🚨NEW: The Solution to Cyber Mercenaries Is Not Export Control 🚨
My first ever op-ed in @lawfareblog is out! Wanna know more about NSO, the cyber mercenary landscape, what export control even is, and why it’s not enough? Read on 🧵/
Does the word “#backdoor” seem frightening? That’s because it’s often used incorrectly – sometimes to deliberately create fear. Watch to learn the truth about backdoors and other types of network access. #cybersecurity
Life update: this week I moved across the country and started as a security engineer for @google’s Threat Analysis Group. Although I miss my incredible team at @RecordedFuture, I’m so excited for this new life chapter, learning opportunity, and especially the propeller hat 😂
So proud to announce the @Harvard @BelferCenter National Cyber Power Index! Overall rankings below - Read on for some key takeaways.
*A THREAD*
Thanks to @Cyberscoop's @shanvav for her amazing coverage (+the below image):
Report:
🚨NEW - iSoon & the Chinese cyber mercenary ecosystem 🚨
Going back to my roots with some good old fashioned China cyber analysis @Margin_Research. How is iSoon related to cyber mercenaries, and the Chinese offensive ecosystem? 🧵/ 5 findings:
I’m at a loss for words.
@defcon was an incredible time this year - thank you to the 500+ people who came out to DEFCON Hacker Court (and my first MainStage talk ever)!
I’m so grateful for the hacker community, you all make this work so worthwhile. 💕✨
🎉 Life Update: I’m starting a joint MPP/JD program between Harvard @Kennedy_School and @GeorgetownLaw this fall and am SO excited 🎉 🤩
Can’t wait to dive into cyber policy and law full time, and put my #infosec knowledge to good use!
🚨China’s offensive security firms - who are they? 🚨
Great paper by @Margin_Research showing who the big players are. (Hint: it’s not just Baidu/Alibaba/Tencent!) 🧵
Some good news during the pandemic, I got engaged! It happened a little while ago, but I’m still excited for a life with this privacy nut / my cyber security research partner in crime. 💕
🚨 NEW REPORT on surveillance vendors🚨
@LarsGjesvik, @olewillers and I have found 80+ firms likely advertising interception/intrusion capabilities at arms fairs.
[It’s not just about NSO 😉 ]
🧵 1/
Aaaaah I’m going to be on @defcon MainStage!
Myself and an incredible team of hackers & lawyers (@marilisdugas @kurtopsahl @HarleyGeiger, Rick Salgado and others!) will be reviving Hacker Court at DEFCON31 right before closing ceremonies. Please come! 🔥🔥🔥
Career pivot from infosec -> infosec lawyering feels closer than ever.
1️⃣st day at @Debevoise’s summer associate program, hoping to do cyber security / natsec work! Wish me luck 🔥
🚨Linux Kernel Security Blog🚨
Corporate, automated bug-finders in the #linux kernel- how much do we know about them?
@daveaitel @ian_roos and I look @ closed source, corporate interests in the world’s biggest open source project. THREAD 🧵
Hackers on the Hill is today! So stoked to be on Capitol Hill briefing 20 offices with 100+ hackers the best team ever 🎉 @beauwoods @SPowazek @HillHackers
(TL;DR, thread on #newyearsresolutions and #reading): Growing up, I loved books 📚. After a college career that left little time for pleasure reading, I made a New Year’s Resolution to read 30 books in 2019. I am proud to say that as of December 1st, I’ve finished 31! (1/4)
We are thrilled to announce that @__winn has joined the @wisporg board! Winnona has been WISP’s ShareTheMicInCyber scholarship program manager and we are so excited that she will now be moving into a leadership role on the board! Please join us in celebrating 🎉💐🥳
Anyone going to DEFCON next week? @DEFCONPolicy Department is putting on some incredible events, check out our schedule below! 🌟
I'll be volunteering at the track all weekend, pls come and say hi 👋
Power suit on and ready to present for the very first time at #CYBERWARCON! Hit me and @uuallan up if you want to hear about @RecordedFuture’s super cool Yemen research 💣
This is the 3rd public Chinese #CTI report calling out US cyber operations, but the *first* with IOCs. Chinese firms seem to be turning “naming and shaming” against us.
@TheOnion just submitted a brief to the Supreme Court on a First Amendment Case about parody on social media, and it is the best thing I have ever read. Buckle up: 🧵/
Today in Chinese #threatintel:
- 360CN nicknamed #APT-C-37 after #DOTA character "Ursa" (拍拍熊)
- The English translation of 拍拍熊 is also "Fuzzy Wuzzy"
- We now have an APT called "Fuzzy Wuzzy".
