Ravi Nayyar
@ravirockks.bsky.social
Critical Software + CNI Law | PhD Candidate at the University of Sydney | Fellow @ASPI-org.bsky.social | Associate Fellow at the Social Cyber Institute | Blogging @atechnolegalupdate.substack.com | Cricket, #Bloods | #KalikaMataKiJai
Pinned
ravirockks.bsky.social
G’Day,

Since folks are increasingly talking about software supply chain risks to national security, here's a collection of my work on the subject.

Going back to 2022.
Tangos in the Tangled Web
Stuff Ravi's written on all things software supply chain x security x law
open.substack.com
ravirockks.bsky.social
Bits from a great FPV reality check by someone who fought for Ukraine: warontherocks.com/2025/06/i-fo...
ravirockks.bsky.social
Check it out - Canada’s CNI reform bill was sent to committee the other day, having gone through its second reading in the Commons!
ravirockks.bsky.social
From a fascinating piece on the case for integrating the PRC’s BeiDou into American PNT solutions: warontherocks.com/2025/05/a-si...
ravirockks.bsky.social
‘It is essential that security professionals pay far greater attention to technical security. This includes physical controls, RF monitoring and detection, hardware hardening, and regular technical surveillance countermeasure (TSCM) sweeps’.
www.rusi.org/explore-our-...
Technical Security: Back to the Future
Technical security protects against an important range of threat vectors. It has been neglected by both business and government.
www.rusi.org
ravirockks.bsky.social
‘All these trends are exacerbated by the growing collaboration between hostile intelligence services and organised crime groups, particularly in the space between theft, disruption, and economic advantage.
ravirockks.bsky.social
‘… with improving cybersecurity tools and awareness, the cost of persistent, targeted cyber access is rapidly increasing and may, in any event, founder upon encryption both in transit and at rest. This makes technical security vulnerabilities look increasingly attractive …
ravirockks.bsky.social
‘Many of these technical means can be used to facilitate cyber access and might leverage physical or personnel compromise. Thus, a technical attack can act as the tactical spearhead of a range of other attack methods.
ravirockks.bsky.social
‘Indeed, much of the equipment being used – projectors, phones, printers, screens, network equipment, etc. – in most organisations is provided through insecure supply chains and may, as the result of malicious interference, possess hidden or ‘undesired’ functionalities.
ravirockks.bsky.social
‘… when we bully researchers … or turn a blind eye to using their work as marketing props—we threaten the strategic leaps and conversations for today and tomorrow’s technologies … Demanding this justification of value, in advance of release, is unfair’.
aff-wg.org/2025/03/13/t...
The Security Conversation
Is Offensive Security just security testing? No. Offensive security is a way of thinking about the current security context, predicting what’s next, exploring those hypotheses, and adding to the se…
aff-wg.org
ravirockks.bsky.social
‘This common professional literacy [about offense] allows thinking about defense problems in an informed and thoughtful way. And, this literacy is a foundation that has enabled so many of the security gains in the last ten years. This is the benefit of the security conversation.
ravirockks.bsky.social
‘The analytical tradecraft and know-how was developed and expanded during simulated intrusions (red team exercises). Now? BloodHound Enterprise is a commercial tool …
ravirockks.bsky.social
‘Security testers have understood this [privileged identities issue in AD] for a long time. And, one of the tools that came from their work is BloodHound … [which was] originally an offensive security tool.
ravirockks.bsky.social
‘… until Mimikatz and Windows Credential Editor demonstrated the problem (and its variations)—plain as day.
ravirockks.bsky.social
‘Sometimes, the purpose of offense is to just demonstrate that something seemingly impossible is possible … the long path to harden our platforms and iterate on measures to defeat identity harvesting couldn’t happen …
ravirockks.bsky.social
‘More broadly, the entire rise of EDR is the story of Microsoft exposing more and more telemetry to endpoint security products through standard interfaces in Windows.
ravirockks.bsky.social
‘But, exploration of the ideas for their own sake can sometimes have surprise benefits. Much of the work on rootkits in the past informed the underpinnings of some EDR technology and DRM.
ravirockks.bsky.social
‘But sometimes, it just comes down to how often engineering complains about security and how engineering views security: enabler or blocker?’
franklyspeaking.substack.com/p/security-h...
Security has an effectiveness problem
There's a lot of factors to consider, including engineering velocity
franklyspeaking.substack.com
ravirockks.bsky.social
‘Another idea is to count the number of features blocked by security.

‘It might be worth looking at some DevOps metrics to see how they can apply.
ravirockks.bsky.social
‘A better metric might be to measure engineering velocity with and without a security engineer assigned to the team. Similarly, it might be useful to measure the time to ship versus the number of PRs a security engineer does.
ravirockks.bsky.social
‘Dealership software company Motility Software Solutions is notifying over 766,000 people that their personal information was compromised in a ransomware attack.

‘… hackers accessed servers that support the company’s business operations’.
ravirockks.bsky.social
ASIC: ‘The review into the use of OSPs by financial advice licensees and responsible entities (REs) of registered managed investment schemes found that the quality of risk management arrangements relating to their use varied significantly …’
www.asic.gov.au/about-asic/n...
25-234MR ASIC flags risks in offshore outsourcing after review identifies governance gaps | ASIC
Fair, strong and efficient financial system for all Australians.
www.asic.gov.au
ravirockks.bsky.social
… dining with PRC officials: storage.courtlistener.com/recap/gov.us...

This ain’t a witch hunt, especially when he’s allegedly put files in trash bags.

Ah, well, excellent counter-intelligence work by the feds. Insider risk management is critical!
storage.courtlistener.com
ravirockks.bsky.social
My favourite part of this is that Dr Tellis allegedly didn’t realise his moves were being recorded, whether his renaming a classified file on USAF TTPs as ‘Econ Reform’, his hiding classified pages within pages of notepads, or his …