Hacker News new | past | comments | ask | show | jobs | submit login

The evidence that points to Iran comes from a company named, Resecurity. But there are some odd stuff about this company.

1 - their CEO has no real linkedIn history [1]

2 - they revenue and employment went off the chart just in 2 quarters [2]

3 - very unclear how they came to this assessment. Especially now that US government is looking for excuses (real or fabricated) to make a case for war with Iran, I look at these evidence with some skepticism.

Am I being over-cynical here?

1 - https://www.linkedin.com/in/charles-yoo-365201165/

2 - https://www.zoominfo.com/c/resecurity-inc/353866377

edit - formating.

1 Resecurity's wordpress site has directory listing turned on. Most content on the website seems to have been uploaded in february. 2 The services that does the press releases looks suspicious. 3 The second service also looks suspicious 4 Golden Bridge Silver and Gold Award winners... Anyone heard of this? Seems they sell thophies

[1] https://resecurity.com/wp-content/uploads/ [2] https://www.prnewswire.com/news-releases/resecurity-names-ia... [3] https://www.businesswire.com/news/home/20190226005414/en/Res... [4] https://goldenbridgeawards.com/store/

Looks like a fish, smells like a fish

“Resecurity Inc., California-Based cybersecurity company”

timezone_string: Europe/Kiev

Admin IP address:, AS196740, Ukraine

Really piling on the confidence here.

This one's before the Forbes article:

Citrix Data Breach – Next is what to do next newsbeezer.com "resecurity" kiev ukraine from newsbeezer.com 19 hours ago · KIEV, UKRAINE – 2019/01/ 20: Citrix Systems software ... According to Security Company Resecurity, the attacks were ...


Here's the article's top image sub-text:

Citrix was hit by hackers in attacks that may have exposed large amounts of customer data. KIEV, UKRAINE – 2019/01/20: Citrix Systems software Company logo displayed on a smartphone. (Photo by Igor Golovniov / SOPA Images / LightRocket on Getty Images) Getty

The image is hosted by Forbes: https://thumbor.forbes.com/thumbor/600x315/https%3A%2F%2Fspe...

Why newsbreezer has an article dated an hour earlier in a Google search than the Forbes article which is hosting the image on both sites, and why it's coincidentally sub-texted with KIEV, UKRAINE, I can't explain...

Way too sloppy for a false flag operation. Probably just some shady company trying to make a buck.

Regardless, it would be irresponsible to trust their attribution claim, especially when no evidence has been presented.

I just did a search for `"resecurity" kiev ukraine` on Google and got some strange results showing news articles from well-known sites stating KIEV, UKRAINE in context with the article's top pic... I'm not sure how to explain that:

Why The Citrix Breach Matters -- And What To Do Next Forbes "resecurity" kiev ukraine from www.forbes.com 18 hours ago · KIEV, UKRAINE - 2019/01/20: Citrix Systems Software company logo seen ... According to security firm Resecurity, the attacks were perpetrated by ...



Nice find. It contains the e-mail address mr.archee@gmail.com

Which seems to belong to a russian guy: https://support.webasyst.ru/forum/4011/filtr-v-vide-select/

Must be a russian speaking Iranian ;-)

Unsecured directory listing of a common php cms that shows uploads, and one of them them is a full DB dump made with phpmyadmin. The only thing missing is execution rights in that directory.

This is either an insider joke or a jump back to 2004.

this is "wordpress-normal" - the funny/sad part is its the wordpress blog of a security company investigating a huge breach...

Unless this is actually not a security company investigating a huge breach.

I've never seen directory listing turned on as a normal part of WP install.

Well, its better to get some wordpress hacked, than it is to have a server onprem get pwned and used as a inadvertent bastion to your internal network.

phpmyadmin is apprx. the only thing i remember about making a website.

Nice. According to the wp_users table there are 3 users, all nearly exactly 1 year old (2018-03-03, 2018-03-05, 2018-03-17).What are the chances that's a coincidence?

Is there any risk you take by posting that?

