<?xml version="1.0" encoding="UTF-8"?><rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>r3b1s</title><description>Notes on security, privacy, and systems.</description><link>https://r3b1s.pages.dev</link><language>en-us</language><item><title>California&apos;s 2025 Tech Legislation: AI Transparency, Chatbots, and Privacy</title><link>https://r3b1s.pages.dev/blog/california-policy</link><guid isPermaLink="true">https://r3b1s.pages.dev/blog/california-policy</guid><pubDate>Sun, 09 Nov 2025 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;California has enacted a suite of new legislation with a &lt;strong&gt;diverse&lt;/strong&gt; set of
impacts. Among other things, these bills are intended to:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Increase transparency in the process of building &lt;strong&gt;frontier&lt;/strong&gt; AI models
(defined later).&lt;/li&gt;
&lt;li&gt;Ensure the well-being of individuals interacting with AI chatbot services.&lt;/li&gt;
&lt;li&gt;Combat social media addiction.&lt;/li&gt;
&lt;li&gt;Protect children and minors.&lt;/li&gt;
&lt;li&gt;Prevent stalking via connected devices.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Most businesses operating in the State of California -- remotely or otherwise --
will likely need to implement compliance measures by the relevant deadlines to
maintain their bottom line. Because California is the 4th largest economy in the
world, this affects &lt;em&gt;many&lt;/em&gt; businesses.&lt;/p&gt;
&lt;p&gt;Much of the AI-specific legislation is aimed at large organizations with copious
resources, so SMBs need not worry about those portions -- but the breach
notification and chatbot rules apply to businesses of all sizes.&lt;/p&gt;
&lt;p&gt;There&apos;s A LOT to cover here, so I&apos;ll be focusing on global impacts.&lt;/p&gt;
&lt;h2&gt;AI Legislation&lt;/h2&gt;
&lt;p&gt;It is important to note that California has been the USA&apos;s leader in sounding
the horn on data, privacy, and AI legislation.&lt;/p&gt;
&lt;p&gt;As of November 2025, AI&apos;s &lt;strong&gt;Black Box Problem&lt;/strong&gt; remains unsolved: even the
developers of large AI models cannot fully explain why a model produced a given
output, because its behavior emerges from billions of learned parameters rather
than legible, human-written rules. This makes model behavior difficult to audit,
predict, or guarantee -- which is precisely why transparency legislation focuses
on disclosure of &lt;em&gt;processes&lt;/em&gt; rather than inspection of the models themselves.&lt;/p&gt;
&lt;h3&gt;SB 53: Transparency in Frontier Artificial Intelligence Act&lt;/h3&gt;
&lt;p&gt;&lt;em&gt;Full Bill Text [3]: &lt;a href=&quot;https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202520260SB53&quot;&gt;https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202520260SB53&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;Culminating a multi-year policy-making process, the ratification of the
&lt;strong&gt;Transparency in Frontier Artificial Intelligence Act (TFAIA)&lt;/strong&gt; [3] is perhaps
the most noteworthy of the entire package. It&apos;s the first piece of comprehensive
AI legislation regulating the development of &lt;em&gt;frontier&lt;/em&gt; foundation models --
that is, &lt;em&gt;cutting edge&lt;/em&gt; AI models -- in the U.S.&lt;/p&gt;
&lt;p&gt;Last year, after vetoing a similar bill (California Senate Bill 1047 of 2024),
Gov. Gavin Newsom tasked the &lt;strong&gt;Joint California Policy Working Group on AI
Frontier Models&lt;/strong&gt; to deliver a report &amp;quot;focused on artificial intelligence (AI)
frontier models.&amp;quot; [1][2] This report ultimately guided the creation of the
finalized bill.&lt;/p&gt;
&lt;p&gt;Fostering public trust in AI developers and service providers is the predominant
goal:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;It&apos;s meant to foster an environment of transparency surrounding the innovation
and development of cutting edge, highly-capable foundation models.&lt;/li&gt;
&lt;li&gt;Large frontier developers must write, publish, and actually follow a &lt;strong&gt;frontier
AI framework&lt;/strong&gt; describing how they incorporate national/international safety
standards, assess catastrophic risk, and govern secure deployment. The
framework must be reviewed and updated at least annually.&lt;/li&gt;
&lt;li&gt;A &lt;strong&gt;transparency report&lt;/strong&gt; must be published whenever a new frontier model (or a
substantially modified version of one) is released -- covering its capabilities,
intended uses, and restrictions.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Critical safety incidents&lt;/strong&gt; must be reported to California&apos;s Office of
Emergency Services within 15 days of discovery -- or within 24 hours if the
incident poses an imminent risk of death or serious physical injury.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Whistleblower protections&lt;/strong&gt; shield employees who report catastrophic-risk
concerns, and large frontier developers must maintain an anonymous internal
reporting channel.&lt;/li&gt;
&lt;li&gt;Enforcement falls to the Attorney General, with civil penalties of up to &lt;strong&gt;$1
million per violation&lt;/strong&gt;. Notably, there is &lt;em&gt;no&lt;/em&gt; private right of action --
contrast this with SB 243 below.&lt;/li&gt;
&lt;li&gt;The bill also establishes &lt;strong&gt;CalCompute&lt;/strong&gt;, a consortium tasked with designing a
public compute cluster to support safe, equitable AI research.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;For context, the bill&apos;s section 1(f) [3] defines a &lt;strong&gt;foundation model&lt;/strong&gt; as:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;(f) &amp;quot;Foundation model&amp;quot; means an artificial intelligence model that is all of
the following:&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;(1) Trained on a broad data set.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;(2) Designed for generality of output.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;(3) Adaptable to a wide range of distinctive tasks.&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;A short, high-level summary of the law can be gleaned from section 1(k) [3]:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;&amp;quot;With the frontier of artificial intelligence rapidly evolving, there is a
need for legislation to track the frontier of artificial intelligence research
and alert policymakers and the public to serious risks and harms from the very
most advanced artificial intelligence systems, while avoiding burdening smaller
companies behind the frontier.&amp;quot;&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Large companies at the frontier of AI research are the primary focus, but &lt;strong&gt;a
