No guys, you have to understand that RON is right to question those logs, as I did and still do too.
I am an enterprise IT engineer with over 15 years of experience and deep hands-on experience in SecOps, and I have a lot of doubts as well on those captures, and I already expressed it a bunch of times.
Few have an idea of how capture and collection works: you need hardware probes and sensors on the whole perimeter of the network, subnetworks etc. It's a complex thing to do; you can't just install software on a PC somewhere and wait for the capture.
Plus, you should be able to prove input and output traffic, eventual decryption, and much more; all of the fingerprints should have LEGAL value.
PLUS, the thing that honestly made me think it's a bluff since the first is, he shows a map with 'connections and votes switched from China and the rest of the world' and a list of IP addresses. That's nice, but the legal value is nothing.
You can't just say IP x.x.x.x coming from China attacked me so it has been them. IPs can be stolen, spoofed, hijacked, a relay, malware, botnet, or any other kind of layers are used to obfuscate the real origin of the strike.
So the question, for Mike himself, is: can you keep for yourself those 5mln, and instead of people debunking the logs, you PROVE to US where those things came from?
We'd need an honest explanation with detailed network logs (inner perimeter), probing hardware, and everything; otherwise for me it's just another waste of time (as it has been with him since the first, I still have to see something legit that makes sense about his claims).
Before judging, learn how a thing works (and I can assure you IT / SecOps on this level is not something you'll grasp in weeks or months but years) and stop trusting people just because they seem to be good; you'll never break free otherwise. Time is running out, be smart and use your energies for useful things.
With over a decade of networking experience myself, I'm glad you took the time to highlight that what we're talking about isn't as cut-and-dry as "we have these packets".
A state side agency can indeed have all of that in place as they provide / handle the network, but not a private citizen; nor, for forensics, can the entity provide that data to a private citizen.
Yep, but the point here is in the topology of the network, as basically there should be NO network ('device not connected') in the first place; then you have people that set up local networks within the buildings (LAN), outer networks in big cities probably (MAN), and the uplink to the 'internet' (WAN).
We should presume that all of the sites were configured to be in the same networks, address classes, subnets, routes, etc., but this is a high-complexity thing to do, and even if they did it (DS), you still have a problem: how did you legally get access to TAP the network and SNIFF the data?
Same applies if there was an upper-level carrier (e.g. a standard ISP, a thing I hope not): if they had a TAP in their datacentres and somehow managed to sniff the various XP from there, still, legally and forensically it has no value; on the contrary, it would invalidate the data (as a private citizen that's highly classified data, plus you would have had to hack into something, and other stuff).
The thing would be, if there was a hidden company thrown in under an EO or some special right has been given in the shadows; in that case, if they legally have the right to do it, it's another thing, but still, you would use that data in courts, you wouldn't disclose the proofs to the world.
Last thing is, to understand how a capture is done within the topology, you need to understand also how the www and networks are made. E.g. he claims that he has the IP address of the attackers, but that has no value; an IP could be disguised in many ways (VPNs, proxies, cloud pools, botnet, etc.), and also the data he has depends on whether that's encrypted or not, as you need anyway to have a corresponding action somewhere else (the 'packets' are nothing else than commands, strings, values, etc. being encapsulated and sent; you need to relate it to the underlying system). E.g. you can see an HTTP or HTTPS packet (breaking down SSL with a MITM and downgrade), like form data (a login, let's say); when you dig down into the packet, even if you can see it in clear text, you will see something like ID=userID or a full string id.loginID=[userID]&etc... (pseudocode, nothing real, just to give an example, as it depends on which type of packet / protocol it is and what the content is etc.)
So let's say I can see a call incoming from an IP and I'll say it's from China; as you see, it depends on how the whole software thing works after: it may be a login via UI (Dominion had the 'you switch folder' thing), or was it a SQL injection on the database? Or was it just some kind of exploit that causes an exception or something to allow a higher-level takeover? Having understood this, you need to match it with the systems / network logs, so normally a judge, if you can prove a similar attack, would ask the other side to provide the logs (systems, routers, switches, etc. etc. up to the top-level network/uplink), so that they can relate and match it with what happened on the system (I heard about logs with over 36k entries used to cover the tracks; in that case they can just prove that something was done to hide the truth).
I could even prove someone was flooding my servers with ping, nmap, DDoS, RPC and whatever else, but if I can't prove they breached in and did something on my systems, there is nothing that I can do (normally, it should be the victim who has to prove an attack, with the help if you want of external forensic and specific cybersec companies, not a third entity in the middle on his own will).
Hope you got the point; it's still more complex as forensics in IT are tricky, but it should give an idea.
PS: to be clear, I'm not dooming, I just like to be realistic.
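The matching step the post above describes (a source address seen by a perimeter sensor is only evidence once it is tied to a recorded action on the host) can be shown with a small correlation script. This is an added example, not code or data from the thread or from any party it discusses: the flow-record and host-log formats, the function names, the five-second window and the "known shared egress" list are all assumptions of this example, and every address comes from the RFC 5737 documentation ranges.

```python
# Added example (not from the thread): correlate network-flow records with
# host-side application logs, the matching step the poster describes.
# All data is constructed; IPs are RFC 5737 documentation addresses and the
# record formats, window and egress list are assumptions of this example.
import re
from datetime import datetime, timedelta

# Constructed flow records, as a sensor/tap at the perimeter might export them.
FLOW_RECORDS = [
    "2020-11-04T02:15:10Z src=203.0.113.45 dst=192.0.2.10 dport=443 bytes=1820",
    "2020-11-04T02:15:12Z src=203.0.113.45 dst=192.0.2.10 dport=443 bytes=9400",
    "2020-11-04T02:20:00Z src=198.51.100.7 dst=192.0.2.10 dport=443 bytes=1200",
    "2020-11-04T02:25:00Z src=198.51.100.7 dst=192.0.2.10 dport=22 bytes=400",
    "2020-11-04T03:00:00Z src=192.0.2.77 dst=192.0.2.10 dport=443 bytes=300",
]

# Constructed application log from the host itself (what the other side would be
# asked to produce so that each flow can be matched to an action on the system).
HOST_LOG = [
    "2020-11-04T02:15:11Z 203.0.113.45 POST /login user=admin result=success",
    "2020-11-04T02:15:13Z 203.0.113.45 POST /admin/export result=success",
    "2020-11-04T02:20:01Z 198.51.100.7 GET / result=200",
]

# Hypothetical list of addresses known to be shared egress points (VPN/proxy
# exits): a flow from one of these says nothing about who sat behind it.
KNOWN_SHARED_EGRESS = {"198.51.100.7"}

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)
HOST_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) ?(?P<rest>.*)$")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_flows(lines):
    flows = []
    for line in lines:
        m = FLOW_RE.match(line)
        if not m:
            raise ValueError(f"unparseable flow record: {line!r}")
        flows.append({"ts": parse_ts(m["ts"]), "src": m["src"], "dst": m["dst"],
                      "dport": int(m["dport"]), "bytes": int(m["bytes"])})
    return flows


def parse_host_log(lines):
    events = []
    for line in lines:
        m = HOST_RE.match(line)
        if not m:
            raise ValueError(f"unparseable host log line: {line!r}")
        events.append({"ts": parse_ts(m["ts"]), "ip": m["ip"], "method": m["method"],
                       "path": m["path"], "detail": m["rest"]})
    return events


def correlate(flows, events, window=timedelta(seconds=5)):
    """Attach to each flow the host events from the same source IP within +/- window.

    A flow with at least one matching host event is 'corroborated'; one with none
    is 'network_only' (traffic was seen, but nothing on the host records an action).
    """
    results = []
    for f in flows:
        matched = [e for e in events
                   if e["ip"] == f["src"] and abs(e["ts"] - f["ts"]) <= window]
        verdict = "corroborated" if matched else "network_only"
        if f["src"] in KNOWN_SHARED_EGRESS:
            note = "shared egress: origin not attributable from the address"
        else:
            note = "address alone does not identify the actor"
        results.append({**f, "verdict": verdict, "events": matched, "note": note})
    return results


def summarize(results):
    """Per source IP: how many flows exist and how many have a matching host action."""
    summary = {}
    for r in results:
        s = summary.setdefault(r["src"], {"flows": 0, "corroborated": 0, "network_only": 0})
        s["flows"] += 1
        s[r["verdict"]] += 1
    return summary


if __name__ == "__main__":
    results = correlate(parse_flows(FLOW_RECORDS), parse_host_log(HOST_LOG))
    for r in results:
        print(f"{r['ts']:%H:%M:%S} {r['src']} -> :{r['dport']} {r['verdict']:13} "
              f"events={len(r['events'])} ({r['note']})")
    print(summarize(results))
```

On the constructed data, the two flows from 203.0.113.45 line up with a login and an export on the host, the port-22 flow from 198.51.100.7 has nothing in the web log (the SSH auth log would be the next thing to request), and the flow from 192.0.2.77 stays network-only. The note field is deliberately attached to every flow: even a corroborated one only ties an action to an address, not to a person or a country.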