Internet 2.0: Ongoing analysis and response
Edward Farrell
Cyber security nerd, Director, Advisor, Industry Fellow @ UNSW Canberra, Annoying Gadfly
Earlier this week a colleague passed over to me a post published by Internet 2.0 in March 2024 as a response to our publication of a report highlighting vulnerabilities in their product. I wanted to analyse their response as to why our analysis was misleading and incorrect.
Their post is available via the following URL:
Our report is available via the following URL:
The claim & our analysis
Internet 2.0 had claimed that :
the old 2021 Azure image he based most of his [Mercurys] report on was never used by any customer as it was a pfSense version we were testing during R&D. It was a test image we thought we had removed completely from Azure. Azure is hard to use and there was a toggle we honestly forgot to click which would have permanently deleted it
Internet 2.0 have claimed that system was used purely for research and development purposes in 2021. An analysis of the Internet Archive indicates that the Azure instance was actively marketed throughout 2022. This can be identified by the following URL:
The archived site contains a link to the azure marketplace instance that formed part of our analysis. The presence of this URL is inconsistent with their statement that the product was simply a test instance from 2021 that they forgot about because Azure was hard to use. The following URL associated with the alleged 2021 R&D instance can be seen in the page:
As late as March 2023 the organisation still had a logo "I20-Azure-400x284.png" in their website collateral. The use of Azure was still referenced in their white papers from July 2023 as is references to the cloaking firewall being patented and built by the organisation, available on their website and home affairs:
领英推荐
I assess the claim that this was a test instance is inaccurate, given the link to the Azure edition of the cloaking firewall was actively marketed throughout 2022, and possibly into 2023 with no readily identifiable replacement provided. Significant changes were made to the site in March 2023, indicating that the Azure product may have no longer been actively marketed. No mention on their website of the ISO install was observed outside of their March 2024 post, so there is also the concern, how did they guide prospective clients onto this instance?
I also observed that none of our other items we've raised in our report have been disputed including the claims of unique or patented technologies.
A change in tone
Analysing their March 2024 statement, it appears that the messaging has now gone towards "we sell OPNSense licences" as opposed to their earlier statements of "military grade patented technology [we built]." This observation is reinforced by the fact that patents no longer form part of their marketing materials alongside other drastic changes to their advertising.
I am curious if this change of tone is a reflection of our report or if significant changes to marketing have taken place, noting the evolution of their site between October 2023 when we first published and the current date.
ad hominem
Internet 2.0 have claimed this is personal which, to an extent, it is. I believe that a level of integrity needs to be maintained in our role as cyber security professionals to enable us to do our jobs with due care and skill. I have not seen these qualities exhibited in the product, much less the response provided by Internet 2.0 or throughout their conduct.
Where possible I have sought to be as objective as possible in my analysis and work over the years. Our analysis of TikTok and other social media platforms had identified a consistent pattern of behaviour across all the platforms which was identified in our report in early 2023. I have no personal investment in TikTok; my greater concern is that negligible technical risks have overshadowed the greater risk of social disconnection, and as a result of fear mongering western governments has been actively disengaged in social media, only leaving the void to be filled by our adversaries.
As to weather I or my business have suffered reputational damage or not, both still have an established presence in the market and Mercury itself has maintained strong growth since the publication of our report.
I was also at one point threatened to be losing my role with ISC2 and at ADFA by a member of Internet 2.0 since our publication in October 2023, however none of these have come to pass.
A request....
if anyone has a hardware instance of the military grade cloaking firewall from before 2022/2023, I'd appreciate an opportunity to conduct an analysis. Something I've been dwelling on is an observation from our report as well as a comment made from someone else was to do a dive in the pfSense+ licensing on the hardware based system, and ideally 2x instances to compare.
Consistently curious creature of creation. Harmless hacker helping humans. The least metal metal guy you'll meet. Growing Gigabuddy to help the humans win (and having fun while doing it).
7 个月lol what. Gotta love vendor gaslighting. Well handled Edward Farrell ! ??
securitribe | vCISO | ISO27001 | Security Architect
8 个月Great continuation of this story, Edward. I find it hilarious that an organisation that builds firewalls, arguably a very complex effort, have issues with Azure being "difficult" to use. That says a lot about their technical ability, and integrity, blaming the tools instead of their internal process and quality control.