provision for smaller businesses&lt;/strong&gt; is made with section 1(n) [3]:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;&amp;quot;In the future, foundation models developed by smaller companies or that are
behind the frontier may pose significant catastrophic risk, and additional
legislation may be needed at that time.&amp;quot;&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;The law applies only to organizations meeting these thresholds:&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Compute Threshold:&lt;/strong&gt; Definition of a &amp;quot;&lt;em&gt;&lt;strong&gt;frontier model&lt;/strong&gt;&lt;/em&gt;&amp;quot; -- section 2(i)&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;(i) (1) &amp;quot;Frontier model&amp;quot; means a foundation model that was trained using a
quantity of computing power greater than 10^26 integer or floating-point
operations.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;(2) The quantity of computing power described in paragraph (1) shall include
computing for the original training run and for any subsequent fine-tuning,
reinforcement learning, or other material modifications the developer applies
to a preceding foundation model.&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Note: 10^26 operations = 100,000,000,000,000,000,000,000,000 operations&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Revenue Threshold:&lt;/strong&gt; Definition of a &amp;quot;&lt;em&gt;&lt;strong&gt;large frontier developer&lt;/strong&gt;&lt;/em&gt;&amp;quot; --
section 2(j)&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;(j) &amp;quot;Large frontier developer&amp;quot; means a frontier developer that together with
its affiliates collectively had annual gross revenues in excess of five hundred
million dollars ($500,000,000) in the preceding calendar year.&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;h3&gt;SB 243: Companion Chatbots&lt;/h3&gt;
&lt;p&gt;&lt;em&gt;Full Bill Text [10]: &lt;a href=&quot;https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202520260SB243&quot;&gt;https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202520260SB243&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;Senate Bill 243 focuses on the mental well-being of users of AI chatbots. It
broadly shares many goals with TFAIA [3], attempting to set healthy precedents
that increase the public&apos;s trust in AI services compliant with the policy.&lt;/p&gt;
&lt;p&gt;It mandates the implementation of &lt;em&gt;&amp;quot;…a protocol for preventing the production of
suicidal ideation, suicide, or self-harm content to the user…&amp;quot;&lt;/em&gt; [10] into most
AI chatbot services. Details of such protocols must be made available on service
operators&apos; websites. Additionally, it emphasizes the use of awareness
notifications to prevent users from being misled into thinking an AI chatbot is
a human.&lt;/p&gt;
&lt;p&gt;Further provisions are made for &amp;quot;a user that the operator knows is a minor:&amp;quot;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;It must be disclosed to the user that they are interacting with artificial
intelligence.&lt;/li&gt;
&lt;li&gt;Users must be clearly notified and reminded at least every three hours to take
a break and &amp;quot;that the companion chatbot is artificially generated and not
human.&amp;quot;&lt;/li&gt;
&lt;li&gt;&amp;quot;Reasonable measures&amp;quot; must be instituted to prevent the generation of sexually
explicit material.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Annual Reports: Beginning July 1, 2027, operators [of AI chatbot services] must
annually deliver a report on these efforts to California&apos;s Office of Suicide
Prevention. Data from such reports must be de-identified. Data from the report
must be made available on the operator&apos;s website.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Section 22603(a)&lt;/strong&gt; -- The annual report shall consist solely of these data
points [10]:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;(1) The number of times the operator has issued a crisis service provider
referral notification pursuant to Section 22602 in the preceding calendar
year.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;(2) Protocols put in place to detect, remove, and respond to instances of
suicidal ideation by users.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;(3) Protocols put in place to prohibit a companion chatbot response about
suicidal ideation or actions with the user.&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Importantly, it&apos;s crucial to understand what a &amp;quot;companion chatbot&amp;quot; IS -- and what
it IS NOT.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Section 22601(b)(1)&lt;/strong&gt; -- Definition of a &amp;quot;&lt;strong&gt;Companion chatbot&lt;/strong&gt;&amp;quot; [10]:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;(b) (1) &amp;quot;Companion chatbot&amp;quot; means an artificial intelligence system with a
natural language interface that provides adaptive, human-like responses to user
inputs and is capable of meeting a user&apos;s social needs, including by exhibiting
anthropomorphic features and being able to sustain a relationship across
multiple interactions…&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;&lt;strong&gt;Section 22601(b)(2)&lt;/strong&gt; -- What &lt;em&gt;isn&apos;t&lt;/em&gt; a &amp;quot;Companion chatbot&amp;quot; [10]:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;(2) &amp;quot;Companion chatbot&amp;quot; does not include any of the following:&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;(A) A bot that is used only for customer service, a business&apos; operational
purposes, productivity and analysis related to source information, internal
research, or technical assistance.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;(B) A bot that is a feature of a video game and is limited to replies related
to the video game that cannot discuss topics related to mental health,
self-harm, sexually explicit conduct, or maintain a dialogue on other topics
unrelated to the video game.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;(C) A stand-alone consumer electronic device that functions as a speaker and
voice command interface, acts as a voice-activated virtual assistant, and does
not sustain a relationship across multiple interactions or generate outputs
that are likely to elicit emotional responses in the user.&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Notably, provisions are made for those suffering injury due to non-compliance
(Section 22605):&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;A person who suffers injury in fact as a result of a violation of this chapter
may bring a civil action to recover all of the following relief:&lt;/p&gt;
&lt;p&gt;(a) Injunctive relief.&lt;/p&gt;
&lt;p&gt;(b) Damages in an amount equal to the greater of actual damages or one thousand
