<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:media="http://search.yahoo.com/mrss/"><channel><title><![CDATA[Legendary Industries]]></title><description><![CDATA[Not legendary. Not an industry. Just my thoughts in longform.]]></description><link>https://legendary.industries/</link><image><url>https://legendary.industries/favicon.png</url><title>Legendary Industries</title><link>https://legendary.industries/</link></image><generator>Ghost 4.32</generator><lastBuildDate>Mon, 27 Apr 2026 09:46:01 GMT</lastBuildDate><atom:link href="https://legendary.industries/rss/" rel="self" type="application/rss+xml"/><ttl>60</ttl><item><title><![CDATA[Let's Talk About Ireland's Cyber Security Strategy]]></title><description><![CDATA[<p>Over Christmas, <a href="https://www.dccae.gov.ie/documents/National_Cyber_Security_Strategy.pdf">Ireland released its National Cyber Security Strategy for implementation between 2019-2024</a>. Considering that this was released, I believe on the 27th of December 2019, we&apos;re already a year behind, which is a fantastic start... But let&apos;s dig into the detail of it</p>]]></description><link>https://legendary.industries/irish-cyber-strategy/</link><guid isPermaLink="false">5e332d30c03dff052da847ca</guid><category><![CDATA[InfoSec]]></category><category><![CDATA[Ireland]]></category><dc:creator><![CDATA[Paddy Kerley]]></dc:creator><pubDate>Mon, 03 Feb 2020 21:35:55 GMT</pubDate><content:encoded><![CDATA[<p>Over Christmas, <a href="https://www.dccae.gov.ie/documents/National_Cyber_Security_Strategy.pdf">Ireland released its National Cyber Security Strategy for implementation between 2019-2024</a>. Considering that this was released, I believe on the 27th of December 2019, we&apos;re already a year behind, which is a fantastic start... 
But let&apos;s dig into the detail of it and see where we stand going forward on the issue.</p><p>And I can&apos;t stress this enough. I do not want this to be seen as a hit piece against anyone at the NCSC, NSAC, An Garda S&#xED;och&#xE1;na, the Irish Defence Forces or anyone else in the national security apparatus of Ireland. I have met several of them over the past few years, and they are passionate and deeply care about the mission of protecting Ireland from cyber threats. It is not their fault that, while they collectively work hard on information security issues, they are plagued by problems like being underpaid compared to others in the private sector and international colleagues, being under-resourced, and having to deal with successive governments who have had no vision or care for information security and its importance in the modern era.</p><p>This is a long post, so if you want the gist of my thoughts and you want to skip the detail, the final section has a summation of my thoughts and some form of a conclusion.</p><!--kg-card-begin: markdown--><h1 id="2vision">2: Vision</h1>
<!--kg-card-end: markdown--><p>The vision of the document is pretty standard. It is based around <em>Protect, Develop and Engage</em>, which you will see in other cyber security strategy documents. The protection aspect is based around protecting the State, the people of Ireland and the critical infrastructure of the State. It&apos;s pretty standard aspirational language to say this is where we would love to be in 2024 in an aspirational document. Not much more to add.</p><p>Personally, I would love to see how we plan to find a balance of risks and costs because historically, the Irish Government has chosen the cheap option that does not account for risks.</p><p>I would also love to know more details about developing the capacity of the state in the 5th Domain because everyone that I have talked to about this, be they cyber security students, lecturers, industry professionals or friends elsewhere, thinks working for the government on information security matters is insanity when I could be working elsewhere doing my best work and getting better paid for my work too. How do you plan to develop the capacity when it appeals only to those who see the mission of protecting the state as more important than pay, and people who look at the world that way are few and far between?</p><p>Finally, to engage others nationally and internationally on a free and open cyberspace. This is a goal I&apos;m 100% behind because alone, we will not be able to solve all the issues we face. Working internationally will also allow us to develop key skills and finally, another goal is to integrate cyber into our diplomacy where we have secure missions to other nations that have the capacity to help other nations develop some of the capabilities that we have.</p><!--kg-card-begin: markdown--><h1 id="3objectives">3: Objectives</h1>
<ul>
<li>
<p>To continue to improve the ability of the State to respond to and manage cyber security incidents, including those with a national security component</p>
</li>
<li>
<p>To identify and protect critical national infrastructure by increasing its resilience to cyber attack and by ensuring that operators of essential services have appropriate incident response plans in place to reduce and manage any disruption to services</p>
</li>
<li>
<p>To improve the resilience and security of public sector IT systems to better protect data and the services that our people rely upon</p>
</li>
<li>
<p>To invest in educational initiatives to prepare the workforce for advanced IT and cybersecurity careers</p>
</li>
<li>
<p>To raise awareness of the responsibilities of businesses around securing their networks, devices and information and to drive research and development in cyber security in Ireland, including by facilitating investment in new technology</p>
</li>
<li>
<p>To continue to engage with international partners and international organisations to ensure that cyber space remains open, secure, unitary, free and able to facilitate economic and social development</p>
</li>
<li>
<p>To increase the general level of skills and awareness among private individuals around basic cyber hygiene practices and to support them in this by means of information and training</p>
</li>
</ul>
<!--kg-card-end: markdown--><p>As goals in an aspirational document, these are fine. Personally, the key to this is the educational component. The pipeline of students doing cyber security is incredibly narrow, in part because of a small number of lecturers to teach the courses and in part because until very recently, ITB, now TU Dublin, was the only place to get a solid education in cyber. You could have a single module on it from various different colleges and universities, but you skimmed a huge area in a semester or went to places like Trinity and Letterkenny, which have societies to fill the gap that they both see in their education. And when <a href="https://zerodays.ie/">Zero Days CTF</a> comes around every year, the vast, vast, vast majority of people taking part in the competition are current and former students from TU Dublin @ Blanchardstown, Trinity College Dublin and Letterkenny IT, which is no coincidence.</p><p>Staying on education, educating all sectors of the economy on the issues that they face will also be key. I don&apos;t know how best to accomplish this, but we have an economy where the vast number of people employed are employed in small and medium enterprises, and these companies in the modern era are built on data. If anything were to happen to the database that stored this business-critical information, like a ransomware attack, it could shut down companies and that&apos;s no hyperbole. <a href="https://www.zdnet.com/article/company-shuts-down-because-of-ransomware-leaves-300-without-jobs-just-before-holidays/">It&apos;s already happened</a>. And not just that, if you follow ransomware, it&apos;s happening, all day, every day, everywhere and we&apos;re potentially one catastrophic zero-day away from having sectors or industries come to a halt. 
And there are very few companies that can handle something like that. I believe historically it&apos;s been <a href="https://darknetdiaries.com/episode/30/">Saudi Aramco</a>, <a href="https://www.cyberscoop.com/notpetya-ransomware-cost-merck-310-million/">Merck</a>, <a href="https://www.forbes.com/sites/leemathews/2017/08/16/notpetya-ransomware-attack-cost-shipping-giant-maersk-over-200-million/">Maersk Line</a> and the <a href="https://www.telegraph.co.uk/technology/2018/10/11/wannacry-cyber-attack-cost-nhs-92m-19000-appointments-cancelled/">NHS</a> that have weathered such a storm, and they did so not only because they had the know-how to deal with such an issue and were somewhat prepared, but also because they had the cash reserves on hand required to deal with such attacks.</p><p>Education will also be key to dealing with the issues the general public faces from general cyber crime threats as in my personal experience, across nearly all age ranges there is very little conception of the threats they face, and arguably worse, what to do about such threats. And as someone who has tried to educate those who are not familiar with cyber security, the biggest problem I have personally found, and I think it will be a major headache, is going to be giving actionable information to people so that they can proactively raise their defence posture. It&apos;s all well and good telling a 60-year-old to use a password manager, but it&apos;s one thing to tell someone to use it and another to explain why they need to use it and how they should use it as simply as possible. </p><p>And this actionable information, whatever it is, is going to create narrow, technical, sniping arguments in the community because this is how we have operated as a discipline for the longest time, which means that even if it works for the threat model, people may ignore the advice as noise rather than signal. 
But as professionals, we also need to be aware of the threat model that others are using and not apply it to ourselves, and we need to stay abreast of the latest information and how that applies to threat models, as advice like not writing down passwords is garbage advice in the modern era. </p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://legendary.industries/content/images/2020/02/slide_sample.PNG" class="kg-image" alt loading="lazy"><figcaption>Google&apos;s account security czar on writing down your passwords, from a slide I have on the basics of Privacy and Security.</figcaption></figure><p>Finally, on education, we also need to start adequately funding third level. It&apos;s good that we are putting computer science into second level, but there is a shortfall in spending on third level that some say <a href="https://www.independent.ie/business/budget/budget-2019-10-things-to-know-about-education-measures-amid-warning-of-growing-third-level-crisis-37400570.html">is approaching crisis levels</a>, and since our economy is built on knowledge, this in general is not something that we can allow to happen.</p><p>With a start on education and a wider pipeline of people coming into the industry, we can then start to look at other goals we have in mind. The major issue is that there will be a lag time that we cannot afford between now and education coming online. The only solution to this is to attract the talent needed from the private sector and the bottom line, like it or not, is that there is a huge pay gap between what the private sector can afford and what the government will pay you. When I graduate at the end of this semester, my starting wage as a graduate in cyber security roles will exceed what a public sector wage would be by a significant margin. 
While it is a pay cut I would be willing to make in the national interest, I am in a very small minority.</p><!--kg-card-begin: markdown--><h1 id="41strategicrisks">4.1: Strategic Risks</h1>
<!--kg-card-end: markdown--><p>While I have been quite critical up to now, this is where for a brief moment things look up. There is actually an element of strategy here. The government is aware that Great Power Politics is back in vogue again and that this creates certain threats and risks at a global geopolitical level and it has an impact on international relations and international security. Specifically, the threats to Ireland are on trade and the impact of influence over technology vendors; Ireland, which has a small, open, vulnerable economy with a lot of multinational technology vendors, is vulnerable to a change in trade or technology winds. </p><p>All of these technology vendors in Ireland host a large proportion of European citizens&apos; data and the infrastructure required to host all of this data. This data we host means that we will have to secure some of the most important critical infrastructure in Europe and be aware that these are critical to the functioning of our economy.</p><p>Ireland is also aware and makes it extremely clear that;</p><blockquote>Recent years have seen the development and regular use of very <strong>advanced tools for cyber enabled attacks</strong> and espionage, and, <strong>likely for the first time, the physical destruction of Critical National Infrastructure by cyber enabled means</strong>. As such, the field of cyber security is <strong>characterised by an ongoing and high stakes technological arms race</strong>, ...</blockquote><p>We are aware that other nations are flexing their cyber muscles with cyber tools like the Great Cannon, Stuxnet, Flame, BlackEnergy and Triton and that this is part of an ongoing arms race between the actors that are leading the charge of great power politics and also that these tools generally go after critical infrastructure. Though curiously, while we call it an arms race, and we mention no tools, we do not call them arms or weapons when reasonably, under some definitions, you could. 
</p><p>What is unfortunate is that while we are aware of the great power politics and the ongoing arms race;</p><blockquote>... that any single State can only exercise a degree of control over the operation of the network in its territory</blockquote><p>While this is indeed true, this misses a critical point: while in an open, liberal nation like Ireland it is difficult to dictate how private industry should do procurement of their infrastructure, this does not mean that the government cannot play a role in advising the private sector on what infrastructure they buy, or even use the sovereign powers of a government to prevent the purchase of infrastructure or level the market playing field if it is uneven or if it does endanger national security;</p><!--kg-card-begin: html--><blockquote class="twitter-tweet"><p lang="en" dir="ltr">&#x201C;We&apos;re committed to Huawei, they have been a good supplier&#x201D;<br><br>Yes, because the Chinese government are subsidizing your cheap business model via them and the trade off is you let their shitty product spy on your customers. <a href="https://t.co/DD6QtuyAyw">https://t.co/DD6QtuyAyw</a></p>&#x2014; Defence Ireland (@DefenceIreland) <a href="https://twitter.com/DefenceIreland/status/1223145302242340865?ref_src=twsrc%5Etfw">January 31, 2020</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script><!--kg-card-end: html--><!--kg-card-begin: html--><blockquote class="twitter-tweet" data-conversation="none"><p lang="en" dir="ltr">So the Chinese government subsidize them, and they subsidize <a href="https://twitter.com/eir?ref_src=twsrc%5Etfw">@eir</a> who then put their shitty product in their network so they can compromise their customers. Customers like the Guards. 
<a href="https://t.co/W1sMmQszEj">pic.twitter.com/W1sMmQszEj</a></p>&#x2014; Defence Ireland (@DefenceIreland) <a href="https://twitter.com/DefenceIreland/status/1223147747009843200?ref_src=twsrc%5Etfw">January 31, 2020</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script><!--kg-card-end: html--><!--kg-card-begin: html--><blockquote class="twitter-tweet" data-conversation="none"><p lang="en" dir="ltr">What&#x2019;s worse is that the <a href="https://twitter.com/eir?ref_src=twsrc%5Etfw">@eir</a> CEO <a href="https://twitter.com/carolan_lennon?ref_src=twsrc%5Etfw">@carolan_lennon</a> is going around citing that they have the Garda mobile contract when asked about Huawei security concerns by <a href="https://twitter.com/adrianweckler?ref_src=twsrc%5Etfw">@adrianweckler</a> as if its an endorsement. How long have they got the contract and was it before Huawei concerns arose?</p>&#x2014; Defence Ireland (@DefenceIreland) <a href="https://twitter.com/DefenceIreland/status/1223148807573078021?ref_src=twsrc%5Etfw">January 31, 2020</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script><!--kg-card-end: html--><p></p><p>It does not mean the government has a fig leaf for allowing the stupidity that is the body charged with protecting the national security of Ireland using subsidized, cheap Chinese network equipment on the Eir network. It is an issue so grave that in the UK <a href="https://www.gov.uk/government/news/new-plans-to-safeguard-countrys-telecoms-network-and-pave-way-for-fast-reliable-and-secure-connectivity">Huawei&apos;s equipment placement in the network is extremely restricted</a> and its products <a href="https://www.whitehouse.gov/presidential-actions/executive-order-securing-information-communications-technology-services-supply-chain/">are effectively banned on networks in the United States</a>, both for national security concerns related to what they know about Huawei. 
While you can argue about how much risk the UK is taking onboard vs the US approach, at least the UK had a discussion on the pros and cons and settled on an approach for good or ill. We didn&apos;t; we just let it happen, and that has really mortgaged our future national security for a cheaper present installation of infrastructure. We didn&apos;t discuss the risks and adopted it, no questions asked, into the body charged with protecting our national security. That is a travesty that we cannot let continue if we are to take our national security seriously. </p><p>In some cliff notes, the government is aware of the issues that IoT devices could cause to security on a broad scale. The government is not willing to pursue <em>an intrusive system of monitoring</em>, there is a general issue around the openness of publicizing cyber attacks, even to the government, and finally, the Government has set up the National Security Analysis Centre (NSAC) to assess technology in national security areas so that the government can receive good advice on the strategic threats we face as a nation.</p><!--kg-card-begin: markdown--><h1 id="42hybridthreats">4.2: Hybrid Threats</h1>
<!--kg-card-end: markdown--><p>Hybrid Threats are; </p><blockquote>... multidimensional, combining coercive and subversive measures, using both conventional and unconventional tools and tactics (diplomatic, military, economic, and technological) to destabilise the adversary.</blockquote><p>In simpler terms, they are disinformation campaigns aimed at destabilizing and in general are difficult to counter by their nature. While they can use various techniques, the most common is the hack-and-dump method that Russia used extensively during the US Presidential Election of 2016. The EU is much closer to Russia than the US is, and <a href="https://www.nytimes.com/2007/05/29/technology/29estonia.html">countries like Estonia have been dealing with such <em>hybrid war</em> going back as far as 2007</a>.</p><p>While I am by no means an expert on electoral security or hybrid warfare, I do see this as a massive threat. Ireland has, even throughout the Great Recession, had a mostly stable, open, liberal democracy and that could be a major factor in continuing to attract companies to come to Ireland in the wake of Brexit and if there is to be a more unified tax policy in Europe. It is good to know that at least we have a working group thinking about these issues and that we are contributing to European efforts to fight off disinformation and hybrid warfare and I hope that we are doing more than thinking and issuing a report with some thoughts in it and that if there are recommendations, they are followed as this is crucial to the future of our small nation.</p><p>Though someone on Twitter who does know a great deal more about this is far from impressed;</p><!--kg-card-begin: html--><blockquote class="twitter-tweet" data-conversation="none"><p lang="en" dir="ltr">The nod towards hybrid threats is frankly either pretty lazy or pretty incompetent. 
Nothing in here suggests the <a href="https://twitter.com/hashtag/Irish?src=hash&amp;ref_src=twsrc%5Etfw">#Irish</a> state is prepared to put in place the structures necessary to build intelligence on, analyse and counter false narratives and disinformation etc. <a href="https://t.co/E07iVQDvxg">pic.twitter.com/E07iVQDvxg</a></p>&#x2014; Rory Byrne (@roryireland) <a href="https://twitter.com/roryireland/status/1210591825037320193?ref_src=twsrc%5Etfw">December 27, 2019</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script><!--kg-card-end: html--><p></p><!--kg-card-begin: markdown--><h1 id="43criticalnationalinfrastructureandpublicsectorsystemsanddata">4.3: Critical National Infrastructure and Public Sector Systems and Data</h1>
<!--kg-card-end: markdown--><p>The Government&apos;s strategy until now has been that of risk reduction in the areas of</p><blockquote><em>energy, transport, banking, financial market, health, drinking water supply and distribution and digital infrastructure</em></blockquote><p>Which are defined in <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1505297631636&amp;uri=COM:2017:476:FIN">Annex II of the EU&apos;s Directive on security of network and information systems (NIS Directive)</a>. And also online services, listed below, which are defined in Annex III of the same document</p><blockquote>online marketplace, online search engine and cloud computing service</blockquote><p>While the Irish Government&apos;s document does not make clear what they mean by reduction of risk (it isn&apos;t an information security term), the NIS Directive makes clear that it is the common risk mitigation strategy. It is also clear that while the NIS Directive covers certain sectors of importance, there is awareness that mitigating risks does not eliminate risk nor does it account for unknown unknowns. And that while the NIS directive does cover these sectors, it appears that an inventory of infrastructure has been done so that they are aware that the NIS directive does not cover all the infrastructure deemed critical and that some critical infrastructure is interdependent on other critical infrastructure such as the energy sector powering most of the other NIS sectors. </p><p>It&apos;s disappointing that the only real paragraph they have on securing public sector systems says that some departments and agencies are ISO 27001 compliant while others aren&apos;t and there&apos;s no mention of doing anything about the other departments and agencies. 
