Big Balls Big Picture
So back in February I was looking at Big Balls’s network and I noticed that there was a Prometheus instance open to the public.
I noticed I could just walk in and log into the web panel. Actually, I didn't need to log in at all; there is no password, and I was able to see a series of IP addresses that are responsible for proxying traffic around the world. I could also see that there was an average of about twenty gigabytes going in and out of the network each day, but the logging settings were disabled for just twelve hours of time, which is unusual.
I analyzed his private company with the assumption that it should remain separate from any of his work with the US government.
But given the totality of what we know, and how active Big Balls was as a central figure within DOGE, branching out to a bunch of different federal agencies and demanding god-level access to sensitive data that had nothing to do with financial auditing: in fact, any legitimate auditor would not request for logging to be turned off, because that violates the most basic principle of transparency.
The natural tendency as a scientist is to try to disprove my own hypothesis and find any disconfirming evidence to support the status quo, but over the course of this investigation since January, I've found that my hunches have been correct, and I've never found evidence to disconfirm what I believe to be true, which is: Big Balls is using his private company Packetware to deliver web traffic all around the world to obscure its origin and destination.

So what would that look like from an attacker level? First of all, normally in cybersecurity, when we're looking at these sorts of widespread intrusions into federal agencies, which have higher levels of protection in place, we're looking at it from a cybercrime perspective or a nation-state intelligence perspective: how do we defend ourselves from adversarial nations like Russia and China penetrating our networks and stealing important information? For example, Chinese intelligence hacking groups carried out the biggest intelligence hack in history, and that was disclosed to the public in December 2024, where at least eight major American telecoms were hacked by China-affiliated intelligence groups.

Since then, we've learned about a series of vulnerabilities in a federal cloud service provider known as Commvault. In April of this year, 2025, a major remote code execution vulnerability was found, and CISA sent an advisory to all federal civilian executive branch agencies to patch and upgrade any use of this product. We later learned that around the same time, researchers informed Commvault that they had identified two separate attack chains which on their own could allow an attacker to move to different parts of the government cloud, meaning if they infiltrate agency A, they could use this attack flow, or attack chain, to jump over to agency B. So while CISA issued advisories and the company issued patches for the first wave of vulnerabilities, they were alerted to a second wave of vulnerabilities by researchers in April, yet they tried to downplay the findings and say that it would not be technically feasible for attackers to exploit, because they would require valid admin credentials in order to hop over to another agency's network. However, in September, Commvault did issue a patch and disclose this vulnerability from April, while assuring their customers that they wouldn't be impacted. There must have been some exploitation that happened to prompt them to release this patch.
The first wave of Commvault vulnerabilities was exploited by a series of Chinese state-backed intelligence actors, some of which were also involved in the major telecoms breach of 2024. They were also able to access unclassified information on Treasury workstations in December. And so, going back to April, we find out that the same Chinese actors have exploited a third-party vendor that is relied upon by federal agencies for cloud services.
This is only the public information, which tends to lag behind what's really going on behind the scenes. We know that Chinese state-backed intelligence groups carried out the largest intelligence cyber attack in history, which was discovered and disclosed in December 2024, and they also penetrated the Treasury Department's network and accessed workstations. We found out in May that the Chinese intelligence actors involved in these previous hacks had also exploited Commvault, and all they needed to jump to another government agency's cloud was one set of valid admin credentials.

On April 15, 2025, a whistleblower at the National Labor Relations Board disclosed to Congress that DOGE had visited his agency and exfiltrated a giant stack of encyclopedias' worth of data from their internal database. Now why would DOGE be interested in labor disputes and union organizing and investigations into shady business practices? Well, I think the answer is obvious: Musk is actively involved in union busting and is the fox guarding the henhouse when it comes to hoovering up all of the sensitive data beyond the purview of a normal and legitimate financial audit, and farming out that work to teenagers, highly inexperienced teenagers with hacking backgrounds, who are incapable of understanding all of the data that they are pulling in, and who are also duplicating the efforts of services that already exist, for example federalspending.gov and SAM.gov; there are a variety of very well organized public dashboards that already inform the public about the US government.

The best case scenario we are looking at is that Musk is just using DOGE to enrich his own financial interests, which in and of itself is ironic considering he's leading this crusade with the stated goal of rooting out corruption, yet we've seen him secure government contracts from agencies that he's actively taking over. It's also highly likely (I don't have any evidence to disconfirm it) that he's stealing all of this sensitive data: your social security number, your medical records, how much you get in social security, whether you're on Medicaid, whether you are engaged in civil rights litigation against unfair business practices or discriminatory housing, or whether you're even a domestic violence survivor. The best case scenario is that Musk is sucking up all of this data and just feeding it into Grok. Musk recently announced that he's unveiling Grok for Government, and he was supposed to get a contract with the government, but the MechaHitler thing happened, so they waited a few days before quietly announcing the awarding of the contract. During Trump's second administration, Musk's companies have secured contracts with the FAA, DoD and others.
The darker and more disturbing scenario is that members of DOGE, or DOGE itself, could be directly colluding with Russia and China. Perhaps it's some sort of business arrangement that they've come to, where Musk gets the data for Grok and he sends other stuff to China and Russia. If this were true, it would be devastating for the US economy; it would kill innovation. Just like we've seen, we'll see China copying American intellectual property and having full insight into any of our intelligence operations against China. For example, when DOGE requested the five-bullet-points email, it ended up exposing the identities of CIA agents who were training in the fight against China; now their identities have been compromised. Similarly, in July we learned about a massive cyber attack on the US federal court system that has since been attributed to Russia; of particular interest to them were mid-level national security investigations into Russian nationals.
It might sound wild, or it might sound like a conspiracy theory, but cybersecurity experts know that the digital battlefield is the front line of conflict between these emerging powers, and both Russia and China are constantly hammering our defenses, from the healthcare sector to energy and critical infrastructure, in order to steal our information and power. This is bigger than your party affiliation, this is bigger than who you voted for; this is every single aspect of your life that the federal government touches, that you entrusted them to keep your information safe, out the window. You probably worry about having your identity stolen. Whoa, what if the government facilitated everyone's identity being stolen?

And so I know that collusion is a big charge, and honestly it's a fool's errand to try to prove collusion; Russians are really good at covering their tracks. But one of the most compelling parts of the whistleblower disclosures at the NLRB was evidence that someone from Russia, just minutes after DOGE created a new admin account, had the exact same username and password and tried to log in to the system. So let's pick that apart for a second. Is it possible that a hacker used a VPN to make it look like they were coming from Russia in order to hack the US government, on the off chance that someone would throw away their entire career to make this disclosure? Honestly, Occam's razor says that doesn't make any sense: if you're going to bother trying to hack, you're going to try to hack. Another possibility would be, oh well, maybe the network was already compromised; if that's the case, they wouldn't need to try to log in. So that brings us to the third possibility, which is that DOGE created an admin user account and immediately sent those credentials to a cybercriminal gang in Russia working on behalf of the Russian state. And yeah, well, Russian intelligence is highly sophisticated, but they also contract lower-level cybercriminal gangs to do patriotic hacking for the Russian state, and this is by design, to create plausible deniability. So some experts might stop and think it's too heavy-handed: why would a hacker just forget to turn on their VPN? Well, they're not all perfect; we've seen from DOGE's behavior that they're barely competent at best, and even if they did get caught, it adds to the mystery and their mythos.
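A detection that would surface the pattern in the NLRB disclosure described above (a freshly created admin account, then a login attempt for that same username from an unexpected country within minutes), written as an added example for this page; it is not code from the original page or from the whistleblower, the audit log it scans is constructed here, and the IP-to-country table is a hypothetical stand-in for a GeoIP lookup.

```python
"""Correlate new-account creation with prompt logins from unexpected countries.

Added example, not from the original page. The log lines and the
IP-to-country table below are constructed; a real deployment would read
the identity provider's audit log and use a GeoIP database.
"""
from datetime import datetime, timedelta

# Constructed audit log: '<UTC timestamp> <event> key=value ...'
SAMPLE_LOG = """\
2025-04-01T10:00:05Z create_account user=svc-audit-01 src=10.20.0.15 role=admin
2025-04-01T10:02:11Z login_fail user=svc-audit-01 src=203.0.113.77
2025-04-01T10:02:40Z login_fail user=svc-audit-01 src=203.0.113.77
2025-04-01T10:15:00Z create_account user=jdoe src=10.20.0.15 role=user
2025-04-01T10:20:00Z login_ok user=jdoe src=10.20.0.30
2025-04-02T09:00:00Z login_fail user=svc-audit-01 src=203.0.113.77
2025-04-02T09:01:00Z login_fail user=nobody src=203.0.113.77
"""

# Hypothetical IP -> country table standing in for a GeoIP lookup.
GEO = {"10.20.0.15": "US", "10.20.0.30": "US", "203.0.113.77": "RU"}
EXPECTED_COUNTRIES = {"US"}      # where this agency's users legitimately log in from
WINDOW = timedelta(minutes=15)   # "minutes after" the account was created


def parse_line(line):
    """Turn one audit line into a dict with a datetime 'ts' and the event 'kind'."""
    ts_s, kind, *rest = line.split()
    ev = dict(kv.split("=", 1) for kv in rest)
    ev["ts"] = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ")
    ev["kind"] = kind
    return ev


def find_suspicious_logins(log_text=SAMPLE_LOG, geo=GEO,
                           expected=EXPECTED_COUNTRIES, window=WINDOW):
    """Return login attempts (successful or not) against an account created
    less than `window` ago that come from a country outside `expected`.

    An IP with no geo entry is treated as unexpected: failing closed is the
    right default for a rule about brand-new privileged accounts."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    created = {}    # username -> its create_account event
    findings = []
    for ev in events:
        if ev["kind"] == "create_account":
            created[ev["user"]] = ev
            continue
        if not ev["kind"].startswith("login"):
            continue
        origin = created.get(ev["user"])
        if origin is None:
            continue                  # account not created in this log: other rules cover it
        age = ev["ts"] - origin["ts"]
        if age > window:
            continue                  # too late to be "the same credentials, handed over"
        country = geo.get(ev["src"], "??")
        if country in expected:
            continue
        findings.append({
            "user": ev["user"],
            "role": origin.get("role", "?"),
            "created_at": origin["ts"].isoformat(),
            "attempt_at": ev["ts"].isoformat(),
            "result": ev["kind"],
            "src": ev["src"],
            "country": country,
            "seconds_after": int(age.total_seconds()),
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_logins():
        print(finding)
```

On the constructed log this flags only the two attempts against svc-audit-01, at 126 and 155 seconds after creation; the next day's attempt from the same address falls outside the window and is left to ordinary failed-login rules. The caveat the speaker raises applies here too: a source country is an attribution hint, not proof, because a VPN exit decides what the geo lookup returns.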
Because he owns Packetware, a small hosting company, which has two IP address ranges.
The way that global web traffic is routed creates the appearance that his servers are distributed around the world and therefore wouldn't be detected by a federal firewall; normal federal firewalls generally look at what's coming in, and they don't really do a lot of deep inspection. So my theory is that when Packetware is suddenly making hundreds of announcements per hour, that's the time period in which he's inside a federal network and trying to send our data elsewhere, or out of the federal cloud, where it's more contained. So he would need to have somewhere to send it to. Well, in February there were more than six servers in Germany, the exact type of servers necessary to steal tons and tons of data through an encrypted tunnel. So a network administrator would see how much data is moving, but not what it is; also, the automatic intrusion detection systems and firewalls would just see outgoing traffic to a well-distributed number of hosts, so it wouldn't raise any red flags the same way as if he just tried to send it to Germany without any extra steps. So this is where Kubernetes containers come in.
He has a network of servers around the world that bounce traffic between them, which makes it very difficult to follow the exact path between one end and the other, and his network shows a variety of indications that something like this is going on, between his hijacking of BGP routes and announcing IP addresses that are allocated to him to create the impression that these are legitimate hosts. When it bounces around like a ball in a pinball machine, eventually it pops out somewhere else, and just like laundering money mixes it all together, it breaks the link between the federal government system and his attacker-controlled servers where it is going.

But let's think about this. For example, he is a known hacker, or better to say script kiddie; he's not really that good at coding, and he was handed a top-level security clearance by President Trump himself on inauguration day or shortly thereafter. Normally this background check process takes a year or more, but he was working day one. He was also the main DOGE point of contact at the Social Security Administration when DOGE demanded to create their own private instance, away from any sort of oversight or prying eyes, to put all Americans' data inside. And if you think I'm wrong, I'd love to be wrong. I'm just an open source investigator; I don't have access to network logs, but I know this domain, and I know there are more whistleblowers out there who are afraid to come forward, legitimately, because of threats to their career. The whistleblower from April mentioned that the day before he released his whistleblower disclosure to Congress, a drone stopped at his house, and the following day he had a threat letter taped to his door with pictures of him. So it's legitimate that people are afraid.

This is my challenge right now for DOGE: prove me wrong and make me eat my words. Show us the logs, DOGE, show us the data, show us any kind of evidence whatsoever that is exculpatory. Explain, with all the transparency you talked about, exactly why you need all of our medical information, all of our social security information, what you need it for, when you can't even analyze a spreadsheet. I believe I have enough evidence that it rises to probable cause for an arrest and an indictment. And I'm not just talking about this; I'm talking about the mishandling of classified information that's critical to US national security. I'm talking about the systems that are existential to Americans, like nuclear weapons, the freedom we all live under because of our advanced nuclear program, our economy and our ability to revive manufacturing in America, the scientists who are our greatest minds. I'm talking about the fact that there are no more guardrails left; there is no one left. And you'll read a lot of articles that say, oh well, call your Congress member, get out right now, march in the streets, and I'm saying it's not either/or. Whether you're going to start donating and stuff, I mean your life, I mean the life for them, will be determined. I mean, every day, organize; public organizing. Stop bending over backwards to let billionaires run our country. And if you're a Republican, ask yourself why our president answers to Putin more than his own people: no tax on tips, and then he gave you tariffs, which are taxes.
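Two checks a network analyst would run on the announcement-burst and route-origin claims above, as an added example that is not part of the original page and not drawn from Packetware's routing data: the BGP update records are constructed, the AS numbers (64499, 64500) and prefixes (192.0.2.0/24, 198.51.100.0/24) are documentation values, and EXPECTED_ORIGINS is a hypothetical stand-in for RPKI ROAs fetched from a validator.

```python
"""Announcement-burst and route-origin checks over BGP update observations.

Added example, not from the original page and not Packetware's data.
The update records are constructed, the AS numbers and prefixes are
documentation values, and EXPECTED_ORIGINS stands in for RPKI ROAs.
"""
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import ip_network
from statistics import median

# Hypothetical ROA-like table: prefix -> (authorized origin AS, max prefix length)
EXPECTED_ORIGINS = {
    "192.0.2.0/24": (64500, 24),
    "198.51.100.0/24": (64500, 24),
}


def make_sample():
    """Constructed observations: (timestamp, prefix, origin AS).

    Six quiet hours with three routine re-announcements each, then one hour
    in which the same prefix is flapped 120 times, plus two announcements
    that a route-origin check should reject."""
    base = datetime(2025, 2, 10, 0, 0)
    updates = []
    for hour in range(6):
        for i in range(3):
            updates.append((base + timedelta(hours=hour, minutes=10 * i), "192.0.2.0/24", 64500))
    for i in range(120):
        updates.append((base + timedelta(hours=6, seconds=30 * i), "192.0.2.0/24", 64500))
    updates.append((base + timedelta(hours=6, minutes=5), "198.51.100.128/25", 64500))  # too specific
    updates.append((base + timedelta(hours=6, minutes=7), "198.51.100.0/24", 64499))    # wrong origin
    return updates


def hourly_counts(updates, origin_as):
    """Announcements per clock hour for one origin AS, keyed 'YYYY-MM-DDTHH:00'."""
    return dict(Counter(ts.strftime("%Y-%m-%dT%H:00")
                        for ts, _prefix, asn in updates if asn == origin_as))


def burst_hours(updates, origin_as, factor=5, min_count=20):
    """Hours whose announcement count is at least `factor` times the AS's
    median hourly count and at least `min_count`, so that a quiet AS going
    from 1 to 4 announcements is not reported as a burst."""
    counts = hourly_counts(updates, origin_as)
    if not counts:
        return []
    threshold = max(min_count, factor * median(counts.values()))
    return sorted(h for h, n in counts.items() if n >= threshold)


def origin_violations(updates, roas=EXPECTED_ORIGINS):
    """Announcements covered by a ROA that no ROA authorizes (simplified
    route-origin validation). Prefixes with no covering ROA are 'unknown'
    and are not reported here."""
    roa_nets = {ip_network(p): v for p, v in roas.items()}
    seen = {}
    for _ts, prefix, asn in updates:
        net = ip_network(prefix)
        covering = [v for r, v in roa_nets.items() if net.subnet_of(r)]
        if not covering:
            continue                  # unknown: no ROA covers this prefix
        if any(asn == auth and net.prefixlen <= max_len for auth, max_len in covering):
            continue                  # valid under at least one ROA
        auth, max_len = covering[0]
        if asn != auth:
            reason = f"origin AS{asn} not authorized (expected AS{auth})"
        else:
            reason = f"prefix length {net.prefixlen} exceeds max length {max_len}"
        seen.setdefault((prefix, asn), reason)
    return sorted((p, a, r) for (p, a), r in seen.items())


if __name__ == "__main__":
    sample = make_sample()
    print("hourly counts for AS64500:", hourly_counts(sample, 64500))
    print("burst hours:", burst_hours(sample, 64500))
    for prefix, asn, reason in origin_violations(sample):
        print(f"{prefix} from AS{asn}: {reason}")
```

The burst rule is deliberately relative (a multiple of the AS's own median hourly rate) with an absolute floor, because a small hosting company's baseline is a handful of routine re-announcements and any fixed "hundreds per hour" number would be tuned to one network. The origin check only says whether an announcement matches a registered authorization; an AS announcing space that is allocated to it, which is what the speaker says Packetware does, passes it, so the rate signal has to be read alongside the origin check rather than instead of it.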
We continue to be the only developed country that has a mass shooting epidemic, and when each new mass shooting happens, it's easy for either side to politicize it and say, oh, they were a right-wing terrorist, oh, they were a trans left-winger. But there should not be anything political about keeping Americans and our kids safe. It should be a joint effort, and when you try to fit something as big and important as national security into neat ideological categories, you're going in the wrong direction.