dollars ($1,000) per violation.&lt;/p&gt;
&lt;p&gt;(c) Reasonable attorney&apos;s fees and costs.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;h2&gt;Non-AI Legislation&lt;/h2&gt;
&lt;h3&gt;SB 446: 30-day Data Breach Customer Notification Limit&lt;/h3&gt;
&lt;p&gt;&lt;em&gt;Full Bill Text [9]: &lt;a href=&quot;https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202520260SB446&quot;&gt;https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202520260SB446&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;This bill amends Section 1798.82 of the California Civil Code -- the state&apos;s
existing breach notification statute. Section 1798 is most notably affiliated
with the enactment of the &lt;strong&gt;California Consumer Privacy Act (CCPA)&lt;/strong&gt; in 2018.&lt;/p&gt;
&lt;p&gt;Currently, businesses operating in California are legally obligated to disclose a
compromise of California residents&apos; unencrypted personal information in &lt;em&gt;&amp;quot;the
most expedient time possible and without unreasonable delay…&amp;quot;&lt;/em&gt; [9].&lt;/p&gt;
&lt;p&gt;Senate Bill 446 replaces the abstract time window, mandating (under normal
circumstances) a maximum limit of 30 days between the first &lt;em&gt;discovery&lt;/em&gt; OR
&lt;em&gt;notification&lt;/em&gt; of the compromise. In other words: organizations operating in
California MUST notify affected parties within 30 days of the point at which the
organization &lt;em&gt;becomes aware&lt;/em&gt; a breach occurred.&lt;/p&gt;
&lt;p&gt;Delaying a breach&apos;s disclosure is allowed in these cases:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&amp;quot;…to accommodate the legitimate needs of law enforcement…&amp;quot;&lt;/li&gt;
&lt;li&gt;&amp;quot;…or as necessary to determine the scope of the breach and restore the
reasonable integrity of the data system.&amp;quot;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Section 1(d) [9] clearly lists the requirements of a sufficient breach
notification:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;…(1) The security breach notification shall be written in plain language,
shall be titled &amp;quot;Notice of Data Breach,&amp;quot; and shall present the information
described in paragraph (2) under the following headings: &amp;quot;What Happened?&amp;quot; &amp;quot;What
Information Was Involved?&amp;quot; &amp;quot;What We Are Doing,&amp;quot; &amp;quot;What You Can Do,&amp;quot; and &amp;quot;For More
Information.&amp;quot; Additional information may be provided as a supplement to the
notice…&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;In addition to the quote above, section 1(d) contains many more &lt;em&gt;granular&lt;/em&gt;
requirements for breach disclosures. It also provides a pre-built template which
can be used to fill out a written disclosure.&lt;/p&gt;
&lt;p&gt;If a single breach results in a notice that must be issued to more than 500
California residents, a copy of this notice must be submitted to the Attorney
General &lt;em&gt;within 15 days&lt;/em&gt; of notifying affected consumers:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;(f) An individual or business that is required to issue a security breach
notification pursuant to this section to more than 500 California residents as
a result of a single breach of the security system shall electronically submit
a single sample copy of that security breach notification, excluding any
personally identifiable information, to the Attorney General within 15 calendar
days of notifying affected consumers of the security breach. A single sample
copy of a security breach notification shall not be deemed to be within Article
1 (commencing with Section 7923.600) of Chapter 1 of Part 5 of Division 10 of
Title 1 of the Government Code.&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;In practice, this may just result in organizations feigning ignorance until
they&apos;re ready to disclose publicly -- or asserting that certain compromised data
was already publicly available. That defense gets stronger the more personal
information users leave exposed, which is one more argument for keeping your
data away from the public gaze: scrubbing old posts across platforms, and being
careful about where and with whom you share information.&lt;/p&gt;
&lt;h3&gt;AB 1043: Digital Age Assurance Act&lt;/h3&gt;
&lt;p&gt;&lt;em&gt;Full Bill Text [4]: &lt;a href=&quot;https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202520260AB1043&quot;&gt;https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202520260AB1043&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;This bill adds a title to section 1798 of the California Civil Code (home of the
CCPA), relating to consumer protection.&lt;/p&gt;
&lt;p&gt;Beginning January 1, 2027, the law requires &amp;quot;operating system providers&amp;quot; to
include a built-in user interface and application programming interface (API) to
facilitate age verification within the operating system and other applications
downloaded to the device. Covered application stores are also obligated to
receive and act on these age-range signals.&lt;/p&gt;
&lt;p&gt;California Civil Code Section 1798.500(g) [4] defines &amp;quot;operating system
provider&amp;quot; as:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;…a person or entity that develops, licenses, or controls the operating system
software on a computer, mobile device, or any other general purpose computing
device.&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;This broad definition raises complex compliance questions across the operating
system ecosystem due to the diverse range of OS licensing -- most obviously
within open source projects such as Linux.&lt;/p&gt;
&lt;p&gt;Penalties are harsh with maximum penalties of $2,500 per child for each negligent
violation and $7,500 per child for every intentional violation.&lt;/p&gt;
&lt;p&gt;However, the bill does make provisions for providers making &amp;quot;good faith&amp;quot;
compliance efforts:&lt;/p&gt;
&lt;p&gt;California Civil Code Section 1798.503(b) [4]:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;&amp;quot;An operating system provider or a covered application store that makes a good
faith effort to comply with this title, taking into consideration available
technology and any reasonable technical limitations or outages, shall not be
liable for an erroneous signal indicating a user&apos;s age range or any conduct by
a developer that receives a signal indicating a user&apos;s age range.&amp;quot;&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;h3&gt;AB 566: California Opt Me Out Act&lt;/h3&gt;
&lt;p&gt;&lt;em&gt;Full Bill Text [5]: &lt;a href=&quot;https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202520260AB566&quot;&gt;https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202520260AB566&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;This bill adds section 1798.136 to the California Civil Code (home of the CCPA),
