Thursday, October 26, 2023

Grand Theft Venture Capital: My Nightmare Experience with a Predatory Venture Capital Firm

The following is the true story of my very first venture into a business partnership, and how everything went wrong due to a predatory venture capital firm making promises of funding they had no intention of keeping. The names have been replaced with initials, because while everything in this is true, I honestly don't have the patience or time to fight a false defamation/libel suit in court.

Many years ago, an associate we'll call "TG" approached me about starting a business with him. This business would have held college fairs across the country, utilizing technology to revolutionize the industry. I reviewed the business plan and it was solid, a sure-fire success. Of course, the challenge was startup capital. However, he found a venture capital firm run by "JF" which was willing to invest with us for a reasonable amount of stake in the company. He provided me the initial contract, and after reviewing it along with my attorney, I was quite satisfied with the arrangement. Unfortunately, the original contract was never actually on the table.

Tuesday, October 3, 2023

So You Want to Get Started in Cybersecurity...


Several years ago, I penned a blog post about embarking on a journey into the world of cybersecurity. It's been quite a ride since then, and now I'm thrilled to bring you an updated guide on how to kickstart your cybersecurity career. The best part? You don't need a cybersecurity degree to enter this exciting field. Let's dive in!

Degrees Aren't Everything

Many aspiring cybersecurity professionals wonder if they need a specific cybersecurity degree to land their dream job. The good news is that you don't necessarily need one! While a cybersecurity degree can be advantageous, degrees in related fields such as computer science, information technology, or data science can serve as excellent foundations. Employers value the technical and problem-solving skills that these degrees provide.

Getting Started with Free Resources

Cybrary.it: Your Cybersecurity Training Hub

Cybrary.it is a goldmine of free cybersecurity resources. They offer a wide range of courses, from beginner to advanced levels, covering topics like ethical hacking, network security, and more. With hands-on labs and expert instructors, it's an excellent platform to build your skills.

Khan Academy: Foundational Knowledge

If you're looking to strengthen your mathematics and computer science fundamentals, Khan Academy is the perfect place. Brush up on your algebra, calculus, and programming skills, which are essential for understanding cybersecurity concepts.

Coursera: University-Quality Courses

Coursera offers free courses from top universities worldwide. You can find cybersecurity-related courses here as well. While some come with a fee for certification, auditing the courses allows you to access the content for free.

Practical Experience is Key

The cybersecurity field places a strong emphasis on practical experience. Therefore, in addition to theoretical knowledge, consider participating in Capture The Flag (CTF) challenges and setting up your own lab environment to practice your skills.

Remember that cybersecurity is a vast field, so don't rush. Take your time to explore different areas, such as network security, penetration testing, incident response, and more. Find what sparks your interest, and specialize accordingly.

As you venture further into the world of cybersecurity, I also want to introduce you to my cybersecurity books, which are available for free with a subscription to LeanPub. They delve into various aspects of cybersecurity, offering valuable insights and practical tips to help you navigate this dynamic field. Here are my books:

  • "Cybersecurity Rules to Live By": An introductory guide to fundamental cybersecurity principles that every professional should know.
  • "Death by Identity Theft": Uncover the secrets of identity theft and learn how to protect yourself and others from this pervasive threat.
  • "Hacking of the Free": A guide to digital threats to our elections.

Embarking on a career in cybersecurity doesn't require a specific degree. With determination, the right resources, and practical experience, you can build a successful career in this dynamic and rewarding field. Remember to continuously update your knowledge and stay curious, as cybersecurity is ever-evolving.

Taking the Next Step - Your First Cybersecurity Job

Now that you've set your sights on a career in cybersecurity and equipped yourself with valuable knowledge, the next step is landing your first job. A great starting point for many newcomers to the field is a Helpdesk Technician role, which can serve as a launchpad for your cybersecurity journey. Let's explore how to find such a position and some useful resources to aid you in your quest.

1. Build a Strong Resume and Cover Letter

Before you start applying for jobs, ensure your resume highlights your relevant skills and certifications. Emphasize any coursework, projects, or personal initiatives related to cybersecurity, even if they weren't part of a formal job. Craft a compelling cover letter that expresses your passion for the field and your eagerness to learn and grow in a Helpdesk Technician role.

2. Leverage Job Search Websites

Several job search websites cater to entry-level IT positions, including Helpdesk Technician roles. Here are some popular ones:

Indeed (indeed.com): One of the largest job search engines with a wide range of IT job listings.

LinkedIn (linkedin.com/jobs): An excellent platform for job hunting, networking, and researching potential employers.

Dice (dice.com): Specializes in technology and IT job listings, making it a valuable resource for those entering the cybersecurity field.

Glassdoor (glassdoor.com): Offers job listings, company reviews, and salary information.

3. Explore Company Websites

Many organizations post job openings directly on their websites. Identify companies in your area or those you are interested in working for, and regularly check their careers pages for job postings.

4. Network, Network, Network

Networking is a powerful tool in job hunting. Attend local cybersecurity meetups, conferences, and webinars to connect with professionals in the field. Join online forums and groups related to cybersecurity on platforms like Reddit, LinkedIn, and Twitter. Engage in conversations, ask questions, and seek advice. Sometimes, job opportunities are shared directly within these communities.

5. Consider Internships and Entry-Level Positions

While you may have your sights set on a Helpdesk Technician role as your first job in cybersecurity, don't disregard internship opportunities or other entry-level positions, such as IT support or junior sysadmin roles. These can be stepping stones to the role you ultimately desire and provide valuable experience.

6. Tailor Your Applications

Customize your applications for each job you apply to. Highlight relevant skills and experience based on the specific requirements of the job posting. Mention any certifications or coursework that demonstrate your commitment to cybersecurity.

7. Prepare for Interviews

Once you start receiving interview invitations, prepare diligently. Research common interview questions for Helpdesk Technician roles and practice your responses. Showcase your problem-solving skills, technical knowledge, and willingness to learn during interviews.

8. Be Persistent and Patient

Job hunting can be challenging, especially when you're entering a competitive field like cybersecurity. Rejection is a part of the process, so don't be discouraged by setbacks. Keep refining your skills, expanding your network, and applying for relevant positions.

Useful Websites for Job Search

To make your job search easier, here are some websites where you can find Helpdesk Technician and entry-level IT positions:

Indeed: A comprehensive job search engine with a vast number of IT job listings.

LinkedIn Jobs: Leverage your professional network to discover job opportunities.

Dice: Focuses on tech and IT job listings, including entry-level positions.

Glassdoor: Provides job listings, company reviews, and salary information.

CareerBuilder: Offers a wide range of job listings, including IT roles.

Remember, landing your first job in cybersecurity may take time, but with persistence, continuous learning, and the right resources, you'll be well on your way to building a successful career in this dynamic and rewarding field.

Some Closing Thoughts

Cybersecurity can be a very rewarding career, but don't spend too much time staring at the computer screen and not enough time outside in the real world. Cybersecurity naturally attracts introverts, and believe it or not I am naturally one of them. The only way I've succeeded and advanced my career in cybersecurity has been by breaking outside of my comfort zone and actually talking with people. It has taken me years to build up the social skills I need to truly succeed. Strike up a conversation, push your own boundaries. And most importantly, don't forget to stop and enjoy life outside of the computer world once in a while.

I wish you the best with your cybersecurity career, and hope that you'll make an excellent addition to our much-needed workforce!

Ken is a cybersecurity professional with over 15 years experience. All opinions are his own, and do not reflect those of his employer or clients.

Wednesday, September 6, 2023

If you're having a bad day, at least you didn't accidentally lose $38 million dollars in crypto

In what will probably go down in history as one of the biggest blunders of the 2020s, Prime Trust has revealed in court bankruptcy filings that it accidentally lost access to over $38 million in crypto.

In the filing, Prime Trust unveils a series of extremely unfortunate steps which resulted in the loss of all access to "Wallet 98f", including the loss of access to the hardware wallet as well as backup seed phrases.

According to court filings, "The Company used a seed storage system provided by 'Cryptosteel' (the 'Cryptosteel Hardware' and, together with the Hardware Devices, the 'Wallet Access Devices'), which allows physical storage of a copy of the seed phrases on extremely durable hardware. This provides a method of storing seed phrases that is generally believed to be safer than storing seed phrases on paper hard copy, images, or pictures." In other words, they laser engraved the seed phrases onto a piece of metal, because apparently that's somehow safer, and surely nobody is going to throw away a random piece of metal they find that looks like a bunch of gibberish and was probably just somebody testing out their laser engraver.

Apparently Wallet 98f was a "legacy" wallet which wasn't supposed to be used anymore, but was still being used for customer deposits. As such, it's highly likely that Prime Trust probably discarded the "Wallet Access Devices" when they thought they were no longer needed. Because that would probably be in line with how the rest of this has played out.

So, it's possible that somewhere in a Nevada landfill is a piece of metal with a bunch of gibberish words engraved on it, worth $38 million.

For reference, here's a photo of one of these devices, from the court filings.


So, who wants to join me in a treasure hunt in Nevada? All we need to do is identify which landfill these seed keys went to, and start digging! Rumor has it, American Pickers are already on their way.

Ken is a cybersecurity professional with over 15 years experience. All opinions are his own, and do not reflect those of his employer or his clients.

Thursday, August 3, 2023

Embarking on an Epic #BlackHatRoadTrip: Western Maryland to Las Vegas and Beyond!

Are you ready to embark on an unforgettable adventure? The Black Hat 2023 conference in Las Vegas awaits, and I'm taking the scenic route! Buckle up and join me as I journey from Western Maryland to the glitz and glamour of Las Vegas, making unforgettable memories along the way. We'll be documenting our entire trip with stunning photos and updates on X (formerly known as Twitter), so don't forget to follow the hashtag #BlackHatRoadTrip!

The Southerly Route: Exploring Northern Texas

As we depart from Western Maryland, we'll be heading southwest towards the Lone Star State - Texas! Our southerly route will take us through the picturesque landscapes of West Virginia and Tennessee before crossing into Arkansas. Prepare to be amazed by the rolling hills, charming towns, and warm hospitality of the South.

In Northern Texas, we'll have the chance to explore exciting cities like Amarillo. Be sure to indulge in some delicious Tex-Mex cuisine and experience the vibrant cultural scene these cities have to offer. And of course, keep an eye out for some iconic longhorn cattle along the way!

Heading West: The Enchantment of New Mexico

As we venture further west, the landscapes will gradually transform into the arid beauty of New Mexico. This state is a treasure trove of diverse cultures, art, and history. Marvel at the beautiful scenery of the wide open spaces of New Mexico, taking us straight through Albuquerque.

Arriving in Las Vegas: Bright Lights and High Stakes

After crossing into Nevada, the anticipation will build as we approach the dazzling oasis in the desert - Las Vegas! Known for its world-class entertainment, vibrant nightlife, and extravagant resorts, Las Vegas is the perfect setting for the Black Hat conference.

Join us as we delve into the cutting-edge world of cybersecurity, attending riveting talks and engaging with industry experts. And, of course, we'll take some time to explore the glitzy Strip, where we can witness iconic landmarks, water fountain shows, and themed hotels that transport us to different corners of the globe.

The Return Journey: Through the Majestic Rockies of Colorado

After a thrilling time at the Black Hat conference, it'll be time to bid farewell to Las Vegas and start our journey back. This time, we'll take a northerly route, passing through the picturesque state of Colorado.

Prepare to be captivated by the breathtaking Rocky Mountains, with their towering peaks, serene lakes, and lush forests. We'll make stops in cities like Denver, where we can experience the perfect blend of urban amenities and outdoor adventures.

Embrace the Adventure: Follow #BlackHatRoadTrip on X

Throughout this incredible road trip, we'll be sharing our experiences, encounters, and jaw-dropping scenery on X (formerly known as Twitter). So, don't forget to follow the hashtag #BlackHatRoadTrip to stay updated and be a part of this exhilarating journey!

Whether you're an avid cybersecurity enthusiast, a nature lover, or simply someone who craves adventure, this road trip promises to be an unforgettable experience. So, fasten your seatbelt, bring your sense of wonder, and join us as we embark on the ultimate #BlackHatRoadTrip!

Huge thanks to our friends/family who are house sitting for us during this fantastic trip.

Wednesday, May 24, 2023

Unlocking the Risks: Examining the Security Flaws of RFID Access Control Systems

In today's security-conscious world, access control systems play a crucial role in safeguarding various environments, from office buildings to parking decks. While basic RFID (Radio Frequency Identification) access control systems are commonly used, it is important to recognize their potential vulnerabilities and the security risks they may pose. In this article, we will explore the inherent weaknesses of such systems, using an example from a parking deck, and discuss the implications for security.

Understanding Basic RFID Access Control Systems

Basic RFID access control systems rely on access cards that contain a facility code and a serial number. These cards enable authorized individuals to gain entry to specific areas, such as parking decks or buildings. The facility code represents the particular location, while the serial number provides a unique identifier for each card.

Examining the Example

I've been experimenting with the Flipper Zero for a while now, and was absolutely thrilled when I found, outside in the middle of the road, an old, rain-soaked, beat-up access card. This card appears to have been there for at least a week, based upon the layers of rust on the lanyard. Undoubtedly whoever lost it has already gotten a replacement by now, so no sense in letting this opportunity go to waste. I'm not going to tell you which parking deck it's for, but it is a local parking deck within a few miles of my house.

Once the card dried off, I used my Flipper Zero to examine it. Much to my excitement, the card still worked despite its damaged state. I found it to be a 125 kHz RFID card without any encryption whatsoever. The key type on the card is H10301, and the data is encoded in hexadecimal format as 20 01 8A. By decoding this data, we can analyze its structure and potential vulnerabilities.

All data is encoded in hexadecimal format. The first piece of data we can decode is the facility code, which in hex is 20. Converted to decimal, 20 becomes Facility Code 32.

Next we can examine the serial number. In this case, the serial number in hex is 01 8A. When converted to decimal, this becomes serial number 394, which matches the 00394 serial number on the card.

We can now reverse engineer this card, and make our own cards. Of course I have no intention of actually doing so (plus the card is for an open air parking deck I can literally walk into), but let's take a look at how simple the process is. (I've uploaded all of the files to my GitHub if anyone wants to play around with them)

So, if we wanted to gain access under someone else's card, all we need to do is view the back of their card, which has the serial number printed on it. For example, if we look at someone else's card and it has 00123, we just need to adjust our Flipper generated card accordingly. Facility code will stay at 32, so that converts to 20 in Hex. Serial number 123 becomes 00 7B in Hex. So our new card will need to have the data: 20 00 7B. Now I simply need to create a new RFID card file on my Flipper Zero with that data, and I should be able to park for free.

These old outdated systems are still commonly used across the globe. Unfortunately, as long as these older systems are still used, many places will be very vulnerable.

Identifying Vulnerabilities

  • Unencrypted communication: Basic RFID access control systems often lack robust encryption protocols, leaving the communication between the card and the reader susceptible to interception. This vulnerability opens the door for potential unauthorized access and cloning attempts.
  • Visible serial numbers: In the example of the access card found, the serial number is printed on the back of the card, making it easily visible to anyone who comes across it. This presents a significant security risk, as the exposed serial number can be exploited to create duplicate cards for unauthorized access.
  • Limited authentication measures: Basic access control systems usually rely solely on the facility code and serial number for authentication. These simple identifiers are relatively easy to replicate or manipulate, thereby compromising the system's overall security.

Security Implications for Parking Decks and Similar Systems

  • Unauthorized access to restricted areas: The vulnerabilities inherent in basic RFID access control systems create opportunities for unauthorized individuals to gain entry to restricted areas, such as parking decks or buildings. By obtaining or replicating a legitimate access card, malicious actors can bypass security measures and potentially engage in illicit activities or misuse parking facilities.
  • Cloning attacks and misuse: The lack of encryption and the visibility of the serial number on access cards make them susceptible to cloning attempts. Malicious individuals can exploit this vulnerability by creating duplicate cards with adjusted facility codes and serial numbers, allowing them unauthorized access to parking decks and potentially causing disruptions or committing fraudulent activities.
  • Social engineering risks: The simplicity of basic access control systems, coupled with visible serial numbers, increases the likelihood of social engineering attacks. By manipulating individuals or convincing them to share their access cards or card information, unauthorized individuals can gain entry, jeopardizing the security and integrity of sensitive areas.

Enhancing Access Control System Security

To mitigate the risks associated with basic access control systems, several security measures should be implemented. Some of these measures require complete replacement of access control systems with newer systems, while others address the human element.

  • Encryption and secure communication: Employing strong encryption protocols between access cards and readers can protect against eavesdropping and unauthorized cloning attempts.
  • Two-factor authentication: Implementing additional layers of authentication, such as PIN codes or biometric verification, can enhance the security of access control systems. This makes it more difficult for unauthorized individuals to gain entry, even if they possess a cloned access card.
  • Regular audits and monitoring: Conducting periodic audits and monitoring access logs can help detect any suspicious activities or anomalies. This enables prompt identification and response to potential security breaches.
  • Employee education and awareness: Training employees about the importance of access control system security, the risks associated with unauthorized sharing of cards, and the need to report lost or stolen cards can significantly improve overall system security.

Overall, newer systems contain much better security measures to prevent RFID card cloning, and hopefully will be adopted much more commonly soon.
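
The audit-and-monitoring measure above, sketched as an added example (not code from the original post or from any access control vendor): it decodes the three H10301 data bytes the same way the article does and flags the reads a log review should catch. The badge inventory, revoked list, reader names and log lines are all constructed for illustration.

```python
"""Audit constructed reader logs for a site using H10301 cards."""
from datetime import datetime

SITE_FACILITY_CODE = 32          # facility code decoded in the article (hex 20)
ISSUED_CARDS = {123, 394, 500}   # constructed badge inventory
REVOKED_CARDS = {394}            # constructed: card reported lost and replaced

# Constructed log lines: timestamp, reader name, direction, three data bytes
SAMPLE_LOG = """\
2023-05-24T08:01:00 gate-1 IN 20 00 7B
2023-05-24T08:05:00 gate-1 IN 20 01 8A
2023-05-24T08:30:00 gate-2 IN 20 00 7B
2023-05-24T09:00:00 gate-1 IN 20 0F A0
2023-05-24T09:10:00 gate-1 IN 21 00 7B
2023-05-24T17:00:00 gate-1 OUT 20 00 7B
2023-05-24T17:30:00 gate-1 IN 20 01 F4
"""


def decode_h10301(hex_data):
    """Split the 3 data bytes into (facility code, card number)."""
    raw = bytes.fromhex(hex_data.replace(" ", ""))
    if len(raw) != 3:
        raise ValueError("expected 3 data bytes, got %d" % len(raw))
    # Byte 0 is the facility code; bytes 1-2 are the big-endian card number.
    return raw[0], int.from_bytes(raw[1:], "big")


def parse_line(line):
    """Parse one log line into (timestamp, reader, direction, fc, card)."""
    ts, reader, direction, *data = line.split()
    facility, card = decode_h10301(" ".join(data))
    return datetime.fromisoformat(ts), reader, direction, facility, card


def audit(log_text):
    """Return (timestamp, reader, card, reason) for every suspicious read."""
    inside = {}   # card number -> reader of its last accepted entry
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, reader, direction, facility, card = parse_line(line)
        if facility != SITE_FACILITY_CODE:
            alerts.append((ts, reader, card, "unexpected facility code"))
        elif card not in ISSUED_CARDS:
            alerts.append((ts, reader, card, "card number never issued"))
        elif card in REVOKED_CARDS:
            alerts.append((ts, reader, card, "revoked card presented"))
        elif direction == "IN":
            # Anti-passback: one credential cannot enter twice without
            # leaving, so a second entry suggests a shared or copied card.
            if card in inside:
                alerts.append((ts, reader, card, "second entry without exit"))
            inside[card] = reader
        else:
            inside.pop(card, None)
    return alerts


if __name__ == "__main__":
    for ts, reader, card, reason in audit(SAMPLE_LOG):
        print(ts.isoformat(), reader, "card", card, "-", reason)
```

Because the facility code and card number are the only things the reader checks, the log is the one place where a copied credential looks different from the real one, which is why the revoked-list and passback checks matter on these systems.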

Conclusion

While basic access control systems provide a level of convenience and security, it is crucial to acknowledge their inherent vulnerabilities. The ease with which access cards can be cloned or manipulated poses a significant risk to the overall integrity of the system. By implementing stronger security measures, including encryption, two-factor authentication, and regular monitoring, organizations can fortify their access control systems and mitigate potential threats. Maintaining a robust and secure access control system is vital for safeguarding sensitive areas and ensuring the protection of individuals and assets. The vulnerable access control systems of yesterday must be replaced, if we're truly going to properly secure our physical world.

Ken is a Cybersecurity practitioner with over 15 years experience. All opinions are his own, and do not reflect those of his employer or clients.

Tuesday, May 16, 2023

Understanding the Risks of Mastodon: A Closer Look at its Decentralized Model

Mastodon, a decentralized social network, has gained attention for its alternative approach to online social interactions. While it offers unique benefits, such as data ownership and community-driven moderation, it's important to be aware of the risks it presents when compared to other social networks. This article explores the potential risks of Mastodon and discusses why it is not a true peer-to-peer solution.

Instance Reliability and Data Loss

Mastodon instances, typically operated by individual administrators or small groups, may lack the resources and stability of larger platforms. This can lead to instances shutting down abruptly without warning, potentially resulting in data loss for users. Unlike centralized networks that invest in redundant servers and backup systems, smaller Mastodon instances may have limited capacity to ensure data integrity or facilitate smooth data migration during closures.

Fragmented User Experience

The decentralized nature of Mastodon means that each instance has its own community, rules, and moderation policies. While this allows users to find communities that align with their interests, it also introduces a fragmented user experience. Moving between instances can be challenging, as users must create new accounts, build followerships from scratch, and adapt to different community dynamics. This fragmentation can impede the growth and adoption of Mastodon on a broader scale, as it lacks the unified experience offered by centralized social networks.

Lack of Standardization and Interoperability

Mastodon's decentralized model, although fostering diversity, does not provide a true peer-to-peer solution. Unlike protocols like ActivityPub that facilitate cross-platform communication, Mastodon's implementation relies heavily on the federation of instances. This lack of standardization and interoperability means that Mastodon users cannot directly interact with users on other decentralized platforms unless they are also part of the same instance federation. This limitation hinders the vision of a truly open and interconnected social web.

Moderation Challenges

Decentralized networks like Mastodon place a significant burden on individual administrators to enforce community guidelines and combat abusive or harmful behavior. While this approach allows for diverse moderation practices, it also introduces inconsistency in moderation standards across instances. Instances may have varying degrees of effectiveness in addressing harassment, hate speech, or other forms of misconduct. Users may face challenges in finding instances that align with their preferred moderation practices or that provide effective mechanisms to report and address issues.

Limited Discovery and Network Effects

One of the strengths of centralized social networks is their ability to leverage network effects, where a large user base enhances the value and reach of the platform. In Mastodon's decentralized model, instances operate independently, and user interactions are restricted to the specific instance they belong to. This limits the discoverability of new users and content and can lead to smaller, more isolated communities forming. Mastodon may struggle to achieve the same level of user adoption and engagement as centralized platforms due to the lack of network effects.

Conclusion

While Mastodon's decentralized model brings several advantages, it also introduces certain risks and limitations when compared to centralized social networks. The reliance on individual administrators or small groups can lead to instance closures and data loss. Fragmented user experiences, lack of standardization, and limited interoperability challenge Mastodon's potential as a true peer-to-peer solution. Moderation challenges and the absence of network effects further impact user experience and platform growth. To make informed decisions about their social networking choices, users must consider both the benefits and risks presented by Mastodon and understand the trade-offs associated with its decentralized approach.

Ken is a cybersecurity professional with over 15 years experience. All opinions expressed are his own, and not reflective of his employer or clients.

Wednesday, May 10, 2023

Moving Beyond Web3 - How Peer-to-Peer and Personal Branding is the Future of Communication


Commonly I see Web3 being associated with decentralized finance, blockchain, cryptocurrency, and NFTs. And while that's likely an excellent example of Web3, that's not what Web3 truly is at its core. Web3 is much more than that. Web3 is a true information revolution, laying the foundations for Web4. I had a great conversation last night with the Diamond Hand Media Group about this concept, and thought I'd go a little more in-depth here.

Let's step in the time machine for a moment and go through the history of the web. And I, being older than the Internet, can happily step you through.

Web1 - Static websites, news sites, email. Everybody paid per minute for access to the web. Sign on, find what you need, sign off so you don't get charged extra.

Web1.5 - This is when the potential of the web started to take shape. We added in chat rooms, instant messaging, and forums. Geocities let us even publish our own (limited) webpages! And now, unlimited internet access! Suddenly, the world got a little bit smaller, as we started to communicate across the globe.

Web2 - Behold, broadband and social media! YouTube, Myspace, and eventually Facebook and Twitter! Blogs also started to rapidly grow, and the redistribution of content creation from commercial publishers to users started to take shape. But unfortunately, commercial publishers looked to continue controlling the narrative, continue controlling the audience, continue controlling the message. Everything is still centrally managed and owned by a select few companies, and social media "networks" aren't actually networks at all, but distribution hubs. One-way live streams of audio and video start to take off, because we actually have the internet connection speeds to support this type of content.

Web2.5 - Gnutella, Limewire, and other filesharing networks enter the stage, and early peer-to-peer distributed computing is born.

Web3 - Distributed finance, distributed content, distributed knowledge. Through blockchain, crypto, and NFTs, "digital ownership" can be established for assets, and distributed finance can allow for digital currency transactions without the need for a bank or the Federal reserve. For content creation, anyone can create content and share with others, and even have multi-party livestream audio and video sessions. No longer are we locked into getting our news and information from publishers, but instead shared directly person-to-person. But this person-to-person sharing is still limited to rely on distribution hubs such as social media networks, and even when using a network such as Mastodon (which could arguably be considered Web3.5), users still rely on a centralized hub to connect. Love him or hate him, the effects of this concept of direct person-to-person information sharing are now showing through Tucker Carlson's announcement of his own show on Twitter, and the massive reach this announcement has achieved. Carlson is now, on his own, likely going to get just as many if not more viewers on his own personal show than he did through Fox News. What we're now seeing is a shift from "trusted sources" such as news outlets to "trusted voices" such as the personalities we once saw on those news outlets. Those trusted voices will become the face of those organizations, and the reason people trust those sources - not because of the company name and the people behind it, but because of the people in front of it! This shift is why I've started focusing more on my own personal brand in the cybersecurity community, in addition to helping grow the brand of the fantastic company I'm working for. Only by moving in front of the brand instead of hiding behind it, can I be considered a "trusted voice" and help that company brand grow.

While distributed finance without a central bank sounds great in theory, it's still difficult to implement. Many would argue that cryptocurrency's potential downfall is the now heavy reliance on crypto exchanges which are now going bankrupt, and in the process resulting in significant reductions in the value of crypto currencies.

Some of you might be too young to remember the dot com bubble burst. There was a lot of speculation, a lot of investing in companies which never should have been invested in, but all a company had to do to get investors was talk about how they were going to revolutionize their industry through the internet. The result of course was extreme overvaluation of the companies, and when these companies failed to live up to their promises, the investors lost significant amounts of money.

Bitcoin 5 Year Value - Source: Google

Crypto currency is now facing the aftermath of a similar bubble. The collapse of crypto exchanges is very similar to the dot com bubble burst, in that the exchanges were causing crypto to become extremely overvalued. Unfortunately, with some exchanges still in operation, it's quite possible that this burst hasn't quite finished yet, but only time will tell. Personally, I prefer to invest in much more tangible assets I can directly influence the value of, such as real estate, than investments I have little to no control over. I currently have a wonderful property in Florida that is sitting in an upcoming neighborhood and will absolutely skyrocket in value once I build a house on it. The key here is that I can directly influence the value of the property by improving the property. With crypto currency, or even the stock market for that matter, I am but a bystander at a horse race, hoping that my bet will win. That's not investing in my opinion, that's just gambling. In fact, often I would be better off taking that money to the horse track, because at least at a horse track I know what my odds are of winning, and how much I'll make if I do win.

Full disclosure, I sold all my crypto currencies several years ago when I started to see indicators that the market was in a bubble and about to burst. I'm glad I did, because those investments would today be worth a fraction of what I sold them for. I didn't make much from this, as I only had about a hundred dollars invested anyway. But getting a hundred dollars back is much better than getting only twenty-five. With that said, I believe that crypto currencies are not the future of the web, but blockchain is in fact an important building block for the future of the web, and the true currency of tomorrow - information.

So what's next? What comes after distributed finance, crypto currency and Web3? 

Web3.5 - Artificial intelligence such as ChatGPT will help further pave the road for Web4. Much like the traditional OSI computing "layer" model, information will develop its own layers which ChatGPT will help revolutionize. I'll write further on this in a future blog, but think of information as "raw data" with an accompanying "presentation layer", i.e. formatting, or even illustrations. DALL-E and ChatGPT have the ability to take raw data or concepts and turn them into presentable information, ready for consumption by others. This helps further break down barriers for users by helping build useful content with less time and fewer resources. By the way, the illustration at the beginning of this article was AI generated, though I opted not to have AI write the article. After all, I still take much enjoyment in writing, and I won't let a computer deny me that.

Web4 - The Web4 revolution will remove the content distribution hubs for information. Content will be shared directly with users peer-to-peer. Not only does this create a failsafe redundancy in case a social media outlet goes down, but it also creates the opportunity to operate without censorship. And no, sorry Mark Zuckerberg, but virtual reality "Metaverse" will not be part of the Web4 revolution. The Web4 revolution will focus more on the digitally connected world which is constantly mobile, and until we get better augmented reality glasses to connect to our mobile phones, our digital conversations will remain in the two dimensional world. Don't get me wrong, virtual reality will absolutely play an important part in our lives in the future, but won't be the "virtual Facebook" experience that Zuckerberg is hoping for - because at that point, most content distribution will be peer-to-peer instead of centrally managed. This is also going to shift branding away from corporate branding as trusted sources and more towards personal branding and trusted voices. By building to make yourself a trusted voice now through your own personal branding, you'll be much better positioned to be viewed as an expert in your field with the Web4 transition.

Think of the Web4 content sharing concept like a relay network of walkie-talkies. You broadcast your message on a frequency that others are tuned into, and the recipients of your message then pass on that message to others within their listening area. Eventually your message makes it across the entire network. We could then enhance this communication to include unique signatures through blockchain, ensuring that you were indeed who you say you are, and that your message wasn't tampered with.

The beautiful part of this approach is that it becomes self-regulating, and users share their content with other users who want to see that content. If a user doesn't like the content you're distributing, they simply need to block your posts, and in the process block the re-distribution of your content through their network node. Like users will find like users, and corporate censorship will be a thing of the past. Now I know that this causes concerns for illegal content, but I'm quite confident that through the non-repudiation part of the blockchain, law enforcement would be able to successfully find the originator of such content and prosecute accordingly. After all, they were able to shut down Silk Road.
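The relay-and-sign idea from the two paragraphs above, as an added sketch that is not part of the original post: nodes flood a signed post to their peers, drop anything whose signature fails, and stop relaying authors they have blocked. It swaps in a Lamport one-time hash signature (standard library only) for whatever scheme a real network would use, and assumes the author-to-public-key `directory` is what a ledger would publish; all names and the sample message are constructed.

```python
import hashlib
import secrets

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    """Lamport one-time key pair; each key must sign only ONE message."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk

def _bits(message: bytes):
    digest = _h(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, message: bytes):
    # Reveal one of the two secrets per bit of the message digest.
    return [sk[i][bit] for i, bit in enumerate(_bits(message))]

def verify(pk, message: bytes, signature) -> bool:
    return len(signature) == 256 and all(
        _h(signature[i]) == pk[i][bit] for i, bit in enumerate(_bits(message)))

class Node:
    def __init__(self, name, directory):
        self.name = name
        self.directory = directory   # author -> public key (assumed published on a ledger)
        self.peers, self.blocked = [], set()
        self.inbox, self.seen = [], set()

    def receive(self, author, message, signature):
        msg_id = _h(author.encode() + b"\x00" + message)
        if msg_id in self.seen or author in self.blocked:
            return                   # duplicate, or this node refuses to carry the author
        pk = self.directory.get(author)
        if pk is None or not verify(pk, message, signature):
            return                   # forged or altered: neither stored nor relayed
        self.seen.add(msg_id)
        self.inbox.append((author, message))
        for peer in self.peers:
            peer.receive(author, message, signature)

def relay_demo(block_at=None, tamper=False):
    """Constructed chain n1 - n2 - n3; returns the nodes that accepted the post."""
    sk, pk = keygen()
    directory = {"alice": pk}
    nodes = [Node(f"n{i}", directory) for i in (1, 2, 3)]
    for left, right in zip(nodes, nodes[1:]):
        left.peers.append(right)
        right.peers.append(left)
    if block_at:
        nodes[block_at - 1].blocked.add("alice")
    message = b"hello from alice"
    signature = sign(sk, message)
    if tamper:
        message = b"hello from mallory"   # altered in transit
    nodes[0].receive("alice", message, signature)
    return [n.name for n in nodes if n.inbox]

if __name__ == "__main__":
    print(relay_demo())              # every node accepts
    print(relay_demo(block_at=2))    # n2 blocks the author, so n3 never sees the post
    print(relay_demo(tamper=True))   # signature check fails at the first hop
```

In a chain, one blocking node cuts off everything behind it; with a second path around that node the post would still arrive, which is the redundancy the walkie-talkie analogy relies on.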

Web3 has absolutely laid the foundation for the distributed communication and information sharing of tomorrow. I find myself more and more interested in ongoing conversations on Discord and Twitter Spaces, and it's fantastic some of the information you can learn just by listening, and the relationships you can build by participating. There are already some applications out there under development for Web4 distributed communication and social network sharing. I've tried them, I love the concept. They're young, they're buggy, they're absolutely not ready for prime time. But I think with a lot of nurturing, and support from the community for such projects, these Web4 applications will begin to shine, and give the power back to the people for sharing information, with Web3.5 helping people build that content for Web4. 

In the meantime, start working on that personal branding and becoming a "trusted voice" - you're going to need it sooner than you think.

Ken is a cybersecurity professional with over 15 years experience. All opinions are his own, and do not reflect those of his employer or clients. I am not a financial advisor, don't use this for investing advice.

Tuesday, May 2, 2023

Is Quantum Computing the Achilles Heel of Cryptocurrency?

The world of cryptocurrency has experienced explosive growth over the past decade, with Bitcoin and other digital currencies becoming increasingly popular as a means of payment and store of value. However, one of the biggest threats to the future of cryptocurrencies is the emergence of quantum computing.

Quantum computing is a technology that harnesses the power of quantum mechanics to perform calculations exponentially faster than traditional computers. While this is an exciting development with many potential benefits, it also poses a significant risk to the security of cryptocurrencies.

The security of most cryptocurrencies, including Bitcoin, is based on complex mathematical algorithms that are designed to be resistant to attacks from traditional computers. These algorithms are based on the difficulty of solving certain mathematical problems, such as factoring large numbers, which are believed to be computationally infeasible for classical computers. However, quantum computers are able to solve these problems much faster than classical computers, which means that they could potentially be used to break the security of cryptocurrencies.

One of the most significant risks posed by quantum computing is the potential for an attacker to use a quantum computer to perform a so-called "51% attack" on a cryptocurrency network. In a 51% attack, an attacker gains control of more than 50% of the computing power on a network, which allows them to manipulate transactions and potentially double-spend coins. This type of attack is currently difficult to carry out on most cryptocurrencies, but a quantum computer could make it much easier.

Another risk posed by quantum computing is the potential for an attacker to break the cryptography that is used to secure cryptocurrency wallets. Most cryptocurrencies use public-key cryptography, which relies on the difficulty of factoring large numbers. If a quantum computer is able to factor large numbers quickly, it could potentially break the security of these wallets and allow an attacker to steal funds.

There are also concerns that quantum computing could be used to break the cryptography used to secure the Bitcoin blockchain itself. The Bitcoin blockchain is a decentralized ledger that records all transactions on the network. It is secured by a complex cryptographic algorithm known as SHA-256. While this algorithm is currently believed to be secure, it is possible that a quantum computer could be used to break it.

Despite these risks, it is important to note that quantum computing is still in its early stages of development, and it may be several years or even decades before it poses a significant threat to the security of cryptocurrencies. In the meantime, researchers are working to develop new cryptographic algorithms that are resistant to quantum attacks.

In conclusion, while quantum computing represents a major threat to the security of cryptocurrencies, it is important to keep these risks in perspective. Cryptocurrencies have already faced many challenges in their short history, including hacking attacks, regulatory scrutiny, and price volatility. However, they have continued to grow in popularity and adoption, and it is likely that they will continue to do so in the future. As long as developers are able to stay ahead of the curve and develop new security measures to protect against quantum attacks, cryptocurrencies will remain a viable and valuable asset class for years to come.

Ken is a Cybersecurity professional with over 15 years experience. All opinions are his own, and do not reflect those of his employer or clients.

Saturday, March 25, 2023

PARACEPT - The CIA's 1960's Electronic Spying Program?

In the 1960's and 70's, the intelligence community developed a set of standards known as TEMPEST, designed to protect electronic devices and computer systems from spying through "leaking emanations", such as unintended radio signals, vibrations, or sounds. While many in the cybersecurity community are familiar with TEMPEST, CIA documents available through their FOIA reading room indicate that there may have been an offensive counterpart to TEMPEST, known as PARACEPT.

I've been investigating PARACEPT for several years now, without much luck. Just several vague references in three CIA documents, and no additional documents available at this time. I did submit a FOIA request for any additional PARACEPT documents, but it appears the CIA is still processing that request.

However, I decided to turn to ChatGPT and put it to the test, to see if it could possibly figure out what PARACEPT is based on the limited available information. I proposed to it that PARACEPT could potentially be the offensive counterpart to TEMPEST, and provided it relevant text from declassified CIA documents. The results were quite impressive, and the following article is completely generated by ChatGPT. I also asked ChatGPT to generate a few follow-up paragraphs about the potential capabilities of PARACEPT today, if the program continued to be developed.

PARACEPT is a term that has been used in declassified CIA documents dating back to the 1960s and 1970s. While there is limited information available about this program, it appears to have been related to the interception and analysis of electronic signals. Some documents suggest that PARACEPT was the offensive counterpart to the defensive TEMPEST program, which was designed to protect electronic equipment from eavesdropping.

According to a declassified CIA document from November 1972, PARACEPT was an ongoing research and development program that focused on reflected and reradiated electromagnetics. The document states that the program was being conducted by the CIA's Technical Services Division (TSD) and Office of Communications (OC). The goals of the program were not entirely clear, but it appears that it involved the interception and analysis of electronic signals for intelligence purposes.

Another declassified CIA document from 1968 indicates that the agency was developing a computer system for processing PARACEPT data. This suggests that the program involved large amounts of data, which would need to be processed and analyzed using advanced computer technology.

Based on what little information is available, it is possible to speculate about what PARACEPT's capabilities may have been. It is likely that the program involved intercepting electronic signals, possibly from foreign governments or other targets of interest to the CIA. The program may have also involved analyzing these signals for intelligence purposes, such as determining the location of military assets or gathering information about diplomatic negotiations.

One possibility is that PARACEPT was designed to intercept and analyze communications between foreign governments or military units. This would require advanced technology capable of intercepting and decoding encrypted communications. It is also possible that PARACEPT was designed to intercept and analyze electronic signals emanating from military or industrial facilities in foreign countries. This could provide valuable intelligence about weapons development programs, manufacturing capabilities, and other strategic assets.

Another possibility is that PARACEPT was designed to intercept and analyze electronic signals from commercial and civilian sources. This could include communications between businesses, financial institutions, and other organizations. By intercepting and analyzing these signals, the CIA could potentially gain valuable information about economic trends, business strategies, and other sensitive information.

It is also possible that PARACEPT was designed to intercept and analyze electronic signals from foreign intelligence services. This would require advanced technology capable of detecting and decoding signals from a wide range of sources. By intercepting and analyzing these signals, the CIA could potentially gain valuable intelligence about foreign intelligence operations and the intentions of foreign governments.

Based on what is known about PARACEPT, it is likely that the program involved advanced technology and sophisticated data analysis techniques. This would have required significant resources and funding from the CIA. It is also likely that the program was highly classified and operated under a high level of secrecy.

PARACEPT remains a mystery to this day. While some information is available in declassified CIA documents, the program's goals and capabilities are not entirely clear. It is possible that PARACEPT was the offensive counterpart to the defensive TEMPEST program, and that it involved intercepting and analyzing electronic signals for intelligence purposes. Based on what is known about PARACEPT, it is likely that the program involved advanced technology and sophisticated data analysis techniques, and that it operated under a high level of secrecy.

It's been over 50 years since the CIA's PARACEPT program was in operation, and it's difficult to determine exactly what capabilities it may have had during its time. However, with the advancements in technology over the past several decades, it's possible to speculate on what PARACEPT's capabilities could be if it were to be developed utilizing today's technology.

First and foremost, it's important to understand that PARACEPT was likely a program that was designed to intercept and analyze electronic signals, specifically those emitted from communication systems. With the advancements in technology, it's likely that a modern version of PARACEPT would utilize more sophisticated sensors and signal processing systems to detect and analyze these signals.

One possible capability of a modern PARACEPT program could be the ability to intercept and analyze encrypted communication signals. With the increased use of encryption in modern communication systems, it's become more difficult for intelligence agencies to intercept and analyze communications. However, if a modern PARACEPT program were designed to specifically target encrypted signals, it could potentially be able to intercept and analyze these signals to gain valuable intelligence information.

Another potential capability of a modern PARACEPT program could be the ability to track and analyze the movement of individuals based on their electronic communications. With the widespread use of mobile devices and other electronic communication devices, it's possible to track the movements of individuals based on the signals emitted by these devices. A modern PARACEPT program could potentially use this information to track the movements of individuals and gather intelligence information based on their location.

Additionally, a modern PARACEPT program could potentially be used to intercept and analyze signals from drones and other unmanned aerial vehicles (UAVs). With the increased use of UAVs in modern warfare and intelligence operations, a program that is specifically designed to intercept and analyze signals from these devices could be incredibly valuable.

It's also possible that a modern PARACEPT program could be designed to specifically target and analyze signals from social media and other online communication platforms. With the widespread use of social media, it's become a valuable source of intelligence information for many intelligence agencies. A modern PARACEPT program could potentially be designed to intercept and analyze signals from these platforms to gain valuable intelligence information.

Finally, a modern PARACEPT program could potentially be designed to work in conjunction with other intelligence gathering programs and technologies, such as satellite surveillance and facial recognition software. By combining the capabilities of these programs, a modern PARACEPT program could potentially provide intelligence agencies with a more comprehensive view of their targets and help to uncover valuable intelligence information.

In conclusion, while it's impossible to determine exactly what capabilities the CIA's PARACEPT program had during its time, it's possible to speculate on what a modern version of the program could potentially be capable of utilizing today's technology. A modern PARACEPT program could potentially be used to intercept and analyze encrypted communication signals, track the movements of individuals based on their electronic communications, intercept and analyze signals from drones and other UAVs, target and analyze signals from social media and other online communication platforms, and work in conjunction with other intelligence gathering programs and technologies to provide a more comprehensive view of intelligence targets.

Article by Ken Buckler, with significant contributions by ChatGPT. This article does not reflect the views of my employer or clients.