2 years ago I didn't think I could "make it" in #threatintel. This year, 2 pieces I co-authored made it to @RecordedFuture's #top5. I can't thank my mentors and colleagues enough for pushing and encouraging me, and can't wait to do even better in 2019! 💪
Spent my day off making a bar table out of old wine cases with the fiancé- it doubles as a display case for our nicer bottles. 🍷
Pretty proud of my second-ever woodworking project!
Was so great to debate cyber proliferation / spyware on the #CYBERUK23 stage with @ShaneHuntley and @k8em0 yesterday! Diversity of background and views are critical to solving problems in this space. 💯🙌
Link to the panel if you missed it:
Last week I drove down California’s Route 1 to sleep in a human sized birds nest under the stars. 🌌
Was it weird? Yes.
Cold with no wind cover? Also Yes.
Worth it? Absolutely. 🏕
Me, a student, 2013: “wow what’s cyber policy, let me take a free weekend to learn more about it”
Me, a student again, 2023:
“Damn can the cyber policy field just chill out for 2 seconds I have no time to read an EO, 2 joint statements and 10 malware reports”
TIL that teams competing in the @CyberStatecraft #Cyber912 challenge have made multiple meme twitter accounts, and the content is upsettingly applicable to real life threat analysis
me: “going to law school is a good investment and I won’t get out of date in the cyber policy realm”
My legal analysis prof during the Uber breach / Iran-Albania response: “ok class according to MA law, is a hot dog a sandwich?” 🥪
Partner and I finished building a smart mirror today! #RaspberryPi and some custom woodwork. Displays time, weather, and a daily compliment.
Living by the motto that couples who do #sideprojects together stay together 😍
Announcing the project I’ve been working on, led by @JuliaVoo at @Harvard! Thesis: The @BelferCyber Power Index reconceptualizes #cyberpower to reflect different objectives states pursue in national strategies, and their ability to achieve these objectives
There’s both a user security and US-China national security component here. The F35 ✈️ runs on Linux, and Huawei, a U.S. sanctioned entity, is contributing a *ton* of code to the kernel using a tool we don’t know anything about…
So excited to *compete* in @CyberStatecraft's #Cyber912 today! @BelferCyber grad students (Ghost In the Shellcode) are coming in with a power team of women in cyber security and I'm here for it 🤩
Incredible points made on the checks and balances within NSPM-13 and how additional bureaucracy will hinder the defense of the American public in cyberspace re: ops and talent. 🔥
I spend so much time online that sometimes I need to prove to myself I can build something other than software. 😂
So last week my partner and I built a cabinet out of a wine barrel 💪🍷(before and after pics for context)
As someone with a fear of heights, scaling the Half Dome cables was the scariest day of my life. 🏔
18 mile trek ✅
Made it to the top ✅
Conquered my fears (at least for one day) ✅
Recently TAG saw China APT group targeting Biden campaign staff & Iran APT targeting Trump campaign staff with phishing. No sign of compromise. We sent users our govt attack warning and we referred to fed law enforcement.
At the beginning of 2020 (despite 2020’s chaos) I made a goal to read more books 📚.
Today I’m proud to announce that I finished my 45th book, averaging almost 4 books a month!
(🧵 on lessons I learned while building this habit/ reading tips)
My college friend has a YouTube channel where he simultaneously bakes sourdough and talks about his love for compilers. This is the wholesome content I need in 2020 🍞
It's official! Bread-Eval-Print-Loop will have its first stream Oct 29, 5pm PT. We're going to learn how to mix a dough and get an overview of the compiler so far. Here is the livestream link:
Every year, @Harvard @Kennedy_School MPP students spend their last 2 weeks of class in an immersive crisis simulation exercise at the National Security Council level.
This Spring Exercise, we learned a *ton* re: #interagency, #natsec & #policy. Some lessons: 🧵/
PSA from an animal shelter volunteer: ADOPTING A DOG IS A COMMITMENT THAT WILL LAST BEYOND THE PANDEMIC!! 📣
We’re all lonely, but please do not adopt without understanding you will need to accommodate your pet even after things begin to reopen.
*A THREAD*
To all of us doomscrolling on Election Day: here’s some pictures of my 6mo puppy, Blue, to provide a little sunshine into your feed. 💛
Tbh if others want to contribute to a pet thread I’d much appreciate it!
Working on helping @girlscouts in my area obtain their #cybersecurity badge, and found that @PaloAltoNtwks did a fantastic job making the materials accessible to young girls. I wish I had this badge when I was a girl scout! 💪
Dear men in #infosec: please don’t utilize your OSINT skills to get dates. If a girl doesn’t match with you on @Tinder, it means she doesn’t want you to “shoot your shot”. 😬
My first technical analysis piece at @RecordedFuture! TL;DR:
1) Chinese backdoor with a daily 180 second entry-window found in Tibet
2) Qinghua University infrastructure, connected to backdoor, scanning #BeltandRoad partners/ US gov entities denouncing #USChinaTradeWar.
Recorded Future’s Insikt Group uncovers new #cyberespionage operations by Chinese attackers against potential and current trade partners worldwide, emanating from the infrastructure of a top Chinese university: #ThreatIntelligence #Analysis
We made a cyber policy podcast! 🎉
This semester, I sat down with my 5 best female/NB friends at the @BelferCenter to make a podcast on issues we care about/interview experts we admire. And it’s finally out!
Check out the limited 11 ep series here:
Been working on this piece with our #InsiktGroup for a while, so worthwhile to see it come out!! Good read for anyone interested in commodity malware and underground criminal forums ☺️ #ThreatIntel
In this new #analysis, Insikt Group reveals that underground communities in different languages focus on different #malware, malware categories, and attack vectors: #ThreatIntelligence
So excited that we at @wisporg partnered with @offensive_con on a scholarship to give 7 free tickets, training & travel to women in security! Applicants will be reimbursed up to $2k worth of travel costs to Germany. 🎉 Apply here for scholarship by 11/27:
So excited to be grabbing coffee with @saffronsec before @HagueTIX - pumped to hear her off the record talk on Iranian actors later tomorrow 🤫🔥
#DEFCON30 is over! Was so good to catch up with old and new friends.
Shout out to the @DEFCONPolicy team for organizing such incredible conversations, and for being the #infosec policy family I’ve always wanted. Y’all are the best.
See you next year, Vegas 💞✌🏼🏴☠️✨
2 things I’ve learned in grad school so far:
1️⃣ My classes this year cost 8 dollars a minute.
2️⃣ $40 worth of minutes each day is hijacked by classmates who have a “question, but it’s more of a statement really”
I talk more about cyber mercenaries on the latest @lawfarepodcast episode about Biden's new Executive order. Thank you @EugeniaLostri for the awesome interview! 🔥🔥🔥
reposting this bc on the day of my final exam DOJ announced a defend forward takedown of Turla malware, the EU finished its spyware inquiry, and my cyber reading backlog has reached 20 books 🥲
Me, a student, 2013: “wow what’s cyber policy, let me take a free weekend to learn more about it”
Me, a student again, 2023:
“Damn can the cyber policy field just chill out for 2 seconds I have no time to read an EO, 2 joint statements and 10 malware reports”
Explaining the differences between Russian and Chinese hackers is difficult: I've been working on this piece for a while now with my Russian analysis counterpart and am excited it's finally published! 🤩
In this new research, Insikt Group analyzes posts and interactions on criminal forums that reveal insight into the organization of Chinese and Russian #hacking communities: #DarkWeb #Analysis
Friday musings: what would be a good infosec name for a cocktail? I’ll start:
Cozy Bear 🐻: a White Russian with Cinnamon
EternalBlue: a Tiki drink with Blue Curaçao
Friends, my @GirlSecurity_ mentee Anna is in high school and loves #infosec. She’s already in college security classes, but her old computer can’t run a VM!😢
She has a gofundme to get better hardware- anything helps! If we can’t help our future who can 💕
Day 3 of @GeorgetownLaw - putting all my @defcon/@DEFCONPolicy stickers on my free law school water bottle to ✨differentiate myself✨💅
…(also to try and find any law school friends interested in infosec 👀)
Come to @BSidesNH next weekend to listen to me rant about Chinese/Russian criminal undergrounds with my @RecordedFuture partner in crime, Dan Byrnes 🤗
Sitting next to some security luminaries at the Forbes #Under30Summit! @WeldPond is speaking at 4pm, my panel is at 4:40- @0xmchow will hopefully be live tweeting some of the better sound bytes 🤟