

hey
make yourself at home. poke around, read my notes, open everything, take out my trash? 👀
jk brb.
— drea
p.s. it's always 2003 in The Burrow, so some of these files shouldn't even EXIST. and yet...







set up homelab
finally launch The Burrow
click the link aunt carol sent
push risk assessment to github
pick up dry cleaning
build a cyberdeck (?)
renew library book
install linux
the mansion
sherwood drive
milton keynes
mk3 6eb
Real-world examples
So what IS encrypted? Content
What's NOT encrypted? Metadata
Real-world example
On May 12, 2017, a ransomware worm called WannaCry was tearing through 150 countries and crippling the UK's National Health Service among many other victims. A 22-year-old British researcher named Marcus Hutchins was reverse engineering a sample from his bedroom when he noticed the malware was making a query to an unregistered domain before executing. He registered the domain for $10.69 which triggered a kill switch that had been built into the code and stopped the attack from spreading further. Within hours, WannaCry was contained and affected computers began recovering. He worked with the UK's National Cyber Security Centre and his US-based employer Kryptos Logic over the following days to keep the kill switch domain online and prevent a second wave. He was widely regarded as the hacker who saved the internet.
Three months later, the FBI arrested him at the Las Vegas airport as he was leaving DEFCON to fly home to the UK. The charges had nothing to do with WannaCry. The US Department of Justice indicted him on ten counts under the Computer Fraud and Abuse Act and the Wiretap Act related to creating, advertising, and selling Kronos, a banking trojan he had worked on years earlier as a teenager, and a related piece of malware called UPAS Kit. Kronos was sold by an unidentified co-conspirator known online as "Vinny" on dark web forums and was used by criminals to steal banking credentials from victims primarily in the UK and India and later spread globally. Hutchins spent over a year on bail in Los Angeles before pleading guilty to two counts and receiving time served. The other eight counts were dropped.
What the CFAA is
The Computer Fraud and Abuse Act is a US federal law passed in 1986. It is the central statute the US uses to prosecute computer crime, criminalizing unauthorized access to a computer, transmitting code with intent to damage a protected computer, password trafficking, and computer-related fraud. The CFAA defines a "protected computer" as any computer used in or affecting interstate or foreign commerce, which courts have interpreted to cover essentially any computer connected to the internet.
The CFAA does not criminalize writing malware. Creating malicious code is protected speech in the US. Selling and distributing malware to people you know will use it for crimes is criminal under 18 U.S.C. § 2512 which prohibits the manufacture, distribution, and advertising of devices "primarily useful" for intercepting electronic communications. The Wiretap Act (18 U.S.C. § 2511) makes it illegal to intentionally intercept electronic communications without permission.
Federal prosecutors typically combine the CFAA with §2512, the Wiretap Act, conspiracy, and wire fraud to build cases around one event, a practice known as charge stacking.
Critique of the CFAA
The DOJ misrepresents writing as a crime
The DOJ's press release announcing Hutchins's plea was titled "Marcus Hutchins Pleads Guilty to Creating and Distributing the Kronos Banking Trojan." Creating malware is not a crime although selling it to people you know are criminals is. The framing misrepresents the law.
Vague intent and authorization standards
Core CFAA terms like "intent to cause damage," "exceeding authorized access," and "protected computer" have never been clearly defined by Congress or consistently interpreted by courts. Prosecutors decide what counts as criminal after the fact when beneficial for their case. Researchers cannot always predict whether their work will be charged.
Charge stacking creates plea pressure
Federal prosecutors slice one crime into multiple counts under multiple statutes. Hutchins faced ten counts under the CFAA, the Wiretap Act, §2512, conspiracy, and wire fraud for what was essentially one criminal partnership with Vinny. Maximum exposure: 40 years. In these scenarios even defendants with viable defenses plead. Stacking is legal under the Blockburger test which says that the same conduct can be charged under multiple statutes as long as each requires proof of at least one element the others don't, yet it produces the punishment that double jeopardy was meant to prevent. This is why it's widely criticized for creating unjust outcomes in federal criminal law as a whole.
The law stays vague on purpose
Pleas avoid trial. Without trials judges are never made to clarify or define what these terms actually mean. Each new researcher facing similar charges has no clearer answer than the last. The vagueness is not a flaw the system is working to fix...it is the leverage the system runs on.