There are governance issues around classified information, be it Irish, shared with Ireland or stored in Ireland for whatever reason, and plans are underway to deal with this issue.</p><p>And finally;</p><blockquote>The nature of these networks and technology is relevant also; being software defined and virtualised means that new types of security measures will likely be required in this sector to ensure the security of both the 5G network and of the services dependent on it.</blockquote><p>At least the government appears aware that traditional threat models and defensive mechanisms will not work for 5G.</p><!--kg-card-begin: markdown--><h1 id="appendix1actions">Appendix 1: Actions</h1>
<!--kg-card-end: markdown--><p>This has been an extraordinarily long post by my standards so I&apos;m not going to go point by point across all actions proposed, only the ones that I think are worth mentioning, but you can read them if you so desire in the document. Though I may not discuss the timeframes as I know that they have slipped already given the release date of the document.</p><blockquote><strong>Measure 1: The National Cyber Security Centre will be further developed, particularly with regard to expand its ability to monitor and respond to cyber security incidents and developing threats in the State.</strong></blockquote><p>Great idea and I really hope that it gets up and running sooner rather than later. Monitoring attacks in the state and gaining visibility into the threats that the state faces, as well as being able to fuse our data with that of international partners, is key to protecting even the most basic of services provided by the government and is essential in staying abreast of emerging threats internationally. I worry, though, what 24/7/365 staffing of such an organization would look like and how it is intended to be staffed.</p><blockquote><strong>Measure 2: Threat intelligence and analysis prepared by the National Cyber Security Centre will be integrated into the work of the National Security Analysis Centre.</strong></blockquote><p>This is a common sense measure, but an important one and one that should have been done when both bodies were set up. If we have a body working on analysing threats to national security, you need to feed them adequate intelligence so that they can accomplish their mission. 
This also probably benefits from Measure 6 which will further develop threat intelligence efforts at the NCSC.</p><blockquote><strong>Measure 4: The NCSC, with the assistance of the Defence Forces and An Garda S&#xED;och&#xE1;na, will perform an updated detailed risk assessment of the current vulnerability of all Critical National Infrastructure and services to cyber attack.</strong></blockquote><p>This is basically a plan to deepen the vulnerability assessment of critical infrastructure, which is well warranted as we are living in a post-Triton world where the threat landscape has expanded to include devices that were previously considered systems that would not be attacked.</p><blockquote><strong>Measure 5: The existing Critical National Infrastructure protection system will be expanded and deepened over the life of the Strategy to cover a broader range of Critical National Infrastructure, including aspects of the electoral system.</strong></blockquote><p>Measure 3 is not worth mentioning as it&apos;s basically just complying with an EU Directive but it feeds into this measure which is to say that while the NIS misses some aspects in infrastructure which we deem critical, we should assess the risks to all of our critical infrastructure.</p><blockquote><strong>Measure 7: Government will introduce a further set of compliance standards to support the cyber security of telecommunications infrastructure in the State.</strong></blockquote><p>Well, that&apos;s vague... 
It&apos;s based on <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32018L1972">Directive 2018/1972</a> from the EU and the key thing that needs to be done at a high level is the following from paragraph (94);</p><blockquote>Security measures should take into account, as a minimum, all the relevant aspects of the following elements: as regards security of networks and facilities: physical and environmental security, security of supply, access control to networks and integrity of networks; as regards handling of security incidents: handling procedures, security incident detection capability, security incident reporting and communication; as regards business continuity management: service continuity strategy and contingency plans, disaster recovery capabilities; as regards monitoring, auditing and testing: monitoring and logging policies, exercise contingency plans, network and service testing, security assessments and compliance monitoring; and compliance with international standards.</blockquote><p>That may come from EU law but my god, there&apos;s more strategy in what the major issues are in that paragraph than nearly the entire document released by the Irish Government and that directive covers more of the wide spectrum of threats we face.</p><p>And a little late if you&apos;re worried about Huawei 5G equipment, it&apos;s a shame that the Irish Government is adopting regulations designed to deal with <em>security of supply, access control to networks and integrity of networks</em> and <em>security incident detection capability, security incident reporting and communication</em> AFTER such equipment has been adopted and when it is unknown if such equipment has a secure supply chain, can maintain network integrity or has adequate logging because the UK, even though they have allowed Huawei to operate at a restricted capacity in the 5G network, <a 
href="https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/727415/20180717_HCSEC_Oversight_Board_Report_2018_-_FINAL.pdf">the UK NCSC are by no means impressed with Huawei gear</a>.</p><blockquote><strong>Measure 8: The NCSC will develop a baseline security standard to be applied by all Government Departments and key agencies.</strong></blockquote><p>Is this a case of <a href="https://xkcd.com/927/">XKCD 927</a> or is this adopting ISO 27001 across the board? Measure 10 also covers this where the heads of IT in each dept will work with the NCSC to deploy this security baseline, whatever it is.</p><blockquote><strong>Measure 9: The existing &#x2018;Sensor&#x2019; Programme will be expanded to all Government Departments, and an assessment will be conducted by the same date as to the feasibility of expanding Sensor to cover all of Government networks.</strong></blockquote><p>This genuinely scares me. When I was doing CCNA Cybersecurity Operations, sensors are defined in 5.2.1.8 as;</p><!--kg-card-begin: markdown--><blockquote>
<p>IDS and IPS technologies share several characteristics, as shown in the figure. IDS and IPS technologies are both deployed as sensors. An IDS or IPS sensor can be in the form of several different devices:</p>
<ul>
<li>A router configured with Cisco IOS IPS software</li>
<li>A device specifically designed to provide dedicated IDS or IPS services</li>
<li>A network module installed in an adaptive security appliance (ASA), switch, or router</li>
</ul>
</blockquote>
<!--kg-card-end: markdown--><p>I have also, though, seen sensors as honeypots or canary tokens, but I really hope it&apos;s not the traditional definition I know as a sensor because the thought that in 2020, we have government networks that have no IDS or IPS whatsoever is a scary thought... Does that extend as far as firewalls also?! I can&apos;t imagine that&apos;s the case but I would consider the deployment of both mandatory in this day and age.</p><blockquote><strong>Measure 11: The NCSC will be tasked by Government to issue Recommendations with regard to the use of specific software and hardware on Government IT and telecommunications infrastructure.</strong></blockquote><p>100% on board with this! But as I said before, maybe we should have thought about this just a little earlier when it came to telecommunications and this might be a great opportunity to look into FOSS and what it could offer as well as what other vendors have to offer.</p><blockquote><strong>Measure 12: Government will continue to ensure that second and third level training in computer science and cyber security is developed and deployed, including by supporting the work of Skillnets Ireland in developing training programmes for all educational levels and supporting SOLAS initiatives for ICT apprenticeship programmes in cyber security.</strong></blockquote><p>There&apos;s not much more to say here. Integrating cyber across all second level and above education, in as broad a spectrum as possible, is a commendable initiative! 
I just wish we had more in the way of detail.</p><blockquote><strong>Measure 13: Science Foundation Ireland (SFI) will promote cyber security as a career option in schools and colleges by means of their Smart Futures Programme.</strong></blockquote><p>The fact that we aren&apos;t speaks volumes.</p><blockquote><strong>Measure 14: Science Foundation Ireland along with DBEI and DCCAE, will explore the feasibility through the SFI Research Centre Programme, the Research Centre Spoke programme or other enterprise partnership programmes to fund a significant initiative in Cyber Security Research.</strong></blockquote><p>This shouldn&apos;t be to <em>explore the feasibility</em> of a Cyber Security Research Centre. This should just simply be to set up a Cyber Security Research Centre. End of. It shouldn&apos;t be a question, because if we want to promote cyber as a public sector, private sector or academic career path, you can&apos;t think about it in terms of maybe. It has to be in terms of doing. A combination of this with Measure 15 and Measure 16 could be beneficial, as links between the public and private sectors and academia to design and build the technology and do research into what is needed going forward are an important step.</p><blockquote><strong>Measure 17: We will reinforce Ireland&#x2019;s diplomatic commitment to cyber security, including by stationing cyber attach&#xE9;s in key diplomatic missions and by engaging in sustainable capacity building in third countries.</strong></blockquote><p>I genuinely think this is fantastic! Hire people to work in a diplomatic capacity to share out skills with the rest of the world! I would drop my life to work on something like this, I believe in it so much. It&apos;s the cyber equivalent of Peace Keeping and it&apos;s a genuinely commendable initiative. 
I just hope that we can have enough staff so that we can staff all the posts we will need to in Ireland and working on diplomacy globally.</p><blockquote><strong>Measure 18: We will create an interdepartmental group (IDG) on internet governance and international cyber policy to coordinate national positions across Departments.</strong></blockquote><p>Can we lead a global Arms Control initiative for cyber like we did for <a href="https://www.ireland.ie/global-diaspora/stories/ireland-and-nuclear-disarmament.php">nuclear weapons</a>? There&apos;s already the start of a framework for this in Microsoft&apos;s <a href="https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW67QH">Digital Geneva Convention</a> and I will totally go and get a <a href="https://www.nonproliferation.org/education/">Master of Arts in Nonproliferation and Terrorism Studies</a>! I&apos;ve kinda already been accepted into the course I want to do;</p><!--kg-card-begin: html--><blockquote class="twitter-tweet"><p lang="und" dir="ltr">YES!</p>&#x2014; Jeffrey Lewis (@ArmsControlWonk) <a href="https://twitter.com/ArmsControlWonk/status/1217621640135077888?ref_src=twsrc%5Etfw">January 16, 2020</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script><!--kg-card-end: html--><p></p><blockquote><strong>Measure 19: We will deepen our existing engagement in international organisations, including by joining the Cyber Security Centre of Excellence (CCD-COE) in Tallinn, Estonia.</strong></blockquote><p>I think Rory says all that needs to be said here and I hope we do get a volunteer corps of some kind, though I do think this is a welcome development and something we should do more of. Working alone on the same issues as everyone else</p><!--kg-card-begin: html--><blockquote class="twitter-tweet" data-conversation="none"><p lang="en" dir="ltr">Joining CCD-COE is a welcome development. Sending one person is hardly that revolutionary. 
An opportunity for the state to doing something really farsighted and leap ahead by embracing the Estonian Cyber Volunteer concept was missed. <a href="https://t.co/KPjp5M9g6h">https://t.co/KPjp5M9g6h</a> <a href="https://t.co/POhWzgGSHn">pic.twitter.com/POhWzgGSHn</a></p>&#x2014; Rory Byrne (@roryireland) <a href="https://twitter.com/roryireland/status/1210594399262007296?ref_src=twsrc%5Etfw">December 27, 2019</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script><!--kg-card-end: html--><p></p><!--kg-card-begin: markdown--><h1 id="whatsmissing">What&apos;s Missing?</h1>
<!--kg-card-end: markdown--><p>You could say a lot is missing but really... The only thing missing is the human factor. There are ideas and technologies that could be implemented, but to run the JSOC, you need people to sit in chairs and analyse events as they arise and you need them there all of the time. There needs to be a rapid scale up in the numbers of people working at the different bodies across the nation on cyber security and national security issues and the only way you&apos;re going to get that is by getting the people to work the problem.</p><p>And I&apos;m not alone though. I&apos;ve used <a href="https://twitter.com/roryireland/status/1210591796084068353">Rory Byrne&apos;s thread on twitter</a> already in this, but the whole thread is worth the read rather than the select few tweets I have shown, and I do want to show some more from him as well as others on more stuff that&apos;s missing;</p><!--kg-card-begin: html--><blockquote class="twitter-tweet" data-conversation="none"><p lang="en" dir="ltr">There is no mention of recreating the very successful model of the UK NCSC Cyber Security Information Sharing Partnership (CiSP). 
So a key way to broaden and engage stakeholders from the wider business, NGO etc community on day to day threat sharing is lost.</p>&#x2014; Rory Byrne (@roryireland) <a href="https://twitter.com/roryireland/status/1210591827230908416?ref_src=twsrc%5Etfw">December 27, 2019</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script><!--kg-card-end: html--><!--kg-card-begin: html--><blockquote class="twitter-tweet" data-conversation="none"><p lang="en" dir="ltr">There is no mention of reconfiguring and enhancing state structures such as the Garda and Defence Forces to be able to increase their large gaps in recruitment, training and retention of staff.</p>&#x2014; Rory Byrne (@roryireland) <a href="https://twitter.com/roryireland/status/1210591828522754051?ref_src=twsrc%5Etfw">December 27, 2019</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script><!--kg-card-end: html--><!--kg-card-begin: html--><blockquote class="twitter-tweet" data-conversation="none"><p lang="en" dir="ltr">Regarding education and building the cyber experts of the future. The strategy is lazy and fails to even bother looking at some of the oustanding initiatives across the water. We are patting ourselves on the back for some pretty mediocre resources compared to UK Cyberfirst etc. <a href="https://t.co/dkxJISeQo6">pic.twitter.com/dkxJISeQo6</a></p>&#x2014; Rory Byrne (@roryireland) <a href="https://twitter.com/roryireland/status/1210593197220646912?ref_src=twsrc%5Etfw">December 27, 2019</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script><!--kg-card-end: html--><p></p><!--kg-card-begin: markdown--><h1 id="wrappingthisup">Wrapping This Up</h1>
<!--kg-card-end: markdown--><p>What I find really frustrating about this strategy is that it appears that behind the scenes a lot of work has been done by the right people to identify the problems and lay them out in a coherent fashion, including an annex of actions. You could almost say I had a glowing review of most elements with all but a few items, like the Guards contract with Eir, where I was at least constructive in my criticism.</p><p>But the wheels come off the strategy bus when you look at the ambition the plan shows in the annex of actions. Some of them come down to just following the law, basically defeatedly saying that we have to because we don&apos;t have a choice. Or that we recognize that X is an issue and this will be solved with public information campaigns or with more third level graduates, but it does not account for the lag time between now and those graduates coming online and how that gap is to be plugged, or for the recognition that educating the general public on general cyber security matters is a difficult challenge that even experienced professionals fail at a large majority of the time.</p><p>And on the education front, maybe we need to look at what other nations are doing like the <a href="https://www.acq.osd.mil/cmmc/docs/cmmc-overview-brief-30aug19.pdf">Cybersecurity Maturity Model Certification (CMMC) in the US</a>. It&apos;s a way in which you can begin the process of building a cyber capability within an organization through bootstrapping and adding capabilities over time and requires formal certification to make sure you meet the requirements of each level of the certification. 
This kind of approach will gradually raise the bar for security across the whole sector of defence contractors over time in the US.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://legendary.industries/content/images/2020/02/slide_sample-1.PNG" class="kg-image" alt loading="lazy"><figcaption>The levels of security in the Cybersecurity Maturity Model Certification</figcaption></figure><p>There&apos;s no mention of how we could even consider the cost of this or where the money should be raised for it. Or if it&apos;s worth using something like the <a href="https://isif.ie/" rel="noopener">Ireland Strategic Investment Fund</a> to provide funding for some of the grand scale, long term projects listed in this. The strategy isn&apos;t aware that this might need a strategic funding source that isn&apos;t from the daily budgets of the Department of Defence or the Department of Communications, Climate Action and Environment or the Department of Justice and Equality. </p><p>It is a strategy, but it lacks ambition and arguably a grounding in the realities of how dynamic information security is and how statically we seem to see the problems at a national level. We realize they are there but we think that they can be solved with little change when historically the implementation of deep and far reaching operational security measures has required organizational sea changes. Or how we plan to integrate cyber into more of what we do since that&apos;s what we really need to do, to effectively tackle this issue head on and to be able to think about these issues in the modern, broad sense since it is an issue that affects everyone.</p><p>Maybe it&apos;s too short term to accomplish wider goals? Maybe I expect too much of what&apos;s politically possible in Ireland? Or maybe I see issues like the fact that these missions are spread out across multiple bodies being the issue but the civil service does not? 
Maybe we should look at utilizing the Department of Defence more fully and make it a full cabinet position again with its remit being that of National Security and move bodies like the NCSC, NSAC, the Defence Forces and the national security elements of An Garda S&#xED;och&#xE1;na all in under one roof? I don&apos;t know what all the answers are, but what I do know is that we need to start looking for better answers.</p><!--kg-card-begin: markdown--><hr>
<!--kg-card-end: markdown--><p>And just to show that I&apos;m not some arsehole on the internet throwing stones at glass houses, this is an issue I really worry about and I think we are not doing enough on, nor are we really prepared for at a national level and for the betterment of the nation, I will happily give 5 to 10 years and maybe even more, to the NCSC, the NSAC, the Defence Forces, An Garda S&#xED;och&#xE1;na, being a CCD-COE representative or working as one of the cyber attach&#xE9;s mentioned in Measure 17, working on these issues in Ireland or with international partners at home or in far flung postings and accept whatever pay cut I have to take compared to my fellow graduates when I graduate from college at the end of the current semester because this is the hill I intend to die on.</p><p>I have said something to that effect every time I have made this commitment to the above agencies, every time I have met them throughout my time in college and have always been referred to Public Jobs where they never seem to hire anyone. 
So I will look forward to <a href="https://www.nssi.ie/">Sl&#xE1;nd&#xE1;il 2020</a> where I will continue to meet people in these bodies and continue to attempt to join their efforts.</p>]]></content:encoded></item><item><title><![CDATA[I Was On the Arms Control Wonk Podcast Talking About Investigating The PS752 Shootdown With OSINT]]></title><description><![CDATA[<p>As I&apos;ve mentioned in previous posts, I&apos;ve used the Arms Control Wonk Podcast Slack as the basis for starting several of my own investigations into various different things and recently myself and some of the guys on Slack investigated the shootdown of PS752 over Iran by</p>]]></description><link>https://legendary.industries/acwp-ps752/</link><guid isPermaLink="false">5e2cba45c03dff052da84525</guid><category><![CDATA[OSINT]]></category><dc:creator><![CDATA[Paddy Kerley]]></dc:creator><pubDate>Sat, 25 Jan 2020 22:12:44 GMT</pubDate><content:encoded><![CDATA[<p>As I&apos;ve mentioned in previous posts, I&apos;ve used the Arms Control Wonk Podcast Slack as the basis for starting several of my own investigations into various different things and recently myself and some of the guys on Slack investigated the shootdown of PS752 over Iran by the IRGC.</p><p>While the regular hosts of the pod were aware that we were investigating, they were not aware of the extent of the investigation we had done and when I opened my big fat mouth on twitter and documented the scale of what we had done in the thread below, well... 
