Notices by Martin Seeger (masek@infosec.exchange)

Kudos to @molly0xfff for this headline: https://www.citationneeded.news/issue-85/

@lauren @kims Furthermore Musk is significantly overestimating his clout and political acumen.

Sometimes I just want write on all channels:

Look here: $URL. So much data for you to grab. Have fun!

Being ethical is cumbersom 🤪. The logical behind it: if I act unethical, it is not the responsible who will suffer most, but innocent victims.

No matter how much effort I put into it, the storage remains online and accessible for everyone.

If you ask: Where do cyber criminals get all their information?

I can answer you that...

For a cyber criminal it is important to know, how much money (at least the order of magnitude) a potential victim has.

It would look bad if they try to cheat a poor bloke for some millions.

For that reason it is extremely nice (sarcasm) that a Colombian bank puts millions of documents about their customers (credit authorizations, creditworthiness reports, etc.) online WITHOUT any authentication or authorization required.

In order to fulfill their duty to the criminals of the world, they also put scans of the officials ID cards of those citizens online too (of course both sides).

On some days I cannot eat as much as I want to throw up.

Such is life in #infosec

Currently I am busy with my contacts in Colombia to find someone to take care of that. It would be much easier if said bank would follow RFC 9116. But alas, no such luck.

I will name the bank once the leak is closed.

Has anyone in my circles have any contact to sistecredito (https://www.sistecredito.com/) in Colombia?

No matter what I do, they still seem to be leaking data on millions of customers to anyone on the Internet.

I have been unable to establish a bidirectional contact with them. I informed the CERT in Colombia and tried to alert other officials. So far with little results (but lots of work for me).

What do I see:

• Letters of credit
• Reports on the status of credits
• Scans of ID cards

#sistecredito #colombia

Data is still online, trying to get more attention to the problem.

Got a email address for privacy problems at the org and emailed them. I am talking to some journalists in the background.

On the other hand: I notice the data is since 4 years in database for open buckets.

I am pretty sure, one day we will pay dearly for all this negligence.

This is not some cipher being broken by quantum encryption. It is a plain, simple, even trivial configuration mistake.

Every posture management solution will cry out loud about it. But nobody cares and very intimate data about millions of people stays online.

Bosch startet mal wieder eine Kampagne, Kunden vor den Gefahren der Cloud zu warnen:

https://www.golem.de/news/spexor-bosch-macht-alarmanlage-fuer-camper-zu-elektroschrott-2505-196570.html

Gerade bei Heimautomatisierung würde ich immer zu cloud-freien Installationen raten. Das erspart einem solche Schmerzen...

@jerry His handlers want Trump to be able to say, he brought the oil price down. A counterpoint to all else becoming more expensive.

Warning, long text

Solar energy comes out of your panels as direct current (DC). That’s all well and good, but homes and grids run on alternating current (AC). Enter the inverter – the humble box that turns solar wizardry into household juice.

Now, inverters aren’t just fancy plug adapters. They have to sync up with the grid – which means they generate exactly the same frequency as the rest of the system. No grid? No syncing. In that case, the inverter goes into what’s called island mode and produces power only for local use. So, if my solar system isn’t connected to the external grid, it can’t run the house – but it can still power two little emergency sockets. Cheers, I guess.

Normally, the grid runs at 50 Hz – that’s hertz, not some obscure Scandinavian metal band. But this frequency can wobble a bit. Physically and technically speaking, it rises when there’s too much power and not enough consumption, and falls when there’s a hungry grid and not enough electricity to feed it.

To keep the grid safe, inverters have an emergency shutdown feature: if the frequency goes over a set limit (apparently around 50.2 Hz), they also jump ship and go into island mode.

Spain’s energy mix is a bit unusual: lots of nuclear, lots of renewables – and a large chunk of those renewables are solar. Makes perfect sense in a country where “cloudy” means three fluffy cotton balls drifted by.

Now, nuclear energy comes with two charming quirks. First, you can’t change its output quickly – it’s not a dimmer switch, more like a cruise ship rudder. Second, nuclear plants cost nearly the same to run at half speed as they do at full throttle. So, naturally, you want to keep them purring along at max capacity.

Then came Monday, with weather conditions perfect enough to make a solar engineer weep with joy: loads of sun, plenty of wind. By 9 a.m., Spain’s energy needs were entirely met by nuclear and renewables. In fact, they had surplus electricity and began exporting it by the bucketload. They shut down everything easy to shut down – but nuclear? No chance. It stayed full steam ahead.

Then, two unfortunate things happened: one transmission line to France caught fire (as you do), and another developed resonances due to meteorological oddities.

So far, this is all well documented. Now we step into speculation territory.

These instabilities meant Spain couldn’t get rid of its excess electricity. The grid frequency rose past that critical 50.2 Hz mark – and boom: many solar systems switched to island mode. At that moment, they were providing nearly 15 gigawatts – around 60% of the national supply. And just like that, poof – they were gone.

Suddenly, two-thirds of the electricity vanished. Wind, nukes, and batteries couldn’t keep up – quite the opposite, in fact. To prevent damage, the nuclear plants initiated emergency shutdowns. Not great. (More on why that’s bad in a bit.) Within seconds, the entire grid collapsed. The solar systems were poised to help – but there was no grid left to sync with.

Everything went dark.

Portugal and southern France were also knocked offline, as they’d been happily sipping from Spain’s excess power. The European grid wasn’t amused and unceremoniously kicked Spain out of the club. France, with a bit of backup and a stiff upper lip, restored its network fairly quickly. My home automation system even picked up the moment the frequency dipped and France cranked up its own generation.

Portugal got the rough end of the stick. With fewer reserves and being smaller in size, they couldn’t help themselves – and no one else could help either, since Spain’s their only neighbour.

Restarting a collapsed grid isn’t just a matter of flipping a giant switch. It’s tricky for two reasons:

• Generation and consumption have to be in perfect balance. If not, we’re back to square one.
• Nuclear power plants can’t just be turned back on. After an emergency shutdown, they suffer from something called xenon poisoning (yes, one of the very same issues that made Chernobyl a household name). You’ve got to wait for that to wear off – which means the reactors were still offline two days later.

The fix? You split the grid into smaller bits. For each chunk, you build up some capacity, bring it online, then move on to the next. Rinse and repeat. This takes hours. Meanwhile, the sun moves across the sky – and even if you do reconnect the solar arrays, they won’t produce nearly as much as before. Come 8 p.m., they’re more or less useless.

So Spain needed outside help. They were gradually reconnected to the European grid – in small, careful steps. Without that assistance, large parts of Spain would probably still be in the dark. That’s why electricity came back first in places like Barcelona, close to the French border, while Portugal endured the longest wait.

• Considering the scale of the event, the recovery was impressively quick. In San Sebastian, power was back within 2 hours. (For comparison: Wismar in Germany had a 45-minute outage last year because one substation had a wobble.) Portugal got its power back after 23 hours. I had expected one to two days.
• This was the largest blackout in Europe in 40 years. If, as suspected, climate-related factors helped spark (pun intended) the situation, then modernising the grid to better handle volatility is absolutely essential. That includes implementing the long-debated power zones in Germany.

Achtung, langer Text

Solarenergie kommt als Gleichstrom aus den Solarpanels. Das bedeutet, sie muss in Wechselstrom umgewandelt werden. Diese Aufgabe übernimmt ein sogenannter Inverter.

Inverter müssen sich dabei auf das Stromnetz aufsynchronisieren, das heißt, sie erzeugen exakt die Frequenz, die das Netz vorgibt. Gibt es kein externes Netz, ist das nicht möglich – die Inverter wechseln dann in den sogenannten Inselmodus und erzeugen Strom nur für den lokalen Gebrauch. Wenn meine PV-Anlage beispielsweise keinen Netzstrom hat, kann sie das Haus nicht versorgen, aber Strom über zwei Notstrom-Steckdosen bereitstellen.

Die Frequenz im Netz beträgt in der Regel 50 Hertz. Diese schwankt jedoch – mal etwas mehr, mal weniger. Aus physikalisch-technischen Gründen steigt die Frequenz, wenn zu viel Strom das ist, also zu wenig Strom verbraucht wird, und sinkt, wenn zu viel verbraucht wird.

Um das Netz zu schützen, verfügen Inverter über einen Notabschalt-Mechanismus: Steigt die Frequenz über eine festgelegte Grenze (meines Wissens bei 50,2 Hertz), wechseln sie ebenfalls in den Inselmodus.

Der spanische Energiemix ist ungewöhnlich: viel Kernenergie und viel erneuerbare Energie. Ein Großteil der erneuerbaren Energie stammt wiederum aus der Solarenergie – logisch bei dem Klima.

Kernenergie hat zwei wesentliche Eigenschaften: Zum einen sind Lastwechsel nur sehr langsam möglich, zum anderen produziert ein Kernkraftwerk auch bei Teillast nahezu dieselben Kosten wie bei Volllast. Das bedeutet, man möchte diese Kraftwerke möglichst konstant mit voller Leistung betreiben.

Am Montag ergab sich nun eine besondere Situation: viel Sonne, guter Wind. Schon ab 9 Uhr konnte der gesamte Energiebedarf Spaniens durch Kern- und erneuerbare Energien gedeckt werden. Es wurde sogar mehr Strom erzeugt als benötigt, sodass man begann, so viel wie möglich zu exportieren. Alles, was sich einfach abschalten ließ, wurde abgeschaltet – aber die Kernkraftwerke wollte man aus den oben genannten Gründen nicht drosseln.

Dann geschahen zwei Dinge: Eine Leitung nach Frankreich fiel aufgrund eines Feuers aus, und auf einer anderen Leitung kam es wetterbedingt zu Resonanzen.

Bis hierhin ist das alles belegbar – nun folgt die Spekulation:

Diese Instabilitäten führten dazu, dass der Strom nicht mehr ausreichend abfloss. Die Frequenz im Netz stieg an – und überschritt die kritische Grenze von 50,2 Hz. Viele Solaranlagen schalteten deshalb in den Inselmodus. Zu diesem Zeitpunkt machten sie fast 15 GW Leistung aus, knapp 60 % der Gesamtenergie – und waren schlagartig weg.

Plötzlich fehlten zwei Drittel der Energie. Weder Windkraft noch Kernenergie oder Speicher konnten das auffangen – im Gegenteil. Um Schäden zu vermeiden, gingen auch die Kernkraftwerke in eine Notabschaltung. Das ist besonders problematisch – dazu später mehr. Innerhalb von Sekunden brach das gesamte Netz zusammen. Die Solaranlagen waren bereit, konnten sich aber auf kein Netz mehr synchronisieren.

Alles war dunkel. Auch Portugal und Südfrankreich wurden vom Netz genommen, da sie bis dahin vom spanischen Export profitiert hatten. Das europäische Stromnetz reagierte und warf Spanien aus dem Verbund. In Südfrankreich konnte das Netz dank eigener Reservekapazitäten und Hilfe anderer Länder schnell wiederhergestellt werden. In meiner Heimautomatisierung konnte ich beobachten, wie die Frequenz dort kurz abfiel, bevor die eigene Leistung hochgeregelt wurde.

Portugal traf es härter: Das Land verfügt nicht über die Reserven Frankreichs und ist zudem deutlich kleiner. Von außen konnte niemand helfen – Spanien ist der einzige Nachbar.

Ein solches Netz wieder hochzufahren ist kompliziert – aus zwei Gründen:

• Erzeugung und Verbrauch müssen stets im Gleichgewicht bleiben. Andernfalls droht erneut ein Zusammenbruch.
• Kernkraftwerke lassen sich nicht sofort wieder hochfahren. Nach einer Abschaltung leiden sie unter anderem an einer sogenannten Xenonvergiftung (eines der Probleme beim Reaktorunfall von Tschernobyl), die erst abgebaut werden muss. Deshalb sind sie auch zwei Tage später noch offline.

Die Lösung besteht darin, das große Netz in viele kleine Abschnitte zu unterteilen. Für jedes Teilnetz wird zuerst Kapazität aufgebaut, dann wird es ans Netz genommen – und so weiter. Das dauert Stunden. In der Zwischenzeit zieht die Sonne weiter, und selbst wenn die Solaranlagen wieder ans Netz angeschlossen werden, liefern sie längst nicht mehr so viel wie zuvor – und ab etwa 20 Uhr gar keinen Strom mehr.

Spanien brauchte also Hilfe aus dem Ausland. Man verband das Land schrittweise wieder mit dem europäischen Netz – zunächst nur mit kleinen Teilregionen. Ohne diese Hilfe wäre Spanien vermutlich noch immer ohne Strom. Der Strom kam daher zuerst in grenznahen Regionen wie Barcelona zurück, während Portugal am längsten unter dem Ausfall litt.

• Für die Größe des Incidents war die Behebung insgesamt schneller als ich erwartet hatte. In San Sebastian war nach 2h wieder Strom (zum Vergleich: Es gab in Wismar und Umgebung letztes Jahr 45min Stromausfall, weil ein Umspannwerk gewackelt hatte) und nach 23h in Portugal. Ich hatte mit 1-2 Tagem gerechnet.
• Es war der größte Stromausfall in Europa seit 40 Jahren. Wenn die Annahme stimmt, dass er durch Klima-Ereignisse mit ausgelöst wurde, ist eine Modernisierung des gesamten Stromnetzes für besseren Umgang mit Schwankungen unumgänglich. Dazu gehört auch die geforderte Einführung von Stromzonen in Deutschland.

An interesting day in #Barcelona it was...

I expected it to be one as I was scheduled to do a presentation with the "Autoritat Catalana de Protecció de Dades" on the risk of S3 buckets and other data leak. For me it was a special presentation because the first time in my life I would do a presentation in Spanish. Put a lot of preparation into it but was nervous anyway. But it went fine and we wrapped it up at about 12:00 local time.

As we (Directora Meritxell Borràs i Solé and me) were debriefing, suddenly the lights went out. I expected a small localized hiccup, so we didn't think much about it and started our journey to the scheduled lunch. A taxi was waiting for us.

1/7

At that point I had only terrible mobile phone coverage. My evaluation showed:

• I could do outgoing calls in terrible quality, but not receive incoming calls
• Text messages could neither be sent nor received
• Internet was completely down

I would love to read the post mortem from the mobile phone companies. That should not have happened within the first hour of the outage and is a big "no no" from my PoV.

As I was already three weeks in Barcelona, I noticed an unusual pedestrian traffic pattern. There were a lot more people on the streets than there were usually at this time of day. All the large stores and restaurants had closed and the patrons were pushed to the streets. People were no longer using their phones in the usual way. Usage in unsual ways was mostly shouting or staring frustrated at it.

4/7

As it turned out (after four floors upwards on ramps), the restaurant was completely out of commission. While they still had gass to cook, no light made the kitchen inoperable and the beverage dispenser were out of commission as well. So we went four floors down again.

At that point I presented my opinion that we would be dealing with hours of outage. Small outages can usually be fixed quickly, but nation wide is a totally different game. I said that I would be very happy, if we had electricity before sundown. I recommended to my hosts to make their way home as traffic would not get better and that I needed not to be taken care of. My hotel was about a mile away from the restaurant so we split up. This was about 13:30.

At that point I started some actions of my own:

• Phone was set to power saving mode and brightness reduced to "barely legible"
• At the next open stoor I bought non-alcoholic drinks and food to get me through two days
• I asked my colleagues in the SOC to go to an higher alert level

I am kind of a pessimist in such things...

3/7

On the way to the taxi we got the news, the outage was city wide. That was giving me bit of a worry for our lunch as I don't expect restaurants to keep working without electricity. This turned out to be right and wrong at the same time.

Traffic in Barcelona is a mess at best times and these weren't. But a total collapse was avoided as most traffic lights kept working, a thing a reliability enthusiast like me noted positively. But I also saw a fraying of the mobile network that frankly shocked me. I would have expected problems, but not that soon. During our 15min drive to the restaurant I had everything from excellent connectivity to no reception at all.

By the time we arrived at the restaurant, it was clear that something big was happening. We had reports of outages from Portugal, all over Spain and from Southern France at well.

2/7

At 17:30 I was back at the hotel and in my room. Around 18:50 the lights came back on. One could hear cheering in the streets through the closed window. The mood on the streets shifted immediately. My thoughts are with the people in Madrid and Lisbon who reportedly still are in the dark.

Whoever worked on repairing the damage, you have my thanks.

In order to be able to sleep, I have to get the thoughts out of my head, therefor this post.

Good night, an interesting day is ending

7/7

At about 16:30 I noticed a significantly improved mobile network. I could get Internet through 5G again. This was a great relief and I tried to use the service as much "text only" as possible.

I went to stroll through the streets and check the connectivity down there. On the streets it was still pretty bad. Also I noticed a significant change in the composition. There were far less women on the streets and there were a lot more young men in small groups looking bored. If the outage persisted after sundown, looting would not surprise me and I discussed my observations with the hotel staff. It turned out they were way ahead of me concerning that curve and they had quietly started preparing for it.

Another observation was: if I am ever short on hardy men and women, I would recruit them among the small store operators and tapas bar staff in Barcelona. They kept the city operating, come what may. They had no light, no cash register, no credit card terminals, but they kept going. Food was improvised and payments were handled cash only.

6/7

Due to my ruined knee, it took me quite some time to get to the hotel. I arrived at about 14:30 there. At the hotel rumors were flying: Marocco, Italy and Belgium were said to be down as well and someone even said that Ireland was affected.

Connectivity was practically zero at that time. Nobody could get any web site.

I climbed 8 floors up to the rooftop bar (and explored the emergency stairs in the process), expecting the best chances for any reception there. To my surprise, the rooftop bar was operating. There were no warm dishes, but most drinks were available and cold snacks. My kudos to the staff and I will fill the tip jar very generously.

I managed to get a voice call through to @isotopp (in about 7 attempts) to get a rough briefing. That didn't look good. Expected time to recovery was 6-10 hours. Especially 10 hours would have been very bad because that meant no power till past midnight.

Over the next two hours, I scanned the WIFI spectrum. And it was awing. My hotel is located about 50m from "Las Ramblas" and usually I could get more APs than my phone could show. Now there was NOTHING AT ALL.

During that time a hotel about 400-500m from mine seems to have brought up their emergency power generator and their free WIFI went up. I managed to connect to it twice for about 5min during the next 2 hours. Whoever operates the SSID "Liceu_Opera" in #Barcelona. You have my thanks and respect.

5/7

Why do such things keep happening to me? Went out in #Barcelona to buy a book on Saint Jordi day and came back with a sword.

#Orcrist #sword