The CyberWire Daily Podcast 10.20.20
Ep 1197 | 10.20.20

International cyberespionage: China and Russia versus the Five Eyes and others. Google faces an anti-trust suit. Abandonware.


Dave Bittner: America's NSA reviews 25 vulnerabilities under active exploitation by Chinese intelligence services. The U.K.'s NCSC accuses the GRU of more international cyberattacks. The U.S. Justice Department brings its long-expected antitrust suit against Google. Ben Yelin examines overly invasive company Zoom policies. Our guest is Jessica Gulick from Katzcy with a visit to the Cyber Carnival Games. And a warning on abandonware.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, October 20, 2020. 

Dave Bittner: The U.S. NSA has just released an advisory warning that 25 vulnerabilities are under active exploitation by Chinese government cyber operators. All 25 vulnerabilities are well-known and have available patches and mitigations. You can find the discussions as the top entry today in the news section of 

Dave Bittner: The Guardian reports that the U.K.'s National Cyber Security Centre has disclosed that working with its Five Eyes partners in the U.S. NSA, NCSC discovered and tracked Russian plans to interfere with the postponed 2020 Tokyo Olympics. Foreign Secretary Dominic Raab said, quote, "the GRU's actions against the Olympic and Paralympic Games are cynical and reckless. We condemn them in the strongest possible terms. The U.K. will continue to work with our allies to call out and counter future malicious cyberattacks," end quote. 

Dave Bittner: The U.S. Justice Department didn't include any operations against the Tokyo Olympics in the indictment it unsealed yesterday and declined in its press conference to comment on the matter. But it seems of a piece with the Olympic Destroyer attacks mentioned in the Pittsburgh indictment, which Justice sneered, with some justice, "combined the emotional maturity of a petulant child with the resources of a nation-state," adding, "as this case shows, no country has weaponized its cybercapabilities as maliciously and irresponsibly as Russia, wantonly causing unprecedented collateral damage to pursue small tactical advantages and fits of spite," end quote. 

Dave Bittner: A second Guardian piece argues that if you want to see what unrestrained cyberwarfare looks like, the content of the U.S. indictment and the U.K. denunciation give you a pretty good idea. And while the activities the GRU stands accused of were damaging, they weren't particularly subtle. Fancy Bear has the reputation of being the noisiest of the Bear sisters, a reputation first earned after Fancy showed up in Leeroy Jenkins' (ph) fine fettle among the Democratic Party's emails back in 2016. 

Dave Bittner: Gadfly Bellingcat has an interesting observation - quote, "an example of how bumbling the Russian state is - of the six indicted hackers, three registered their cars to their military unit's address in Moscow. If you search for all of the people registering their cars to this address, you get 47 results, all probably GRU hackers," end quote. 

Dave Bittner: Well, Bellingcat's on a bit of a high horse here, but they do have a point. As they point out farther down in their Twitter thread, quote, "NSA workers don't register their vehicles to 9800 Savage Rd., Fort Meade. They register it to their home address," end quote. That they do. 

Dave Bittner: Any Department of Motor Vehicles is probably challenging enough, but imagining what it's like at the Moscow DMV would drive even the stiffest disciple of Jim Angleton (ph) into an OPSEC lapse or two. The Maryland DMV, we expect, is a lot better at customer service than the one in the Moscow Oblast. Our editorial staff has had good luck with the office up on Satyr Hill just off Joppa Road. You're welcome, NSA. 

Dave Bittner: But again, as we saw with Chinese operators yesterday, it's worth remembering that the opposition isn't really always 3 meters tall. 

Dave Bittner: A bit of a follow-up to the U.S. Justice Department's announcement yesterday that six Russian GRU officers belonging to Unit 74455, the group commonly known as Sandworm, have been indicted for cyberattacks that had global impact. The indictment alleges a wide-ranging conspiracy that wanders from Ukraine's power grid through NotPetya and all of its collateral damage to the Winter Olympics in South Korea and all the way to elections in France and other countries. 

Dave Bittner: Some of the reaction has been interesting. Johns Hopkins Professor of Strategic Studies Thomas Rid commented that since the report's incredible intel is apparently expendable, the Five Eyes, quote, "must have stunning visibility into Russia's military intelligence operations," end quote. Rid highlighted revelations that the group used a Pyongyang false flag, along with exploits allegedly developed by the U.S. National Security Agency - exploits that were eventually compromised. 

Dave Bittner: Although Moscow predictably downplayed the indictment as a poorly sourced smear, as The Washington Post reports, and the accused, of course, remain at large - they're in Russia, after all, where the American writ doesn't run - the charges serve as both a show of force and effectively a public service announcement to people considering enlisting in Russian military intelligence. The indictment also restricts hackers' access to Western markets and their ability to travel to countries that have extradition treaties with the U.S. 

