Newsletter from Kushal

Containing random links to read about privacy, security, programming and FOSS in general. Sometimes about life.

Critical infrastructure is generally not connected to the public Internet. And then, there are too many wrong configurations in productions sometimes just because someone thought that it is a good idea to mine bitcoins on a nuclear weapon facility.

Yesterday Pukhraj Singh did a tweet saying:

So, it's public now. Domain controller-level access at Kudankulam Nuclear Power Plant. The government was notified way back. Extremely mission-critical targets were hit.

Yup, you read it right, a nuclear power plant was hit, using a static username password combination over SMB. Following the standard Indian Government style about dealing with problems, the plant released a note saying there was no problem. Sadly just denying that there were no issues does not cover up the truth, and today a story on Indian Express confirms the breach.

One another big news, Citizen Lab published a report on NSO Group’s attack over WhatsApp, which points out that now WhatsApp officially filed a complaint in a U.S. federal court against NSO group. WashingtoPost has a detailed report. WhatsApp also messaged around 1400 users who might have been impacted by this attack.

Videos to watch

If you want to discuss any of these topics, hop on to the Freenode server (IRC), and come to the #learnandteach channel. Also, please share about the newsletter in your favorite social media as this is still a very new thing from me.

Note: I think I managed to break the formatting, sorry for the trouble in reading.


Twitter has become one of the primary news sources for many (including me). It has also enabled a large number of folks to ask questions, which are not always easier to ask otherwise. But, the algorithms which decide which all tweets to show in the timeline behave based on the mood of the company. They can decide what kind of information you can see and what you can not. For example, it stopped showing almost any tweets related to infosec in my timeline.

Recently following orders from the Indian Government, Twitter decided to remove more than a million tweets related to Kashmir. In case you don't know what is going on, Kashmir is under siege from August 5, and all sorts of human rights violation happening there. The state still does not have any Internet connection due to the forced shutdown by the government.

Videos to watch

If you want to discuss any of these topics, hop on to the Freenode server (IRC), and come to the #learnandteach channel.


Facial recognition is a new weapon in the hands of regimes. China is already leading on how to use this as a tool of oppression, and other countries are getting excited and slowly following China. Thankfully activists around the world are also organizing the resistance against it. Cities like San Francisco, Okland, Somerville, Massachusetts, already banned the use of facial recognition.

Sadly, for the Indians, the current regime is doubling their effort to use bio-metrics and facial recognition in every possible way. Airports like Hyderabad are using them to allow boarding to flights, and they will spread them to other cities very soon. India is also creating a national facial recognition system. Details can be found here and here

New releases for this week

Talks for the week

The L0pht video is a classic and must watch for every one of you. The second talk is a personal favorite.

If you want to discuss any of these topics, hop on to the Freenode server (IRC), and come to the #learnandteach channel.


I keep reading random things over the Internet, and I feel a few of those will make sense to others too. But, posting those links into the primary blog does not make sense. That is the reason I am starting up this newsletter. I will try to make at least one post every week.

  • Pushing left like a boss In this long series of posts Tanya Janca explains the idea behind application security and how that has to be thought from the very beginning of the development process.

  • Blood money and Gitlab Gitlab said that they are okay to take money from any client, this brings back the memory of IBM doing business with Nazi Germany.

  • Just in case you are interested in connected Urinals, check this tweet

  • The FinFisher malware authors used legal threats against a German newsmedia

Book suggestion

Both book are amazing reads, and full of previously unknown details. If you want to discuss about any of the these topics, hop on to the Freenode server (IRC), and come to the #learnandteach channel.


Enter your email to subscribe to updates.