They asked me to go on and talk about some of the things we got up to in our investigation.</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr"><a href="https://twitter.com/ACWPodcast?ref_src=twsrc%5Etfw">@ACWPodcast</a> <a href="https://twitter.com/ArmsControlWonk?ref_src=twsrc%5Etfw">@ArmsControlWonk</a> <a href="https://twitter.com/aaronstein1?ref_src=twsrc%5Etfw">@aaronstein1</a> <a href="https://twitter.com/annemp13?ref_src=twsrc%5Etfw">@annemp13</a> <a href="https://twitter.com/wslafoy?ref_src=twsrc%5Etfw">@wslafoy</a> I have one minor issue with the most recent pod. I know you don&apos;t check slack often and I&apos;m not saying you have to, but Slack did a lot of good work on the downing of PS725 and I kinda have to point it out with links</p>&#x2014; Paddy Kerley (@LegendaryPatMan) <a href="https://twitter.com/LegendaryPatMan/status/1217613398269186049?ref_src=twsrc%5Etfw">January 16, 2020</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</figure><p>If you&apos;re interested in hearing me talk about the investigation and what other things we get up to on Slack, you can grab the pod in the tweet below and listen</p><figure class="kg-card kg-embed-card"><blockquote class="twitter-tweet"><p lang="en" dir="ltr">New Arms Control Wonk podcast! <a href="https://twitter.com/LegendaryPatMan?ref_src=twsrc%5Etfw">@LegendaryPatMan</a> joins <a href="https://twitter.com/ArmsControlWonk?ref_src=twsrc%5Etfw">@ArmsControlWonk</a> to talk about collaborative open-source intelligence and the ACWPodcast community&apos;s rapid OSINT response to the downing of PS752<a href="https://t.co/PZOrvNxxbo">https://t.co/PZOrvNxxbo</a> <a href="https://t.co/fBST65IZlJ">pic.twitter.com/fBST65IZlJ</a></p>&#x2014; ArmsControlWonkPod (@ACWPodcast) <a href="https://twitter.com/ACWPodcast/status/1220031042305904645?ref_src=twsrc%5Etfw">January 22, 2020</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</figure>]]></content:encoded></item><item><title><![CDATA[That Time I Accidentally Burned A Malware Campaign]]></title><description><![CDATA[<p>It&apos;s been ages since I&apos;ve written here and part of that has been down to being just busy with life, projects and college work but a large amount of that has been down to the completely garbage editor that Ghost now uses that isn&apos;t</p>]]></description><link>https://legendary.industries/that-time-i-accidentally-burned-a-malware-campaign/</link><guid isPermaLink="false">5df10bb8c03dff052da842de</guid><dc:creator><![CDATA[Paddy Kerley]]></dc:creator><pubDate>Thu, 12 Dec 2019 18:53:29 GMT</pubDate><content:encoded><![CDATA[<p>It&apos;s been ages since I&apos;ve written here and part of that has been down to being just busy with life, projects and college work but a large amount of that has been down to the completely garbage editor that Ghost now uses that isn&apos;t based in Markdown and turned a fantastic experience into one I despise because of how utterly frustrating it is to have written for years in Markdown and to have it taken away from me... But that&apos;s neither here nor there and what is important is that I&apos;ve been busy working on some ideas and it&apos;s time to share a small part of what I have been working on!</p><p>I&apos;ve been playing with Honeypots/nets for the best part of three months to see what kind of data I could usefully get out of them and to be honest, the vast, vast majority of what I&apos;ve seen has either not been so interesting because it&apos;s low effort, low cost, opportunistic attacks and of the few that have stood out, upon digging deeper, they turn out to be much ado about nothing. 
The largest attacks I&apos;ve seen have been just spammed out across the internet and have been noticed by many large and small security companies and been analyzed to death, like the 5,201 samples of WannaCry I picked up of which the only discernible difference is that they have a different crypto wallet address to deposit your ransom in or they have a different packer version. </p><p>Thinking I spent an age working on something, only to have nothing again, I took a chance and looked at something I wouldn&apos;t normally look at. What people were trying to do over SSH to my poor honeypot. And ohh boy did I find something interesting!</p><figure class="kg-card kg-image-card"><img src="https://legendary.industries/content/images/2019/12/14.PNG" class="kg-image" alt loading="lazy"></figure><p>Now it&apos;s not particularly weird to see an attacker look for which user they are or for system information, as both are useful for working out your next steps. But it&apos;s weird to see someone <code>curl</code> OR <code>wget</code> a script and pipe that to bash while sending all feedback to <code>/dev/null</code> and not just that, running it in the background! 
This was kind of irresistible and I kinda spent nearly every waking hour, if not thinking about this, then working on it and verifying that I was right and that I wasn&apos;t crazy.</p><figure class="kg-card kg-image-card"><img src="https://legendary.industries/content/images/2019/12/script-snip.PNG" class="kg-image" alt loading="lazy"></figure><p>Above is a snippet of the text that the command tries to execute and essentially, if a number of conditions are met it will reach out to a number of image hosting sites and pull down an x32 or x64 &quot;png&quot; file and failing that it also reaches out to another site and pulls down a second script.</p><figure class="kg-card kg-image-card"><img src="https://legendary.industries/content/images/2019/12/pygo-snip.PNG" class="kg-image" alt loading="lazy"></figure><p>This second script goes to two more &quot;png&quot; files and failing that, it just cuts and runs to a malware distribution point to download the x32 or x64 versions.</p><figure class="kg-card kg-image-card"><img src="https://legendary.industries/content/images/2019/12/16.PNG" class="kg-image" alt loading="lazy"></figure><p>If you try and look at the images, you get warnings such as above from image hosting sites that say that the image cannot be displayed because it contains errors, which would be unusual for an image... If you download the image though and open it with a text editor, you get an ELF header which is not the expected behavior for an image.</p><figure class="kg-card kg-image-card"><img src="https://legendary.industries/content/images/2019/12/17.PNG" class="kg-image" alt loading="lazy"></figure><p>Using <code>sha1sum</code> I got the hash and uploaded it to Virus Total and I&apos;m not sure if it was me who found it or not, but if it wasn&apos;t me, I was damn close to finding it! Using the <em>Relations</em> tab I was able to get domains associated with malware and map things out. 
The associated domains are the same domain three times though, which isn&apos;t of much use, but looking at the domain in VT Graph did allow me to see that it is related to other variants of Linux Coin Miners:</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://legendary.industries/content/images/2019/12/19.PNG" class="kg-image" alt loading="lazy"><figcaption><a href="https://www.virustotal.com/graph/ge025ab348d09452eaf17e2b5b394eac0e5a850207f75434ab363ef036f0aed1b">https://www.virustotal.com/graph/ge025ab348d09452eaf17e2b5b394eac0e5a850207f75434ab363ef036f0aed1b</a></figcaption></figure><p>Also using VT Graph I was able to map out a mental picture for me of how the attack worked in an end to end fashion. I know that&apos;s not what VT Graph is necessarily for, but if you ever have to present your work in an easy to understand way for less digitally literate people or if you want great pictures for professionals to describe attacks, VT Graph is perfect! </p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://legendary.industries/content/images/2019/12/20.PNG" class="kg-image" alt loading="lazy"><figcaption><a href="https://www.virustotal.com/graph/g0025770d073a488eb98d8d7b591ef624b0500f0ffee8416e80c41ad56b26c89e">https://www.virustotal.com/graph/g0025770d073a488eb98d8d7b591ef624b0500f0ffee8416e80c41ad56b26c89e</a></figcaption></figure><p>So if I can detect the command they are executing, can I see how they are logging in? 
Splunk can give me useful information, but as useful as it is, there&apos;s a slight problem:</p><figure class="kg-card kg-image-card"><img src="https://legendary.industries/content/images/2019/12/Connection-snip.PNG" class="kg-image" alt loading="lazy"></figure><p>If I get the IPs that the attackers are using and search for the usernames and passwords used, I get zero results:</p><figure class="kg-card kg-image-card"><img src="https://legendary.industries/content/images/2019/12/ssh-logins.PNG" class="kg-image" alt loading="lazy"></figure><p>Now I have two theories as to why this is. The first and most likely is that my Splunk command is wrong and I need a logical operator before the first src command. The second is that there is a small gap in Cowrie&apos;s ability to log. I&apos;m not exactly sure where this gap exists though. My working hypothesis is that since one of the connections issuing the commands is using the <code>SSH-2.0-Go</code> client, either Go is doing something unusual or the attacker is doing something unusual and the only unusual thing I could think of was directly appending a command to the SSH login. So I tried that:</p><figure class="kg-card kg-image-card"><img src="https://legendary.industries/content/images/2019/12/ssh-attempt.PNG" class="kg-image" alt loading="lazy"></figure><p>And I was successfully able to execute this in bash and have everything run as intended in the background while trying to get it to execute as <code>root</code> but it&apos;s never that simple, is it...</p><figure class="kg-card kg-image-card"><img src="https://legendary.industries/content/images/2019/12/cowrie-test.PNG" class="kg-image" alt loading="lazy"></figure><p>Cowrie didn&apos;t detect any of it, at all... Which leaves me with more questions about how than answers. 
I was hoping to dig deeper into why this is the case, but while preparing a presentation on this research, I noticed that I forgot to save a copy of the pygo script and ohh boy am I glad I didn&apos;t because the attackers clearly weren&apos;t happy that myself and some other individuals had dumped their work into Virus Total and had updated their pygo script to be a series of char variables that are coupled to make the script when executed.</p><figure class="kg-card kg-image-card"><img src="https://legendary.industries/content/images/2019/12/pygo-update.PNG" class="kg-image" alt loading="lazy"></figure><p>And of course I had to go and burn this too because you just can&apos;t not leave them like that. And I left links to Virus Total along with hashes, a list of all the domains and also the details on the C2 servers and anywhere I used a VT Graph I made, I left a link to the graph in the caption too. Happy digging if you want to!</p><p>Going forward, I&apos;ve been thinking a lot more about honeypots for specific, targeted information such as <a href="https://doublepulsar.com/eternalpot-lessons-from-building-a-global-nation-state-smb-exploit-honeypot-infrastructure-3f2a0b064ffe">EternalPot by Kevin Beaumont</a> though tailored to something else more interesting to me personally and using something that has a much better capability than I can see Splunk has for packet captures such as QRadar or The Hive and playing back what attackers do like in Azure Sentinel or having a better capability for Malware Analysis or having better ways to automatically send data to Virus Total, Malice or MISP to get reports back or help do a deeper analysis than I currently can with the limited time and resources I have. Or maybe just a further dive into either automating the Malware Analysis or doing some datamining to make further work on this less time intensive for me since it did consume 5 full days I really couldn&apos;t afford to give to it... 
Failing that, I&apos;ve also been reading a lot about how to fool Computer Vision systems <a href="https://arxiv.org/abs/1707.08945">can be fooled</a> or how you can <a href="http://dx.doi.org/10.1145/2976749.2978392">defeat facial recognition systems</a> using commodity hardware. </p><p>So I guess I&apos;ve ton&apos;s of idea&apos;s to work away on, I just need to find the time</p>]]></content:encoded></item><item><title><![CDATA[The Tinfoil Hat Recession Predictor Thing!]]></title><description><![CDATA[<h2 id="-this-is-not-financial-advice-">*** THIS IS NOT FINANCIAL ADVICE! 
***</h2><h2 id="-you-re-a-literal-crazy-person-if-you-take-me-seriously-">*** YOU&apos;RE A LITERAL CRAZY PERSON IF YOU TAKE ME SERIOUSLY ***</h2><hr><p>Myself and a few friends on Slack like watching certain indicators and gleaning something resembling insight from them and since the <a href="https://www.bloomberg.com/opinion/articles/2018-12-03/u-s-yield-curve-just-inverted-that-s-huge">Yield Curve inverted several days ago</a> there&apos;s been a back</p>]]></description><link>https://legendary.industries/the-tinfoil-hat-recession-predictor-thing/</link><guid isPermaLink="false">5d543f9359bbd34cb3bdfad2</guid><category><![CDATA[Finance?]]></category><dc:creator><![CDATA[Paddy Kerley]]></dc:creator><pubDate>Sat, 08 Dec 2018 17:06:00 GMT</pubDate><content:encoded><![CDATA[<h2 id="-this-is-not-financial-advice-">*** THIS IS NOT FINANCIAL ADVICE! ***</h2><h2 id="-you-re-a-literal-crazy-person-if-you-take-me-seriously-">*** YOU&apos;RE A LITERAL CRAZY PERSON IF YOU TAKE ME SERIOUSLY ***</h2><hr><p>Myself and a few friends on Slack like watching certain indicators and gleaning something resembling insight from them and since the <a href="https://www.bloomberg.com/opinion/articles/2018-12-03/u-s-yield-curve-just-inverted-that-s-huge">Yield Curve inverted several days ago</a> there&apos;s been a back and forth about what next given that the Yield Curve is the single best predictor of recessions in the United States since the 60&apos;s, and I thought I&apos;d get all of my indicators together in one place and give a bit of an explanation of the what and why of their predictive power and then make some pages with all the data so that we can track what&apos;s going on and spark some discussion with friends</p><p>If you want to glean some insight from the following indicators, ignore one out of sigma or one day events. 
For example, the Yield Curve&apos;s trend is down and has inverted BUT to be effective in predicting recessions, there needs to be a sustained inversion over roughly a quarter or two to predict a recession in the next 4 quarters.</p><p>Also even if say the Yield Curve remains inverted, no indicators is perfect therefore, you need to look at the longer time frame across several indicators and since me and some friends like to talk on Slack about this exact thing, I thought I&apos;d put together some of the things that I look for in</p><p>This project is in its early stages and for the moment, there will be this explainer on the different pieces of data and what to interpret from them as well as a few pages displaying the data sources by country or maybe also region since a whole page for the Euro Zone might be interesting. Hopefully in time I will start every page have a composite of all of the data with a graph of the past composite number and a simple indication of if we&apos;re on for a recession somewhere or not.</p><h3 id="the-currently-completed-models-are-below">The Currently completed Models are below</h3><!--kg-card-begin: markdown--><p><a href="https://legendary.industries/us-model/">The United States</a></p>
<!--kg-card-end: markdown--><p>Major To-Do Models</p><!--kg-card-begin: markdown--><ol>
<li><a href="http://ie-model">Ireland</a></li>
<li><a href="http://nk-model">North Korea</a></li>
</ol>
<!--kg-card-end: markdown--><hr><h2 id="what-indicators-and-why">What Indicators and Why</h2><p>Generally, indicators can be broken into the following three categories, Leading, Coincidental or Coincident and Lagging indicators. In the US and some other nations like Japan, Germany and the UK, they are made easily available by The Conference Board, <a href="https://www.conference-board.org/data/bci/index.cfm?id=2160">who have a page that breaks down what all of them mean</a> and why they are important. As well as details about the <a href="https://www.conference-board.org/data/bcicountry.cfm?cid=1">current indicator, past indicators and details on calculating it yourself</a>. Below I will try to break down in the simplest terms, why they are important and useful. Note though that I will not be using all of them in every model.</p><p>For the moment I will not be including most of Lagging indicators because I don&apos;t think they are that useful at predicting a recession since they can only be assessed after a fluctuation in the data. I will be including the Average duration of unemployment indicator though as I think employment figures are generally good, though the overall employment figure is not.</p><h3 id="leading-indicators">Leading Indicators</h3><p>These are indicators that change prior to a change in the economy as a whole. These are generally seen as the following</p><!--kg-card-begin: markdown--><h4 id="1averageweeklyhoursmanufacturing">1. Average weekly hours (manufacturing)</h4>
<p>Over the long term you get a baseline of the average weekly hours worked in manufacturing. As a recession approaches, employers will tend to cut hours prior to cutting the workforce.</p>
<h4 id="2averageweeklyjoblessclaimsforunemploymentinsurance">2. Average weekly jobless claims for unemployment insurance</h4>
<p>People filing for unemployment can be a volatile number but getting the average over a period of weeks, for example 4 weeks, indicates the overall strength of an economy. If the graph is trending down, less people are filing for unemployment whereas if the graph is trending up, more people are filing for unemployment.</p>
<h4 id="3manufacturersnewordersforconsumergoodsmaterials">3. Manufacturers&apos; new orders for consumer goods/materials</h4>
<p>These are goods primarily used by consumers and adjusted for inflation. If the number is trending up, there is demand for more consumer goods while if it is trending down, demand is dropping off, which is indicative of a slow down in consumer orders for goods.</p>
<h4 id="4ismneworderindex">4. ISM New Order Index</h4>
<p>This index reflects whether the surveyed participants are reporting increased or decreased orders over the previous month. Readings greater than 50 reflect that orders have increased while readings lower than 50 reflect that orders have decreased, which is indicative of a slow down in consumer orders for goods.</p>
<h4 id="5manufacturersnewordersfornondefensecapitalgoods">5. Manufacturers&apos; new orders for non-defense capital goods</h4>
<p>This index is the same as 3, but includes aircraft purchases and as such should be read the same way.</p>
<h4 id="6buildingpermitsnewprivatehousingunits">6. Building permits, new private housing units</h4>
<p>This is the number of residential building permits issued in the prior month and is an indicator of construction activity. While trending up, more residential buildings are under construction whereas if trending down, construction activity is dropping. Construction generally leads to other forms of economic production and activity so a long term downward trend is indicative of a recession.</p>
<h4 id="7stockpricesofcommonstocks">7. Stock prices of common stocks</h4>
<p>Tracks the movement of prices in a broad selection of common stocks. An increasing price trend shows broad economic growth while a decreasing price curve shows a broad economic slowdown.</p>
<h4 id="8interestratespreadtheyieldcurve">8. Interest rate spread/The Yield Curve</h4>
<p>This is the spread between a government 10 year bond and 3 month bond or 10 year and 2 year bond. When the curve is trending up, investors are confident that they can make returns on investments into the future, while if it is trending down, or inverted, it shows that investors are not confident they will make a return in the short term, be that 3 months or two years.</p>
<p>This is the <a href="https://www.npr.org/sections/money/2018/01/12/577710151/the-recession-predictor">single most effective predictor of recessions</a> and is <a href="https://www.npr.org/2018/08/09/637224491/the-og-yield-curve-whisperer">backed by piles of data with an impressive track record</a> that has yet to fail.</p>
<h4 id="9consumerconfidenceindex">9. Consumer Confidence Index</h4>
<p>This is a measure of how confident consumers are in the coming 6 or 12 months and if they are positive, negative or unchanged about future economic conditions. Trending up or flat means that consumers are confident whereas if it is trending down, consumers are not confident in the future.</p>
<!--kg-card-end: markdown--><h3 id="coincidental-indicators">Coincidental Indicators</h3><p>These are indicators that change as a change occurs in the economy as a whole.</p><!--kg-card-begin: markdown--><h4 id="1employeesonnonagriculturalpayrollsornetemployment">1. Employees on nonagricultural payrolls or Net Employment</h4>
<p>This is the net hiring and firing rate of all but agricultural employees. When this is trending up, firings are down and more people are being hired, while when trending down, more people are being fired rather than hired.</p>
<h4 id="2personalincomelesstransferpayments">2. Personal income less transfer payments</h4>
<p>The value of the income received from all sources, adjusted for inflation, to measure the real salaries and other earnings of all persons. Income levels help determine both aggregate spending and the general health of the economy, so trending up is healthy while trending down or flattening to, or below, inflation is not, as wage growth will have stopped.</p>
<h4 id="3indexofindustrialproduction">3. Index of industrial production</h4>
<p>This is the total output of a number of manufacturing, mining, and gas and electric utility industries and it covers physical product counts, values of shipments, and employment levels. Though this is a small fraction of the total economy, it has historically captured a majority of the fluctuations.</p>
<h4 id="4manufacturingandtradesales">4. Manufacturing and trade sales</h4>
<p>This is the total, inflation adjusted spending in business to business transactions. A drop off in business to business spending is indicative of reduced investment due to low confidence in the economy.</p>
<!--kg-card-end: markdown--><h3 id="lagging-indicators">Lagging Indicators</h3><!--kg-card-begin: markdown--><h4 id="1averagedurationofunemployment">1. Average duration of unemployment</h4>
<p>The average duration, in weeks, that a person is counted as unemployed. This index is inverted and thus when the trend is downwards, people are spending less time unemployed whereas if it is trending up, people are spending more and more time unemployed.</p>
<!--kg-card-end: markdown--><h3 id="extra-indicators">Extra Indicators</h3><p>While all of these indicators are useful, there are also some personal indicators that are not covered, that I also think are crucially important to understanding what is going on in an economy at any given time and all of these are market indicators.</p><!--kg-card-begin: markdown--><h4 id="1overnightindexedswaps">1. Over Night Indexed Swaps</h4>
<p>These indicators are extremely good at showing credit risk in markets as it is a direct representation of the difference between safe government bonds and what interest rate a bank is willing to offer another bank. If the spread is large enough, it is indicative of a credit crisis as banks are not willing to lend to other banks without the other bank paying a premium.</p>
<h4 id="2highyieldbondspreadjunkbondspread">2. High Yield Bond Spread/Junk Bond Spread</h4>
<p>This is the spread between safe government bonds and low quality bonds that are not of investment grade. These indicators are also good at showing credit risk as investors are demanding a premium and it shows their risk tolerance as the size of the spread shows that they will only invest for big returns to match the perceived risk.</p>
<h4 id="3marketvolatilityindicators">3. Market Volatility indicators</h4>
<p>These indicators do not in themselves indicate a recession but they let you know how volatile a market is and recessions are extremely volatile times for markets, so lots of volatility along with numerous other indicators is hugely indicative of a crisis.</p>
<h4 id="4theeconomistintelligenceunitsyieldcurvetogdpspread">4. The Economist Intelligence Unit&apos;s Yield Curve to GDP spread</h4>
<p>The <a href="https://www.economist.com/graphic-detail/2019/07/27/yield-curves-help-predict-economic-growth-across-the-rich-world">Economist had a fantastic piece about the predictive power of the yield curve as outside the US</a>, it is not a predictor of recessions at all, in fact it has no predictive power whatsoever. The team at the Data Unit decided to see if they could come up with a method to have the same predictive power and noticed that for every percentage point the Yield Curve flattens or inverts in a given nation, GDP tends to drop by half a percentage point.</p>
<!--kg-card-end: markdown--><h2 id="a-note-on-data-sources">A note on Data Sources</h2><p>I would love to have the same kind of data that the US has so easily available to an idiot like me who&apos;s just good at google and research, but sadly it&apos;s harder to find. Generally the US will have basically all its data coming from the <a href="https://fred.stlouisfed.org">St. Louis Federal Reserve FRED</a> and other nations will probably use a combination of <a href="https://tradingeconomics.com">Trading Economics</a> and <a href="https://tradingview.com">Trading View</a> until I figure out how to properly identify and use data in places like <a href="https://sdw.ecb.europa.eu/">ECB Data Warehouse</a>.</p><hr><h2 id="other-indicators-i-like">Other Indicators I Like</h2><p><a href="https://www.npr.org/podcasts/510325/the-indicator-from-planet-money"><strong>The Indicator from Planet Money</strong></a><br>This is probably my favourite daily podcast. It&apos;s generally less than 10 minutes, and covers some of the most interesting things happening in the world of economics from JOBS DAY to the Yield Curve. Also Stacey and Cardiff are great for a back and forth on twitter! Though I&apos;m still annoyed the TED Spread isn&apos;t an indicator since that&apos;s the original Indicator from back in 2008</p><p><a href="https://www.npr.org/podcasts/510289/planet-money"><strong>Planet Money Podcast</strong></a><br>This is what got me started into thinking about predicting recessions by having daily and sometimes several times per day podcasts, with time stamps so you knew exactly what was happening, as it was happening in 2008. Post 2008 they have reported on why it all happened, got some of the assets responsible and started covering more general economic stories but they are no less interesting! 