relating to privacy.&lt;/p&gt;
&lt;p&gt;The purpose of the bill is to make the process of opting-out of data collection,
sharing, &amp;amp; selling more accessible.&lt;/p&gt;
&lt;p&gt;Beginning January 1, 2027, businesses developing/maintaining a web browser MUST
include user-configurable functionality to automatically send an &amp;quot;opt-out
preference signal&amp;quot; to businesses interacted with via the browser [5].&lt;/p&gt;
&lt;p&gt;It&apos;s worth mentioning that aside from Google Chrome -- the world&apos;s most popular
browser -- the majority of modern web browsers already support this using
&lt;strong&gt;Global Privacy Control (GPC)&lt;/strong&gt; signals [6][7]. In this case, it appears the
State of California is forcing Google&apos;s hand.&lt;/p&gt;
&lt;p&gt;GPC is similar to the now-deprecated &lt;em&gt;Do Not Track (DNT)&lt;/em&gt; browser feature, which
usually went ignored by third parties receiving the signal. GPC now supersedes
DNT.&lt;/p&gt;
&lt;p&gt;Regulatory pushes behind California&apos;s CCPA and the EU&apos;s GDPR are largely
responsible for the development of GPC. Pursuant to the CCPA, GPC communicates a
&amp;quot;Do Not Sell or Share&amp;quot; request from a user&apos;s browser to third parties. It is
likely that GPC will be utilized to implement this &amp;quot;opt-out preference signal&amp;quot; in
Chrome and other browsers.&lt;/p&gt;
&lt;p&gt;To privacy advocates, this is a positive stride. Though, without
jurisdiction-dependent regulatory &amp;amp; transparency measures, whether parties
&lt;em&gt;receiving&lt;/em&gt; these signals will actually act in accordance with user opt-out
preferences is ultimately unknown. In California, such measures are mandated
under the CCPA.&lt;/p&gt;
&lt;h2&gt;Other Notable Legislation&lt;/h2&gt;
&lt;p&gt;The following is a brief run-down of all other legislation relevant to
information security passed as of October 13th (closing day).&lt;/p&gt;
&lt;p&gt;Inclusion of items within this list -- as opposed to full stories above -- is
NOT meant to discount their impact. This legislation has been broad and
all-encompassing, therefore I chose what I felt to be the most impactful.&lt;/p&gt;
&lt;p&gt;AI&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Amendment to the California AI Transparency Act (Assembly Bill 853)
&lt;ul&gt;
&lt;li&gt;Delays the effective operation of the California AI Transparency Act until
August 2, 2026 (from January 1, 2026).&lt;/li&gt;
&lt;li&gt;Adds whistleblower protections.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;CONTEXT&lt;/strong&gt;: What is the California AI Transparency Act?
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202320240SB942&quot;&gt;https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202320240SB942&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;AI and Law&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Targeted restriction of a specific type of legal defense argued in court cases
involving AI (Assembly Bill 316)
&lt;a href=&quot;https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202520260AB316&quot;&gt;https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202520260AB316&lt;/a&gt;
&lt;ul&gt;
&lt;li&gt;Defendants having &amp;quot;developed, modified, or used&amp;quot; AI cannot assert &amp;quot;a defense
that the artificial intelligence autonomously caused the harm to the
plaintiff.&amp;quot;&lt;/li&gt;
&lt;li&gt;In simple terms: If the output of an AI agent causes harm to an individual
(within the state of California), the service provider -- NOT the AI agent
itself -- will be held directly responsible.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Non-AI (These directly mandate the inclusion of additional FEATURES in existing
software/tech stacks)&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Social Media Warning Law (Assembly Bill 56)
&lt;a href=&quot;https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202520260AB56&quot;&gt;https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202520260AB56&lt;/a&gt;
&lt;ul&gt;
&lt;li&gt;This is implemented under the Health &amp;amp; Safety Code of California&lt;/li&gt;
&lt;li&gt;Platforms, as defined in this bill, will have to implement
notifications/warnings occurring at regular intervals. The intention is to
combat social media addiction.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;Connected Device Protection Requests (Senate Bill 50)
&lt;a href=&quot;https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202520260SB50&quot;&gt;https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202520260SB50&lt;/a&gt;
&lt;ul&gt;
&lt;li&gt;48 hour period.&lt;/li&gt;
&lt;li&gt;Stalker-prevention.&lt;/li&gt;
&lt;li&gt;It will likely have cross-jurisdictional implementation.&lt;/li&gt;
&lt;li&gt;This is a bit similar to the California Opt Out Act with the browser feature
mandates.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;Accessible Account Cancellation (Assembly Bill 656)
&lt;a href=&quot;https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202520260AB656&quot;&gt;https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202520260AB656&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Data Broker Regulations and Required Registration in the State of California
(Senate Bill 361)
&lt;a href=&quot;https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202520260SB361&quot;&gt;https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202520260SB361&lt;/a&gt;
&lt;ul&gt;
&lt;li&gt;This is compelling if California releases publicly proprietary
normally-private info on these data brokers.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;Deepfake Pornography (Assembly Bill 621)
&lt;a href=&quot;https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202520260AB621&quot;&gt;https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202520260AB621&lt;/a&gt;
&lt;ul&gt;
&lt;li&gt;Expands liability for distributing nonconsensual sexually explicit deepfakes.
There may be utility in leveraging this alongside AB 316&apos;s restriction on the
&amp;quot;the AI did it autonomously&amp;quot; defense.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Analyst&apos;s Comments&lt;/h2&gt;
&lt;p&gt;Taken together, this package raises real compliance burdens for large AI
developers and sets new guardrails on chatbots, breach response, youth safety,
and consumer privacy. Because of California&apos;s economic weight, expect spillover
well beyond state lines: multi-state operators will likely just adopt the
California baseline rather than fragment their products.&lt;/p&gt;
&lt;h3&gt;Key judgments&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;SB 53 concentrates its obligations on a small handful of large providers --
but don&apos;t expect the 10^26 compute and $500M revenue thresholds to sit still.