Critique of UK government complicity
GCHQ used him for WannaCry, then let him walk into the arrest
Hutchins worked directly with the UK's National Cyber Security Centre which is part of GCHQ during the WannaCry response. He helped them keep the kill switch online and prevent a second wave. Three months later, GCHQ knew the FBI was investigating him for Kronos and planned to arrest him when he flew to DEFCON. Hutchins was not warned whatsoever. He boarded the flight and was arrested at the Las Vegas airport. The same agency that needed him during the attack stood by while another government grabbed him.
The UK had clear jurisdiction and didn't use it
Hutchins lived in the UK and wrote the code in the UK. The Computer Misuse Act 1990 (the UK's main computer crime law) has covered "making, supplying, or obtaining articles for use in computer misuse offences" since 2006. UK prosecutors had clear authority to charge him but chose not to. Why?
The US could punish him harder
US jurisdiction was based on a small amount of Kronos activity that touched US soil, which was enough under the CFAA's broad "protected computer" definition (any computer connected to the internet). Hutchins faced up to 40 years across his ten US counts under the CFAA. The same conduct under the UK's Computer Misuse Act carries a maximum of two to ten years per offense depending on the section but realistically sentences are much shorter. If anyone in either government wanted Hutchins to actually serve significant time then the US was the venue.
The UK did the US a quiet favor
An anonymous UK government source told The Sunday Times the arrest "freed the British government and intelligence agencies from yet another headache of an extradition battle." The same source added: "Our US partners aren't impressed that some people who they believe to have cases against [them] for computer-related offences have managed to avoid extradition." The UK had repeatedly refused to extradite UK hackers like Gary McKinnon (blocked 2012) and Lauri Love (blocked 2018). Letting the US grab Hutchins on US soil evened the score without the UK government having to formally approve anything.
The UK avoided the political cost of prosecuting a national hero
UK prosecution of Hutchins immediately after WannaCry would have politically been toxic. The press would have run the story of a young man who saved the NHS being charged by that same government for code he wrote as a teenager under blackmail. Public sympathy likely would have been on his side. Also likely, a UK trial produces a light sentence or acquittal. Letting the US prosecute meant the UK government could express "concern" while doing nothing and get the conviction without the political cost. Where someone is prosecuted is not always a legal question but a political one.
Critique of who was charged vs. who wasn't
Out of every actor connected to either Kronos or WannaCry, only one was prosecuted: Hutchins. Everyone with more responsibility either couldn't be reached, was institutionally protected, or worked for the agency that built the exploit in the first place.
Kronos
Hutchins
Wrote the UPAS rootkit foundation around age 17. Refused to write the bank targeting web inject. Helped integrate code from a second programmer when blackmailed. Made approximately $8,000 from five sales of Kronos as of November 2014, according to FBI intercepted chats. Indicted on ten counts:
Pleaded guilty to two (counts 1 and 6). Eight were dropped. Time served.
Vinny
Ran the operation. Marketed Kronos on AlphaBay and Russian forums. Hired and paid the second programmer to write the bank targeting web inject. Blackmailed Hutchins into continuing development by threatening to give his real name and address to the FBI. Took the bulk of the profits. The same indictment that charged Hutchins names Vinny as the unnamed co-conspirator on every count except count 10. Based on the descriptions in court documents, Vinny would face significantly more charges than Hutchins did.
Charges in the indictment (shared with Hutchins):
Additional charges Vinny alone would face based on his conduct:
Federal prosecutors stacked ten counts against Hutchins under the same logic that produces the punishment double jeopardy was meant to prevent. Applying that same logic to Vinny, the operator they say ran the entire enterprise, produces seventeen+ counts and a conservative maximum exposure of around 160 years before any per sale wire fraud or per victim identity theft is fully broken out. Whether the government ever identified him is unknown. What is known is that he was never publicly named and he was never charged.
The unidentified second programmer
Wrote the web inject which was the code that actually made Kronos a banking trojan. Without their work UPAS Kit was just a rootkit not a full bank targeting tool. Based on descriptions in court documents they would face the same §2512 and conspiracy charges Hutchins did in the same range or higher. The stacking math above gives us a sense of what the exposure looks like. Also never publicly identified. Also never charged.
The buyers
People who paid up to $7,000 to use Kronos against actual bank customers. Some buyers were in the US, the UK, India, France, Germany, and Poland. Some were identified by researchers tracking the malware. Most were never charged.