That is a page that I doubt the author would have wanted to be public, and is not linked to from the home page or its descendants. Wasn't that the case against weev?

(IMO, if it is public, it should be legal to post to it, but whatever.)

Interesting question. Technically, it is public. The user didn’t break anything or use any nefarious techniques. The web server is configured to list directories which in concert with file permissions makes it public. Not sure how/if this might be analogous to “just because a door isn’t locked doesn’t mean you can go in”.

feels like there isnt even a door . . "just because its in my front yard doesnt mean youre allowed to walk in front of my house and look at it sitting there."

This argument is not much different than what the grandparent is referring to. weev was convicted of conspiracy to access a computer without authorization because he advised a guy who discovered a publicly available HTTP API hosted by AT&T that returned email addresses based on guessable ids. The conviction was overturned, but on procedural grounds, not legal ones.

Directory listing wasn't on on the AT&T server.

He accessed “public” URLs that he inferred the existence of but wasn’t supposed to access. So I guess if you can start at the homepage of this site and find a link to a directory, you’re OK.

It was linked from https://resecurity.com/wp-content/uploads/, which is a common and public URL, and anything uploaded there is intended to be public. Of course, whoever uploaded it either wasn't aware or didn't think it through--maybe they thought nobody would ever visit that page.

As you can see, the link is gone now.

This url is now showing a 404.

They took it down. What did it say?

It was an SQL dump of their entire database: https://archive.is/https://resecurity.com/wp-content/uploads...

They also seem to have stolen a number of graphics on their website. If you check their filenames, they have the default filename of when you take a screenshot on OSX. Then take this one for example:


Throw it into Google's reverse image search and you'll find the graphic if was cut out of:


Thanks for finding that. This image from their directory listing (maybe on their site somewhere but I couldn't find it) shows me at least something about their offering - looks like another dark web breach alerting service.


FYI, PRNewswire is one of the oldest, respected, and expensive newswire services around. Businesswire is also very well established. Not sure how those seem “suspicious”.

Not sure if that was meant to be sarcastic. They have a pretty clear history of accepting garbage for money. https://www.seroundtable.com/google-panda-pr-newswire-change...

PRNewswire is used by the vast majority of the Fortune 1000, including for releases that are required for SEC compliance. They are probably the oldest and most widely used of all the newswire services.

The point is that using PRNewswire or Businesswire is hardly “suspicious,” because most businesses that do press releases use one or the other.

What's suspicious about PR Newswire / Business Wire? They're the industry standard wire tools in Public Relations.

The Golden Bridge trophies seem to be available to buy if you've won.

I don’t know specifically about Golden Bridge but I have been on the receiving end of other trophy clearinghouses: we were notified we had won a whatever of the year award without even applying for it and that we could purchase the actual trophy for a very reasonable price. Basically these companies’ business is selling overpriced crystal trinkets.

As have I, it's a fairly common racket. However, rights to a trophy / rights to use the logo etc are also sold by perfectly legitimate awards too.

Only fake awards sell trophies. they give the award to everything and make money in trophy sales. See also SuperDoctors, Who's Who, and pay to publish journals with no peer reviews.

It’s absolutely reasonable to be critical of any accusations that “Iran did it” or any other nation that the US considers enemies. Didn’t our security ministers claim North Korea was behind the Sony hacks when Obama was in office? We were never given any proof, so it’s impossible to verify... When you consider the way we lie on international affairs, all statements our government makes must be considered suspect. This is not unique to the US by the way, so treat your own state similarly.

there is one small nuisance here - if we start to treat all governments equally skeptic, we should also "fry live" all large corporations too.

How did we come to this imbalance?


Truly free people are free to keep all the secrets they want.

The only reason to keep secrets is if they aren't free. Otherwise the secret protects nothing. Freedom is broad and self contradictory. Complete freedom for more than one person is impossible.

That's not true. There are any number of subgroups that view certain behavior with distaste that other subgroups do not. Just because there is social and cultural pressure to do or not do things doesn't mean you are unfree. You are just as free to observe the behaviors or not as other people are to judge you by them.