I just hope their coverage will be the same in the next major crisis</p><p><a href="https://www.calculatedriskblog.com"><strong>Calculated Risk blog by Bill McBride</strong></a><br>Comprehensive, in depth analysis of an astonishing array of topics related to the US Economy with the odd prediction about where we are going and a track record of being right</p><p><a href="https://www.economist.com/"><strong>The Economist</strong></a><br>A Brilliant Magazine and Podcast provider with interesting stories as well as having in depth analysis of <a href="https://pca.st/IKHH">what&apos;s going on from day to day in the world</a>, in <a href="https://pca.st/VijH">financial markets</a>, in <a href="https://pca.st/jOgf">tech</a>, or <a href="http://www.eiu.com/home.aspx">Data</a>.</p><p><a href="https://pca.st/6BWU"><strong>Trade Talks</strong></a><br>A Podcast about trade from trade wonks. Simple. Also includes bad jokes about double underscores.</p>]]></content:encoded></item><item><title><![CDATA[Estimating How Many Pits DPRK Has, Part 1.5 New Numbers]]></title><description><![CDATA[<!--kg-card-begin: markdown--><p>In <a href="https://legendary.industries/2018/07/24/estimating-how-many-pits-dprk-has/">Part 1</a> I had a guesstimate at the production capacity of North Korea to make fissile material and other relevant materials for their nuclear weapons. 
I wanted to talk a little about their testing regime and also about some considerations about bomb design, missiles and missions, and I&apos;</p>]]></description><link>https://legendary.industries/part-1-5-new-numbers/</link><guid isPermaLink="false">5d52dcde59bbd34cb3bdf9de</guid><dc:creator><![CDATA[Paddy Kerley]]></dc:creator><pubDate>Mon, 30 Jul 2018 21:30:47 GMT</pubDate><content:encoded><![CDATA[<!--kg-card-begin: markdown--><p>In <a href="https://legendary.industries/2018/07/24/estimating-how-many-pits-dprk-has/">Part 1</a> I had a guesstimate at the production capacity of North Korea to make fissile material and other relevant materials for their nuclear weapons. I wanted to talk a little about their testing regime and also about some considerations about bomb design, missiles and missions, and I&apos;ve been working on that, but some things have come to light that I want to discuss first.</p>
<p>First and foremost, I missed a really, really important <a href="http://isis-online.org/uploads/isis-reports/documents/Kangsong_25May2018_final.pdf">pdf from David Albright at ISIS</a> on Kangson and its production capacity based on his figures and on US Government figures that he&apos;s privy to. And secondly, I&apos;m not happy with my HEU numbers and I think I made a mistake. I don&apos;t think it&apos;s right to stealth edit out my figures so I&apos;m going to keep them and cover Albright&apos;s figures as well as my new production numbers.</p>
<h2 id="albrightsnumbers">Albright&apos;s Numbers</h2>
<p>As I said above, I think Albright has a very interesting pdf filled with new data. Personally if anyone is close to knowing their stocks of fissile material, it&apos;s Albright so with that in mind, I want to look into what he has, discuss it and take it into account for further discussions on estimating how many pits North Korea is capable of producing.</p>
<h6 id="heu">HEU</h6>
<p>Albright accepts, though with some skepticism, the numbers of his US Government sources, giving an estimate of &quot;6000-12000 or more P2 centrifuges&quot; which I think is A LOT and given that he thinks it&apos;s capable of 600Kg to 1000Kg of HEU production, I&apos;m way off. Even my wrong numbers in my last post don&apos;t come close to that. Even with my fixed estimates I&apos;d come more around <a href="https://duckduckgo.com/?q=0.04*6000&amp;atb=v79-2__&amp;ia=calculator">240Kg</a> to <a href="https://duckduckgo.com/?q=0.04*12000&amp;atb=v79-2__&amp;ia=calculator">480Kg</a>.</p>
<p>Now Albright&apos;s a much smarter guy than me, and I&apos;m more inclined to believe his numbers rather than mine, but I&apos;m having trouble squaring this circle since I can&apos;t verify his numbers. Is he talking in terms of cascades or centrifuges? Or interchangeably using cascade and centrifuge? Because if Kangson is packed with a cascade per square meter rather than a centrifuge per sqm, then all of a sudden, you have a lot more centrifuges and a lot more production bringing those numbers closer to my current new estimates below.</p>
<h6 id="pu">Pu</h6>
<p>Albright has a hard cap on 30Kg of Pu processed from unloaded fuel at the 5MWe reactor. I&apos;m inclined to believe this as Chris mentioned that <a href="https://acwpodcast.slack.com/archives/C3TDZPKGA/p1532388273000063?thread_ts=1531845517.000524">Reprocessing is a dirty, nasty, and very visible process</a> and the reprocessing facility at Yongbyon has been quiet in imagery and pretty cold in thermal signatures implying that there is very little going on in terms of reprocessing. Also interesting to note that Albright doesn&apos;t think that much has gone on in the way of reprocessing since 2007 when he estimated that North Korea had <a href="https://web.archive.org/web/20121017211603/http://www.isis-online.org/publications/dprk/DPRKplutoniumFEB.pdf">28Kg to 50Kg</a> of Pu 239 that was usable.</p>
<h6 id="othernotes">Other Notes</h6>
<p>One of my goals with this series of posts was to either verify the <a href="https://thediplomat.com/2017/08/us-intelligence-north-korea-may-already-be-annually-accruing-enough-fissile-material-for-12-nuclear-weapons/">DIA&apos;s estimate</a> of having 60 pits but more importantly, that North Korea was making enough fissile material for 12 more each year. The report &quot;assumes the use of composite pit core designs&quot;. Albright had some thoughts on this;</p>
<blockquote>
<p>In one report, the U.S. indicated that North Korea had up to 60 nuclear weapons. In our analysis, I would interpret this value as not including losses and being in the upper tail of the first distribution.<br>
I would stress that in our analysis a value of 60 represents a worst case.<br>
And I would also stress that our base estimate is 14-34 nuclear weapons, reflecting on-going uncertainties about the status and operation of an older centrifuge plant.</p>
</blockquote>
<p>This would be where my thinking is going. It doesn&apos;t seem that North Korea has that kind of production capacity. Albright says that it&apos;s an absolute worst case, which may imply a third site, which is the other goal of this series. If I can&apos;t find a way to verify the DIA&apos;s estimate, then that&apos;s because they know more than they are letting on about North Korea&apos;s capacity which opens up routes for further analysis on suspect sites at locations like <a href="http://www.nti.org/learn/facilities/741/">Hagap</a>, <a href="http://www.nti.org/learn/facilities/743/">Bakcheon</a>, or <a href="http://www.nti.org/learn/facilities/744/">Taecheon</a> to name just a few as the NTI database has many suspected nuclear sites with unknown uses from reactors to enrichment facilities.</p>
<h2 id="correctingmynumbers">Correcting My Numbers</h2>
<p>As much of a valiant effort as I made, in making my numbers, I believe that during the first drafts of the first post, I had estimated a LOT higher numbers of centrifuges for Kangson&apos;s capacity, and maybe I was right given what Albright and the US Gov estimated, but I never changed my estimates after rounding down the number of centrifuges. So I want to correct that. I also think that unless the P-2 centrifuge is between 0.5x and 0.75x smaller than the P-1 it&apos;s highly unlikely that at 1 square metre per centrifuge, that there are 6000 to 120000 centrifuges in that building. But as I have said it&apos;s unlikely that I&apos;m right and Albright is wrong.</p>
<p>The long and short of it is that Sig Hecker says that Yongbyon is capable of making <a href="https://fsi-live.s3.us-west-1.amazonaws.com/s3fs-public/Heckerpresentation1.pdf">40Kg of 90% HEU</a> with its 2000 centrifuges. That&apos;s 40 grams per centrifuge. If that&apos;s the case, then the total amount of capacity from my estimate of 6675 centrifuges is <a href="https://duckduckgo.com/?q=0.04*6675&amp;atb=v79-2__&amp;ia=calculator">267Kg</a> total and for Kangson with 4475 centrifuges, that&apos;s <a href="https://duckduckgo.com/?q=0.04*4675&amp;atb=v79-2__&amp;ia=calculator">187Kg</a>. As I also said above, if cascade and centrifuge are being used interchangeably, then there&apos;s reason to believe this is the case, but then we&apos;re looking at 3 or 4 centrifuges per sqm, which makes the numbers make sense, but that again requires that cascade and centrifuge are being used interchangeably.</p>
<p>Though if you think these numbers are straight up wrong, ping me with an @legendarypatman on twitter or on the <a href="https://acwpodcast.slack.com/archives/C3TDZPKGA/p1531845517000524">ACWP Slack thread</a> or <a href="https://legendary.industries/about-contact/">contact me via the About page</a> because as close as my original numbers seem, I don&apos;t think I can justify them.</p>
<h2 id="newtotalsforyearlyproduction">New Totals for Yearly Production</h2>
<p>Finally, an updated table of production. Pu is still a static number as the 5MWe reactor still seems unused or has been running very minimally and the ELWR doesn&apos;t seem to be ready to run just yet.</p>
<table>
<thead>
<tr>
<th style="text-align:left">Material</th>
<th style="text-align:center">My Minimum qty</th>
<th style="text-align:center">My Maximum qty</th>
<th style="text-align:center">Albright/USG Min</th>
<th style="text-align:center">Albright/USG Max</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align:left">HEU</td>
<td style="text-align:center">187Kg</td>
<td style="text-align:center">267Kg</td>
<td style="text-align:center">600Kg</td>
<td style="text-align:center">1000Kg</td>
</tr>
<tr>
<td style="text-align:left">Pu</td>
<td style="text-align:center">56Kg - 77Kg</td>
<td style="text-align:center">76Kg - 103Kg</td>
<td style="text-align:center">N/A</td>
<td style="text-align:center">30Kg</td>
</tr>
<tr>
<td style="text-align:left">2H</td>
<td style="text-align:center">???</td>
<td style="text-align:center">???</td>
<td style="text-align:center">N/A</td>
<td style="text-align:center">N/A</td>
</tr>
<tr>
<td style="text-align:left">6Li</td>
<td style="text-align:center">120Kg</td>
<td style="text-align:center">???</td>
<td style="text-align:center">N/A</td>
<td style="text-align:center">N/A</td>
</tr>
<tr>
<td style="text-align:left">3H</td>
<td style="text-align:center">60g (IRT-2000 only)</td>
<td style="text-align:center">???</td>
<td style="text-align:center">N/A</td>
<td style="text-align:center">N/A</td>
</tr>
</tbody>
</table>
<hr>
<p>This post wouldn&apos;t have been possible without a great conversation that Peter started in the <a href="https://acwpodcast.slack.com/archives/C3TDZPKGA/p1531845517000524">ACWP Community Slack</a> as well as help from Peter, Andrew, Retin, Chris, Nathan, Kieran and Dylan. Massive thanks to you guys for the entertaining conversation, facts, fact checking and finding awesome sources!</p>
<!--kg-card-end: markdown-->]]></content:encoded></item><item><title><![CDATA[Estimating How Many Pits DPRK Has, Part 1: Relevant Materials Production]]></title><description><![CDATA[<!--kg-card-begin: markdown--><p>Nearly a year ago, a <a href="https://thediplomat.com/2017/08/us-intelligence-north-korea-may-already-be-annually-accruing-enough-fissile-material-for-12-nuclear-weapons/">report leaked from the DIA</a> said that the DPRK had enough fissile material for 60 pits and was making enough fissile material for 12 more each year. A few days ago, the <a href="https://www.armscontrolwonk.com/archive/1205628/north-koreas-new-old-enrichment-site-kangson/">OSINT Team at MIIS</a> had a slam dunk analysis of where DPRK has</p>]]></description><link>https://legendary.industries/estimating-how-many-pits-dprk-has/</link><guid isPermaLink="false">5d52dcde59bbd34cb3bdf9db</guid><category><![CDATA[Nuclear]]></category><category><![CDATA[DPRK]]></category><dc:creator><![CDATA[Paddy Kerley]]></dc:creator><pubDate>Tue, 24 Jul 2018 18:08:19 GMT</pubDate><content:encoded><![CDATA[<!--kg-card-begin: markdown--><p>Nearly a year ago, a <a href="https://thediplomat.com/2017/08/us-intelligence-north-korea-may-already-be-annually-accruing-enough-fissile-material-for-12-nuclear-weapons/">report leaked from the DIA</a> said that the DPRK had enough fissile material for 60 pits and was making enough fissile material for 12 more each year. A few days ago, the <a href="https://www.armscontrolwonk.com/archive/1205628/north-koreas-new-old-enrichment-site-kangson/">OSINT Team at MIIS</a> had a slam dunk analysis of where DPRK has a second HEU enrichment facility and reporting from <a href="https://thediplomat.com/2018/07/exclusive-revealing-kangson-north-koreas-first-covert-uranium-enrichment-site/">Ankit Panda</a> confirmed the analysis. This site has been covertly been operating from maybe as far back as 2003. 