WannaCry
Hutchins
Stopped the attack. Worked with the UK's National Cyber Security Centre on the response FOR FREE with no formal protection or recognition from the UK government. Three months later, he was the only individual federally prosecuted in connection with the WannaCry response on unrelated charges and the same UK government let him fly into FBI hands without warning.
NHS leadership
Ignored a year of NHS Digital patch warnings. The National Audit Office confirmed the attack was preventable. Sir Chris Wormald, the Permanent Secretary at the Department of Health and Social Care, told the Public Accounts Committee in 2018 that "Cyber attacks and cyber crime are a fact of life. You are never completely safe from them, and indeed, if you believed you were completely safe from cyber crime, it would be an extremely bad sign." Nobody at NHS Digital, NHS England, or the Department of Health was fired, charged, fined, or formally disciplined. Instead(!) Sir Chris Wormald was promoted. Despite UK taxpayers paying an additional £196 million for cybersecurity through 2020 after WannaCry, a 2018 parliamentary audit found that all 200 NHS organizations checked still failed cybersecurity checks. The NHS continues to fail its legal obligation to protect patient data and has been breached every year since:
The NSA
Built EternalBlue, the exploit WannaCry depended on. Lost control of it when the Shadow Brokers leaked it in April 2017. No agency accountability and no public investigation.
Lazarus Group
Conducted the actual attack. Out of US legal reach as a North Korean state actor.
Acts of God
When someone as high up as the Permanent Secretary at the UK Department of Health calls cyberattacks "a fact of life," they are making excuses in advance for future preventable vulnerabilities. Yes, breaches happen everywhere but this specific breach happened to the NHS because the NHS specifically ignored its specific patch warnings. "Breaches happen" is not a defense for "this breach has happened to us, again and again, for nearly a decade."
Real-world example
In 2013, documents leaked by Edward Snowden revealed the MUSCULAR program. The NSA and its UK counterpart GCHQ tapped into the private underwater(!) fiber-optic links that connected Google's and Yahoo's data centers around the world. Before your email left Google's network to travel the public internet, it was encrypted. After it left, it was encrypted. But between Google's own data centers, on Google's own private cables, it was not encrypted because Google assumed that network was theirs. The NSA tapped those cables and collected hundreds of millions of records a day. Because the collection was happening outside of the US targeting non-US infrastructure, it required zero warrants, no FISA court approval, and no Section 702 certification. It was done legally under the authority of Executive Order 12333. An actual NSA slide describing the location of the tap had a smiley face drawn on it.
What Executive Order 12333 is
This is an executive order (issued directly by the President without Congress voting on it) by President Reagan on December 4, 1981. It is the foundational authority governing how US intelligence conducts surveillance outside the US against non-US persons. It covers the CIA, NSA, DIA, and the intelligence arms of other agencies when they operate abroad. It came decades before FISA Section 702 (2008) and the Patriot Act (2001) but is still in effect today.
Why "executive order" matters
Section 702, as flawed as it is, does at least have some oversight. Congressional committees, sunset clauses, FISA court review, public debate, etc. EO 12333 has almost none of that. It cannot be modified by Congress because it is an executive order. It has no sunset clause so it never expires and never provides a reauthorization conversation. It is not subject to FISA court review because the FISA court only covers FISA. The intelligence community interprets EO 12333 internally, with the rules for what to do when Americans' data gets swept up set by the agencies themselves. Most of what is done under it is classified. The public has almost no visibility into the largest category of US surveillance.
Legislation from a different time
1981 was before the commercial internet, even before cellphones, before cloud computing, before undersea fiber-optic cables carried the majority of global communications, before Google existed, before email was common, before anyone imagined that a person in Illinois would have their private emails routed through servers in Ireland and back through London. EO 12333 was written for a world of embassies, foreign agents, and cold war intelligence yet is being applied to a world where the physical infrastructure of citizen communications happens to pass through foreign jurisdictions by default. The law has not caught up with the world that exists today. The permissions have not been adjusted...the surveillance has just expanded to fill the technology as it was built.
The exposure
Most corporate data flows through foreign infrastructure at some point. Overseas offices, international customers, cloud providers with servers abroad, and routine traffic that crosses borders invisibly. All of it is potentially exposed to EO 12333 collection, and that exposure cannot be contracted around by any "privacy-focused" company or service. This is part of why Schrems II was decided the way it was: US surveillance law, including the parts the US government would prefer not to discuss, gives intelligence agencies access that violates GDPR standards.