I mean, I don't like tipping. I think it's horrible in many aspects, not the least of which how it taps directly into racial and gender prejudices monetarily (black waiters make less in tips regardless of service level). That said, I tip. I would rather not be known as the guy that doesn't tip (and wages assume tips as of now, so it's a bit unfair to the service people). I'm still free to tip or not, and others are free to judge or misjudge me for it if I do.

.. and they will forever be ruled by them, so: not free.

<sarcasm>Yes. US government should publish it's nuclear launch codes on whitehouse.gov </sarcasm>

Conflating nuclear launch code secrets with war crime secrets: this is the problem with Americans today.

In the sense that free people would still be free if all their secrets are exposed? I can get behind that train of thought.

If you allow your government to keep its own secrets, it will use that right to rule you.

In Liar’s Poker, the author said Wall Street would always blame the Arabs for any unpredicted movement in the finance markets.

Zero evidence, but most Americans didn’t know any personally but knew they had oil money to buy/sell investments.


None of the articles you linked offered any proof but rather just accusations mostly more accusations from American companies too I may add. “While the need to protect sensitive sources and methods precludes us from sharing all of this information, our conclusion is based, in part, on the following: Then it goes into some vague details about how it happened proving nothing. So again we have to take their word this is the truth. Perhaps it is but show us the hard truth. De-classify the documents that show the links. Again it is all “believe us we can link it to North Korea”.

You simply gave a summary of the first article's summary and then falsely claimed there were no details.

The articles are summaries of what the government and the companies discovered. Read the indictment linked in the last article or the reports from the companies for details.

I think it is best to take a wholesale view that the news as we know it is a religion. That sounds a bit odd given that a lot that is in the news is fact oriented and a lot of current affairs is discussed. But in a formal church there is mention and prayers for those caught up in actual events.

Fundamentally though the news requires belief. It is there for the 'capitalist flock' who have a world where the government, democracy as we know it and the laws we have define the world.

With normal religion the real things that happen with celestial bodies get interpreted in some narrative that has to do with some carpenter's son who died a long time ago. A whole new world of god is created which is an abstraction of physical realities. Rather than 'primitive sun worshipping' there is this new religion to believe in, the religion accounts for everything in its own special way.

If you could teleport 500 years into the future and learned about TV news and how people believed it then you would wonder how people disbelieved facts they observed with their own eyes and what they knew to be true by the calling of their own heart and their own sense of reason.

Therefore, at least as a thought experiment, see the news and the nasty things said about people outside capitalist countries as 'religion'. It all becomes clearer then.

I'm not really sure how this is so controversial. Even formal mathematical systems contain axioms. And science is largely based on faith in other people's truthfully reported observations. And news is founded on faith in a whole bunch more different things, and there is sectarian tension between the congregation s of, let's say, Fox and NPR. Even the qualia of physical existence can be considered as a matter of faith , but typically it's only practical for philosophers to worry about that. But, it is practical for everyone to consider the matter of faith in news, given human history.

One could also describe it simply as a tautology. It comes with its own simplified, illusory cause/effect chain and line of reasoning based off of itself, without necessitating the same "feeling" or "spiritual" sensibilities as most religions or cult movements.

I don't have a LinkedIn page, or any other social media for this matter. Does that make me a non-trusrworthy person now? This is horrible. (I don't disagree with your other points).

Are you the CEO of a company that works in computer security, where fame is probably more important than in other fields?

To be fair, conceptually the concept of a CEO of a security company with no social media presence at all is not surprising, speaking from my experience with people in this field.

Interesting, I have little idea how the field really works. I guess there must still be some kind of internet presence, maybe not through a typical social network ?

This is often overlooked. If your kid wants to work in security it will be hard to get a job if his/her info and history can be found on social media.

No it won't, that's a really odd take. Perhaps if you want a job in very specific sub-section of cyber-espionage stuff, you might have a problem with existing on social media (although I doubt it)

But the idea that general IT security companies have a reduced chance of hiring someone based on their information being on social media is... not the case.