If that&apos;s the case, this place has been operating for 15 years producing HEU. This got me thinking, what kind of manufacturing capability does DPRK have when it comes to making the materials required for these pits?</p>
<p>The DIA report &quot;assumes the use of composite pit core designs&quot; so let&apos;s examine what composite can mean. It&apos;s an important distinction as it is an indicator that Pu-239 is scarce and as I&apos;ll lay out later, it is in very short supply for North Korea. Composite cores are made of a combination of HEU and Pu but I think with DPRK it is worth examining some other options given how low some estimates of North Korea&apos;s stockpile of Pu-239 are. I believe the DIA may be using composite to mean a combination of fissile material with a second gas or solid used to &quot;boost&quot; the bomb. Below is a list of potential candidates available to North Korea for their pits;</p>
<ol>
<li>HEU/Pu composite</li>
<li>HEU and/or Pu/3H composite</li>
<li>HEU and/or Pu/DT(2H3H) composite</li>
<li>HEU and/or Pu/6Li2H composite</li>
</ol>
<h1 id="production">Production</h1>
<p>With a list of potential candidates for their pits, let&apos;s have a look at the production capabilities for each of the listed materials.</p>
<h2 id="heu">HEU</h2>
<p>To make HEU, you need to enrich U-235. The three main techniques are Gas or Thermal Diffusion, via Centrifuge or via Laser Separation. Diffusion is highly unlikely as both methods generate a lot of heat and would be readily visible in thermal imagery from satellites. North Korea does have a <a href="http://www.nti.org/learn/facilities/742">Laser Research facility that is suspected as a laser enrichment facility</a> but little is known about it in the open source as to whether it has been successful or if it was, its scale. This leaves North Korea with just Centrifuges which they use at both their known facilities in Yongbyon and Kangson.</p>
<h6 id="yongbyon">Yongbyon</h6>
<p><a href="https://twitter.com/SiegfriedHecker">Sig Hecker</a> is one of the few people to have ever <a href="https://nautilus.org/napsnet/napsnet-special-reports/a-return-trip-to-north-koreas-yongbyon-nuclear-complex/">been inside Yongbyon</a> and he reported that they are P-2 centrifuges and that there are 2000 of them at the complex, capable of producing <a href="https://fsi-live.s3.us-west-1.amazonaws.com/s3fs-public/Heckerpresentation1.pdf">40kg of 90%</a>.</p>
<h6 id="kangson">Kangson</h6>
<p>Assuming that Kangson is using the same setup as Yongbyon, it&apos;s safe to say that the centrifuges are P-2 as well. P-2 centrifuges are similar to P-1 as seen at Natanz but the internal rotors are made of Maraging Steel instead of Aluminium. Since they are similar to the ones at <a href="https://web.archive.org/web/20180104184156/http://www.isis-online.org:80/publications/iran/natanz03_02.html">Natanz we can assume that they took up 1sqm of floor space</a>. The Kangson facility is 110m wide and 50m long, giving a total area of 5500 sqm. In that space, the maximum number of centrifuges, if the building is absolutely packed, is roughly 5500. Iran wasn&apos;t using the total floor space of their facilities, only 83% of floor space, so I think we can assume that the DPRK is using a similar number so there is space for staff, control equipment, power etc, let&apos;s say 85% giving them roughly 4675sqm of centrifuges or 4675 centrifuges.</p>
<h6 id="total">Total</h6>
<p>Estimating the capacity of 6 675 centrifuges at both facilities, given Sig Hecker&apos;s numbers would be 534Kg of 90% U-235 per year, at 100% capacity or 374Kg 90% U-235 at just Kangson as all of the capacity from Yongbyon may be required to make LEU for the ELWR reactor at Yongbyon. These numbers are likely not correct as they are estimates if the facilities are running at 100% capacity and that is currently an unknown.</p>
<h2 id="pu">Pu</h2>
<p>Pu-239 is made by breeding U-238 in nuclear reactors and then processing the fuel after unloading to separate the Pu-239 from the U-238. North Korea has access to two ways of breeding Pu-239. The first and what I believe is the less likely option is in their IRT-2000 Reactor and the second is the 5MWe Reactor, both are at Yongbyon. <a href="https://en.wikipedia.org/wiki/David_Albright">David Albright</a> has a paper that estimates as of 2007, North Korea had <a href="https://web.archive.org/web/20121017211603/http://www.isis-online.org/publications/dprk/DPRKplutoniumFEB.pdf">46 Kg to 64 Kg with 28 Kg to 50 Kg for use in weapons</a>.</p>
<h6 id="5mwereactor">5MWe Reactor</h6>
<p>Using the same paper from Albright, he estimates that North Korea could produce 10Kg to 13Kg every 20 months and in the 11 years since then, North Korea had the capacity to produce an astonishing 4092Kg IF there were core changes, but I haven&apos;t been able to verify core changes outside of 1994, 2005 and 2007, as listed in the paper. There MAY have been a fuel loading in <a href="https://www.38north.org/2016/04/yongbyon041516/">2016</a> or <a href="https://www.38north.org/2017/07/yongbyon071417/">2017</a> which may bring them up to as much as 56Kg to 77Kg though it&apos;s very hard to verify unless they are covertly loading and unloading fuel though there is no evidence of that.</p>
<h6 id="irt2000">IRT-2000</h6>
<p>It isn&apos;t really feasible to use the IRT-2000 to produce Pu-239 as it <a href="http://www.nti.org/learn/facilities/767/">&quot;has operated only intermittently due to North Korea&#x2019;s inability to obtain new fuel&quot;</a> since the collapse of the Soviet Union. Though it appears that <a href="https://web.archive.org/web/20160730052528/http://www.isis-online.org/uploads/isis-reports/documents/IRT_Reactor_March_9_2016_FINAL.pdf">North Korea has been able to manufacture its own fuel</a> to keep this reactor running. According to Albright&apos;s paper, it is capable of producing &quot;at most a few hundred grams&quot;, though the U.S. Department of Energy estimates that it could have been used to produce up to 1 Kg to 2 kg of Pu-239. I find it unlikely that the IRT-2000 is used for this purpose since it&apos;s not able to produce much, and it has two other purposes. One is in another paper by Albright and it is the <a href="https://web.archive.org/web/20180723211815/http://www.isis-online.org/publications/dprk/CivilNuclearNK.pdf">production of iodine 131 for treating thyroid cancers</a> while the second is something I will cover later, the production of 3H.</p>
<h6 id="total">Total</h6>
<p>Assuming that the 5MWe reactor hasn&apos;t been loaded, it is safe to assume that they have approximately 56Kg to 77Kg total Pu-239, not accounting for Pu-240 contamination. If, as claimed in 2013, <a href="https://web.archive.org/web/20130407063220/http://www.bbc.co.uk/news/world-asia-21999193">North Korea restarted operation of the 5MWe reactor</a>, they would have 66Kg to 90Kg, and if it was loaded again in <a href="https://www.38north.org/2016/04/yongbyon041516/">2016</a> or <a href="https://www.38north.org/2017/07/yongbyon071417/">2017</a>, which may have happened, they would have a total of 76Kg to 103Kg of Pu-239.</p>
<h6 id="anoteontheelwr">A Note on the ELWR</h6>
<p>North Korea has been building a <a href="https://www.globalsecurity.org/wmd/world/dprk/yongbyon-elwr.htm">25 MWe to 30 MWe ELWR</a> at the facility at Yongbyon. &quot;While a light-water power reactor can be used to produce plutonium, it is not optimal for this purpose, so it must be assumed that the Experimental Light Water Reactor (ELWR) is intended to develop techniques and train personnel to lay the foundation for much larger reactor program ...&quot; It is plausible that this is a peaceful use of nuclear power to generate electrical power, though it may also be used for the production of Pu-239. This is easier to monitor as LWRs have batch reloading, which is harder to hide, and though not optimal, <a href="https://www.38north.org/2013/05/yongbyon050113/">&quot;While the reactor seems designed to produce electricity for the civilian economy, it will have a residual capability to produce plutonium that can be used for nuclear weapons.&quot;</a></p>
<h2 id="2h">2H</h2>
<p>2H or Deuterium, sometimes abbreviated to D, is a stable isotope of Hydrogen used as heavy water in some nuclear reactors, like North Korea&apos;s 5MWe reactor at Yongbyon, and can also be used to boost and store weapons as it is a stable gas. It is <a href="https://web.archive.org/web/20170320144245/http://www.vertic.org/media/assets/TV/TV152.pdf">produced via distillation or electrolysis</a> of seawater to extract naturally occurring 2H. This is also relatively easy to hide as it would just be a plant next to the sea, though lacking output. It can also be produced with <a href="https://patents.google.com/patent/US4620909">lasers</a>, which North Korea could be looking into at their <a href="http://www.nti.org/learn/facilities/742/">Laser Research Institute</a>, but there is no evidence of this.</p>
<h6 id="total">Total</h6>
<p>Currently there is no known estimate of North Korea&apos;s production capability for 2H. Given their access to the sea however and their potential future need for 2H in a Pu production HWR reactor, it&apos;s safe to say that they have a reasonable capability that most likely is not a limiting factor for their pit designs.</p>
<h2 id="6li">6Li</h2>
<p>6Li is a stable, naturally occurring isotope of Lithium that makes up around 7.5% of Lithium deposits. When a neutron splits it, it creates 4He but, more importantly, 3H, which can boost weapons. Information about the production of 6Li is extremely controlled as it has very little use outside of boosting fission weapons or as a neutron absorber in fusion weapons. ISIS has an article stating that North Korea is using the <a href="http://isis-online.org/isis-reports/detail/north-koreas-lithium-6-production-for-nuclear-weapons#fn2">mercury-based column exchange process (COLEX)</a> and procured this around 2012. ISIS notes: &quot;... the purchase of mercury in combination with lithium hydroxide is a strong indicator that North Korea is using the chemicals in a mercury-dependent lithium 6 production process.&quot;</p>
<h6 id="total">Total</h6>
<p>Currently there is no known estimate of North Korea&apos;s production capability for 6Li. North Korea <a href="https://undocs.org/S/2017/150">attempted to export 10Kg of 99.99% 6Li per month in 2016</a> and given those figures, it&apos;s safe to assume that they are processing at least 120Kg per year of 6Li, and this is just for the export market and does not account for how much 6Li they may need internally for their own uses. This is a substantial amount of 6Li production and I think it puts to bed the rumour of the Lithium shortage in North Korea, especially when coupled with news reports that <a href="https://qz.com/1004330/north-korea-is-sitting-on-trillions-of-dollars-on-untapped-wealth-and-its-neighbors-want-a-piece-of-it/">North Korea might have trillions of USD in untapped mineral wealth</a>.</p>
<h2 id="3h">3H</h2>
<p>3H is a radioactive isotope of hydrogen and crucially, it has a half-life of 12 years. There are two main ways for North Korea to access 3H, <a href="https://www.armscontrolwonk.com/archive/1201373/producing-tritium-in-north-korea/">importing and breeding it in a reactor</a>. Importing is unlikely given that no producer of 3H would export it to them and China, who does produce 3H, has been cutting down on sanctioned exports. They can also use 6Li2H as listed above, but this is a less efficient method for the production of 3H as it needs to be incorporated into the pit and during fission, the 6Li2H steals a neutron from the chain reaction, slowing it down.</p>
<h6 id="irt2000">IRT-2000</h6>
<p>6Li is easily bred in the control channels of the IRT-2000, which run through the core and are exposed to the maximum neutron flux. To quote extensively from the above link:</p>
<blockquote>
<p>Over an eight-month operating cycle, this cubic centimetre target of lithium-6 could generate about 80 milligrams of tritium. To generate three grams of tritium (an approximate amount used in modern boosted weapons), North Korea would therefore have to irradiate approximately nineteen grams of lithium-6 over an eight-month operational cycle.</p>
</blockquote>
<blockquote>
<p>A single target containing nineteen grams of lithium-6 (equivalent to a slug roughly 3cm in diameter and 5cm in length) could potentially generate enough tritium for a single nuclear weapon in one yearly operational cycle.</p>
</blockquote>
<blockquote>
<p>Assuming that only four of the IRT&#x2019;s experimental channels are located within the reactors core, North Korea would be able to generate enough tritium for twenty &#x2018;DT&#x2019; boosted nuclear weapons per year by irradiating five such slugs in each channel.</p>
</blockquote>
<h6 id="total">Total</h6>
<p>Given the data above, one 19g slug can generate 3g of 3H. Exposing 20 slugs as described above would allow for the production of 60g of 3H over the yearly operating cycle, giving North Korea a significant amount of 3H for use in pits.</p>
<h2 id="otherboostingcompounds">Other boosting compounds</h2>
<h6 id="6li2h">6Li2H</h6>
<p>6Li2H is a solid, low density compound that is made by treating 6Li with 2H gas. The reaction can occur at as low as 29 Celsius, though it only has a yield of 60%, which may be ideal for North Korea as it hides the activity, though more temperature and pressure do speed up the process. I can&apos;t find solid numbers for what mass of material can be processed per hour or per day, but given that you can treat 6Li with 2H in 2 hours at 600 Celsius and get a yield of 98%, it seems to be an issue of how much 6Li and 2H North Korea has and not how long it takes. <a href="https://ntrs.nasa.gov/search.jsp?R=19720066808&amp;hterms=lithium+hydride+fuel&amp;qs=Ntx%3Dmode%2520matchallpartial%2520%26Ntk%3DAll%26N%3D0%26Ntt%3D%2522lithium%2520hydride%2522%2520fuel">All temperatures and yields are in this paper</a>.</p>
<h6 id="2h3hdt">2H3H/DT</h6>
<p>Being a gaseous compound, it&apos;s not difficult to manufacture when you have the raw materials and it just requires a form of sealed storage with a top up every 12 years to maintain the supply of 3H. It has been estimated that <a href="https://www.armscontrolwonk.com/archive/1201373/producing-tritium-in-north-korea/">&quot;... North Korea would be able to generate enough tritium for twenty &#x2018;DT&#x2019; boosted nuclear weapons per year ...&quot;</a></p>
<h6 id="letsjustrecapourtotalyearlyproduction">Let&apos;s just recap our total yearly production</h6>
<p>Below are yearly production figures with the exception of Pu, that is their total stockpile of Pu.</p>
<table>
<thead>
<tr>
<th style="text-align:left">Material</th>
<th style="text-align:center">Minimum Quantity</th>
<th style="text-align:center">Maximum Quantity</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align:left">HEU</td>
<td style="text-align:center">374Kg</td>
<td style="text-align:center">534Kg</td>
</tr>
<tr>
<td style="text-align:left">Pu</td>
<td style="text-align:center">56Kg - 77Kg</td>
<td style="text-align:center">76Kg - 103Kg</td>
</tr>
<tr>
<td style="text-align:left">2H</td>
<td style="text-align:center">???</td>
<td style="text-align:center">???</td>
</tr>
<tr>
<td style="text-align:left">6Li</td>
<td style="text-align:center">120Kg</td>
<td style="text-align:center">???</td>
</tr>
<tr>
<td style="text-align:left">3H</td>
<td style="text-align:center">60g (IRT-2000 only)</td>
<td style="text-align:center">???</td>
</tr>
</tbody>
</table>
<p>In <a href>Part 2</a>, I&apos;m going to examine what designs North Korea is using for its pits so I can better project how many pits of what type they have in service and how many they are capable of making per year.</p>
<hr>
<p>This post wouldn&apos;t have been possible without a great conversation that Peter started in the <a href="https://acwpodcast.slack.com/archives/C3TDZPKGA/p1531845517000524">ACWP Community Slack</a> as well as help from Peter, Andrew, Rethin, Chris, and Nathan. Massive thanks to you guys for the entertaining conversation, facts, fact checking and finding awesome sources!</p>
<!--kg-card-end: markdown-->]]></content:encoded></item><item><title><![CDATA[Update on the Chemical Weapons Attack in Douma on the 7th of April]]></title><description><![CDATA[<!--kg-card-begin: markdown--><p>The OPCW Fact Finding Mission has reported on the technical details of the attack and there are some key takeaways from my <a href="https://legendary.industries/2018/04/19/chemical-weapons-confirmation-bias-and-missing-the-point-in-douma/">previous post</a></p>
<p>I speculated based on imagery evidence at the time that Chlorine Gas and Sarin Gas were used. <a href="https://www.opcw.org/news/article/opcw-issues-fact-finding-mission-reports-on-chemical-weapons-use-allegations-in-douma-syria-in-2018-and-in-al-hamadaniya-and-karm-al-tarrab-in-2016/">What the FFM reported</a> was:</p>
<blockquote>
<p>The results show that</p></blockquote>]]></description><link>https://legendary.industries/update-on-the-chemical-weapons-attack-in-douma-on-the-7th-of-april/</link><guid isPermaLink="false">5d52dcde59bbd34cb3bdf9d9</guid><category><![CDATA[Syria]]></category><category><![CDATA[Chemical Weapons]]></category><dc:creator><![CDATA[Paddy Kerley]]></dc:creator><pubDate>Sat, 07 Jul 2018 16:13:28 GMT</pubDate><content:encoded><![CDATA[<!--kg-card-begin: markdown--><p>The OPCW Fact Finding Mission has reported on the technical details of the attack and there are some key takeaways from my <a href="https://legendary.industries/2018/04/19/chemical-weapons-confirmation-bias-and-missing-the-point-in-douma/">previous post</a></p>
<p>I speculated based on imagery evidence at the time that Chlorine Gas and Sarin Gas were used. <a href="https://www.opcw.org/news/article/opcw-issues-fact-finding-mission-reports-on-chemical-weapons-use-allegations-in-douma-syria-in-2018-and-in-al-hamadaniya-and-karm-al-tarrab-in-2016/">What the FFM reported</a> was:</p>
<blockquote>
<p>The results show that no organophosphorous nerve agents or their degradation products were detected in the environmental samples or in the plasma samples taken from alleged casualties. Along with explosive residues, various chlorinated organic chemicals were found in samples from two sites, for which there is full chain of custody</p>
</blockquote>
<p>Which is to say that there was no Sarin or the compounds it breaks down into found in the environment or in blood samples from victims, even if imagery shows injuries consistent with Sarin usage. This makes a lot of sense since the canisters dropped from the two Mi-8 helicopters are only consistent with the use of Chlorine Gas.</p>
<p>As well as this, the FFM says that &quot;various chlorinated organic chemicals were found in samples from two sites&quot; which is to say that Chlorine gas was used and was found in samples at both sites, which I assume means in both environment and blood samples.</p>
<p>What I find interesting is that the OPCW recently voted to <a href="https://www.theguardian.com/world/2018/jun/05/opcw-chemical-weapons-watchdog-special-session-russia-syria">attribute CW attacks</a> but there was no attribution of who committed the attack in either Douma on the 7th of April or in Al-Hamadaniya on the 30th of October 2016 and Karm al-Tarrab on the 13th of November 2016, which were also included in this report.</p>
