Fourteen years of online conflict have left me with a variety of pursuers, ranging from absolute crackpots to well-funded ideologues. Part of this trouble includes some folks with “operations technical” skills. There are a couple who would use free DNS exploration tools, find something on a domain connected to me, then there’d be a round of twittering, as if things hosted today on an IP address that was briefly mine ten years ago are some sort of HUGE DEAL!!
That isn’t even a little deal, but schooling people who fail that hard is good clean fun. So I made a nice puzzle for them …
Attention Conservation Notice:
Rather technical and intentionally silly, but there IS a good lesson at the end.
Forming & Swarming:
Here’s how that puzzle came together.
Got my domains on Cloudflare cleaned up.
Found a list of binomial names for 146 theropod dinosaur species.
Spent an afternoon poking around Shodan finding funny IP addresses.
Each domain got a random list of dinosaur name and IP.
Cron jobs kept things moving in terms of passive DNS.
And then I just forgot about it for three years.
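The seeding and cron-driven churn described in the steps above, as an added example that is not the author's own script: it pairs species names with decoy IPs, emits plain zone-file lines, and rotates a slice of the records on each run so passive DNS keeps seeing new entries. The species list, the IP list (RFC 5737 documentation ranges), the domain and the function names are all constructed placeholders, not the author's 146 theropods or Shodan picks.

```python
"""Decoy passive-DNS seeding: random species/IP pairs per domain, rotated by cron.

Added example, not the blog author's code. All inputs below are constructed.
"""
import random

# Constructed sample inputs (assumption: the real lists are much longer).
SPECIES = [
    "Tyrannosaurus rex",
    "Velociraptor mongoliensis",
    "Allosaurus fragilis",
    "Deinonychus antirrhopus",
    "Carnotaurus sastrei",
]
# RFC 5737 documentation addresses stand in for whatever IPs were actually used.
DECOY_IPS = ["192.0.2.10", "192.0.2.20", "198.51.100.5", "203.0.113.7"]


def label_for(species: str) -> str:
    """Turn a binomial name into a DNS label: 'Tyrannosaurus rex' -> 'tyrannosaurus-rex'."""
    return "-".join(species.lower().split())


def seed_records(domain, species, ips, count, seed=None):
    """Pick `count` distinct species, pair each with a random decoy IP.

    Returns a list of (fqdn, ip) tuples. `seed` makes a run reproducible.
    """
    rng = random.Random(seed)
    chosen = rng.sample(species, count)
    return [(f"{label_for(s)}.{domain}", rng.choice(ips)) for s in chosen]


def rotate(records, domain, species, ips, fraction, seed=None):
    """One cron tick: retire the oldest `fraction` of records and mint fresh pairs.

    Fresh names are drawn only from species not currently in use, so every
    rotation is guaranteed to change the set of names passive DNS observes.
    """
    rng = random.Random(seed)
    n_replace = max(1, int(len(records) * fraction))
    in_use = {name.split(".", 1)[0] for name, _ in records}
    pool = [s for s in species if label_for(s) not in in_use]
    n_replace = min(n_replace, len(pool))  # never over-draw the species pool
    keep = records[n_replace:]
    fresh = [(f"{label_for(s)}.{domain}", rng.choice(ips)) for s in rng.sample(pool, n_replace)]
    return keep + fresh


def to_zone_lines(records, ttl=300):
    """Render records as zone-file A records (hypothetical output format for this example)."""
    return [f"{name}. {ttl} IN A {ip}" for name, ip in records]


if __name__ == "__main__":
    recs = seed_records("example.org", SPECIES, DECOY_IPS, 3, seed=1)
    print("\n".join(to_zone_lines(recs)))
    print("--- after one rotation ---")
    print("\n".join(to_zone_lines(rotate(recs, "example.org", SPECIES, DECOY_IPS, 0.5, seed=2))))
```

Run it once from cron per domain, persisting the current record list between runs, and push the rendered lines through whatever DNS API the domain lives on; the zone-line output is just the simplest thing to diff by eye.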
Five years ago SOCOM’s Sovereign Challenge let their sovereignchallenge.org domain slip. I’ve made it known I’d be happy to swap it for some cool swag, but nobody cares enough to make the effort. So it resolves to an unused Tumblr and there were many funny passive DNS entries for the domain. Sorry for the potato screenshot, I can’t figure out how to do a fixed-width font here.
Extinction:
I happened to be in Cloudflare this evening, so I decided to fire up RiskIQ and see how my herd of two-legged carnivores was doing. There are a dozen subdomains still showing for sovereignchallenge.org, but they’re from an earlier effort where I carefully inspected IP addresses from Shodan before using them.
But some sort of digital asteroid got all the rest of them …
Lessons Learned:
There was about a decade of windup that led to this project. Some of my … observations … from that time are:
What hunts you? - this comes first, last, and a couple times in the middle.
Paranoia: Pathological or Professional? - the worst thing that happens if I overestimate an adversary is I learn some new stuff about pursuit and evasion.
You might self-describe as a blue team defender or red team aggressor, but if you want to be the best you’ll take the time to switch-hit so you understand the size and shape of the overall envelope.
An enormous burst of noise has its uses, but there’s nothing like quietly digging a rabbit hole every few hundred yards along your path to make a capable pursuer so frustrated they go find someone else to bother.
I talked about this along the way specifically to tweak those followers; I was hoping to punk a couple of them after some foolish exposé. As a rule deception is best when the methods and motives are left opaque.
Lessons For You:
Compartmentalize your stuff by project; entanglement is what leads to your efforts being forcibly untangled at the worst possible moment.
When you think you see something, make sure the tools you’re using aren’t giving you a keyhole view. RiskIQ was the primo environment for that - you’d get back just fifteen domains even if you’re looking at a Cloudflare IP that hosts 2,500.
When something is done you clean house. Or you leave it as it is. But whichever you choose must be a MINDFUL choice, not happenstance. The judgment needed to do this comes from actual work, which must be a mix of both red AND blue team duties.
If you’re chasing something and you start getting Angoraphobia, there’s a procedure to climb down from that. First, sleep on it. Then ignore it for a couple days. Never hurts to get someone else to look. If it still won’t resolve, get your long term alerts and stuff going and just check periodically. Maybe they’ll slip.
Conclusion:
I haven’t written anything about the implications of AI yet. Part of the reason is that there are already a host of really smart people doing that, and those that are maybe not so smart will still be expert AI hot-take producers, that is once they’re finished being Mideast conflict resolution experts. I am not at all sure what Q1 2024 is going to bring. The only specific thing I have in mind is a review of The Online Operation Kill Chain with an eye on recasting it into tactics, techniques, and procedures that make sense for small ISR nodes, which is how Q4’s exercise has evolved.
All that’s certain is that there are three more phases to consider in December. And given my work backlog it’s not out of the realm of possibility that December will wrap clear around to Valentine’s Day.