MetaFilter
community weblog
Systems built during crisis 1 determine whether you survive crisis 4
Every major attack in this analysis started the same way: a person. Kyivstar: likely a compromised employee account. Viasat: a VPN misconfiguration someone didn't catch. The GRU exploits from 2018 and 2019 still work because someone hasn't patched systems that have had fixes for five years. Nation-state attackers don't need zero-days when humans provide the access. from The First Full-Scale Cyber War: 4 Years of Lessons [From the Trenches]
posted by chavenet on Jan 25, 2026 at 1:15 AM
---------------------------
Not only was that an excellent read, the whole site seems strong. I like the way he starts with an infographic...and, as someone with a performance review next week, let me tell you I appreciated the "Annual reviews that don't suck" post.
posted by Calvin and the Duplicators at 2:56 AM
---------------------------
interesting as hell: Preparation compounds. Vulnerability compounds.
posted by From Bklyn at 3:31 AM
---------------------------
Thank you, bookmarked for my human-factors-infosec course.
posted by humbug at 5:31 AM
---------------------------
Microsoft Starts Sharing Your Location With Your Employer
posted by jeffburdges at 6:07 AM
---------------------------
Poland's energy grid was targeted by somewhat similar [Russian] cyberattacks
posted by jeffburdges at 6:26 AM
---------------------------
CISA to cease participation at RSAC conference after Biden-era cyber leader (Easterly) named CEO (theregister.com)
posted by jeffburdges at 6:33 AM
---------------------------
This is a good analysis. It's all tradeoffs tho'
e.g. The western - basically US - cloud is your friend when you are friends with the hegemon, not so much when you are legally investigating their corrupt friends. No Amazon, No Gmail: Trump Sanctions Upend the Lives of I.C.C. Judges (archive link). The US cloud isn't infallible from political attack either.
posted by lalochezia at 6:39 AM
---------------------------
I too am thoroughly impressed by putting the infographic upfront. That in itself is a lesson in effective communication management.
I'm in Finland, and our university just turned on 2FA for library access. That's how it goes living next door to Russia.
posted by infini at 7:30 AM
---------------------------
Note: the link in the FPP is a substack hosted blog.
posted by tclark at 7:33 AM
---------------------------
The author previously discussed how AI is degrading software exponentially, something he tracks, and it appears that the vulnerability between cyber attack and self-inflicted incompetence is erased to a point where we may not know what went wrong.
posted by Brian B. at 7:58 AM
---------------------------
The company I'm at just went through a split/merger, and it's interesting to see how this is playing out. Most of the IT staff went through a major security incident a few years ago and is committed to building and maintaining a more resilient infrastructure.
Most of the IT leadership comes from the other half of the merger and did not have that experience, and they are kinda wishy-washy about actually making decisions and spending money on hardening.
The result is that the staff with the most institutional knowledge about how to prevent and deal with attacks are getting frustrated and finding new jobs.
I'm sure everything will be fine.
posted by clawsoon at 8:01 AM
---------------------------
Every major attack started the same way
There's an art I refer to as passive social engineering. In active social engineering, you work on convincing some user of the system to give you access. In passive social engineering, you start with the realization that one or more users have already given you access, and you set to work figuring out which ones.
posted by jimfl at 8:08 AM
---------------------------
Brian B.: The author previously discussed how AI is degrading software exponentially, something he tracks, and it appears that the vulnerability between cyber attack and self-inflicted incompetence is erased to a point where we may not know what went wrong.
I wonder if "shipping broken code" is the new "buy IBM". As long as everybody else is doing it, including all of the industry leaders, you can't be blamed for doing it yourself.
posted by clawsoon at 8:09 AM
---------------------------
...or to put it another way, maybe "having an outage" is now "industry best practise".
posted by clawsoon at 8:20 AM
---------------------------
Note: the link in the FPP
archived
posted by HearHere at 9:10 AM
---------------------------
Microsoft Starts Sharing Your Location With Your Employer
When we started requiring people to come into the office, one of the things that my director emphasized is that they can tell who's connecting via the local network vs VPN or WAN.
For that matter, our switches can differentiate between work and personal laptops, and only provide intranet access to work laptops. We've had issues with grad students going from desk to desk with their personal machines, leaving a trail of "dead" ports in their wake.
If your bosses aren't tracking you, when you're using their equipment, then they don't care.
posted by Spike Glee at 9:20 AM
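The split described above, managed laptops on the intranet VLAN and everything else on a restricted VLAN, together with the port-security behaviour that leaves "dead" ports behind, as an added Cisco IOS example. This is not the commenter's configuration or anything from the linked article: VLAN 10 (corporate) and VLAN 20 (guest/personal), the interface name, the RADIUS server name and address 192.0.2.10 and the shared secret are placeholders.

```text
! Added example, not the commenter's config. Cisco IOS syntax; VLAN 10,
! VLAN 20, GigabitEthernet1/0/10 and 192.0.2.10 are assumed placeholders.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
radius server CORP-NPS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
!
! Without these two lines a port shut down by a port-security violation
! stays err-disabled until someone finds it and bounces it by hand.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
interface GigabitEthernet1/0/10
 description desk port: 802.1X puts managed laptops on VLAN 10, everything else on VLAN 20
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 ! 802.1X: a successful machine login is authorized on VLAN 10 (intranet);
 ! a device with no supplicant, or a failed login, lands on VLAN 20.
 dot1x pae authenticator
 authentication port-control auto
 authentication host-mode single-host
 authentication event no-response action authorize vlan 20
 authentication event fail action authorize vlan 20
 ! Port security: the first MAC seen is learned ("sticky"); a second MAC on
 ! the same port, e.g. a personal laptop plugged into a colleague's desk,
 ! is a violation and err-disables the port.
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
```

Two things worth checking on a real switch: VLAN 20 only keeps personal machines off the intranet if its routing and ACLs actually deny the internal ranges, and combining sticky port-security with 802.1X on the same port is what produces the trail of err-disabled ports when people roam between desks, so either drop port-security where 802.1X is doing the authorization or keep the errdisable recovery lines so the port comes back on its own.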
---------------------------
Also, just because a patch exists, doesn't mean that it's easy to apply, even if you know about it. Back in the early aughts, MS SQL Server was hit by the SQL Slammer virus. There were patches available to mitigate the vulnerability, but knowing which one to use was such a byzantine affair that MS released a utility to tell you which one to use. They took a lot of flak for that, and it's one of the main reasons that MS made patching a lot easier.
More recently (like this month), my department got dinged for a Java vulnerability in our Oracle client. So I grabbed the latest full client from their web site and tried it. Still had the vulnerability. So I contacted the Oracle people in central IS. They had a later client (which didn't fix the problem) plus patches (which did). So, as an individual, even if I knew about the vulnerability, without a service contract, I'd be screwed.
posted by Spike Glee at 9:57 AM
---------------------------
Public-Private Partnership. Microsoft: $400+ million in aid. Google: Project Shield on 150+ websites. Cloudflare: ~130 government domains. AWS: Snowball devices shipped to Poland within 48 hours.
Carnegie Endowment: "delivering cyber defense at scale could only be achieved by private sector entities that owned, operated, and understood the most widely-used digital services."
It's amazing how fast capital will move to protect capital.
posted by slogger at 11:41 AM
---------------------------
Interesting to me is that I read articles like this and when they get to quoting any federal US agency I just skip it. (I just assume it's a compromised agency stuffed full of incompetent MAGAhats these days, and odds are whatever they have to say is 180 degrees from the actual truth.)
posted by maxwelton at 12:32 PM
---------------------------
It's amazing how fast capital will move to protect capital.
First, they'll sling poo at one another, but yeah.
posted by Token Meme at 12:40 PM
---------------------------