Real-world example
On March 26, 2026, six Democratic lawmakers: Senators Ron Wyden, Alex Padilla, Ed Markey, and Elizabeth Warren, plus Rep. Sara Jacobs and Rep. Pramila Jayapal sent a formal letter to Director of National Intelligence Tulsi Gabbard. The letter asks her to publicly clarify whether Americans who use commercial VPN services are being treated as foreigners for surveillance purposes and so losing their protections under the Fourth Amendment. As of now, Gabbard has not responded. The timing was intentional as the letter was sent while Congress is actively debating Section 702 reauthorization which forces the VPN question into the fight.
The core question
VPNs route internet traffic through servers in other locations to hide a user's real location. That is the point. But under Section 702 the government can obtain foreign communications without a warrant. If an American's traffic exits through a VPN server in Amsterdam, does the intelligence community treat that traffic as Dutch/foreign/okay to collect without a warrant? The lawmakers are asking Gabbard to say publicly whether this is happening or not. If yes, it means a privacy tool is actually stripping Americans of their Fourth Amendment rights. If no, Gabbard should say so on the record.
How Congress forces an answer
This is also a clean example of how Congress actually pulls answers out of the executive branch. You don't ask quietly. You put the question in writing, you make it public, and you time it to a vote that matters, here, Section 702 reauthorization. That way the silence costs something.

Real-world example
Section 702 was supposed to expire April 20, 2026, unless Congress reauthorizes it. As of tonight, the fight is live. The Trump administration pushed for a clean 18-month reauthorization with no changes. House blocked amendments that would have required warrants for searching Americans' data. On April 17, two back-to-back votes failed. Those were 1: a five-year package with modest reforms which collapsed when roughly a dozen Republicans rejected it and 2: the procedural vote for the clean 18 month extension failed 197-228, with 20 Republicans defying Trump and 4 Dems also voting no. Around 2am the House passed a 10 day stopgap, pushing the deadline to April 30. DNI Tulsi Gabbard, who previously opposed 702 as a congresswoman and co-sponsored legislation to repeal it, reversed position again saying warrants should be required for US person queries which goes against Trump. The reform coalition cuts across both parties (Freedom Caucus Republicans plus progressive Democrats). The coalition protecting 702 also spans across both parties. Outcome unclear.
What is Section 702
A surveillance authority passed in 2008 as part of the FISA Amendments Act. It allows the US government to collect emails, phone calls, and text messages of non-US persons located outside of the US without a warrant. Targets are selected by intelligence analysts, not courts. The Attorney General and DNI issue annual "certifications" (very broad/bulk request like "We want to spy on foreign cyber threats") that the FISA court reviews and generally approves. The FISA court does not approve individual targets. Any American who communicates with a foreign target can have their communications swept into the 702 database as "incidental collection."
The loophole
Once Americans' communications are in the 702 database, the FBI can search them for US person information without a warrant. These are called "US person queries" or backdoor searches. The FISA Court found in 2022 that "compliance problems with the FBI's querying of Section 702 information have proven to be persistent and widespread." From 2020 to 2021 alone, the FBI conducted 278,000 noncompliant searches that the DOJ determined violated FBI standards. Documented abuses include searches targeting Black Lives Matter protesters, January 6 participants, a congressional campaign's 19,000 donors, a US Senator, a state senator, and a state judge. A 2024 federal court ruling held that these backdoor searches are unconstitutional and ordinarily require a warrant. Congress has reauthorized 702 multiple times despite the abuses.
Why Europe won't touch US cloud
Section 702 is why US cloud services struggle with EU data protection compliance. The EU's Schrems II ruling in 2020 found that US surveillance law, specifically 702, gives US intelligence agencies too much access to European data, which violates GDPR. Any organization handling EU citizen data through US-based infrastructure is exposed to this, and no contractual clause overrides a surveillance authority like 702.
Real-world example
Switzerland built its reputation as a kind of privacy refuge. Swiss law historically categorized VPN providers differently from telecom providers so VPNs had no logging obligations which is why companies like Proton based themselves there.
What's changing
Switzerland is proposing a revision to the VÜPF that would begin in late 2026:
Why it matters
Proton's response
What is an MLAT
An agreement between two or more countries that allows them to request and share evidence and information for criminal investigations.
What can be requested
Key points
Five Eyes
The most well known is the Five Eyes: an intelligence alliance between the US, UK, Canada, Australia, and New Zealand, sharing since 1946. Wider circles, Nine Eyes and Fourteen Eyes, pull in countries like France, Germany, and the Netherlands. The critique people raise: a government barred from spying on its own citizens can let an ally do it instead, then simply share the results back. The alliance operated secretly for decades until Edward Snowden's bombshell 2013 leaks exposed it. It still operates today in the open.