As training practices shift (iterative fine-tuning, RL on top of prior
models), the covered population could grow, and the bill&apos;s own text openly
anticipates expanding to smaller developers later.&lt;/li&gt;
&lt;li&gt;SB 243&apos;s private right of action ($1,000 per violation plus attorney&apos;s fees)
is the sharpest enforcement tool in the package. Product teams should also
watch the &amp;quot;companion chatbot&amp;quot; definition edges -- a productivity bot that
picks up enough personality and memory could creep into covered territory
without anyone deciding it should.&lt;/li&gt;
&lt;li&gt;SB 446&apos;s hard 30-day clock will force incident-response playbooks to be
rewritten. The law-enforcement and scope-determination exceptions remain, but
organizations leaning on them should expect to document that reliance
carefully.&lt;/li&gt;
&lt;li&gt;AB 1043&apos;s OS-level mandate collides with how operating systems are actually
governed -- especially open-source distributions -- and will likely need
interpretive guidance before 2027. And while AB 566 mandates browser-side
opt-out signals, whether downstream data receivers &lt;em&gt;honor&lt;/em&gt; them still depends
on enforcement.&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Indicators to watch&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;Agency rulemaking clarifying SB 53&apos;s documentation expectations, and how
&amp;quot;material modifications&amp;quot; fold into the compute threshold.&lt;/li&gt;
&lt;li&gt;The first public operator reports under SB 243, and any enforcement actions
or private suits tied to inadequate protocols.&lt;/li&gt;
&lt;li&gt;Attorney General guidance or actions referencing SB 446&apos;s 30-day clock.&lt;/li&gt;
&lt;li&gt;OS and browser vendor roadmaps for age signaling and opt-out preference
support ahead of the 2027 deadlines.&lt;/li&gt;
&lt;li&gt;Legislative follow-ons expanding coverage to smaller AI developers.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Sources&lt;/h2&gt;
&lt;p&gt;[1] &amp;quot;Joint California Policy Working Group on AI Frontier Models&amp;quot;
&lt;a href=&quot;https://www.cafrontieraigov.org/&quot;&gt;https://www.cafrontieraigov.org/&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;[2] &amp;quot;The California Report on Frontier AI Policy&amp;quot;
&lt;a href=&quot;https://www.gov.ca.gov/wp-content/uploads/2025/06/June-17-2025-%E2%80%93-The-California-Report-on-Frontier-AI-Policy.pdf&quot;&gt;https://www.gov.ca.gov/wp-content/uploads/2025/06/June-17-2025-–-The-California-Report-on-Frontier-AI-Policy.pdf&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;[3] California Legislative Information -- Senate Bill No. 53 &amp;quot;Transparency in
Frontier Artificial Intelligence Act&amp;quot;
&lt;a href=&quot;https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202520260SB53&quot;&gt;https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202520260SB53&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;[4] California Legislative Information -- Assembly Bill No. 1043 &amp;quot;Digital Age
Assurance Act&amp;quot;
&lt;a href=&quot;https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202520260AB1043&quot;&gt;https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202520260AB1043&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;[5] California Legislative Information -- Assembly Bill No. 566 &amp;quot;California Opt
Me Out Act&amp;quot;
&lt;a href=&quot;https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202520260AB566&quot;&gt;https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202520260AB566&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;[6] &amp;quot;What is GPC?&amp;quot; &lt;a href=&quot;https://oag.ca.gov/privacy/ccpa/gpc&quot;&gt;https://oag.ca.gov/privacy/ccpa/gpc&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;[7] GlobalPrivacyControl &lt;a href=&quot;https://globalprivacycontrol.org/&quot;&gt;https://globalprivacycontrol.org/&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;[8] California Legislative Information -- Assembly Bill No. 56 &amp;quot;Social Media
Warning Law&amp;quot;
&lt;a href=&quot;https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202520260AB56&quot;&gt;https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202520260AB56&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;[9] California Legislative Information -- Senate Bill No. 446 &amp;quot;Data breaches:
customer notification&amp;quot;
&lt;a href=&quot;https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202520260SB446&quot;&gt;https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202520260SB446&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;[10] California Legislative Information -- Senate Bill No. 243 &amp;quot;Companion
chatbots.&amp;quot;
&lt;a href=&quot;https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202520260SB243&quot;&gt;https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202520260SB243&lt;/a&gt;&lt;/p&gt;
</content:encoded></item><item><title>What IS the Dark Web Anyway?</title><link>https://r3b1s.pages.dev/blog/dark-web</link><guid isPermaLink="true">https://r3b1s.pages.dev/blog/dark-web</guid><pubDate>Mon, 18 Aug 2025 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;What imagery does the phrase &amp;quot;Dark Web&amp;quot; evoke in your mind?&lt;/p&gt;
&lt;p&gt;To most, the Dark Web is an urban legend -- a monster hiding under the bed,
a space normally safe and purposeful turned enigmatic and sinister. In the last
twenty years the term has become a catch-all scapegoat whenever hidden, illicit
activity is uncovered online. I&apos;d like to demystify that notion. Would you be
surprised to learn that crime is a far cry from the original intent behind the
technologies making up most of the Dark Web?&lt;/p&gt;
&lt;p&gt;What if this shadowy back alley is one of the last places you can walk unseen?