<!--kg-card-end: markdown-->]]></content:encoded></item><item><title><![CDATA[What OpSec to Expect for the Kim-Trump Summit]]></title><description><![CDATA[<!--kg-card-begin: markdown--><p>A few weeks ago when North Korea &quot;Disabled&quot; their Nuclear Test Site at Punggye-ri, I had a talk with some of my friends at the Slack Channel for the <a href="https://www.armscontrolwonk.com/archive/author/podcast/">Arms Control Wonk Podcast</a> about some of the measures that the North Koreans were taking to preserve</p>]]></description><link>https://legendary.industries/expected-opsec-for-the-kim-trump-summit/</link><guid isPermaLink="false">5d52dcde59bbd34cb3bdf9d2</guid><category><![CDATA[OpSec]]></category><dc:creator><![CDATA[Paddy Kerley]]></dc:creator><pubDate>Sun, 10 Jun 2018 19:37:01 GMT</pubDate><content:encoded><![CDATA[<!--kg-card-begin: markdown--><p>A few weeks ago when North Korea &quot;Disabled&quot; their Nuclear Test Site at Punggye-ri, I had a talk with some of my friends at the Slack Channel for the <a href="https://www.armscontrolwonk.com/archive/author/podcast/">Arms Control Wonk Podcast</a> about some of the measures that the North Koreans were taking to preserve the secrecy of their program, with some rather extreme measures like taking dosimeters off of journalists, and <a href="https://twitter.com/LegendaryPatMan/status/999400530123337728">I had some things to say about that on Twitter</a>. That conversation happened again after <a href="https://www.nbcnews.com/news/amp/ncna880896">NBC published an article</a> on what the US IC was expecting, and people at the ACWP Slack thought some of the measures were pretty nifty, so instead of tweeting some short form ideas, I&apos;d write a bit about what to expect and why.</p>
<hr width="50%" align="center">
<h1 id="sowhatdidthearticlemention">So what did the article mention?</h1>
<h2 id="therearethreemainpointsthatthearticlementions">There are three main points that the article mentions:</h2>
<blockquote>
<p>U.S. officials are concerned China has recruited informants among the waiters and other staff in Singapore&#x2019;s restaurants and bars, who are paid to eavesdrop on American customers and report back to their Chinese handlers.</p>
</blockquote>
<p>This isn&apos;t surprising at all. Hotel staff at the Capella Sentosa Hotel and the surrounding area in Singapore are going to by default have a lot of access to both Trump and KJU as they will be serving drinks and food, cleaning rooms and have general proximity to buffets, tea/coffee and water coolers etc., where they may just so happen to overhear someone talking about something they shouldn&apos;t be talking about, either in person or on the phone.</p>
<p>This is HUMINT 101. This should be totally expected. Yes, the US IC might be more worried about China&apos;s capabilities, but this is something that at a minimum everyone should expect, especially when this is a capability that is so easy to build. It just requires money and a strategy. You blanket a key area that you want to target with your informants and have them provide you information in exchange for cash. You find your informants by staying at the location and following staff after work to find people who need the money. Alternatively you could hack into systems to find employee timetables etc., but they won&apos;t give you a full profile of who the right people for an informant are. That requires more leg work.</p>
<blockquote>
<p>Officials also expect electronic surveillance of the summit meeting sites. Americans will sweep for bugs in rooms at the Capella Hotel that could be used for side discussions, and could erect tents inside hotel meeting rooms to block any concealed cameras from viewing classified documents.</p>
</blockquote>
<p>Similarly to the above, this isn&apos;t surprising at all. SIGINT should be expected since it is so easily available with the proliferation of computers. For example, a suite with one of the leaders will most likely have air conditioning. But in the modern era, there are no air conditioners, there are computers that cool air to keep a space at a comfortable temperature. An implant in the aircon prior to the summit could allow you to capture video or audio with cameras and microphones, or the TVs or phones in the room could have had exploits used on them so the software captures data or voice conversations, even if the phones are not in use.</p>
<p>Bug sweeps of the rooms should catch 99% of physical bugs, but finding out if a computer has been exploited isn&apos;t so easy. This is also standard practice of modern Espionage and again, is something that should be totally expected given the proliferation of computing devices.</p>
<p>Interestingly, the article mentions &quot;tents&quot;; this is a SCIF or Sensitive Compartmented Information Facility. The whole point of these tents is that you can read and access TS//SCI information in a secure manner that maintains the confidentiality of the information in the documents.</p>
<blockquote>
<p>Chinese intelligence agencies have shown the ability to penetrate mobile phones even when they are off, and U.S. officials are now told to take their batteries out when they are concerned about eavesdropping, according to a U.S. intelligence official.</p>
</blockquote>
<h2 id="butthearticlealsomentionssomeinterestingotherscenarios">But the article also mentions some other interesting scenarios:</h2>
<blockquote>
<p>The Chinese, who have been known to bug everything from hotel keys to the gifts given to American visitors,</p>
</blockquote>
<p>This, again, is something to be expected. It should surprise no one that bugs will be planted or exploits will be implanted in hostile environments, be they physical or electronic environments.</p>
<blockquote>
<p>According to three U.S. officials, in one recent case a top U.S. official working in China repeatedly had trouble with his hotel key card. He had to replace it several times at the front desk because it wouldn&#x2019;t open his door.<br>
He brought one of the key cards back to the U.S., where security officials found a microphone embedded inside, according to the U.S. officials.</p>
</blockquote>
<p>Ok, this is kind of amazing! I&apos;m not entirely sure how exactly this was done but I&apos;d assume there is some form of local storage to store data, a power source for the microphone and some form of flat microphone. You can even recycle the method the card uses to unlock the door via NFC or SmartCard Chip to relay data back to its masters.</p>
<blockquote>
<p>Chinese intelligence agencies have shown the ability to penetrate mobile phones even when they are off</p>
</blockquote>
<p>This is also something that shouldn&apos;t be much of a surprise if you have been keeping an eye on exploits related to Intel&apos;s ME/AMT system over the past few years, where it&apos;s been demonstrated that when your device is &quot;off&quot; it&apos;s really just in a hardware sleep. <a href="https://www.webcitation.org/68FLdCH2k?url=http://software.intel.com/en-us/articles/architecture-guide-intel-active-management-technology/">Intel themselves even admit this isn&apos;t a bug but a feature</a> where they state:</p>
<blockquote>
<p>Intel&#xAE; AMT stores hardware asset information in flash memory that can be read anytime, even if the PC is powered off</p>
</blockquote>
<p>Since there are known problems with Intel ME, it is possible that you could use something like a Rubber Ducky to run some exploit code: if you get close enough to a computer, you can exploit the system and have persistent access to data on the system. Informants may also be useful for this as they will have the access and may be able to get close enough to access the system.</p>
<p>Granted, no phone runs an x86 system, but regardless, similar things are in ARM chips by design that allow ARM chips to only run when instructions are received. I don&apos;t know specifically if this is what phones do when they are &quot;off&quot;, but even if they don&apos;t, the phone will need something to do power management, and that chip will be running, similar to Intel&apos;s ME/AMT.</p>
<hr width="50%" align="center">
<h1 id="whatwasntmentioned">What wasn&apos;t mentioned?</h1>
<p>Curiously, drones were not mentioned, which I thought was super interesting. I don&apos;t think that we will see macro scale drones, but the technology has existed since the 70s for micro scale drones like the CIA&apos;s Dragonfly Drone.</p>
<p><img src="https://legendary.industries/content/images/2018/06/dragonfly-drone.jpg" alt="dragonfly-drone" loading="lazy"></p>
<p>There&apos;s also a technology called the Laser Microphone that allows you to use a laser to turn smooth flat surfaces or even the windows themselves into microphones to record conversations. If you&apos;re interested and don&apos;t have the money to spend on the kind of solutions you might expect from actors in the Espionage space, <a href="http://www.instructables.com/id/LASER-MICROPHONE/">there are guides online to build your own!</a></p>
<p>Finally, there was no mention of how data communications will be achieved, since officials may not be able to use phones or get internet connections through regular sources. I wouldn&apos;t be surprised if we see a US satellite dish pop up somewhere on site as well as some Harris radios that can do both voice and data connections. This would allow US Officials to continue to have safe, encrypted access to classified data in SCIFs as well as lesser classified data. We may not even see a satellite dish, as we could see the <a href="https://www.harris.com/solution/harris-falcon-iii-anprc-152a-wideband-networking-handheld-radio">Harris Falcon III AN/PRC-152A</a>, which has the ability to do satellite voice and data as well as local line of sight tactical radio operations.</p>
<hr width="50%" align="center">
<p>Also, don&apos;t expect just China to be doing this. Anyone with an interest will be doing similar things. I would expect at a minimum that Japan, South Korea, France, Germany, the UK, Russia and probably Israel are for sure going to be doing something similar. And this should be expected. This is what Espionage is for. You want to confirm that what you hear from the Official is what is actually happening.</p>
<!--kg-card-end: markdown-->]]></content:encoded></item><item><title><![CDATA[ZeroDays 2018]]></title><description><![CDATA[<!--kg-card-begin: markdown--><p>Holy shit! Yesterday, <a href="https://victorazzam.github.io/">Victor</a>, <a href="https://twitter.com/mystikPeach">Kim</a>, <a href="https://twitter.com/_RobGeraghty_">Rob</a> and myself came second at <a href="https://zerodays.ie">ZeroDaysCTF</a> as part of the SpontaneousWindowsUpdate Team!</p>
<p><img src="https://legendary.industries/content/images/2018/04/ZD-Colleges-CTF-2018---Google-Chrome_039-2.png" alt="ZD-Colleges-CTF-2018---Google-Chrome_039-2" loading="lazy"></p>
<p>It&apos;s crazy that last year I did my first ever CTF and came 29th as part of Team Irelanstein. Since then I&apos;ve done two more and improved gradually</p>]]></description><link>https://legendary.industries/zerodays-2018/</link><guid isPermaLink="false">5d52dcde59bbd34cb3bdf9d1</guid><category><![CDATA[CTF]]></category><dc:creator><![CDATA[Paddy Kerley]]></dc:creator><pubDate>Fri, 27 Apr 2018 17:23:26 GMT</pubDate><content:encoded><![CDATA[<!--kg-card-begin: markdown--><p>Holy shit! Yesterday, <a href="https://victorazzam.github.io/">Victor</a>, <a href="https://twitter.com/mystikPeach">Kim</a>, <a href="https://twitter.com/_RobGeraghty_">Rob</a> and myself came second at <a href="https://zerodays.ie">ZeroDaysCTF</a> as part of the SpontaneousWindowsUpdate Team!</p>
<p><img src="https://legendary.industries/content/images/2018/04/ZD-Colleges-CTF-2018---Google-Chrome_039-2.png" alt="ZD-Colleges-CTF-2018---Google-Chrome_039-2" loading="lazy"></p>
<p>It&apos;s crazy that last year I did my first ever CTF and came 29th as part of Team Irelanstein. Since then I&apos;ve done two more and improved gradually, but coming second, at the third largest CTF of its kind, is kinda crazy! Working since September with the guys has been awesome and I&apos;m really glad I got to meet the guys and work with them! &lt;3</p>
<p>For the record, my costume was a dragon. Dragons are giant lizards with wings. Dinosaurs are giant lizards. Therefore, dinosaur onesie + fairy wings = dragon. The wings chose me and I looked fabulous!</p>
<blockquote class="twitter-tweet" data-lang="en"><p lang="en" dir="ltr">Team SpontaneousWindowsUpdate are loving <a href="https://twitter.com/hashtag/ZeroDaysCTF?src=hash&amp;ref_src=twsrc%5Etfw">#ZeroDaysCTF</a>  Huge thanks to all the sponsors <a href="https://twitter.com/itbdublin?ref_src=twsrc%5Etfw">@itbdublin</a> <a href="https://twitter.com/edgescan?ref_src=twsrc%5Etfw">@edgescan</a> <a href="https://twitter.com/Integrity360?ref_src=twsrc%5Etfw">@Integrity360</a> <a href="https://twitter.com/wardsolutions?ref_src=twsrc%5Etfw">@wardsolutions</a> <a href="https://twitter.com/Deloitte?ref_src=twsrc%5Etfw">@Deloitte</a> <a href="https://twitter.com/bhconsulting?ref_src=twsrc%5Etfw">@bhconsulting</a><a href="https://twitter.com/amazon?ref_src=twsrc%5Etfw">@amazon</a> @skillnetcourses <a href="https://twitter.com/ppentestlabs?ref_src=twsrc%5Etfw">@ppentestlabs</a> <a href="https://twitter.com/ReliaQuest?ref_src=twsrc%5Etfw">@ReliaQuest</a> <a href="https://t.co/tgEREEnUJN">pic.twitter.com/tgEREEnUJN</a></p>&#x2014; DJ Rob Gero&#x2122;&#xA9; (@_RobGeraghty_) <a href="https://twitter.com/_RobGeraghty_/status/989475928827932672?ref_src=twsrc%5Etfw">April 26, 2018</a></blockquote>
<p>I also just want to say a huge thanks to the two Marks behind ZeroDays, the <a href="https://twitter.com/_BUCSS">@_BUCSS</a> teams from Bournemouth, <a href="https://twitter.com/peterhuerlimann">Peter</a> from our friends at <a href="https://twitter.com/CyberSecurityLI">@CyberSecurityLI</a>, as well as the Polish, Russian and German teams who made the effort to come from so far away! But most of all, thanks to the Trinity team who are always great fun and competition! Finally, thanks to the memelords who hijacked the <a href="https://twitter.com/hashtag/ZeroDaysCTF?src=hash">#ZeroDaysCTF</a> hashtag and spammed it with some brilliant images!</p>
<p>For the most part, it was harder than other years, especially in Reverse Engineering, but all that does is show me where we have to improve for next year and I&apos;m really looking forward to that!</p>
<p>Write-ups are coming and they will be on the <a href="https://github.com/itbhackersoc">ITB HackerSoc GitHub</a>, so keep an eye out there if you want a read of them or to try them for yourself!</p>
<!--kg-card-end: markdown-->]]></content:encoded></item><item><title><![CDATA[Chemical Weapons, Confirmation Bias and Missing the Point in Douma]]></title><description><![CDATA[<!--kg-card-begin: markdown--><p>I was planning on a different post after a break from the blog, including posting some backlogged posts from my time away and at least one talk I&apos;ve done, but I&apos;ve a lot of friends who have a lot of ideas about who committed</p>]]></description><link>https://legendary.industries/chemical-weapons-confirmation-bias-and-missing-the-point-in-douma/</link><guid isPermaLink="false">5d52dcde59bbd34cb3bdf9cf</guid><category><![CDATA[Syria]]></category><category><![CDATA[Chemical Weapons]]></category><dc:creator><![CDATA[Paddy Kerley]]></dc:creator><pubDate>Thu, 19 Apr 2018 13:51:04 GMT</pubDate><content:encoded><![CDATA[<!--kg-card-begin: markdown--><p>I was planning on a different post after a break from the blog, including posting some backlogged posts from my time away and at least one talk I&apos;ve done, but I&apos;ve a lot of friends who have a lot of ideas about who committed the Chemical Weapons attack in Douma, Eastern Ghouta, Syria on the 7th of April and none of them are correct. So I thought I would break down why I&apos;m confident in my assertion that it was the Assad Regime and not some false flag conspiracy theory.</p>
<p>I think first and most importantly, anyone who has been following the conflict for a while knows that this isn&apos;t the first time Chemical Weapons have been used in 2018; not only that, but it&apos;s the fifth time in 2018 in Eastern Ghouta alone that an attack has happened. The following attacks have happened:</p>
<ol>
<li><a href="https://www.stj-sy.com/en/view/392">January 13th</a></li>
<li><a href="https://www.stj-sy.com/en/view/413">January 22nd</a></li>
<li><a href="https://www.stj-sy.com/en/view/415">February 1st</a></li>
<li><a href="https://www.bellingcat.com/news/mena/2018/03/15/syrian-forces-bombard-eastern-ghouta-chemical-weapons-fourth-consecutive-time-since-beginning-2018/">March 15th</a></li>
<li><a href="https://www.bellingcat.com/news/mena/2018/04/11/open-source-survey-alleged-chemical-attacks-douma-7th-april-2018/">April 7th </a></li>
</ol>
<p>So I&apos;m going to examine the evidence that shows me, without a shadow of a doubt, that the Assad Regime was behind the attack, and I&apos;m even going to be kind and ignore some evidence that looks really bad for the Syrians and the Russians:</p>
<ol>
<li><a href="https://www.opcw.org/fileadmin/OPCW/EC/M-59/en/ecm59dg02_e_.pdf">A UN reconnaissance team, escorting the OPCW Inspectors, came under small arms fire and an explosive was detonated</a> while in Douma on April 18th, which is an area under the total control of the Assad Regime and Russian Forces</li>
<li>Gen. Gerasimov, Chief of the General Staff of the Armed Forces of Russia, <a href="https://youtube.com/watch?v=LuPSvHbX3Ug">basically predicted the attack, in detail</a>. As he knew the attack was coming, he could have put the districts under some form of greater protection in the form of Air Defence or boots on the ground, or called the OPCW to investigate the coming incident for credibility, or raised the issue with the US and its allies along with evidence to prove he was right, to completely discredit the coming attack. But he did literally nothing at all, other than mention it. This to me reeks of dezinformatsiya</li>
</ol>
<p>So let&apos;s get on with it and examine the evidence we have from Open Sources.</p>
<hr width="50%" align="center">
<h1 id="imageryevidence">Imagery Evidence</h1>
<h2 id="1weknowwhatthemunitionlookedlike">1. We know what the munition looked like</h2>
<p><a href="https://www.cbsnews.com/news/syria-inside-douma-the-site-of-apparent-chemical-attack-2018-04-16/">CBS journalist Seth Doane visited Douma</a> and on April 16th, published a piece with an <a href="https://cbsnews2.cbsistatic.com/hub/i/r/2018/04/16/751d2744-55e7-4b31-b6db-5e0c890dd5e4/resize/620x/c850d3ac9565729b6712227ab90282b9/0416-syria-doane-material-1-frame-2954.jpg">image of the munition</a>, which looks strikingly similar to the pressure vessels that <a href="https://www.hrw.org/news/2017/02/13/syria-coordinated-chemical-attacks-aleppo">Human Rights Watch</a> have been keeping track of, as used for <a href="https://www.hrw.org/video-photos/photograph/2017/02/14/2017-eme-syria-chemical-remnants">Chlorine Gas munitions in Aleppo</a> by the Syrian Government.</p>
<h2 id="2thedeliverymethodisconsistantwithotherchlorinegasattacks">2. The delivery method is consistent with other chlorine gas attacks</h2>
<p><a href="https://www.bellingcat.com/news/mena/2018/04/11/open-source-survey-alleged-chemical-attacks-douma-7th-april-2018/">Bellingcat</a> mentions that <a href="https://twitter.com/Sentry_Syria">@Sentry_Syria</a> observers had seen two Mi-8 Hip helicopters headed in the direction of Douma (though I am unable to find the tweet as I don&apos;t speak Arabic):</p>
<blockquote>
<p>Aircraft observers that are part of the Sentry Syria network observed two Hip helicopters heading southwest from Dumayr Airbase, northeast of Damascus, in the direction of Douma, 30 minutes before the chemical attack in Douma, and two Hip helicopters were observed above Douma shortly before the attack. Hip transport helicopters have also been linked to previous aerial chlorine attacks.</p>
</blockquote>
<h2 id="3theinjuriesweseeareconsistantwithachlorinegasandpotentiallyasaringasattack">3. The injuries we see are consistent with a Chlorine Gas and potentially a Sarin Gas attack</h2>
<p>This is going to be graphic. You have been warned. I will also correctly reference information so you can see the exact information I&apos;m working from.</p>
<h3 id="chlorine">Chlorine</h3>
<p>Exposure to Chlorine Gas is identified by coughing/wheezing and a runny nose (rhinorrhea), and symptoms consistent with a runny nose are visible in <a href="https://youtu.be/0K9H8dh12uE?t=1m11s">imagery taken from the scene</a></p>
<blockquote>
<p>Chlorine readily dissolves in the moist mucosa of the upper respiratory tract. The resulting reaction with water causes rhinorrhea, hyperventilation and may cause <strong>laryngeal edema</strong>. In the lower respiratory tract, the reaction causes coughing, wheezing and pulmonary edema.<br>
(Weapons of Mass Casualties and Terrorism Response Handbook, 2000)</p>
</blockquote>