11 items
select a message
horror_fan_n1k0
oi_ollie
KIRA_from_AOL
JCP__
xX_dial_up_diva_Xx
cyber_kitten_03
Sk8rJake420
hannahparks*
mike_d22
<3sarah
tommy_guns_xD
KatieM_xo
chrisw
RyanFromBioClass
brandon_99
Zer0Cool_99
napster_nikki
DJ_DANNYBOY
emilyxglitter
steph<>
laura_loves_pink
_megan_
xX_AlexTheGreat_Xx
jenny*p
kev_works_at_gap
nicole_xox
MattyIce99
ashleeyy_marie
greg_from_NYU
moms_computer
DO_NOT_ADD_him
The data shown above was transmitted automatically by your browser upon visiting this site. Every website you access receives the same information through a process known as browser fingerprinting. Peek does not collect, store, or transmit any user data.
Peek is a privacy awareness tool used by individuals to identify what data has been exposed without their consent. Mobile devices expose significantly more and pose a greater risk. Learn more →
What just happened
Every time you open a website, your browser quietly hands it a few details: your device, your screen size, your time zone, and your language. You didn't type any of it and you weren't asked, yet it happens on every site you visit by design.
Why it matters
On their own, these details sound harmless, but together they form something like a fingerprint, more than enough to know exactly who you are, name or no name. Collecting this is completely legal, and since the US still has no privacy law covering it, gathering and selling this kind of data is a thriving business (only $200 billion).
Now your phone
Your phone does the same thing, but worse, because it goes everywhere you do. In 2022, the FTC sued a data broker called Kochava for selling the precise location data of hundreds of millions of phones to anyone who would pay. The data showed where people went: clinics, places of worship, shelters, doctors' offices, and more. Tracked over time, it showed where they slept at night (their home address), and where they went all day (think their jobs and their kids' schools). Nobody gave permission, nor did they even know it was happening. The best (worst) part is it's still happening right now.
Your move
Use a browser that fights this (Firefox, Brave). Ditch Google and use a search engine that isn't spying on you (DuckDuckGo). Turn off ad tracking on your phone. Stop giving apps your location unless they need it. You'll never be invisible, but you can be informed and wildly inconvenient. That's what The Burrow is about.
TOP SECRET//SI//ORCON//NOFORN
(declassified in part, ODNI 10/08/2019)
UNITED STATES FOREIGN INTELLIGENCE SURVEILLANCE COURT
Memorandum Opinion and Order · Oct. 18, 2018 · Boasberg, J.
Section 702 authorizes the targeting of ██████████████████████████████████ to acquire foreign intelligence information.
In the course of that targeting, the communications of U.S. persons are incidentally acquired and retained in Government databases.
In 2017 the FBI conducted █████████ queries of information acquired under Section 702 on a single system. The Bureau does not record whether a query term is a ████████████████ term.
Each query must be reasonably likely to retrieve foreign intelligence information or evidence of a crime. The Court finds ██████████████████████████, likely occurring ████████████.
Queries were run against the identifiers of ████████████████████████████████████████████, persons not suspected of █████████████.
The Government acknowledged that the improper queries resulted from ████████████████████████████████████████ among personnel with access to raw Section 702 data.
For ████████ the Government did not perform the count of U.S.-person queries that Congress required as a condition of reauthorization.
The Court engaged ██████████, who advised that the procedures failed to satisfy both the statute and the Constitution. The Court agreed in █████████████.
The Court holds that these procedures, as implemented, are inconsistent with the minimization requirement of Section 702 and with the Fourth Amendment████████████████████.
As a remedy, FBI personnel must record a written statement of facts for each U.S.-person query, retained so that ████████████ may conduct oversight.
Notwithstanding the foregoing, the Government’s 2018 certifications are █████████
The remainder of this opinion is classified pursuant to ████████ and is exempt from disclosure under ██████████ and ██████████.
404
file not found
turns out this one was always empty.
42 items
Committed revision 143.
[burrow-mac:~] drea% ./wakeup.sh
[warn] system hibernation detected
[error] caffeine levels critical (0%)
[fatal] cannot proceed
[burrow-mac:~] drea% caffeinate -d
Caffeinate drea? [y/n] █