Nope, sorry, this isn't accurate at all.

That's a very odd thing to say. There are so many security professionals in the world with LinkedIn profiles.

This is not true.

Fame does not equal trust. While there may not be any security through obsecurity it is a barrier. As for being a trusted CEO at a certain point its about who you know and who knows you. Do you think the NSA employees all have social media profiles?

Fame doesn't equal trust, but trust over time does create recognition (perhaps fame is a bit too strong). My claim is that if no one can vouch for you, how can I trust you?

Fame doesn't equal trust, but if someone with no public background starts claiming to have been in the NSA/MI6/FSB/whatever, why would you believe them?

the point is that there is a LinkedIn page. But all employees are directors or VP's - not a single engineer that works at Rsecurity.

Unlikely that they are a front to a US operation. But very likely that it's a start-up that leverages the currently toxic climate in order to get themselves in the news. Making half baked attribution claims is a perfect way to do so. One might even say that not doing so would be leaving money on the table.

According to 2 companies I interviewed with: Yes. I was pissed because if they didn't trust my resume, why even interview me and waste my time.

You dodged two bullets. Consider yourself lucky.

TLDR; in some jobs, you can't have social media accounts.

I have some contact with cybersec in Europe and it is very common that cybersec professionals in gov and mil positions do not have any social media accounts under their own name, and certainly not linkedin. Social media makes you too much of a target and reveals too much about your org. When promoted to a public-facing position the person then suddenly "appears" from nowhere and the media profile has as little information as possible. Real professionals use those accounts only from designated computers, and if you are high ranking enough (head of...) in fact never use them at all, but rather have someone else using them for you. All in the name of keeping your own actions and locations away from the curious.

Does the entire org appear out of nowhere? No. MI5, CIA, Stasi, etc have been quite public about their existence.

Knowing the organization exists and knowing that someone specifically works the organization are two different things. In fact, this is the defining characteristic of any secret organization (governmental or otherwise: CIA, Stasi, KKK (in the 50s)...) that wants to project power: we exist, we are everywhere but you don’t know who we are.

+1, I also recently deleted my LinkedIn profile. Taking LinkedIn profile as a sign of authenticity is indeed horrible.

Yes, basically. For example, I've used LinkedIn to double check whether I should trust that an online watch buyer is a real person.

I also dont have a LinkedIn page, quite amusing that people find that a problem

Wtf is this "zoominfo" site that, upon clicking "Read More", tries to drive-by download an exe onto my computer? What is this, 2002?

Wow, I read the EULA-thing for that executable.

> I Agree to the Terms of Service and Privacy Policy I understand that I will receive a subscription to Zoominfo Community Edition at no charge in exchange for downloading and installing the ZoomInfo which, among other features involves sharing my business contacts as well as headers and signature blocks from emails that I receive.

It's effectively malware though at least they display it up-front, which is more than can be said for most.

Ah, dang it, I have to actually read these things now?

This is the same as LinkedIn or Facebook slurping your address book.

Given an absence of even other vague data like 'exfiltrated data IP addresses were registered as Iranian' (not conclusive proof in itself given that the end devices could have been compromised) I'd say there is reason to be skeptical until they can provide more evidence.

Given the history of states to lie and manipulate to get into war, and since the USA proved to be particularly ok with it during the last decades, I'd say being cynical should be the default mode for this kind of analysis. If you are wrong, you are being over protective about peace, so what ?

Agreed that something seems off.

Generous interpretation - they're brand new (first Tweet 2/13/2019, first blog 2/19/2019).

Would love to know if those logos & awards are legit (quick search of the awards makes some look like pay to win).

The FAQ page: How Can I Improve my Chances of Receiving an Award?

One answer is: Sponsor the Cybersecurity Excellence Awards

There's a voting scheme, but the FAQ does state: The popular vote will only be considered if two or more nomination are tied for an award

Slightly less cynical explanation, could it be a parallel construction type thing? Something like: The FBI (or whoever) have espionage on whichever groups and heard data from Citrix being discussed, but they don’t want to reveal that espionage so they reveal it through Resecurity.