One of the few online spaces where a semblance of privacy, anonymity, and freedom
of speech persist? This is the first in a series of articles on the Dark Web,
Darknets, and enhancing one&apos;s privacy online.&lt;/p&gt;
&lt;p&gt;&amp;lt;figure style=&amp;quot;--ar:1/1&amp;quot;&amp;gt;
&amp;lt;img src=&amp;quot;https://raw.githubusercontent.com/reg1z/pics/refs/heads/main/darkweb1.webp&amp;quot; alt=&amp;quot;Stylized illustration of the dark web&amp;quot;&amp;gt;
&amp;lt;/figure&amp;gt;&lt;/p&gt;
&lt;h2&gt;Legitimate Uses of the Dark Web&lt;/h2&gt;
&lt;p&gt;Culturally, the Dark Web isn&apos;t often associated with lawful activities -- and
for good reason, given the amount of prominent crime that occurs there. Despite
that, Darknets remain useful tools for many legitimate purposes. Tor, for
instance, was built not to facilitate crime but to prevent surveillance and
tracking.&lt;/p&gt;
&lt;p&gt;The Dark Web can be used for:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Privacy&lt;/strong&gt; -- control over access to one&apos;s personal data, especially
powerful in authoritarian contexts.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Anonymity&lt;/strong&gt; -- a distinct concept often conflated with privacy: the
freedom to act without those actions being linked to your identity.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Freedom of speech&lt;/strong&gt; -- as close to a guarantee as one can get online,
once confidentiality and integrity are built into the protocol itself. This
enables censorship circumvention, protection of dissidents, whistle-blowing,
privacy-oriented marketplaces, and OSINT research -- though it can just as
easily facilitate mis- and disinformation, so question every source.&lt;/li&gt;
&lt;/ul&gt;
&lt;blockquote&gt;
&lt;p&gt;This article is not a guide or &amp;quot;how-to&amp;quot; for any particular
activity; it simply aims to communicate the legitimate, ethical use of the Dark
Web as a resource.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;h2&gt;The Surface Web, and What Lies Under&lt;/h2&gt;
&lt;p&gt;When people think of accessing the Dark Web, the first thought is usually the
Tor Browser. Tor has become virtually synonymous with the Dark Web, when in fact
the Tor network is only one Darknet used to anonymize traffic. But what is a
Darknet? First, some key terms:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;World Wide Web&lt;/strong&gt; -- the internet as accessed through a browser.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Surface Web&lt;/strong&gt; -- the portion of the Web that is (or can be) indexed by
standard search engines; the easiest part to access.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Deep Web&lt;/strong&gt; -- the portion NOT indexed by search engines: backend
dashboards, databases, anything private and otherwise inaccessible.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Dark Web&lt;/strong&gt; -- the portions of the Web hosted on individual Darknets.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Because the Dark Web isn&apos;t indexable by standard search engines, it can be
considered to exist nested within the Deep Web.&lt;/p&gt;
&lt;p&gt;&amp;lt;figure style=&amp;quot;--ar:2/3&amp;quot;&amp;gt;
&amp;lt;img src=&amp;quot;https://raw.githubusercontent.com/reg1z/pics/refs/heads/main/DarkwebIceberg.webp&amp;quot; alt=&amp;quot;Iceberg diagram showing the surface web, deep web, and dark web&amp;quot;&amp;gt;
&amp;lt;/figure&amp;gt;&lt;/p&gt;
&lt;h2&gt;Darknets: Building Blocks of the Dark Web&lt;/h2&gt;
&lt;h3&gt;Clearnets&lt;/h3&gt;
&lt;p&gt;Clearnets comprise the default &amp;quot;layer&amp;quot; of the Web most people are accustomed
to. Communication on a Clearnet is usually not anonymous or privacy-friendly --
most sites fingerprint users through IP address, screen size, and more. A
Clearnet is the polar opposite of a Darknet; the Surface Web can itself be
thought of as one very large Clearnet.&lt;/p&gt;
&lt;h3&gt;Darknets&lt;/h3&gt;
&lt;p&gt;A Darknet is an overlay network layered on top of existing communication
protocols, providing anonymity, privacy, and therefore plausible deniability. It
acts as a &amp;quot;mask&amp;quot; that obfuscates information tied to the user, often running on
network segments that would otherwise be part of a Clearnet.&lt;/p&gt;
&lt;p&gt;How much anonymity a Darknet actually guarantees depends on how its protocols
and software were designed -- usually informed by a threat model for the project.
To access a specific Darknet you need software built for it; Tor uses Onion
Routing (hence &amp;quot;The Onion Router&amp;quot;) and requires the Tor Browser or an equivalent
purpose-built client.&lt;/p&gt;
&lt;p&gt;For a Darknet to function well it typically needs significant user buy-in.
Tor routes traffic through a randomized sequence of relays run by many different
parties -- some passionate volunteers, others with less clear motivation, which is
worth weighing against your own threat model. A non-exhaustive list of notable
Darknets: Tor, I2P, Hyphanet, GNUnet. Many lesser-known projects exist too, with
varying levels of community support, and plenty have been abandoned outright.&lt;/p&gt;
&lt;h2&gt;Bringing It All Together&lt;/h2&gt;
&lt;p&gt;From a bird&apos;s-eye view, this is the essence of the Dark Web: a grouping of
individual Darknets that are largely segmented from one another, though
intercommunication between them is sometimes possible -- a topic for another
post.&lt;/p&gt;
&lt;p&gt;This was the first in a series on the Dark Web, Darknets, and enhancing your
privacy online. Thanks for reading -- more entries to come.&lt;/p&gt;
&lt;h3&gt;Sources&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https://www.torproject.org/&quot;&gt;The Tor Project&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://tb-manual.torproject.org/&quot;&gt;Tor Browser User Manual&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.whonix.org/wiki/Documentation&quot;&gt;Whonix Documentation&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://geti2p.net/en/&quot;&gt;The Invisible Internet Project (I2P)&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.hyphanet.org/index.html&quot;&gt;Hyphanet&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.gnunet.org/en/index.html&quot;&gt;GNUnet&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://www.privacyguides.org/en/basics/threat-modeling/&quot;&gt;Privacy Guides: Threat Modeling&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;a href=&quot;/blog&quot;&gt;Go back to the index&lt;/a&gt;.&lt;/p&gt;
</content:encoded></item><item><title>Are First Principles Becoming a Distraction?</title><link>https://r3b1s.pages.dev/blog/first-principles-distraction</link><guid isPermaLink="true">https://r3b1s.pages.dev/blog/first-principles-distraction</guid><pubDate>Sun, 01 Jun 2025 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;I&apos;d like to explore the uncertainty many are grappling with in balancing
fundamental understanding against the immediate results enabled by AI tools. For
clarity, I use &amp;quot;first principles&amp;quot; and &amp;quot;fundamentals&amp;quot; interchangeably here.&lt;/p&gt;
&lt;p&gt;Lifelong learning is essential for a lasting infosec career. For the past year
or so, as I&apos;ve worked to expand my knowledge and skill set, I&apos;ve dealt with a
persistent internal dilemma.&lt;/p&gt;
&lt;p&gt;I like to know the bare truth behind systems -- &lt;em&gt;how&lt;/em&gt; individual first
principles come together to make a larger whole. That doesn&apos;t seem like a
problem on its face; the fundamentals are the most important thing, no? At least
that&apos;s what my teachers did their best to hammer home. Lately, that lesson keeps
getting called into question.&lt;/p&gt;
&lt;p&gt;In cybersecurity -- and similarly in many IT fields -- practical necessity often
forces us to learn &lt;strong&gt;tools&lt;/strong&gt; rather than the underlying &lt;strong&gt;first
principles&lt;/strong&gt;. The industry is results-oriented: knowing how to quickly secure
systems, respond to incidents, or manage infrastructure often matters more
immediately than grasping the theory behind every practice. That pragmatism isn&apos;t
inherently flawed -- it&apos;s effective -- but it creates tension around long-term
retention and adaptability. As AI tooling grows more sophisticated, it becomes
even easier to focus purely on immediate outcomes at the expense of deeper
understanding.&lt;/p&gt;
&lt;p&gt;First principles remain of extreme importance -- you need some understanding
of a system before you can truly validate its safety. That said, there&apos;s no such
thing as a &amp;quot;perfect&amp;quot; security attestation. Security is fluid, and ensuring it
requires ongoing vigilance. So we rely on our tools to get the job done, because
we often have little time for much else.&lt;/p&gt;
&lt;p&gt;More and more, we&apos;re outsourcing our understanding of a domain to the LLM.
