerful… but it can often be a crutch for new security researchers and is full of its own quirks and instabilities. Since this is such an easy box, though, we’re going to keep it simple.
We know our target is running Samba 3.0.2 on a Linux operating system, so after launching Metasploit with the command msfconsole we run searchsploit Samba | grep 3.0.2 to find potentially useful exploits. The first on the list looks perfect, and we can look up more information on exploit-db.
This is a remote exploit, meaning we don’t need access to the box to exploit it. Since this is a CTF, we don’t need to worry too much about running an exploit without any kind of testing to make sure we don’t take anything down, but beware! Running exploits against boxes you don’t own is not only probably illegal, but it’s also potentially harmful: some exploits cause systems and services to become unstable or unavailable, even causing some operating systems to bluescreen. In a real world environment, an exam or a more complex CTF, test your exploits in a stable environment you own before you run them. As for us, we’re going for the YOLO.
We can see from the top of the exploit on exploit-db that the exploit is named usermap_script. Running search usermap_script gives us the full location of the exploit. The use command tells Metasploit which exploit or module we want to use, and show options shows us the only option we need to feed the exploit is the RHOSTS option, which corresponds to the IP or domain of the box we want to exploit. We set this option with set RHOSTS $IP and we should be good to go to run the exploit using the command exploit.
And just like that, we have a root shell!
To complete the CTF, we would cd ~, grab the root flag which is usually in the root.txt file, and input the flag to HackTheBox.
Words of Warning
This is essentially the “Hello World” for HackTheBox. It’s the easiest box you’ll come across on the platform. The rest will test you, they’ll be difficult and require more effort and more research. Many will need privilege escalation once you get your first, initial shell. Many will seem impossible. This one is a good way to test your ability to connect to the VPN, run reverse shells and run basic Metasploit exploits. Don’t be discouraged if the rest are significantly more difficult: you’ve been warned!