<p>As well as this, high concentrations of Chlorine gas cause Chemical Burns which are also potentially <a href="https://youtu.be/0K9H8dh12uE?t=1m56s">visible on a victim&apos;s face</a> and arms at the scene</p>
<blockquote>
<p>High concentrations of chlorine gas will produce chemical skin burns<br>
(Weapons of Mass Casualties and Terrorism Response Handbook, 2000)</p>
</blockquote>
<h3 id="sarin">Sarin</h3>
<p>A key telltale that Sarin was used is <a href="https://youtu.be/0K9H8dh12uE?t=16s">foaming at the mouth</a>, which is visible from video taken at the scene. The U.S. Army Medical Research Institute of Chemical Defense has a Field Manual on the treatment of casualties of Chemical Weapons and describes the effects of Sarin on victims with the following quote:</p>
<blockquote>
<p>If the damage is severe, the casualty will start coughing up a clear, foamy sputum, the plasma from his blood that has leaked into his alveoli.<br>
(Field Management of Chemical Casualties, 2006)</p>
</blockquote>
<p>As of yet, it is unclear that Sarin was used, as <a href="https://www.bellingcat.com/news/mena/2018/04/11/open-source-survey-alleged-chemical-attacks-douma-7th-april-2018/">Bellingcat points out</a></p>
<blockquote>
<p>With allegations of Sarin use, it is important to note that these yellow gas cylinders are not associated with the use of Sarin, and as Sarin is a liquid a compressed gas cylinder seems an unlikely method of delivery for Sarin. Possible explanations for the allegations of Sarin use may be a result of the severity of the symptoms presented, of an undocumented munition being used, or another chemical agent being used that presents symptoms that could be confused with Sarin use.</p>
</blockquote>
<p>Though, that said, there is a report from NBC that <a href="https://www.nbcnews.com/news/mideast/u-s-has-blood-samples-show-nerve-agent-syria-gas-n865431">US Intelligence has blood samples showing the presence of Chlorine and an unnamed nerve agent</a></p>
<p>So let&apos;s conclude before moving on. We have imagery of the munition that is consistent with those used in previous attacks by the Assad Regime. The helicopters reported in the area are consistent with previous attacks by the Assad Regime. The injuries of the victims are consistent with victims of chlorine gas attacks and also potentially Sarin attacks. It walks like a duck and it quacks like a duck, it&apos;s a duck. It&apos;s an attack committed by the Assad Regime</p>
<hr width="50%" align="center">
<h1 id="emmanuelmacron">Emmanuel Macron</h1>
<p>I&apos;ve seen a lot of people rage against the establishment and claim that it was a false flag to get the US to stay in Syria by just about everyone from Trump, <a href="https://www.washingtonpost.com/world/national-security/trump-instructs-military-to-begin-planning-for-withdrawal-from-syria/2018/04/04/1039f420-3811-11e8-8fd2-49fe3c675a89_story.html?utm_term=.67a3cbc18c20">who wanted to leave Syria just days beforehand</a> or by Defence Contractors <a href="http://fortune.com/2017/04/07/syria-airstrikes-tomahawk-missile-boeing-raytheon-stock/">who saw their stocks rise</a>. Basically anyone under the sun who wasn&apos;t Syria. But Macron is no establishment stooge. If anything he&apos;s also an outsider. He was also <a href="http://uk.businessinsider.com/macron-france-will-strike-syria-if-proven-assad-used-chemical-weapons-2018-2?r=US&amp;IR=T">initially skeptical of reports</a>, even though there was verifiable open source information that showed the use of Chemical Weapons after this statement. Though he has seen the evidence of the most recent attack and is <a href="https://www.washingtonpost.com/world/europe/frances-macron-takes-harder-line-on-syria-asserting-proof-of-chemical-attack/2018/04/12/658e2412-3e71-11e8-a7d1-e4efec6389f0_story.html?utm_term=.e636c0cdde87">convinced by it</a>. The evidence that the US has is clearly so credible that the skeptic was convinced that Chemical Weapons were used.</p>
<h1 id="therobertfiskarticle">The Robert Fisk Article</h1>
<p>Robert is a journalist with the <a href="https://www.independent.co.uk">Independent</a> and he published an <a href="https://www.independent.co.uk/voices/syria-chemical-attack-gas-douma-robert-fisk-ghouta-damascus-a8307726.html#gallery">article</a> on the 17th of April that a lot of people are digging way too deep into and letting confirmation bias take over. The most common thing I have heard is that Fisk reports that the attack didn&apos;t happen. He didn&apos;t. He reported a claim from a doctor who reports that the attack didn&apos;t happen:</p>
<blockquote>
<p>War stories, however, have a habit of growing darker. For the same 58-year old senior Syrian doctor then adds something profoundly uncomfortable: the patients, he says, were overcome not by gas but by oxygen starvation in the rubbish-filled tunnels and basements in which they lived, on a night of wind and heavy shelling that stirred up a dust storm.</p>
</blockquote>
<blockquote>
<p>As Dr Assim Rahaibani announces this extraordinary conclusion, it is worth observing that he is by his own admission not an eyewitness himself and, as he speaks good English, he refers twice to the jihadi gunmen of Jaish el-Islam [the Army of Islam] in Douma as &#x201C;terrorists&#x201D; &#x2013; the regime&#x2019;s word for their enemies</p>
</blockquote>
<p>He wasn&apos;t an eyewitness and he openly declares a pro government bias. He could be right, but given that he wasn&apos;t a witness and is pro government, I find that hard to stomach. Not only that, he only got one side of the story, as the doctors who were treating victims were giving oral testimony to the Organisation for the Prohibition of Chemical Weapons, which Fisk also lets people know:</p>
<blockquote>
<p>By bad luck, too, the doctors who were on duty that night on 7 April were all in Damascus giving evidence to a chemical weapons enquiry, which will be attempting to provide a definitive answer to that question in the coming weeks.</p>
</blockquote>
<p>What is interesting is that he was given video of such hypoxia that was mentioned above by the doctor:</p>
<blockquote>
<p>I was with my family in the basement of my home three hundred metres from here on the night but all the doctors know what happened. There was a lot of shelling [by government forces] and aircraft were always over Douma at night -- but on this night, there was wind and huge dust clouds began to come into the basements and cellars where people lived. People began to arrive here suffering from hypoxia, oxygen loss. Then someone at the door, a &#x2018;White Helmet&#x2019;, shouted &#x2018;Gas!&#x201D;, and a panic began. People started throwing water over each other. Yes, the video was filmed here, it is genuine, but what you see are people suffering from hypoxia &#x2013; not gas poisoning.</p>
</blockquote>
<p>What I find really interesting is that somewhere, someone is lying because in the same article</p>
<blockquote>
<p>Of course we must hear their side of the story, but it will not happen here: a woman told us that every member of the White Helmets in Douma abandoned their main headquarters and chose to take the government-organised and Russian-protected buses to the rebel province of Idlib with the armed groups when the final truce was agreed.</p>
</blockquote>
<p>So the White Helmets were both there and not there, simultaneously, a Schr&#xF6;dinger&apos;s White Helmet if you will, and the artillery barrage caused hypoxia, to such an extent that it caused the injuries seen above and not just that, this is to my knowledge, the first ever, reported case of artillery causing hypoxia that isn&apos;t from chemical weapons. Including all of the worst Hurricane bombardments devised by Durchbruchm&#xFC;ller for der Kaiserschlacht.</p>
<p>Someone somewhere is not telling the truth. It could be the info about the White Helmets not being in town, it could have been the doctor, I don&apos;t know. But it&apos;s poor reporting from a great journalist who didn&apos;t get the whole story.</p>
<h1 id="thegrandconspiracy">The Grand Conspiracy</h1>
<p>Finally, a lot of people would have been needed to pull off a conspiracy of this size, over multiple countries&apos; Governments, Intelligence Agencies and Militaries. That level of coordination is totally possible, but building it on a lie is impossible to sustain. <a href="http://journals.plos.org/plosone/article?id=10.1371%2Fjournal.pone.0147905">It has been studied</a> and all conspiracies are mathematically destined to fall apart under their own weight. <a href="https://theness.com/neurologicablog/index.php/math-vs-conspiracies/">Dr. Steven Novella</a> summed it up best:</p>
<blockquote>
<p>Grand conspiracies can only exist in a fantasy world in which individuals can have preternatural competence, in which it is possible for a few people to secretly have tremendous reach and control, and in which these powerful and brilliant people also make ridiculously stupid mistakes that expose them to the enlightened few who can see through the conspiracy.</p>
</blockquote>
<hr width="50%" align="center">
<p>So why is any of this important in any way shape or form?! Simple. There has been a taboo on the use of Chemical Weapons since WWI and ever since then any use of Chemical Weapons has caused massive international backlash. This taboo is sliding away before our eyes as we care about other things that aren&apos;t nearly as important and worse, as you can see above, we aren&apos;t even really talking about the use of Chemical Weapons but we are talking about who had what motive and why. We aren&apos;t even talking about the use of Chemical Weapons anymore, we&apos;re caught up in a game of Whodunit and Whataboutism and this is a deeply disappointing and frustrating problem. It&apos;s an all too common problem in Arms Control too as you see, Arms Control is like Fiat Currency, it&apos;s worth the value you place in it. We are demonstrating through actions and words that Russia and Syria especially, but everyone is guilty of not caring and moving on, while we witness, and now ignore monthly uses of these horrific weapons</p>
<h1 id="references">References</h1>
<p>Weapons of Mass Casualties and Terrorism Response Handbook. (2006). 1st ed. [ebook] Jones &amp; Bartlett Learning, pp.37-39. Available at: <a href="https://books.google.ie/books?id=7ZnXZfwWwgcC&amp;source=gbs_navlinks_s">https://books.google.ie/books?id=7ZnXZfwWwgcC&amp;source=gbs_navlinks_s</a> [Accessed 18 Apr. 2018].</p>
<p>Field Management of Chemical Casualties. (2000). 2nd ed. [pdf] U.S. Army Medical Research Institute of Chemical Defense (USAMRICD), pp.33-35. Available at: <a href="https://www.rke.vaems.org/wvems/Libraryfiles/Dis/E_04.pdf">https://www.rke.vaems.org/wvems/Libraryfiles/Dis/E_04.pdf</a> [Accessed 18 Apr. 2018].</p>
<!--kg-card-end: markdown-->]]></content:encoded></item><item><title><![CDATA[Talk on OpSec @ ITB Hacker Soc]]></title><description><![CDATA[<!--kg-card-begin: markdown--><p>I gave a talk to the <a href="https://hackersoc.tk/">ITB Hacker Soc</a> about OpSec. I don&apos;t have video, but I do have the <a href="https://cloud.legendary.industries/index.php/s/Pijy7Fej3XKzrKj">slides</a>. This is a talk that&apos;s going to go through a serious workthought because a friend of mine pointed out that not everyone has the tinfoil</p>]]></description><link>https://legendary.industries/talk-on-opsec-itb-hacker-soc/</link><guid isPermaLink="false">5d52dcde59bbd34cb3bdf9d0</guid><category><![CDATA[Talks]]></category><dc:creator><![CDATA[Paddy Kerley]]></dc:creator><pubDate>Wed, 15 Nov 2017 14:29:00 GMT</pubDate><content:encoded><![CDATA[<!--kg-card-begin: markdown--><p>I gave a talk to the <a href="https://hackersoc.tk/">ITB Hacker Soc</a> about OpSec. I don&apos;t have video, but I do have the <a href="https://cloud.legendary.industries/index.php/s/Pijy7Fej3XKzrKj">slides</a>. This is a talk that&apos;s going to go through a serious workthought because a friend of mine pointed out that not everyone has the tinfoil hat that I have... So taking on her advice, I&apos;m going to change it up to show that what I am giving you is a set of tools that you can use, if you so choose to protect yourself to a level you find useful</p>
<!--kg-card-end: markdown-->]]></content:encoded></item><item><title><![CDATA[Some Quick Thoughts on the Barron's Report]]></title><description><![CDATA[<!--kg-card-begin: markdown--><p>A report has come to light from the recently retired Gen Sir Richard Barrons who was the Commander of the Joint Forces Command, or the big cheese in the British armed forces. His report is a haul down report covering the issues in the military for the next commander and</p>]]></description><link>https://legendary.industries/some-q/</link><guid isPermaLink="false">5d52dcde59bbd34cb3bdf9cd</guid><category><![CDATA[UK]]></category><dc:creator><![CDATA[Paddy Kerley]]></dc:creator><pubDate>Sun, 18 Sep 2016 22:27:24 GMT</pubDate><content:encoded><![CDATA[<!--kg-card-begin: markdown--><p>A report has come to light from the recently retired Gen Sir Richard Barrons who was the Commander of the Joint Forces Command, or the big cheese in the British armed forces. His report is a haul down report covering the issues in the military for the next commander and it raises some interesting issues that are worth talking about in different contexts.</p>
<p>So the first thing that&apos;s striking from the report is</p>
<blockquote>
<p>could not withstand attack by major power like Russia</p>
</blockquote>
<p>This is regarding the entire British armed forces. To some people, like me, this isn&apos;t so much of an issue as it is a known fact. If we break down some of the issues that Britain has, it quickly becomes apparent that this is going to be a problem for GB in the event of an attack.</p>
<p>So if we look at the big trends globally in militaries the two big things are EW and A2AD. Britain&apos;s access to EW isn&apos;t great, as the report highlights,</p>
<blockquote>
<p>no electronic warfare capability</p>
</blockquote>
<p>But not only that, the only training facility in Europe is the Polygon between Germany and France. Which is a Joint EU/US project. And guess who&apos;s leaving the EU... Yup, GB. So they lack a capability and can&apos;t train its offence and defence.</p>
<p>And on A2AD</p>
<blockquote>
<p>UK air defence now consists of the [working] Type 45 [destroyers], enough ground-based air defence to protect roughly Whitehall only, and RAF fast jets.</p>
</blockquote>
<p>So the Type 45 Destroyers, listed as working, is debatable... They look cool as fuck and futuristic as all get out! But GB cheaped out on the engines and they keep breaking down... So, in reality they&apos;re not great! They are based on Aegis Combat System which is a big plus, but if you compare the capabilities of a Type 45 to a French La Fayette or a Dutch De Zeven Provinci&#xEB;n, which is arguably the BEST Air Defence ship on the seas as we speak! But there&apos;s more. The ground-based air defence is basically what&apos;s referred to as RAF Fast Jets, which are Eurofighter Typhoons, which are arguably the best jets in the skies right now, but they are being replaced with F-35&apos;s as we speak. And the ground-based system for Whitehall, I know nothing about and the rest of the system, CAMM, is an idea at present...</p>
<p>So where do we stand? No access to EW and no real working A2AD... And Russia exploits that all the time by flying Bears, and I&apos;ve heard Blackjacks into GB airspace until they are intercepted.</p>
<p>But it&apos;s worse than that.</p>
<blockquote>
<p>The current army has grown used to operating from safe bases in the middle of its operating area, against opponents who do not manoeuvre at scale, have no protected mobility, no air defence, no substantial artillery, no electronic warfare capability, nor &#x2013; especially &#x2013; an air force or recourse to conventional ballistic or cruise missiles.</p>
</blockquote>
<p>That quote is a scathing criticism of the British Army. It says that the Army only knows how to fight targets who have no real modern hardware who don&apos;t maneuver like, say, a Russian Maneuver Battalion kitted out with T-14&apos;s and BTR&apos;s. And even if it could fight them, it can&apos;t fight the supporting troops who use Artillery, EW, Air Forces and conventional and ballistic cruise missiles. It&apos;s a fancy way to say that they can&apos;t fight for shit in more polite political language.</p>
<p>But my favourite part of the entire report is this line in reference to the brand spanking new Queen Elizabeth class Aircraft Carriers and other small but hugely expensive pieces of equipment that dominate the UK Military like the F-35 and the Vanguard-class submarines or the hilariously expensive Trident Missile System which both are in Scotland, which may no longer be in GB if the SNP have their way!</p>
<blockquote>
<p>we cannot afford to use fully, damage or lose</p>
</blockquote>
<p>And this part of the report is dead right! If GB does lose a carrier in conflict, that&apos;s the Pride of the British Navy and the Armed Forces in general. That&apos;s HMS Tiger all over again. That&apos;s a huge loss to morale! And it&apos;s a very costly loss! And it can so easily happen as the CVN USS Theodore Roosevelt and its escorts found out in 1999 when a Dutch Walrus-class submarine sank them in a training exercise called JTFEX/TMDI99 in the Atlantic Ocean. The Dutch sub got into the Task Force, sank it all and got out without being detected and left because it ran out of torpedoes.</p>
<p>And one last thing.</p>
<blockquote>
<p>lack of manpower across the military</p>
</blockquote>
<p>The British Army has been at war for 100 years on the trot with no breaks. It&apos;s had no recovery time. It has great institutional knowledge of fighting and how to fight, but it lacks the manpower to do so and the manpower isn&apos;t trained well enough to do so since more and more troops are needed to keep working on operations.</p>
<p>And just to end as Brexit was mentioned... GB hates the idea of an EU Army or European Defence Pact/Coalition/Corps because it&apos;s the end of NATO. Europe will form it, pay for their force and not NATO&apos;s. It will be GB, USA and a few non-EU nations and the US will likely with the current political climate look at NATO as a waste of resources and a boon for US Isolationists. And that right there is the end of the UK/USA agreement or the end of the &quot;Special Relationship&quot;.</p>
<!--kg-card-end: markdown-->]]></content:encoded></item><item><title><![CDATA[How to shoot down an F-35. An Amateur Weapons Designers Guide]]></title><description><![CDATA[<!--kg-card-begin: markdown--><p>So I&apos;ve been rather silent.. I&apos;ve been working on two blogs, one on Ireland during WWII and how we were so neutral we weren&apos;t neutral at all. I was working on that in the run up to Brexit and of course, that took a</p>]]></description><link>https://legendary.industries/how-to-shoot-down-an-f-35-an-amateur-weapons-designers-guide/</link><guid isPermaLink="false">5d52dcde59bbd34cb3bdf9cc</guid><category><![CDATA[Weapons Design]]></category><dc:creator><![CDATA[Paddy Kerley]]></dc:creator><pubDate>Fri, 08 Jul 2016 13:20:00 GMT</pubDate><content:encoded><![CDATA[<!--kg-card-begin: markdown--><p>So I&apos;ve been rather silent.. I&apos;ve been working on two blogs, one on Ireland during WWII and how we were so neutral we weren&apos;t neutral at all. I was working on that in the run up to Brexit and of course, that took a lot of my attention as both someone who will most&#xA0;likely&#xA0;be&#xA0;affected by it in the future and as a Europhile&#xA0;thinking rather gloomily about the future of the Union. But we&apos;re back and we&apos;re talking about Weapons Systems again today and the specific future of BVR weapons.</p>
<p>The main reason I&apos;m thinking about this is Lockheed-Martin and the&#xA0;USAF&apos;s PR push for the&#xA0;Lockheed-Martin F-35 Lightning II. They are now making a lot of noise about how much they&apos;ve improved so many aspects of it, how much more maneuverable it is, how many software bugs have been fixed and so on. Now some or all of that may be true, I&apos;ve heard from several places about how good or bad things have gotten, but the one thing that&apos;s not really talked about all that often is how god damn hot the thing runs!</p>