What use is there in cognitively front-loading all the fundamentals when the
model can worry about them? And if it doesn&apos;t have the capability, can&apos;t you just
fill the gaps as needed?&lt;/p&gt;
&lt;p&gt;Students and knowledge workers in IT-oriented fields face this dilemma as the
age of AI progresses. The value of putting in the effort to learn first
principles versus relying on outsourced intelligence is genuinely difficult to
calculate, and it&apos;s always in flux as model capability continues to enable more
sophisticated agentic behavior.&lt;/p&gt;
&lt;p&gt;On one hand, AI tooling can show you the bigger picture -- it can augment your
ability to understand fundamentals; it&apos;s an amazing learning tool. On the other,
it gives you an intelligent cudgel to smash problems with: tell it to do Z without
knowing X and Y yourself, because it already has the information it needs --
usually.&lt;/p&gt;
&lt;p&gt;It&apos;s hard to avoid the sentiment online that young and future generations
could be at a career disadvantage as AI capability outpaces the rate at which
humans acquire similar skills. Optimists claim AI will merely automate the boring
parts, freeing cognitive space for what only humans are good at. There&apos;s no
telling whether that will hold. And there lies the dilemma -- at this point, it&apos;s
impossible to know.&lt;/p&gt;
&lt;p&gt;I don&apos;t mean to portray AI tools negatively; they&apos;ve been of great use to me.
Still, whenever I&apos;m studying on my own -- the fundamentals of some IT domain, a
programming language -- I find myself asking: are first principles becoming
distractions? Am I wasting time mastering them while others leap into AI tools and
find rapid success? Would diving straight into results-oriented projects offer a
faster, equally robust understanding? And how does relying on these models square
with personal privacy, given how often they handle sensitive data behind closed
doors without clear guarantees of trust?&lt;/p&gt;
&lt;p&gt;It&apos;s a real rabbit hole. I remain resolved that an understanding of first
principles will always matter, and that some measure of human intervention in our
systems will always be necessary -- but I grow uncertain how practical and
feasible they&apos;ll remain as time passes.&lt;/p&gt;
&lt;p&gt;Are these tools changing how you learn, or how you approach problems? Do you
feel over-reliant at all? What are your feelings on the bigger picture?&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;/blog&quot;&gt;Go back to the index&lt;/a&gt;.&lt;/p&gt;
</content:encoded></item><item><title>Preparing for a Blue Team Competition</title><link>https://r3b1s.pages.dev/blog/blue-team</link><guid isPermaLink="true">https://r3b1s.pages.dev/blog/blue-team</guid><pubDate>Thu, 27 Feb 2025 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;This past February, I began volunteering in WGU&apos;s Cyber Club, which afforded
the opportunity to participate in the
&lt;a href=&quot;https://www.ncaecybergames.org/&quot;&gt;2025 NCAE Cybergames&lt;/a&gt; -- a
single-day, blue-team-oriented competition aimed at first-time competitors. This
is one of my first experiences on a team-based defensive engagement like this.
Our teams hadn&apos;t yet competed but had been hard at work preparing.&lt;/p&gt;
&lt;p&gt;The NCAE has its own
&lt;a href=&quot;https://www.ncaecybergames.org/tutorials/&quot;&gt;YouTube playlist&lt;/a&gt; covering
fundamental Linux skills -- high-level, comprehensive, and lengthy. It&apos;s a great
introduction, but it doesn&apos;t hint at the vast amount of other knowledge a team
might want after watching.&lt;/p&gt;
&lt;p&gt;With a background in software development, I&apos;d call myself fairly capable at
the terminal, but nothing truly prepared me for the open-endedness of all the
potential skills a team could bring in. There&apos;s an overwhelming number of
approaches to take, which made it hard to land on any single &amp;quot;comprehensive&amp;quot;
practice plan -- so, alongside my own research, I sought the help of others. Here&apos;s
what they told me. This competition mostly uses Linux hosts, so I don&apos;t give
Windows-specific advice below.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Credits&lt;/strong&gt; -- thanks to &lt;strong&gt;w33t&lt;/strong&gt;
(&lt;a href=&quot;https://w33t.io/&quot;&gt;w33t.io&lt;/a&gt;) and &lt;strong&gt;echotango&lt;/strong&gt; for taking the time
to offer their expertise.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;h2&gt;Core Skills&lt;/h2&gt;
&lt;h3&gt;0) Research / OSINT Skills&lt;/h3&gt;
&lt;p&gt;Knowing how to quickly and tactically prompt search engines and other tools
gets you needed information fast -- and knowing when to question the results
matters just as much. This isn&apos;t &amp;quot;formal&amp;quot; research, it&apos;s the proverbial
google-fu. When you don&apos;t know something, be prepared to figure it out on the
fly.&lt;/p&gt;
&lt;h3&gt;1) Conceptual Knowledge&lt;/h3&gt;
&lt;p&gt;Fundamental concepts and frameworks within networking and security. Without at
least a surface-level understanding of these, it&apos;s hard to communicate with
teammates about specific elements of the engagement.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The TCP/IP model -- the OSI model, while popular, isn&apos;t how the internet
actually works (ask John Strand).&lt;/li&gt;
&lt;li&gt;Least privilege&lt;/li&gt;
&lt;li&gt;System monitoring&lt;/li&gt;
&lt;li&gt;Network monitoring&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;2) Linux Fundamentals&lt;/h3&gt;
&lt;p&gt;In a competition like this, you&apos;ll feel dead in the water without rudimentary
command-line knowledge. Ideally you&apos;ll have some passing knowledge of the system
as a whole. Roughly in priority order:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Navigating the filesystem -- &lt;code&gt;cd&lt;/code&gt;, &lt;code&gt;ls&lt;/code&gt;,
&lt;code&gt;cat&lt;/code&gt;, &lt;code&gt;cp&lt;/code&gt;, &lt;code&gt;mv&lt;/code&gt;, and a basic understanding
of the
&lt;a href=&quot;https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard&quot;&gt;Filesystem Hierarchy Standard&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;Bash -- overall syntax, operators, stdout vs. stdin vs. stderr, input/output
redirection, piping.&lt;/li&gt;
&lt;li&gt;Users and groups; &lt;code&gt;sudo&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;Process management -- &lt;code&gt;ps&lt;/code&gt;, &lt;code&gt;kill&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;Service configuration -- systemctl, systemd (to a minimal extent).&lt;/li&gt;
&lt;li&gt;Networking and protocols -- opening/closing ports, DNS configuration (the
NCAE uses &lt;code&gt;bind&lt;/code&gt; in its tutorials), routing.&lt;/li&gt;
&lt;/ol&gt;
&lt;h3&gt;3) Knowledge of Communication Protocols&lt;/h3&gt;
&lt;p&gt;Some of the Linux skills above require familiarity with widely used protocols.