I wouldn't rule it out completely but both Hanlon's and Occam's razor would point against it. More likely that it's just another cybersec company that has found a way to newsjack itself into a position of fame via premature attribution.

I've looked over their website and I'm confused about what they actually do. They are "trusted by leading Fortune 500 corporations" apparently (with logos for Microsoft and Amazon), but the entire "Interested in our solutions" section is a sign up form. What am I signing up for? It's unusual for a company to barely try to promote their products.

Yes, it makes you wonder, how does a small company pop into existence straight into class-A office space in downtown LA, and within the span of what? two years? claims to have done business with a dozen or so heavyweight companies. And what is their web presence? Vague, inscrutable C-suite-speak about security, and one blockbuster claim in the Citrix break.

At some point, Occam's razor will favor that this company is having its strings pulled by some larger entity that doesn't want to be revealed.

The address "555 West 5th St, Los Angeles, California" has a WeWork space in it.

They’re most famous for their hypervisor and virtualized desktop software.

That's what Citrix is famous for - that's not the company I was talking about.

I think GP is asking about the security company, not Citrix.

Good catch, that is called a 3 letter agency front.

Or just a two bit con artist

Absolutely this. Have encountered them before.

There is almost no information about this company. I did a passive recon and this is what I've got: https://recon.secapps.com/f/EMh9

That's a really cool service. Thanks for sharing.

We most definitely need to see real evidence in these kinds of cases. It is not enough to be told 'the experts say it is so' - the case must be made public.

Too many times we are led into disaster and tragedy by secrets.

The text on the site alone is a red flag. It might as well be Latin gibberish. And the "awards" aren't linked to anything. Some of them are just silly, like this one: https://resecurity.com/wp-content/uploads/2019/02/award-4.pn...

which was apparently uploaded last month...

Neither the US government nor Citrix have implicated Iran. Resecurity came out of the woodwork contacting media companies about its supposed research after Citrix posted a brief statement explaining the FBI had notified it of a breach.

The same company also blamed a hack in Australia on Iran, which the Australian government does not agree with. https://www.itwire.com/security/86141-iran-or-china-competin...

Looks like the Iran connection came from a guy with a history of opportunistically jumping in on big security news stories: https://mobile.twitter.com/imdeaconblues/status/110504680622...

You can hide your linkedin history from people that are not connected to you (or your whole profile). It's a privacy option.


Assad is using chemical weapons against his own people. It was determined by OPCW. You can read full reports of the two well publicized attacks here:



But there were many more. So please don't spread unsubstantiated falsehoods and doubt.

These reports make no such conclusion - that the Syrian government was responsible for the attack.

They do confirm that chemical weapons were used. Who used them, is not determined, and even the reports themselves state that the provenance of the chemicals is out of scope of the FFM.

It states that Sarin and chlorine-based weapons were used - but the FFM was not able to visit the site directly and relied on samples collected by third parties and provided to the FFM for the purposes of their investigation. The only conclusion is: chemical weapons were used.

It does not, in any way, state that the Syrian government were responsible for the attack.

Indeed, the Syrian government themselves requested this mission proceed to determine the use of these chemical weapons - why would they do that if they knew they'd used the chemical weapons?

>But there were many more. So please don't spread unsubstantiated falsehoods and doubt.

If you have further evidence that supports the claim that the Syrian government used these weapons, please provide it. Thus far, you have failed to apply your own demand for evidence.

> These reports make no such conclusion - that the Syrian government was responsible for the attack.

They can be used to make a conclusion. We don't need the mandate, and we can think for ourselves, no? In both cases the munitions were reportedly dropped from the air. Once from the airplane, and second time from helicopters.


Rebel groups don't have airplanes or heliopters, so Khan-Sheikoun attack was most likely made by the Assad regime. Douma can be speculated about somewhat more, but dropping the chlorine containers from the air was not excluded, and was quite likely, based on previous documented droppings of chlorine canisters from helicopters, that used the same mounting technology.