<p>It runs so hot that, to stop the fuel from combusting&#xA0;in its tanks, refueling has to use pre-cooled fuel and&#xA0;Lockheed-Martin and the USAF are redesigning the inerter that keeps the levels of oxygen in the fuel tank at a low level. This is super important because J1 Jet Fuel is at its most combustible as a vapor. It also means that it&apos;s super important not to fly too close to a thunderstorm or&#xA0;Lightning could down a&#xA0;Lightning..</p>
<p>But none of that is what we&apos;re here to talk about today. We&apos;re going to talk about the Engine. The giant hot engine that has one giant exhaust that also gets very hot. And hot things have big IR Signatures. And if the wings get so hot it vaporizes the fuel and the rear is hot because of the giant engine, it&apos;s going to have a GIANT IR signature.</p>
<p>But what kind of range can you detect an IR Signature from? Well the AIM-9 Sidewinder is the IR missile with the greatest range that I know of and that is out to 30-35 Km. There exists IR Radar but that is shockingly new and basically designed to counteract stealth aircraft. Being so new, its operational range is highly classified..</p>
<p>So my theory as to where anti F-35 weapons will either&#xA0;have a giant acronym like&#xA0;Beyond Visual Range, Lock On After Launch, Infrared Missile or&#xA0;BVR LOAL IRM. Or it will if the F-35 isn&apos;t as good as&#xA0;Lockheed-Martin and the&#xA0;USAF think for&#xA0;first look, first kill aircraft since the missiles it will be using for BVR combat are AIM-AMRAAM 120&apos;s which can have a launch detected at maybe 30 Km range from some probably unreliable sources. But that&apos;s boring and can all be solved by stuff that already exists! So we&apos;re going to look at the first option!</p>
<p>So how do we find an F-35 or any Stealth aircraft at range since it is a &quot;First look, First Kill&quot; and designed to engage at Beyond Visual Range? Well to see something like that at range you need an early warning radar, something akin to the Over the Horizon RADAR at Chernobyl known as Duga 3. It&apos;s frankly gigantic and completely unrealistic as something that could fit in the nose of a plane or a missile. But that kind of RADAR is really only good for say, bouncing a signal off the ionosphere. If you take the L-Band, UHF or VHF, and can process the signal enough to reduce noise in the RADAR then you can find and hit the plane as the USA found out in 1999 when the Serbians shot down an F-117 Nighthawk Stealth Aircraft.</p>
<p>So we know this can be done. But didn&apos;t the F-117 get shot down by a S-125 that locked on when the bomb bay doors opened up? Yeah.. And that&apos;s the thing. That&apos;s a super small window to hit something and unless you can cover 100 Km in a few seconds, BVR is out of the game. So we can find the plane at range, but how do we hit it? We have a giant IR signature. So the missile is fired and doesn&apos;t lock on. It goes in the general direction of the aircraft. When it gets to within 30 Km, it can start to detect it with IR and lock on like an AIM-9 Sidewinder.</p>
<p>So since so much technology exists already but isn&apos;t in one package, can we&#xA0;squeeze&#xA0;all that RADAR&#xA0;and IR detection tech into a small enough package that we can put in a 230mm package to fit on the wing of a Flanker a Fulcrum or a PAK-FA? Or say a 203mm package to be used on a&#xA0;Chengdu J-20? Or even&#xA0;180mm package suitable to fit on a NATO to be used on an F-22 or F-35 as a replacement for an AMRAAM 120&#xA0;against other stealth aircraft? That is a whole other question.</p>
<p>But what I really want to do is to see if I can build such a thing and make it work! And can it be done with things I have lying around my bedroom and garage.. IR camera connected&#xA0;to a&#xA0;Raspberry Pi to control the sensor and detect targets.&#xA0;Then&#xA0;an Arduino to turn movement commands from the RPi into attitude&#xA0;changes&#xA0;from an amateur rocket&#xA0;motor. It will be missing an IFF system but that requires having friendly signatures so you can identify who&apos;s who and that&apos;s the job of a real defense&#xA0;contractor when the time comes for&#xA0;someone to make one for real&#xA0;operational&#xA0;use.</p>
<p>So as I&apos;ll get my head around this problem that really isn&apos;t a problem and have updates in time</p>
<!--kg-card-end: markdown-->]]></content:encoded></item><item><title><![CDATA[The Next Gen of CPU's are GPU's are the Most Important in Years]]></title><description><![CDATA[<!--kg-card-begin: markdown--><p>That&apos;s a rather ambitious title don&apos;t you think? Well to be honest with you, I think it&apos;s the truth! I think what we will see from AMD will be beneficial to everyone, be they enterprise or consumer, scientist or gamer or even the neglected</p>]]></description><link>https://legendary.industries/the-next-gen-of-cpus-are-gpus-are-the-most-important-in-years-13-6-16/</link><guid isPermaLink="false">5d52dcde59bbd34cb3bdf9cb</guid><category><![CDATA[Hardware]]></category><dc:creator><![CDATA[Paddy Kerley]]></dc:creator><pubDate>Mon, 13 Jun 2016 13:19:00 GMT</pubDate><content:encoded><![CDATA[<!--kg-card-begin: markdown--><p>That&apos;s a rather ambitious title don&apos;t you think? Well to be honest with you, I think it&apos;s the truth! I think what we will see from AMD will be beneficial to everyone, be they enterprise or consumer, scientist or gamer or even the neglected market of the third world.</p>
<p>Why is this the case? Well let&apos;s take a look back at the recent past. In the CPU market, Intel have reigned supreme after AMD&apos;s disastrous Bulldozer architecture. Intel did what any good company would do and really capitalized on the situation! They released just before that the cracking i5-2500K and then the iX-4XXX series CPU&apos;s which even 4 years later are awesome! But AMD floundered and improved somewhat on&#xA0;Bulldozer&#xA0;with&#xA0;Piledriver, but&#xA0;you&#xA0;can only dress shit up so well. And in a market with only two competitors, you can see where this is going to go and who it will affect the worst.. The Consumer. And it did recently with the release of the Broadwell E chips from Intel. You can get a 10 core chip for a whopping 1700 USD! And not only that, but there are &quot;cheaper&quot;&#xA0;versions&#xA0;of the Broadwell E&#xA0;series with 8 cores but they are hugely expensive compared to their counterparts from the&#xA0;previous&#xA0;generation.</p>
<p>Around the same time, is what I remember Nvidia really getting their hype machine going too. So much so that even I would say I fell victim to buying a GTX 560. Which, not a bad card, but the Radeon HD&#xA0;6870 was a better card and really held up better in the long run. Nvidia used its position quickly to start to sign developers up to using its proprietary system of developing games which has the dubious nickname of Gimpworks since it appears to gimp its competitors&apos; cards. Not that AMD&apos;s cards were in any way better or worse, they were generally on par, but they had what I at least would call better technologies, if you were willing to have a bigger, beefier PSU like FreeSync, which is Open Source and free, compared to Nvidia&apos;s&#xA0;proprietary&#xA0;and expensive G-Sync. But Nvidia had the market and the hype train and we all know the internet loves a good hype train!</p>
<p>This has all recently come to a head as I mentioned that Intel released its 10 core processor and Nvidia released their GTX 10XX series of GPU&apos;s nicknamed Pascal. Intel charging 1700 USD for a processor when you can get better Xeon processors for&#xA0;cheaper&#xA0;is just blatant price gouging. Intel are basically seeing how much money&#xA0;they can get out of the consumer for as little performance gain as possible. Nvidia did something similar where they released the GTX 1070 and GTX 1080 recently with big price tags in what was a paper launch. But if you really wanted to, you could pay another 100 USD to get a reference version direct from Nvidia. If you read the tech press reviewing the cards and benchmarking them to Nvidia&apos;s Benchmark&#xA0;guides, vs what say, reddit users are getting, they differ wildly.</p>
<p>So why will AMD change this? Well there are a few reasons. Firstly and I think more importantly they have shown off their new Polaris GPU&apos;s at Computex and E3. The best so far of them is the RX 480 and at 199 USD it looks like a beast and should compete with the GTX 1070 for about 1/2 the price. And AMD isn&apos;t just coming back out of its corner swinging on the GPU front. They have new CPU&apos;s coming too and are taking aim at Intel&apos;s big profit margins for high end chips and making what look to be only 8 and 16 core monsters that are on par with Intel&apos;s Skylake processors. We don&apos;t know&#xA0;pricing&#xA0;yet but they are&#xA0;expected to be again about half the price. And these products are not like Nvidia&apos;s cards that are the old&#xA0;architecture&#xA0;scaled down to 16nm or Intel&apos;s Broadwell E which is a generation old, but matured process. Neither of those things are bad&#xA0;necessarily, and AMD is guilty of&#xA0;product&#xA0;refreshes as we see with the R9 3XX being a refresh of the R9 2XX GPU&apos;s.</p>
<p>Secondly, the&#xA0;developers&#xA0;who make games&#xA0;generally&#xA0;don&apos;t just make games for one audience like&#xA0;PC&#xA0;gamers. They make games for Console too and if you look at what the Hardware of current and future consoles is, they are all built on AMD powered hardware. The&#xA0;developers&#xA0;know exactly what they are doing with AMD systems. Not only that, the&#xA0;XBox One uses a variant of Windows 10 running D3D12 which uses extensive low level coding to get the most out of the system. Playstation uses a variant of AMD&apos;s Mantle ported to work with Playstation&apos;s modded FreeBSD/BSD OS and Mantle is the basis of Vulkan and both also use extensive low level coding too. So the&#xA0;developers&#xA0;making the games we will&#xA0;be playing in future, are using the API&apos;s of the future and are all using AMD hardware. Why would a dev use Nvidia&apos;s Gameworks&#xA0;development&#xA0;environment on Intel CPU&apos;s&#xA0;when they&#xA0;have&#xA0;been&#xA0;using AMD&apos;s GPU open on AMD CPU&apos;s&#xA0;behind the scenes?</p>
<p>Thirdly is the technology front. In all honesty, I think that Intel are head and shoulders ahead of AMD on the processor front but, they do have one advantage. In D3D12, Mantle and Vulkan you have the ability to scale compute across processor cores as needed in a sort of dynamic provisioning. Intel are still on 4 cores and AMD are going 8 core minimum. If you compare some of the AMD Piledriver 8 core FX processors to Intel&apos;s most recent 4 core Skylake CPU&apos;s in a compute intensive game like Ashes of the Singularity, which&#xA0;admittedly&#xA0;is an AMD Gaming Evolved title, the 4 extra cores can be used to bridge the&#xA0;divide&#xA0;caused by the poor Bulldozer&#xA0;architecture.</p>
<p>Not only that but on the GPU front Nvidia&apos;s dominance of the D3D11 era came to a quick end when every D3D12 game showed huge improvement with the exception of the Tomb Raider, which was an Nvidia Gameworks title. Most of this&#xA0;performance&#xA0;improvement comes from a little feature called Async Compute where the hardware can dynamically and&#xA0;asynchronously&#xA0;divvy up&#xA0;what shaders&#xA0;are doing between graphics and compute tasks thanks to a command processor. Nvidia claims the same can be done with a driver and in software but how you emulate a command processor&#xA0;and expect it to perform the same as bare metal is beyond me and to be honest, I&apos;d love to see what Nvidia bring to the table! That said, with the gains that AMD has made by including it in its design over the years, it gives a lot of life to the cards that have it, something that can not be said for Nvidia&apos;s cards in the long run</p>
<p>Finally, AMD are doing something different and are targeting everyone rather than&#xA0;enthusiasts. AMD are looking at overall reducing the cost of computing and opening up the market. AMD are looking towards China, India and Africa as well as the western world. They see a giant market of people who would love to be playing games and they want to make as much hardware as possible available to them and do it giving the best experience possible. And unlike both Intel and Nvidia who are chasing short term profits, AMD are playing the long game.</p>
<p>So in short, Intel and Nvidia have spent the last few years of market dominance price gouging the consumer, but over the next few quarters, when we see AMD&apos;s new GPUs and CPUs targeting the masses with great technology and the return of AMD&apos;s CPUs, it should make the market really competitive. And that can only be good for all.</p>
<!--kg-card-end: markdown-->]]></content:encoded></item><item><title><![CDATA[Debunking MS-804 crash as a Terrorist Attack]]></title><description><![CDATA[<!--kg-card-begin: markdown--><p>When one decides to write a blog, it&apos;s probably a good idea to have a topic that you want to write about in advance since you know, that&apos;s what blogging is.. I on the other hand started doing this just to play around with build a</p>]]></description><link>https://legendary.industries/debunking-ms-804-crash-as-a-terrorist-attack-10-6-16/</link><guid isPermaLink="false">5d52dcde59bbd34cb3bdf9ca</guid><category><![CDATA[Terrorism]]></category><dc:creator><![CDATA[Paddy Kerley]]></dc:creator><pubDate>Fri, 10 Jun 2016 13:16:00 GMT</pubDate><content:encoded><![CDATA[<!--kg-card-begin: markdown--><p>When one decides to write a blog, it&apos;s probably a good idea to have a topic that you want to write about in advance since, you know, that&apos;s what blogging is. I, on the other hand, started doing this just to play around with building a website so that I could have email, and since then things have changed drastically. I have a website that&apos;s probably been over-designed, no email and a blog.</p>
<p>So for my first post let&apos;s take a look at something that I despise. It&apos;s a word. It&apos;s Terrorism. It&apos;s used all the time, the world over: by lawmakers to justify overly powerful bills; by militaries, intelligence agencies and law enforcement to justify larger budgets; and by pundits in the media we consume to basically spread fear rather than report. Most of those statements are what some may call opinion, and that&apos;s fine, and they will probably result in other blog posts. But I&apos;m going to take issue with one of those groups today: the intelligence agencies of the world.</p>
<p>In the wake of the attack there were unconfirmed statements from unknown sources inside French Intelligence, the Greek Military &amp; the Egyptian Security Services (I&apos;m lacking a source, but regardless I can also debunk media speculation) that the attack on Egypt Air MS-804 was a terror attack. And ohh boy did that statement add petrol to a fire in the media. So how do I, a random guy who doesn&apos;t work in intelligence, somehow know this? Simple, I have my own intelligence that is drastically different from their intelligence.</p>
<p>The AV Herald, a great resource for all things aviation crash related, managed to get hold of the ACARS messages that were sent by the plane, and they are as follows:</p>
<pre><code>00:26Z 3044 ANTI ICE R WINDOW
00:26Z 561200 R SLIDING WINDOW SENSOR
00:26Z 2600 SMOKE LAVATORY SMOKE
00:27Z 2600 AVIONICS SMOKE
00:28Z 561100 R FIXED WINDOW SENSOR
00:29Z 2200 AUTO FLT FCU 2 FAULT
00:29Z 2700 F/CTL SEC 3 FAULT
no further ACARS messages were received.
</code></pre>
<p>Now that is Grade A Gibberish to anyone who doesn&apos;t understand how to read ACARS messages. But luckily we have Reddit for that! And /u/Jackal___ delivered with this gem, an Airbus Accident Information Transmission that outlines what the ACARS messages mean.</p>
<p>So what we can tell from the AIT is that at 0026, 2 cockpit temperature sensors on the right hand side of the cockpit failed and a toilet smoke sensor also detected smoke. At 0027 we know a smoke sensor detected smoke in the Avionics Bay. At 0028 another temperature sensor failed in the cockpit. Finally, at 0029 we know that computers in the Avionics Bay failed before no other messages were received.</p>
<p>So how do I know that it wasn&apos;t a terrorist attack? Well, that&apos;s pretty simple. The ACARS messages are standard computer logs and they are time series logs. This means that the first log is the first event to happen. So, knowing that, let&apos;s re-examine the logs in a simpler format:</p>
<pre><code>1. 00:26Z 3044 ANTI ICE R WINDOW
2. 00:26Z 561200 R SLIDING WINDOW SENSOR
3. 00:26Z 2600 SMOKE LAVATORY SMOKE
4. 00:27Z 2600 AVIONICS SMOKE
5. 00:28Z 561100 R FIXED WINDOW SENSOR
6. 00:29Z 2200 AUTO FLT FCU 2 FAULT
7. 00:29Z 2700 F/CTL SEC 3 FAULT
no further ACARS messages were received.
</code></pre>
<p>Doing this we can see that the first sensor to fail was a cockpit temperature sensor, then another, and then the toilet smoke sensor detected smoke, and all this happened in the 60 seconds that make up 0026. So flat out we can see that it simply can&apos;t be a fire in the toilet. The fire had to start in the cockpit.</p>
<p>Ok, so how do I know a pilot didn&apos;t start the fire? Well, that&apos;s also pretty simple. In the wake of Germanwings Flight 9525 the Two Man Rule was made law in Europe. Now, Egypt isn&apos;t in Europe, but because of Egypt Air flight 990 in 1999, when it&apos;s believed that the crash was caused deliberately by a pilot, the rule was made law in the USA and Egypt Air instigated the Two Man Rule. So the idea that one of the pilots managed to subdue the other, and noiselessly at that, and then started a fire in the cockpit seems unlikely, since anyone who&apos;s ever been in a fight or flight situation knows you have a tendency to freak out just a little and yell or scream.</p>
<p>So what caused the fire?! Wouldn&apos;t that be the first Airbus A320 to EVER have an on board component fire?! Yes, yes it would. But the cockpit is filled with something that can catch fire fast and generate a lot of heat and smoke: Lithium Polymer batteries. They are used when the plane is on the ground, with the engines off and with no generator attached, to keep systems running.</p>
<p>So if we examine what we know and apply some critical thinking, what we know as a fact is that the fire started sometime around 0026 in the right hand side of the cockpit causing two temperature sensors to fail. After this we know there was smoke detected in a toilet, most&#xA0;likely&#xA0;one close to the cockpit. At 0027 we know that there was smoke detected in the Avionics bay. At 0028 we know another right hand side&#xA0;cockpit&#xA0;temperature sensor failed. Finally at 0029 we know 2 computers in the Avionics bay failed before transmission ceased. We know the flight went down around 0033 so the SDU must have failed or been damaged since there are no further messages.</p>
<p>But that&apos;s not really satisfying, is it? What would Mythbusters do? Try and loosely recreate the myth for fun! So how would I get through airport security and start a fire on a plane? Pretty simple actually. Airport security is largely a farce and it&apos;s very easy to make explosives after airport security. Evan Booth&apos;s Terminal Cornucopia is probably the best example of this, but there are also a lot of really great security bloggers and researchers that cover the issue, as well as some pilots too.</p>
<p>So how would I start a fire after airport&#xA0;security? Simple. Buy a bottle of water, some kind of device to hold the water, a Swiss Army Knife/Screwdriver/Tweezers/Scissors, any electronic device at all that has a battery and lastly some Hydrogen Peroxide contact lens cleaner. If you combine them, in the magic order you can start a fire and spread it very&#xA0;quickly. If you&apos;re really good, and can make it burn quick and clean, there&apos;s a small chance you can do it without smoke. Then all you have to do is break down the cockpit door and throw the burning mixture all over the place.</p>
<!--kg-card-end: markdown-->]]></content:encoded></item></channel></rss>