If you&apos;re touching network configuration, you&apos;ll need to understand what you&apos;re
working with -- though a comprehensive knowledge of each protocol isn&apos;t required,
just enough to acquire the skills necessary to protect your environment.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Know these no matter what:&lt;/strong&gt; TCP, UDP, IP (v4, and v6 if in scope),
ICMP, SSH.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Know what these are, tailored to your role:&lt;/strong&gt; DNS, FTP, SSL/TLS.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;May not always apply, depends on the scenario:&lt;/strong&gt; NFS, SMB, Syslog.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Gaining a Competitive Edge&lt;/h2&gt;
&lt;p&gt;This is a bare-bones list -- dive deeper into each topic, ideally with direct
advice from someone more experienced, if you want competitive results.&lt;/p&gt;
&lt;p&gt;In the NCAE, teams get external network access and few restrictions on tools
they import, as long as everything used is disclosed or already public. Don&apos;t
assume you can bring in any cutting-edge defensive solution, though -- you rarely
know the state of each endpoint. The NCAE&apos;s practice environment uses Kali Linux
2021.1 as its attack box, a rolling distribution whose package repos will refuse
to install onto such an out-of-date system anyway. That&apos;s seemingly by design: the
organizers want you to get creative, so much so that in cases like this they&apos;ll
downright force you to.&lt;/p&gt;
&lt;p&gt;Realizing this, our teams started brainstorming, with more help from w33t and
echotango. This is a growing list, in no particular order:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;A shared cloud sandbox for practice&lt;/strong&gt; -- Digital Ocean + Terraform?&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;A list of IoCs to triage&lt;/strong&gt; -- which indicators of compromise carry the
largest risk? &lt;code&gt;netstat&lt;/code&gt; and &lt;code&gt;ss&lt;/code&gt; are good for spotting
some of them.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Pre-built scripts &amp;amp; configs&lt;/strong&gt; -- an Ansible playbook (run over SSH
from a player&apos;s own machine, for compatibility) to set up user accounts, groups,
and least-privilege permissions; pre-built bash scripts for initial setup; a
secure SSH config; a vulnerability-analysis script.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;System &amp;amp; network monitoring&lt;/strong&gt; -- syslog for simple, compatible
monitoring, ideally automated.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Deterrence&lt;/strong&gt; -- per-host firewalls (iptables/ufw) where available.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Operational security&lt;/strong&gt; -- unique, memorized passwords with a backup in
case of compromise; a secure way to share them; SSH keys used with extreme
caution on potentially vulnerable hosts; regular backups, or at least a SHA256
hash to verify integrity before trusting one.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Least privilege&lt;/strong&gt; -- tailor folder and file permissions to specific
roles.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Monitoring processes&lt;/strong&gt; -- &lt;code&gt;lsof -i -n&lt;/code&gt; and &lt;code&gt;lsof -p &amp;lt;pid&amp;gt;&lt;/code&gt;
to find open backdoors, &lt;code&gt;ls /proc&lt;/code&gt; and
&lt;code&gt;/proc/&amp;lt;pid&amp;gt;/cmdline&lt;/code&gt; to trace where a process was invoked,
&lt;code&gt;strings&lt;/code&gt; against a suspicious executable.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Common services worth knowing&lt;/strong&gt;, even unmentioned by organizers -- nginx,
SQL/Postgres/Flask, certbot (dry-run first to avoid rate limits).&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Roles and an engagement playbook were both still
work-in-progress at the time of writing -- delegating tasks (someone watching
connections for intrusions, and so on), and a roughly ordered sequence of steps to
run through on connecting to the environment: get &lt;code&gt;spice-vdagent&lt;/code&gt;
working for shared clipboard, get accounts provisioned fast, open external access
through the router first, run the Ansible playbooks over SSH, inventory and
vuln-scan every host, take manual rsync backups, remediate and harden, then stand
up monitoring. Coordination is the constant: make sure your actions don&apos;t conflict
with a teammate&apos;s.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Two general tips:&lt;/strong&gt; with this many options, don&apos;t consider too many at
once -- pick a tool to get experience with it, and move on if it isn&apos;t working out.
And the Black Team is usually there to help when needed.&lt;/p&gt;
&lt;h2&gt;Fin&lt;/h2&gt;
&lt;p&gt;That&apos;s all I have for now, but I&apos;ll keep updating as preparations continue.
There&apos;s much more I could cover in preparing for an event like this, but as is
always the case in security, staying current means always learning. Security is
never a guarantee -- all you can do is build the best castle you can, repair your
walls as needed, and hope your enemies don&apos;t bring a trebuchet.&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;/blog&quot;&gt;Go back to the index&lt;/a&gt;.&lt;/p&gt;
</content:encoded></item></channel></rss>