Category Archives: Security

Czech Gov Claims “Let’s Encrypt” Isn’t Good Enough

See if you can follow the logic, as reported by Lupa.cz.

The reasons for preferring the paid option over the free certificate are essentially two. Let’s Encrypt issues DV certificates with validity limited to only three months. Before the original expires, it’s necessary to deploy a new certificate, which means having a functional ACME client with automation elements set up so that, if possible, the system takes care of this obligation in time by itself. In contrast, commercial certificates are usually issued for at least one year. The IT department thus only needs to remember that once a year, the certificate needs to be replaced.

“In some environments, the implementation of automation through available ACME clients for Let’s Encrypt may not yet be fine-tuned for sufficient reliability, or may not be available at all,” adds the head of the Czech certification authority Alpiro, Antonín Kozan. And he adds a second reason why domain verification is often insufficient for clients.

“Many of our customers realize that in connection with SSL certificates, not only the encryption of communication itself is important, but also the added value in the form of higher credibility with an SSL certificate issued against rigorous verification of the organization. This is crucial for a wide range of organizations from financial or state institutions, established companies, online stores, and other entities that place high emphasis on the higher credibility of SSL certificates with OV or EV,” he concludes.

Sorry, that doesn’t check out for me. Haha, get it? Czech out? It’s the little bits of humor in these troubled times… anyway, ahem, seriously this doesn’t check out. If there’s one place in the world I expect people to use simple, reliable systems for tracking things, it’s Prague. Let me explain why.

First, for the 90-day rotation question, the easy technology answer is a proxy or reverse proxy with automated renewal handling. Think of it like a piece of paper you put on your table that keeps track of things so you don’t have to. There are many tools that do this, so I’m hopefully not surprising anyone:

  • Traefik
  • Caddy
  • Nginx Proxy Manager
  • Certbot with cron jobs

All of these deal with Let’s Encrypt renewals even in legacy systems that can’t handle ACME. The proxy safely terminates traffic and safely front-ends systems that remain unaware of certificate management.
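A companion check for the renewal automation described above, added here as an example and not taken from any of the tools listed: it flags certificates whose remaining lifetime shows that a renewal was missed. The 30-day renewal window reflects certbot's default; the 7-day grace period, the function names and the sample certificates are assumptions constructed for illustration.

```python
"""Detect silently failed ACME renewals from certificate expiry dates."""
import socket
import ssl
from datetime import datetime, timezone

RENEW_BEFORE_DAYS = 30  # certbot's default: renew once < 30 days remain
GRACE_DAYS = 7          # assumption: tolerated renewal lag before alerting


def days_remaining(peercert, now):
    """Days until notAfter, for a dict shaped like SSLSocket.getpeercert()."""
    expires = ssl.cert_time_to_seconds(peercert["notAfter"])
    return (expires - now.timestamp()) / 86400


def renewal_status(peercert, now):
    """Classify a certificate against the expected renewal schedule."""
    left = days_remaining(peercert, now)
    if left < 0:
        return "EXPIRED"
    if left < RENEW_BEFORE_DAYS - GRACE_DAYS:
        # Automation should have replaced this certificate already.
        return "RENEWAL_OVERDUE"
    if left < RENEW_BEFORE_DAYS:
        return "RENEWAL_DUE"
    return "OK"


def fetch_peercert(host, port=443, timeout=5.0):
    """Fetch the validated leaf certificate a proxy presents (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_host(host, now):
    """Status for a live host; an expired certificate fails the handshake."""
    try:
        return renewal_status(fetch_peercert(host), now)
    except ssl.SSLCertVerificationError as exc:
        return "VERIFY_FAILED: " + exc.verify_message
    except OSError as exc:
        return "UNREACHABLE: " + str(exc)


def audit(certs, now):
    """Return {name: status} for every certificate that needs attention."""
    report = {}
    for name, cert in certs.items():
        status = renewal_status(cert, now)
        if status != "OK":
            report[name] = status
    return report


# Constructed sample data in getpeercert() format; hostnames are hypothetical.
SAMPLE_NOW = datetime(2025, 3, 11, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_CERTS = {
    "fresh.example.org": {"notAfter": "Jun  1 12:00:00 2025 GMT"},
    "due.example.org": {"notAfter": "Apr  5 12:00:00 2025 GMT"},
    "overdue.example.org": {"notAfter": "Mar 21 12:00:00 2025 GMT"},
    "expired.example.org": {"notAfter": "Mar  1 12:00:00 2025 GMT"},
}

if __name__ == "__main__":
    for name, status in audit(SAMPLE_CERTS, SAMPLE_NOW).items():
        print(f"{name}: {status}")
```

Against live hosts, call `check_host("your.host", datetime.now(timezone.utc))` from a scheduled job and alert on anything other than `OK` or `RENEWAL_DUE`.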

Second, with regard to a “need for higher trust” in OV/EV certificates, I’m not sure where they’re getting that from:

  1. Nobody notices or understands any difference in DV, OV, and EV certificates anymore. Is this like a local fan group or special circumstance? Like we only drink beer made from our local creek kind of thing?
  2. Modern browsers removed visual indicators for EV certificates so it’s not like anyone is expected to understand the difference anymore.
  3. The “big” traffic encryption sites like Google and Amazon run DV certificates, and as horrible as they are ethically, they do care about the actual strength of security.

This might all just be a case of doing things the “local” way. Like when I sit in a Prague cellar drinking twelve beers and … remember when I mentioned a piece of paper? The Czechs are known for their “čárky” marks, where the easy thing is the right thing to do apparently.

Tally marks track the beers you’ve had
| Measure | Čárky | Let’s Encrypt |
|---|---|---|
| Purpose | Track beer consumption | Deliver website certificates |
| Philosophy | Simple, transparent, accessible | Simple, transparent, accessible |
| Status | Traditional | Standard |
| Alternative | Paid vendor (disruptive) | Paid vendor (unusual) |
| Cost | None | None |
| Complexity | Minimal (pencil, paper) | Minimal (automated scripts) |
| Renewal | Every beer (server) | Every 90 days (automated) |
| Resistance | From POS vendors | Certificate vendors |
| Effectiveness | High value low cost | High value low cost |

So maybe there’s some kind of financial angle to certification authorities pushing paid products into lined pockets, rather than technical or security concerns? Who really loses what? Who stands opposed to using the standard high value low cost solution?

Properly automated DV certificates from Let’s Encrypt provide the same level of encryption security without the manual renewal overhead and cost. There’s more to this story, that’s all I’m saying. Czech it out.

Trump Calls out Tesla for Domestic Terrorism

“President” Musk has deployed his loyal White House occupant Donald Trump to announce today a shocking new initiative: Tesla deaths, apparently already worse than domestic terrorism, are to be officially increased.

I wish I were kidding. Tesla products causing an alarmingly high rate of deaths are to be deployed more widely as a matter of some kind of federal priority? We’re hearing a Trump initiative that will kill more Americans, and damage more property, as near as I can tell.

What could possibly be behind this cruel misdirection from the White House, where Trump seems increasingly comfortable serving as an oligarch’s spokesperson instead of an American president? Does anyone remember the style and history of their campaign messaging going back to 2016?

Source: Twitter

The results from this original tryst (2016-2020) have been very clear, given how Tesla “Autopilot” was deregulated enough to go on and kill more people than even domestic terrorist vehicle attacks:

Let’s go now to the Trump stage of 2025 to hear the exact latest clown-around performance.

Donald Trump said he will label violence against Tesla dealerships domestic terrorism as he appeared with Elon Musk, the Tesla CEO, to show support amid recent anti-Tesla protests and the slump in the company’s stock price. Several Tesla vehicles were parked in the driveway of the White House for the US president to pick from, accompanied by Musk and his young son.

The irony is impossible to miss: Trump is ready to label protests against potentially dangerous Tesla vehicles as “domestic terrorism” while standing next to the very man whose products the data suggests might be the bigger threat. But who’s really calling the shots in this bizarre press conference?

Imagine if the White House proudly displayed VBIEDs (Vehicle-Borne Improvised Explosive Devices) in the driveway while American troops were being killed by the same weapons in combat zones.

Teslas notoriously “veer” uncontrollably and crash for “unexplained” reasons. Design defects (e.g. Pinto doors) trap occupants in the explosion that burns everyone to death as horrified witnesses and emergency responders can only watch in horror.

This isn’t just dangerous political theater, it’s moral abdication. When Tesla vehicles are claiming more American lives than domestic terrorism according to statistics, why is our government criminalizing those who raise concerns rather than addressing the clear and present Tesla death danger?

The Trump jelly platform seems disturbingly clear: American lives are apparently worth less than protecting Musk’s fake wealth from his fake stock price.

Furthermore, when I hear Trump talk about a worry that people freely throw “Molotov cocktails” at the authoritarian Tesla brand, a certain history fact comes immediately to mind.

The “Molotov” label comes from Soviet Foreign Minister Vyacheslav Molotov, who had brazenly claimed that bombs exploding in Finnish civilian neighborhoods in 1939 were “humanitarian food deliveries.” The Finns, in their cold and bitter irony, named improvised bottles of fuel lit on fire as “Molotov cocktails”, because they said it was just a “drink” to go with the explosive authoritarian “bread baskets.”

The Soviet “bread basket” bombs of WWII were “cluster” incendiary technology, almost exactly like the Tesla “cluster” of explosive batteries that in effect are incendiary bombs threatening cities around the world now.

Fast forward to today and Trump fills the driveway with machines implicated in hundreds of American deaths saying they deserve special government protection as if Molotov’s bread baskets, while those who protest them with cocktails are “domestic terrorists.” See what I mean about history?

Orwell would recognize Trump’s corrupt use of language immediately. Hopefully it also should be recognized by anyone still able to read 1984 (e.g. Trump’s Secretary of Defense Hegseth has literally ordered Orwell’s books urgently axed from military libraries and reading lists).

I’d say the cruel White House performance of domestic terrorism doublespeak has tell-tale smells of Russia’s Putin influence, but the security community surely by now knows the awful “Musk” of such autocratic theater.

Swasticars: Remote-controlled explosive Musk “bread-baskets” being stockpiled outside major cities around the world. No really, incendiary cluster bombs really are about delivering food to the needy. Really. Molotov promised.

Tesla Cybertruck Door Failure Killed Three in Piedmont Crash

As has been the case for years with Tesla, in a nod to clear regression into defects known from 1970s-era door designs that don’t open in a fiery crash, the recent Piedmont Cybertruck tragedy is investigated best and explained clearly by local journalism.

The Highway Patrol’s investigation into a November Cybertruck crash in Piedmont where three college kids died is finding two very Tesla problems: the vehicle immediately caught fire, and its doors would not open.

…the Bay Area News Group has been going through the testimony of the CHP investigation. And the deaths appear to be more the result of the vehicle fire… troublingly, that testimony also showed the Cybertruck’s doors could not be opened in the aftermath of the crash, preventing Riordan from pulling the other three victims from the flaming wreckage.

Riordan said that when he approached the burning vehicle, and tried to open the doors, they would not open. He said he “pulled for a few seconds, but nothing budged at all.” He also said “I then tried the button on the windshield of [survivor Jordan Miller’s] door, then [victim Krysta Tsukahara’s] door.”

He said he then pounded the windows with his fists, which did not work, and then struck the windows with a thick tree branch around a dozen times until he was able to crack and dislodge a passenger-side window. That was how he was able to pull Jordan Miller out of the vehicle.

But when he attempted to pull Tsukahara from that same window, Riordan testified, “I grabbed her arm to try and pull her towards me, but she retreated because of the fire.”

“Two very Tesla problems” is exactly right.

There’s no other negligence like we see in an obviously flawed and regressive Tesla design. And we know this because past lessons and litigation were supposed to permanently change the car industry in a way that nobody would attempt such deadly “efficiency” again.

Here’s typical Ford Pinto analysis, which for decades exposed deadly management design decisions. Note “doors jam shut” right at the top of the image.

The fact that Tesla can do this known wrong thing intentionally, can ignore industry standards and instead kill so many people with fire due to management decisions (as if the Ford Pinto lessons never happened), is truly shocking.

The uniquely Tesla fire deaths are being reported all the time in local news, and yet… somehow the court systems around the world aren’t able to prevent the very clearly preventable deaths.

Although the fire brigade arrived quickly and extinguished the fire within 10 minutes, the male driver in his 30s inside the car was already buried in the flames. Korean media reported that the driver seemed to have tried to open the door several times, but failed for unknown reasons.

Immediate response. Witnesses on scene helping. Fire doused in 10 minutes. And then… for “unknown reasons” Tesla “failed” repeatedly. Many people are dead because of this sequence repeating. The bottom line seems obvious, as a question of whether any other brand of car would have meant these people survived, or maybe not even crashed at all.

German courts called out negligent homicide by a Tesla driver, and yet called the car a “death trap” design while not holding Tesla itself accountable?

In the dock, the awful shadow of a car manufacturer loomed large. The expert’s verdict was damning: Tesla’s automatic door unlocking system failed in the crash. The result? The rear doors were incapable of being opened either from inside or out in the crucial moments after the crash. Laura and Noel, both aged 18, were alive yet tragically were trapped and burned to death as first responders could only watch in horror.

The awful shadow of a car manufacturer loomed large. Expert verdict was damning. That’s the German press for you. So dramatic. Still not enough to get a Tesla CEO convicted.

There are dozens of cases with similar tragedy. We still don’t see the kind of necessary attention the Ford Pinto generated even though it had far fewer deaths over a much longer period.

Naval Integrity Breach: Chinese Hackers Crash Second U.S. Military Ship in a Month

A catastrophic demonstration of information warfare: The Solong container ship’s unnatural trajectory into a U.S. military oil tanker bears all the hallmarks of sophisticated navigation system compromise

The USS Harry Truman collision on February 12th appeared to be just an isolated incident. Now we know it was merely the opening act.

The Nimitz-class aircraft carrier USS Harry S. Truman (CVN 75) was involved in a collision with the merchant vessel Besiktas-M at approximately 11:46 p.m. local time, Feb. 12, while operating in the vicinity of Port Said, Egypt, in the Mediterranean Sea.

Barely a month later, a far more devastating crash has unfolded off England’s coast—this time targeting a chartered U.S. military fuel supply line.

Just before 10 a.m. local time (6 a.m. ET), a Portuguese-flagged container ship called the Solong careered into the oil tanker, called the Stena Immaculate, which was at anchor in the North Sea about 10 miles off the English coastline, according to the ship tracking tool VesselFinder.

What demands our immediate attention: Weather reports from nearby coastal stations indicated misty conditions with limited visibility that morning, potentially making the ships’ crews even more reliant on their electronic navigation systems. The 2005-built Portuguese-flagged Solong was traveling at full cruising speed—16 knots—when it slammed broadside into the anchored Stena Immaculate. Let me be absolutely clear: such a collision at 8.23 m/s directly into the 183-meter length of a stationary high-sided oil tanker is beyond negligence—it represents a catastrophic systems-level breakdown or, more likely, deliberate external manipulation.

Following the COLREGS (International Regulations for Preventing Collisions at Sea), the Solong would need “ample time” for avoidance, which in this case was around 12 minutes before the crash (3.2 nautical miles away). Without getting too far into the weeds, Rule 5 logically requires maintaining a proper lookout by all available means, Rule 7 requires determining if risk of collision exists, and Rule 8 mandates taking action to avoid collision early enough. Rule 18 says Stena Immaculate had an absolute right of way and Solong is required to take ALL measures to avoid.

The mystery isn’t a mystery

Let’s consider the huge violations at play here.

  1. Vessels are required to have continuous visual and radar watch
  2. Vessels have redundant navigation systems (AIS, ECDIS, radar)
  3. Vessels follow clear procedures for giving way and avoiding collisions

There’s zero ambiguity, such that a broadside crash at full speed (hitting the side of the anchored tanker) suggests serious failures across watchkeeping, navigation, and vessel control systems. This does not appear to be merely coincidental navigational failures, given the severity and scope of the multi-level system failure and a decision point so far away as to make it seem intentional.

In other words, on a clear day visual lookouts should have had a view of the 183-meter vessel from 12-14 miles away, sitting without any doubt directly in their path like a huge wall blocking their plotted route. On March 10th visibility was apparently limited to two miles. STCW requirements for vessels of Solong’s size mandate a minimum of one qualified officer of the watch and a dedicated lookout at all times while underway, so this isn’t a hypothetical. Radar systems would have detected the Stena Immaculate as a clear hazard. AIS (Automatic Identification System) would have clearly shown the stationary hazard. ECDIS (Electronic Chart Display and Information System) would have clearly shown it as well.

Therefore what we are dealing with seems almost certain to be sophisticated electronic warfare defeating container ship navigation systems. Two things are particularly interesting.

First, military vessels run heightened security and navigation protocols. However, a chartered military vessel is a known giant loophole in regulations that is exploited by the U.S. military specifically to avoid high standards of safety (to lower cost of operations). Upwards of 90% of Military Sealift Command logistics depend on chartered commercial vessels.

This somewhat explains why the first attack on a Navy vessel was minor, foreshadowing more attacks, whereas the second attack targeting a chartered military vessel was catastrophic. Defense Logistics Agency’s tanker fleet operates with minimal security protocols compared to actual Navy-run combat-ready vessels, clearly resulting in a huge difference in outcomes from these two military targets.

Second, container ships like Solong are potentially staffed irregularly, maybe even illegally, and of minimum maintenance levels meaning systems often are degraded (competition degrades safety). Panama “topped the list” of worst safety practices. You can hopefully understand how the ships and their crew become soft targets riddled with vulnerabilities for sophisticated electronic warfare.

…shipowners were trying to “get away with treating seafarers like some sort of modern-day slaves”. Panama topped the list of abandonments by flag states with 23…

Ship abandonment is a huge safety problem, as signaled by the flag the Solong was flying underway. Panamanian-flagged vessels typically have 15-20% smaller crews than comparable vessels under European flags, with less stringent qualification requirements. What we’re talking about today is directly related to ship crew being in a state of degradation and even abandonment.

To be even more clear, hopefully without saying too much, any poorly-staffed ship built in 2005 also means an ECDIS running on Windows XP without patches. GPS spoofing would have meant fake signals gradually poisoning legitimate data, and navigation systems showing altered positions. For example, back when I worked with a team of military experts testing the woefully insecure Tesla designs, the car thought it was driving through the ocean instead of on land yet continued accelerating to full speed. Careful observers of this blog may remember I gave a keynote presentation in 2016 about these exact integrity breach problems of “automation”.

2016 BSidesLV Ground Truth Keynote: Great Disasters of Machine Learning

Opening slide from my 2016 keynote talk about Tesla “driverless” being a manslaughtering threat to society, starting from a naval gazing perspective.

Satellite communications (SATCOM) operate out-of-date protocols vulnerable to man-in-the-middle attacks. Someone who wanted to fake election results or corrupt vote numbers might hook up a polling station to the SpaceX Starlink, as the most obvious example of this class of vulnerability. And then maritime navigation systems don’t use any integrity controls, such as package signatures, when they connect to the raw Internet for software updates… need I go on?

Perhaps you can see why as soon as I saw a 16 knot container ship broadside crash under a Panamanian flag, I got even more knots in my stomach.

The deliberate driverless crash vector

From a technologist sailor’s perspective the broadside collision in misty conditions suggests the Solong’s navigation systems were showing completely different information than reality. With visibility potentially limited to just two miles, the crew would be highly dependent on easily compromised electronic systems.

Dangerous confusion on the bridge would be enabled by an underqualified or unqualified obedient crew who chose not to override the system. Crew members probably lacked the training or experience to understand how to react to discrepancies, were likely fatigued (reduced reaction capacity), and were honoring a hierarchical bridge culture (overly compliant workers) that discouraged any human challenge to automated systems.

This is not novel, but rather the past lesson from known electronic warfare tactics that exploit “automation bias” in humans who misplace trust in machines. It’s why Tesla has been killing up to 20 people a month as if that’s the new normal, versus the Ford Pinto killing around that many in its entire production run and getting labeled as unsafe at any speed.

Even when contradictory information is available, false faith in electronic data comes from a culture of outsized promotion by “automation” conmen like Elon Musk coupled with screen-addiction in a way that induces poor decision-making.

The progression from minor incident (USS Harry Truman) to catastrophic collision (Stena Immaculate) fits with how threat actors typically escalate, testing capabilities, learning from outcomes, and adjusting tactics. The fact that both targeted US military interests within a short timeframe strongly suggests deliberate action rather than coincidence.

To counter such threats would require both technical measures (signal authentication, system redundancy, electronic countermeasures) and human factors solutions (better training, revised protocols, enhanced watchkeeping). However, the economic pressures in commercial shipping work directly against implementing many of these protective measures.

This has to be China

And now for some pure speculation about China being the most likely threat. That’s right, I’m calling it out now.

  • Technical capability: China has demonstrated sophisticated electronic warfare capabilities, including GPS spoofing, radar jamming, and cyber intrusions. They often hint with technology about battlefield dominance strategy.
  • Target selection: A military fuel tanker specifically hit suggests understanding U.S. Navy logistics in a very symbolic way. China has always been uneasy about the “long lines” of U.S. naval power projection using at-sea replenishment and global fuel supply chains.
  • Signals pattern: A progression from minor test on a major warship (symbolic aircraft carrier) to a catastrophic attack on a random commercially operated logistics infrastructure fits with Chinese strategic thinking about sending a signal pattern about full capability while targeting lesser support systems rather than combat platforms.
  • Maritime flex: China has been rapidly developing both conventional and asymmetric naval capabilities related to sea dominance.
  • Plausible deniability: Electronic warfare attacking integrity of commercial vessel systems provides easy obfuscation and fog, making attribution nearly impossible yet also obvious, a hallmark of Chinese asymmetric psychological operations.

The focus on a container ship colliding with a military tanker is particularly telling. Military planners around the world know the underbelly of U.S. naval logistics vulnerabilities. Global reach always depended on refueling capabilities and supply chains, as I’ve written about many times before. Using a container ship to strike a military charter tanker, the hackers demonstrated they’re thinking strategically about how every container ship in operation now has to be seen as a weapon to limit U.S. naval power projection without direct confrontation.

Starting with the USS Harry Truman, the aircraft carrier that represents the pinnacle of American naval power projection, and then progressing to a logistics vessel, shows a loud and proud messaging strategy with more red flags than a Chinese military parade.

We’re looking at a bright warning flare on a calm sea against the black of a moonless night, lighting up not just technical capabilities but America’s entire strategic awareness and institutional response capacity.

Hey Trump, we can hit your crown jewels, and we can cut off your legs. Make a move on Greenland and maybe watch as we make Taiwan disappear. We could take Hawaii and Alaska while we’re at it, thanks to your doctrine of distracted degraded defense.

Who’s really asleep at the wheel here?

As defense resources and attention are completely diverted into literally ordering all hands on deck just to find the word “gay”, and censor “gender” and dismiss non-white troops… attacks against critical naval infrastructure reveal the true nature of devastating blind spots developing rapidly in American security.

Books have been pulled off the shelves at U.S. military schools around the world pending a “review” for diversity concepts and language. …among those that disappeared from the shelves of Ramstein High – Fahrenheit 451, 1984, To Kill a Mockingbird and Catcher in the Rye.

Imagine being a high school student at Ramstein who must now learn Chinese to read “1984” — a novel explicitly warning against totalitarian thought control — because their own American military has banned it. The devastating irony cuts deep: as Chinese hackers demonstrate the ability to crash U.S. military vessels at will, America’s defense establishment busies itself with purging literature that could help the next generation recognize and resist exactly this kind of authoritarian manipulation. This isn’t just censorship; it’s strategic self-sabotage.

It’s not an exaggeration to say the Department of Defense now operates under a headless-chicken leadership lurching from crisis to crisis, attacking its own students, troops, and veterans while simultaneously alienating allies in Mexico, Canada, Europe, and Ukraine. This self-sabotaging chaos has created the perfect opportunity for China to demonstrate its capability of neutralizing all U.S. naval power projection through precisely targeted asymmetric information warfare.

The question looms: who would even stand up for an erratic, unreliable “crazy chicken” America against these attacks on global shipping safety? Allied deterrence has evaporated. And what of nuclear deterrence? Can it possibly remain credible when delivery systems—planes, ships, and missiles—can’t navigate, can’t target, and remain vulnerable to debilitating supply-chain attacks from multiple vectors, including from within our own harbors and airports? We’ve entered an era where America’s military supremacy faces checkmate not by direct confrontation, but simply by corrupting integrity of our vulnerable information systems.

Hackers have announced a new security paradigm of devastating integrity breaches: every commercial vessel can potentially become a guided weapon against essential military targets. This multiplies the challenge for naval protection exponentially, perfectly aligned with the Chinese People’s Liberation Army “systems destruction warfare” doctrine that targets critical node vulnerabilities of support systems rather than direct engagement.

The obvious question is whether an utterly distracted President Musk can recognize and respond to this long-time emerging modern technology threat that he himself can be blamed for facilitating. At least 54 people have been killed by his lack of integrity control in Tesla Autopilot navigation systems (that I’ve warned about since 2016), far more than even domestic terrorism.

What these two maritime incidents expose to the trained eye isn’t just a technical vulnerability—it’s the Tesla effect of strategic blindness in American “business knows best” cultism. We’ve built a military doctrine on overwhelming force projection while neglecting its fragile information architecture hidden behind a Potemkin village of technological showmanship. China isn’t demonstrating anything new to security professionals—they’re simply exploiting what we’ve known for years: integrity matters most in the navigation systems that direct every vessel, every mission, every supply line.

This is the inevitable culmination of a decade prioritizing dazzling “driverless” fantasies over fundamental safety protocols. The tragic irony: as America’s military leadership scrambles to purge words like “diversity” and “inclusion” from its vocabulary, they’re effectively dousing themselves in jet fuel while China stands ready with matches.

The writing has been on the wall for years. I’ve been pointing to it since 2016. But reading requires critical thinking—something increasingly difficult to cultivate when the DoD is literally removing books that teach it from military school shelves.