Dave Bittner: This morning, the U.S. Justice Department also brought its long-expected antitrust suit against Google. Reuters reports that 11 states have joined in the suit, which it compares to the 1974 case against what we used to call, simply, the phone company that led to the breakup of AT&T's Bell System. The plaintiff says at one point, absent a court order, Google will continue executing its anticompetitive strategy, crippling the competitive process, reducing consumer choice and stifling innovation. 

Dave Bittner: The action seems to have bipartisan support, with progressives like Senator Warren, Democrat of Massachusetts, cheering from the sidelines, along with other colleagues, both Democrat and Republican. Reuters does note that the 11 states that joined the lawsuit all have Republican attorneys general. 

Dave Bittner: And finally, lest any media group hasten to consider deploying libidinal controls over its editorial conferences, Avast picks up last week's story on the malfunctioning of intimacy device - safeguard, aid? - the Qiui Cellmate, and they draw a lesson. Avoid abandonware, software that goes unmaintained because the vendors are unable to handle it, something the Internet of things seems more predisposed to spawn than other tech regions. Anyhoo, ask yourself this question - does this particular thing really need connectivity? 

Dave Bittner: Among the many things we missed out on in the summer of COVID-19 was the annual family trip to the county fair - the sights, the sounds, the smells of local 4-H-ers with their livestock, the midway rides, the fried and barbecued food, and, of course, the carnival midway, full of games of skill and chance. 

Dave Bittner: Jessica Gulick is CEO at Katzcy, a tech marketing and events company. All this month, they are running a virtual Cyber Carnival Games. The CyberWire is a media partner for the event. Here's Katzcy's Jessica Gulick. 

Jessica Gulick: We are big believers in utilizing games in order to stay motivated and keep your skills sharp as well as learn new skills. And with everybody at home and, you know, all the webinars that are going on, we wanted to do something different this October to bring a little bit of fun into everybody's lives. 

Jessica Gulick: So we reached out to our contacts at the various different game platforms and said, hey, why don't we come together and have a carnival - kind of a virtual carnival that would allow anybody and everybody to partake in some of the games throughout October? And we got a lot of excitement back from those game platforms. And so it made a lot of sense to see if we can't do this for the first time. 

Dave Bittner: You know, it struck me as I was considering this that I think everybody has their favorite carnival game. That's one of the things that I think people like about carnivals. As you make your way down the midway, pretty much everybody can find something that's for them. And I think you've set up something similar here. Can you take us through the - sort of the creation of having a variety of things that people can engage with? 

Jessica Gulick: Certainly. So we tried to make sure that we had enough games that would give variety, as you said, but also speak to different levels of skill, everybody from a normal employee who is just looking for some security awareness - what do I need to know - right? - so I can be a better employee when it comes to cybersecurity? - as well as to the hacker amongst us that is more expert-skilled and they want to just win, right? They just want to play. They just want to have fun kind of thing. 

Jessica Gulick: And so when you look at the different games that we have available to us, we have some like PacketWars. PacketWars is known in the community if you are in cybersecurity and you are a hacker. They do invitationals. They have a variety of games from very simple to very complex and more team versus team kind of "Battle Royale" style. 

Jessica Gulick: So when we were talking to Angus Blitter, who is the Packet Master, he said, why don't we have a staged event so that we can do kind of Stage 1, which is more puzzle-cracking, almost like an Easter egg hunt, if you will, and then we'll go to the second stage, which is more like find the flags, then we'll go to the third stage, which is more "Battle Royale." And then any level can start, but you've got to have expert level to make it to the end. And we loved that idea - right? - because that really allows us to tap into the most audience that we could. 

Dave Bittner: So what do you hope to take away from this? Is this something that perhaps could turn into an annual event? 

Jessica Gulick: Oh, definitely. We are expecting this to be an annual event. We've already got such a great response from the community. As of last night, we're over 400 players, and each player is playing an average of three games. So it's definitely tapped into a need in the market, if you will, a desire to play and have fun. And it's all walks of life, which is great. So we're looking forward to 2021 being a wonderful second year for the Cyber Carnival Games. 

Dave Bittner: That's Jessica Gulick from Katzcy. 

Dave Bittner: And joining me once again is Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security and also my co-host over on the "Caveat" podcast. Ben, great to have you back. 

Ben Yelin: Good to be with you, Dave. 

Dave Bittner: This article from the folks over at ZDNet caught my eye. The title is "This Company's Zoom Policy May Be The Worst I've Ever Heard" (laughter). It's written by Chris Matyszczyk. He writes the "Technically Incorrect" column over there. Ben, we talk a lot about policy stuff. This is a work policy issue here. What's going on? 

Ben Yelin: So I certainly agree with the headline here. And this is what nightmares are made of. 

Dave Bittner: (Laughter). 

Ben Yelin: Basically a - there's a workplace advice columnist in a New York publication called The Cut. And somebody wrote in to her - an anonymous employee from an anonymous employer - that this company's policy is that they have to be - every employee has to be on Zoom literally for the entire workday. And the rationale is that the boss can, you know, foster a collaborative effort. It's like being in a physical office. People don't have to send an email or a Slack message to ask questions of their coworkers, et cetera, et cetera. 