It was also not unprecedentend, dropping chlorine canisters from helicoters by Assad regime was docummneted previously on multiple occasions. The same canisters, and mounting technology for dropping from helicopters. The same goes for Sarin use. (look up other Sarin uses OPCW investigated)


I mean what's so surprising about this? Assad regime has been procuring chemical weapons for decades. They do it just for fun? It's a very expensive hobby.

> Indeed, the Syrian government themselves requested this mission proceed to determine the use of these chemical weapons - why would they do that if they knew they'd used the chemical weapons?

How would I know.

You can obviously kill people and request an inestigation at the same time. There's nothing that prevents that.

It's pointless to speculate on motives. But hey: Because they don't care? Because nothing's gonna happen anyway? Because they were scared of non-cooperation? Because Russia wanted them to? Because it's good optics in the war propaganda - it seems like they have nothing to hide? Calculated risk? (noone's gonna invade them for chlorine use, and they would have had to know that Sarin was not used in Douma, so why not?)

Even if Sarin would have been used, most likely nothing would have happened to them, like many times before. There were several other recent Sarin uses that went unpunished. US is not there for a regime change, and Assad has an upper hand, except for Idlib, and SDF areas. Chemicals are a great weapon for terrorizing civilian population. So why not use them after calculating some risks?

Just look at some WWI documentaries. People/leaders can get completely crazy under a war situation, and justify pretty much anything - even sacrificing almost 30000 soldiers in one day in pointless attacks. It's pointless to speculate on motives now.

They don't say what you say they do. Saying something happened doesn't mean they said who did it. They did not. Most likely it is false flag.

Most likely based on what? There's zero evidence for that.

What you're saying is impossible; until June, the OPCW didn't have the mandate to assign blame[1], and while they now do, the Duoma expedition still did not[2].

[1] https://www.bbc.com/news/world-europe-44634434

[2] https://www.bbc.com/news/world-middle-east-47424266

Lack of mandate doesn't make it impossible to assign blame based on facts in the report. It's just that OPCW wasn't tasked with it. Though you're right that OPCW didn't blame Assad. I was inaccurate, there.

You're downvoted, because you seem to be whitewashing a few things - from Assad, to Soviets in Afghanistan, in your quest to paint USA blacker. You tell us to take intelligence community with a grain of salt, and then speculate about Kashoggi - where most information comes from Turkey's intelligence aparatus. Also socialists are also funded and armed by USA (see SDF in Syria). Also this guy (armed by USA) - https://en.wikipedia.org/wiki/Nouri_al-Maliki is a Shia.

I mean, yes, USA foreing policy is a mess. But we should still be bothered by facts.

I agree regarding “whitewashing” the Soviet presence in Afghanistan, for example. But it was skipping over that to make a point - we occupied the country and did the exact same thing as the Soviets, for longer than they did, on our own dime, and encountered the same kind of resistance that we formerly supported. Whatever the reasons for the Soviet coup in 1979, our actions post 9/11 combined with our actions then show a schitzophrenic foreign policy.

Socialists and Shiites were obviously occasionally funded and armed by the USA, and I even alluded to this - Saddam was a socialist, and the new government of Iraq was a Shiite government. However, that doesn’t negate what I said - read it carefully. Far more mainstream sources than me have pointed this out:



Most of the discussion oriented places is mostly US (or west) centered, any kind of thoughts or idea that is against it will not be favored and for sure will be discouraged as well by any means (downvoting, labeling, banning, etc...)

The right Audience for such message that can digest are minority.

I would say, don't count on having any kind of support from such places (HN, reddit, facebook, twitter, Quora etc). US has the media and already online media too.

Keep pushing <3

I'm not American, and I downvoted because it's easy to conflate things which were clearly wrong (WMD) and things for which there is plenty of open source intel showing are correct (North Korea Sony hack).

It's just too easy to do this.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact