
A
Hey everyone and welcome along to Seriously Risky Biz. This is our podcast all about cybersecurity policy and intelligence. My name is Amberly Jack and in just a moment I'll bring in Tom Urian who is our policy and intelligence editor. And we're going to chat all about the Seriously Risky Business newsletter that he has put together this week. You can of course read that and subscribe to it over at our website, Risky. And this week's show is also sponsored by Dropzone, so you can find them at DropZone AI. Big thank you to them for that. G'day, Tom. It's great to see you.
B
G'day, Amberly. How are you?
A
I'm good, thanks Tom. And I want to chat to you about Google and in particular Google's new cyber disruption unit that has made a bit of a splash recently. Its first big splash, I understand, and has disrupted a residential proxy network IP Idea and condensing, what you say a lot, you basically say job well done and please can we have more of this. But I guess first up, Tom, what is IP Idea and how exactly did Google mess with their day?
B
I don't know how you pronounce it. You say IP Idea. I guess that makes sense. So it's what's known as a residential proxy network. So these are in some way the dark matter of cybercrime in that they're used a lot by malicious actors to avoid block lists. And so the idea is that somebody, in this case the company IP Idea, collects a whole lot of devices that basically proxy traffic around for paying clients. And the whole business is shady. And so this particular company, it would pay developers to put its software development kit into their applications. And typically unbeknownst to the end user, those applications would then start proxying traffic for IP Idea and that gets sold to whoever wants to appear to be coming from a legit residential address. And so Google talks about that. It says that people using this network were overwhelmingly criminals or threat actors. It was overwhelmingly malicious. The kinds of things, espionage, cybercrime, information operations, threat actors, disinformation actors. And they found in just one week over 550 different threat actors using this particular network. And there have been different ways that groups construct these networks. One way is that they just get people to install trojanized applications. So applications that do something, but again, unbeknownst to the end user, they put proxy traffic or in malware and sometimes they even get, they just pay people to install it. And you know, I've heard it, seen it described online as air quotes, passive income from sharing your bandwidth, which just seems like a terrible idea because it's from a security point of view, it's bad because it's giving someone else a point of presence in your own internal network. So that's what residential proxies are. IP Idea was one of the bigger ones. And so what Google did, it kind of had, I think of it as two prongs. One is just the technical analysis and understanding. You know, how does this work? What are the domains that are involved? 
How is it incorporated into software development kits, where do these go, what apps are using them? And all that work is great. And Google has shared that with other platform providers and research firms. And the idea is that they can then take this information and use it to kick those apps off their app stores and prevent them from coming back. Because now they've got kind of fingerprints, I guess, for that software. The other thing they did was they went to a court and got an order to say take down all these domains. And some of those domains are involved in actually running the proxy network. So they've kind of disrupted its actual operation right now. And some of those domains are involved in marketing of the service. So it's stopped what they're doing now. It's made it harder for them to reconstitute because all their marketing's been taken offline. And they've made it harder from a technical point of view to put their software back into app stores. Now app stores aren't the only place that this software comes from. So there's other. It's not just the Play store. And also IP Idea had software for iOS, Windows, Android and even LG's operating system. So now the action, they estimate that it will take just in Android, it will take millions of devices off the network. So really quite effective. Yeah. And so the, to me, the, you know, this is great. It's an enabler of cybercrime. They've taken a big swipe at a very significant player in the network. How do we get more of this? So when it comes to big companies taking these kinds of actions, so lawful or court ordered takedowns coupled with technical actions, there's actually not really that many examples. So Google's done, I think less than 5, maybe over like its entire time as a company. Microsoft's done more, but still not that many. So these are rare, exceptional events. They don't occur very often. They're impactful when they happen. 
But if you look at cybercrime, I think you'd be hard pressed to find many people who would say that yes, the good people are winning. We're cracking down on cybercrime and we're fighting a good fight and things are getting better. And so if.
A
What do you mean, Tom? That's the gist of our show every week.
B
Yeah, good people are winning. And so how can you get the private sector? Because these companies, Googles, the Microsofts, the Facebooks, like they have tremendous influence over the Internet. How can we get them to do more of these sorts of actions now? Well, I guess is it. The Risky Business view is that we want more hacking, but of course hacking isn't the solution for everything. And so I spoke to Susannah Seymour who wrote a paper about enabling civil takedowns, court ordered takedowns. And our view was that there's already a process. We know it works. I mean, this action is a good example where Google got like complementary civil takedowns and technical action that's. Is it synergistic? It's a better package than just one or the other. And so we've got a law, a legal process that works. It's just not fast enough. And so rather than talking about things like hacking back and allowing the private sector to hack to try and deter adversaries, like the simplest, easiest thing to do is just to make that process easier and quicker for companies. Because right now it's a huge legal hurdle. And when you've got just a small handful of the biggest companies in the world doing this kind of thing, one step would be just to make it easier for them so that they can get it done faster. And so that's basically what she recommends.
A
So that sounds great, making it easier. But Tom, how exactly do we make that easier? Because if the legal process is hard and expensive and time consuming enough that we kind of see Google and Microsoft do it a few times, how do we make that process easier?
B
Yeah, so Seymour wrote a paper which came out earlier this year. Actually I didn't write it about the time, but I definitely saw it and it was, you know, the, the gold standard, like in my eyes anyway, is Congress should legislate for a special court that deals with these issues. And like that makes sense for a lot of reasons because there's a kind of technical. What exactly is the Internet? What are domains? How do you take them down? They're all these technical pieces of information that it's good to have experienced people dealing with the issues and things like, you know, what are the risks? What could go wrong? I think that's because that doesn't exist in a specialized court right now. It takes time to get people up to speed. So I think that would be the gold standard. But she also suggests that there's a lot of incremental things that could be done. So one of them, for example, is just to come up with like, example templates of how you would structure your argument or your evidence to make it easier to get it in place rather than trying to have to reinvent the wheel every time. So it feels like these actions are so infrequent, like one every year or two, like in the past, that no one gets enough time and practice and expertise in really dealing with them. And so she suggests, like, there's a lot of things that could be done to speed up that by just smoothing process rather than necessarily coming up with new laws. So there's a, I guess a range of measures that could be taken that don't rely on the big bang of legislation, the big bang and the slow one, because that'll obviously take time.
A
I want to move on now, Tom, to your second story. And Starlink has deployed some countermeasures to sort of prevent Russian forces from using its satellite communications service for long range drones in Ukraine. And it all kind of happened very fast, but it took a very long time for that very fast thing to happen. Tell me a little bit about what's going on there.
B
Yeah, yeah. So the immediate news is that as of middle to late December of last year, so not that long ago, the Russian military started to put Starlink terminals on what are called Molnya drones. So these are drones that you fly along by basically looking through a camera. So you get a drone's eye view and you direct it with, you know, a remote control. And originally these drones, they're made of plywood, so they're super cheap. Originally they were just controlled over a radio frequency link. So you get like an old analog TV view of the from the drone's perspective. And then because of things like jamming, they started to use, like, amazingly, they would just trail fiber optic cable behind, so they would have a spool of tens of kilometers of fiber optic cable. And that avoids jamming, but it reduces your payload. And so the latest innovation as of like mid to late December was to stick a Starlink terminal on top and then you like, effectively get worldwide range. That's obviously very bad because it allowed them to then have much further range into Ukraine and to strike well into Ukrainian territory. So they were targeting vehicles and it looks like maybe trains as well that were well behind the front line. And so the story is that the Ukrainians reached out to SpaceX and basically within a week they'd implemented a speed limit on terminals in Ukraine. So the speed limit reportedly at 75 km an hour, so if you're traveling faster than that, the terminal just doesn't work. And so that immediately stops that use of Starlink terminals on those kinds of drones. Now the problem from a Ukrainian point of view is that also stops any fast moving Ukrainian terminals. And so the second step is that they're implementing an allow listing process where you, according to the Ukrainian Ministry of Defence, easily and quickly register your terminal with authorities and then that'll be allow listed by Starlink. And so only authorized terminals will work. 
That part struck me as, wow, it's three. Is it three, four years into the war and this has actually been a problem the whole time. So the way that it had been implemented was just a geofence where, you know, if the terminal's on the right side it works and if it's on the wrong side, it doesn't. But of course the front line's fluid. Both Russian and Ukrainian forces have been trying to use Starlink around the front line. And there's a story from like 2024 about how there's a black market in Starlink terminals that are basically funneled through to the front for use by the Russian military. And so this solution could have been implemented anytime probably in the last couple of years, I'm guessing. And so it's wonderful illustration of how when SpaceX wants to move very quickly, it can, and it can do all sorts of things, but unless it kind of appears that unless it catches Musk's eye, it doesn't happen. So the counter example to that, the rapid response to the drones, is that Starlink was used for quite a while, many months, if not years, as a backup Internet lifeline for scam compounds where tens of thousands of people are. The authorities in the area started to cut communications lines. And as a response you got like hundreds or thousands of Starlink terminals popping up. And like Starlink could have done anything, could have just switched off those terminals. I think like pretty much at any time. Like, it's like they just had to implement a geofence around the term the compounds. And yet they didn't. It took many, many months and it wasn't until there was a threat of a congressional investigation that it like they did anything about them. And you know, then it's like thousands of terminals get disabled all at once.
A
So, Tom, we've obviously got this history of Musk owned companies kind of acting when it's in their best interests or when it piques his interest or when he gets enough government pressure. So is that kind of the answer here? If governments want him to do whatever it may be, they just need to layer on enough pressure or it needs to be something that he's personally interested in?
B
Yeah. So I think that there are times when Musk's interests and government's interests overlap. They're not that often, so. Or perhaps those aren't the contentious issues. And so the latest example, I guess, is that Grok has had some controversy recently. And like my take, looking back at all the times that Musk has responded to issues that governments are concerned about, like all sorts of governments, it's. It's when they bring the big stick. So I guess a classic example was X in Brazil. It didn't comply with a court order and eventually a judge said, well, we're going to block X and we're going to freeze Starlink's financial assets in Brazil until you comply. And within a couple of days, Musk had folded. And I think that for issues that government really cares about and the SpaceX or Starlink or Musk doesn't, that's the answer. You just need to be prepared to bring a big stick. And so that's not a, you know, that's not an ideal way of doing business, but I think that's just the way it is.
A
All right, Tom, we might actually leave it there, but thank you so much once again for joining me for a chat. You can, of course, read and subscribe to Tom's Seriously Risky Business newsletter over at our website, Risky Biz. But, Tom, I will catch you same time next week. And thank you so much.
B
Thanks a lot, Amberly.
Podcast: Risky Bulletin
Host: Amberly Jack (A)
Guest: Tom Urian (B), Policy and Intelligence Editor
Date: February 5, 2026
This episode dives into two major stories in recent cybersecurity policy and intelligence:
This episode gives a forensic look at landmark interventions by tech giants against cybercrime and misuse of digital infrastructure. The discussions highlight not only the technical and legal strategies behind Google’s and SpaceX’s recent actions, but also the broader policy, governance, and accountability issues in getting the private sector to act in the public interest—sometimes only when compelled.