Ben Yelin: There are a couple problems I have with that right off the bat. First of all, working from home, even if you are working 7 1/2 out of the eight hours in a day, is going to capture some things that wouldn't be captured otherwise in a workplace. People have spouses. People have kids. People have pets. You know, so that would bother me. I would not want people to see what's going on in this work-from-home situation... 

Dave Bittner: Right. 

Ben Yelin: ...For all eight hours of the day, even if I, you know, am actually working for those eight hours. So that's problematic. 

Ben Yelin: And then just, you know, the stress of it. To have to be - you know, to feel like you're being watched over by your boss when it seems like this employer didn't actually have all of its employees in the same physical workspace pre-COVID just seems to me to be an excessive policy. I don't know how you feel about this, but it seemed excessive to me. 

Dave Bittner: Yeah, I agree. And I think this goes to - there's a philosophy that I tend to think is outdated, which is that, you know, if you work for me, you know, I own you from 9 to 5. And, you know, and it's one thing if you're an hourly employee and I'm paying you for your time, right? 

Ben Yelin: Right. 

Dave Bittner: But if you are a salaried employee, my philosophy is, you know, am I paying you for your time or for your talent? And I would say for a salaried employee, I'm paying you for your talent more than the number of hours that you put in. 

Dave Bittner: So this notion that - and I think having an office enabled employers, whether intentionally or not, to know where their employees were. They could keep an eye on them. They can walk by. You know, is Bob or Jane at their cubicle? Where are they? What are they doing, you know? And so I can see from a boss' point of view how that would be a desirable thing to be able to keep track of employees. 

Dave Bittner: But I think one of the things that all this work-from-home stuff has sort of laid bare is that maybe that wasn't necessary, that we're not seeing drops in productivity. We're not seeing - you know, giving people more freedom to choose their own hours and even choose where they work and how they work and, you know... 

Ben Yelin: Whether they're wearing underwear, yeah. 

Dave Bittner: Right. I was going to say pajamas, but, yeah, underwear is good, too (laughter). 

Ben Yelin: All right, all right. Yeah, yours is a little more G-rated, yeah. 

Dave Bittner: But, yeah. So this - I guess the bottom line for me is that this strikes me as an old-school and I think potentially outdated notion, particularly given what we've learned from this pandemic situation where everybody's working from home. And I think the thing that many bosses feared, which is that if I couldn't keep close eye on my employees, you know, they're just going to be running around and not getting any work done, well, that hasn't come to pass. We haven't really seen that. I think the evidence doesn't support that notion. 

Ben Yelin: Yeah, I think that's absolutely right. Another thing they mention here is if you are a boss that wants to know what your employees are doing at all times, there are less-intrusive tools you could use. I mean, people who are on Office 365, Microsoft Teams, you can monitor who's logged in at any given time. You know, I guess if you wanted to record keystrokes or something severe like that, there's probably a way you could do that. You know, if we're talking about a law firm, they're always billing a client, so you can, you know, look at how many hours in a given day a client was billed. 

Dave Bittner: Right. 

Ben Yelin: This just seems like an unfair extension of that type of logic where you're peering into somebody's home, which is just such a sacred space from both a policy perspective and a legal perspective that I do think it's overly intrusive, even if you grant that bosses have the right to know what their employees are doing at all times. 

Dave Bittner: Yeah. Well, and I think about, you know, for example, my son Jack. You know, he's doing school from home right now. They're doing remote learning. And the teachers are not allowed to require that the students have their cameras on because of privacy issues. 

Ben Yelin: Yeah. And I think that's extremely wise. We have the same policy at the University of Maryland School of Law. I think it's a very wise policy. You never know what a person's home situation is. And that home situation can be very personal. They could be taking care of kids or elderly relatives. There could just be something in a room that you don't want your boss to see, and I think that's completely justified. So, yeah, I mean, I think I completely agree with that critique. 

Dave Bittner: Maybe if the company wanted to pay to have an addition put on my house or (laughter) a little workspace... 

Ben Yelin: Yeah, exactly. Create your own room at my house. 

Dave Bittner: Yeah. 

Ben Yelin: Then maybe you can - yeah, then maybe you can peer in on it. 

Dave Bittner: Build a little home office in the backyard - you know, a little outbuilding or something like that. Then maybe we can have a conversation. But you're - if I'm working from home, you're a guest in my house. And I don't think you have the right to have unlimited access to me even during work hours. It just seems to me - it just seems like a bad management policy. It's just a bad boss, in my opinion. 

Ben Yelin: Yeah, yeah. It's a way to get your employees to strongly dislike you. Let's put it that way. 

Dave Bittner: Right, right. Exactly, exactly. 

Dave Bittner: All right. Well, again, the article is titled "This Company's Zoom Policy May Be The Worst I've Ever Heard." It's over at ZDNet. Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time, keep you informed, and it's magically delicious. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.