Ravi Nayyar
@ravirockks.bsky.social
Critical Software + CNI Law | PhD Candidate at the University of Sydney | Fellow @ASPI-org.bsky.social | Associate Fellow at the Social Cyber Institute | Blogging @atechnolegalupdate.substack.com | Cricket, #Bloods | #KalikaMataKiJai
Pinned
G’Day,

Since folks are increasingly talking about software supply chain risks to national security, here's a collection of my work on the subject.

Going back to 2022.
Tangos in the Tangled Web
Stuff Ravi's written on all things software supply chain x security x law
open.substack.com
'ASX's focus on short-term financial performance and shareholder returns has compromised its obligations to operate critical national market infrastructure

'ASX's strategy lacks the vision necessary for the critical role it plays
December 17, 2025 at 8:27 AM
'He said the rebate was paid "per kilowatt hour, not per battery".

'He said this meant installers had every incentive to sell consumers the biggest possible batteries that were eligible for the scheme.
December 17, 2025 at 7:55 AM
'... Berlin had “clear evidence” linking an August 2024 cyberattack on Deutsche Flugsicherung — the state-owned company responsible for German air traffic control — to APT28, or Fancy Bear ...'

Not surprising, but again, sheesh.
therecord.media/germany-summ...
Germany summons Russian ambassador over cyberattack, election disinformation
Germany said it had "clear evidence" that a 2024 cyberattack on its air traffic control authority was the work of the Russian hacking operation known as APT28 or Fancy Bear.
December 17, 2025 at 7:47 AM
'However, a future royal commission should not be limited to mechanical considerations. It will be imperative to examine the policies and attitudes that brought us to this place. This was not an act of nature—a bushfire, say, or a flood.
December 17, 2025 at 7:38 AM
Screenshot 1: www.justice.gov/opa/pr/four-...

Screenshot 2: www.asio.gov.au/asio.gov.au/...

I fear that, since 7/10, Global North security risk landscapes have shifted back, in many respects, to the 1970s.
December 17, 2025 at 7:33 AM
Leaks:

'Following reports the Government was implementing a “blanket 5 per cent reduction in discretionary spending” across Commonwealth agencies, the AFPA expressed its concerns to Senator Katy Gallagher in her capacity as Public Service Minister.
December 17, 2025 at 7:16 AM
'The official warned ASIO had a compartmentalised approach to analysing different threats, such as Russian sabotage and Islamic radicalism, and did not have the systems to cohesively integrate with big data sets such as firearms and motor vehicle licensing.
December 17, 2025 at 7:13 AM
'... what appear to be misconfigured customer network edge devices became the primary initial access vector, while vulnerability exploitation activity declined ... enables the same operational outcomes ... while reducing the actor’s exposure and resource expenditure'.
December 17, 2025 at 7:00 AM
Home Affairs consulting on the CIRMP rules (that flesh out the pt 2A risk management obligations of CNI people under SOCI) for certain classes of CNI assets.

Some excerpts attached: www.homeaffairs.gov.au/help-and-sup...
December 17, 2025 at 6:55 AM
'TfNSW currently hosts the systems in a hybrid environment, spreading platforms and applications across both its own data centre and cloud.

'... seeking to replace includes tools for incident response and recovery, network orchestration and knowledge sharing among teams ...'
December 17, 2025 at 6:40 AM
'Starting today, if a critical vulnerability has a direct and demonstrable impact to our online services, it’s eligible for a bounty award.
December 17, 2025 at 6:21 AM
Kezza cooking.

#Ashes
December 17, 2025 at 6:19 AM
'... admitted to executing 679 trades between four share trading accounts he controlled ...

'... up to 73% of the total daily trading volume in the relevant shares, creating a false or misleading appearance of active trading ...
December 17, 2025 at 6:15 AM
'In doing so, he would have remotely used the equipment of his business partners, apparently to send the police on their roof. From an investigation into the suspect's laptop, sim boxes, desktop and phone, ...
December 17, 2025 at 6:14 AM
I-Soon and Integrity Tech sanctioned by the UK.

But then there's this bit at the end of the statement which made me furrow my brow:
December 17, 2025 at 6:11 AM
'It has now emerged that a second ransomware attack took place last February, targeting a third-party processor and resulting in a data protection breach reported by HSE primary care services in the midlands'.
www.breakingnews.ie/ireland/hse-...
HSE confirms second ransomware attack but 'no evidence' patient data was stolen | BreakingNews
It has now emerged that a second ransomware attack took place last February
December 17, 2025 at 6:04 AM
'The incidents occurred in August 2022 when a hacker gained access first to a corporate laptop of an employee based in Europe and then to a US-based employee’s personal laptop on which the hacker implanted malware and then was able to capture the employee’s master password.
December 17, 2025 at 6:00 AM
Cf The Optus CEO's resignation being leaked in advance to the AFR following an unrelated 000 outage (which was borne from Optus's catastrophic governance failures) a year after the data breach.
www.koreatimes.co.kr/business/com...
Coupang CEO resigns over data breach - The Korea Times
Coupang Corp. announced on Wednesday that its CEO Park Dae-jun has resigned amid mounting public outrage over a recent massive data breach that com...
December 17, 2025 at 5:57 AM
'All NSW police are trained for an active shooter scenario ... a review of incidents from America found waiting was useless; most incidents lasted less than five minutes, while it might take half an hour or more for the Tactical Operations Unit to arrive from Surry Hills.
December 17, 2025 at 5:05 AM
'Because when people talk about Russia and its war in Ukraine, none of it metastasises into graffiti on Russian restaurants. Into harassment of Russian students. Into boycotts and firebombings. Or bullets on beaches'.
archive.today/bFOgc
December 15, 2025 at 11:04 AM
Please pray for Bondi.

For the victims, families and first responders.

This is horrible.

Please pray. Hari Om.
December 14, 2025 at 9:06 AM
'... follow the transition of HESTA’s administrative services to a new provider, finalised in June 2025, which ... caused direct harm to members.
December 12, 2025 at 4:34 AM
'The problem impacts any model built after 2013 that is fitted with an anti-theft Vehicle Tracking System (VTS).

'When there is a loss of satellite connectivity, the VTS interprets it as a potential theft attempt and immobilises the engine'.
December 12, 2025 at 4:22 AM
'... can be used for visibility in many systems, including legacy or niche systems, but without a clear strategy organisations risk deploying tools that generate noise rather than insight.
December 12, 2025 at 4:08 AM
'... falsely represented that security controls were implemented at the FedRAMP High baseline and at Department of Defense Impact Levels 4 and 5, despite repeated warnings that the system lacked required access controls, logging, monitoring, and other security capabilities.
December 12, 2025 at 3:59 AM