cybersim's blog

APTs and Elephants

check my website (cybersime) — Sun, 22 Mar 2026 09:20:33 +0100

cybersim's blog https://cybersim.ch/posts/apts-and-elephants/ -

The threat landscape is scattered with animals: pandas, bears, and even kittens — all dangerous cyber creatures. There’s even sandworms and sandstorms. These names are commonly used by vendors, researchers and threat intelligence companies to designate APTs, Advanced Persistent Threats. Each company has its own nomenclature: Microsoft uses a weather system, Palo Alto’s Unit 42 references star constellations, and in 2013, Mandiant (now Google) published a report on the initial APT1, which is associated with the Chinese government. MITRE maintains an extensive list of commonly known threat actor groups; threat intelligence researchers usually keep their own “Spreadsheet of Doom”, a Who’s Who of threat actors.

Newcomers to cyber threat intelligence (CTI) examine such a list and observe that Magic Hound is also called TA453, COBALT ILLUSION, Charming Kitten, ITG18, Phosphorus, Newscaster, APT35, or Mint Sandstorm. They are then tempted to draw a big equals sign between all these names. Which name to use is left to the author or their employer; sometimes, it is simply what initially stuck in public perception. For example, I read more about “Charming Kitten” and less about “Magic Hound”.

However, APTs are a construct.

They are not clear-cut entities.

Rather, these names are similar to blind people who touch an elephant for the first time and describe their impression of what an elephant is (Sinology side note: 盲人摸像). Each company requires data to form any threat intelligence. For those who sit at the intelligence source, this means customer data, such as agents running on customer devices, or employees responding to customer incidents. Sophos serves many SMEs, which means their data is based on small companies who are often easily compromised. Google Mandiant responds to incidents of Fortune 500 companies, who operate on a global scale and usually have a decent security posture. Kaspersky has lost a lot of Western customers since the war in Ukraine started, which means their customers are now in other parts of the world, with different IT environments than Europe. Consequently, the data that formed “Magic Hound” won’t be identical to the one that constructed “Charming Kitten”. Based on some similarities however, they are commonly grouped together. As a result, analysts see the various names of a group on MITRE’s web site and use their names interchangeably, which is imprecise and misses this key background knowledge.

And what distinguishes your run-of-the-mill script kiddie from an APT? What turns a UNC (UNCagetorized threat actor, Mandiant) into a Kitten (threat actor linked to Iran, CrowdStrike)? Most vendors have their “secret magic sauce” that marks the birth of a threat group. As an open-source, vendor-neutral rule of thumb: An activity group can be formed when two vertices of the Diamond Model overlap across intrusions or campaigns, for example overlaps in infrastructure and victims. Note that this must not be necessarily an “APT”; and all companies will have their own methodology of what constitutes “their” APTs.

Finally, APTs change over time. China’s PLA and general governmental system have been overhauled multiple times under Xi Jinping, and the TTPs of the Lazarus Group has surely not stayed identical since 2009.

Which name to use, then? CTI is, like its big aunt Journalism, about who consumes the intelligence. Most of your audiences won’t be aware of the minutiae detailed in this blog post. They likely don’t even care. So: Use the threat actor name that fits your audience, but try to point out somewhere whose nomenclature it is and provide one, two alternative names. If you say “ELECTRUM”, my brain will draw a blank, but if you say “Sandworm”, I’ll see the elephant.

Image Source: Nightcafe/Flux 2

- https://cybersim.ch/posts/apts-and-elephants/ -

It's Been a While

check my website (cybersime) — Fri, 05 Dec 2025 10:00:24 +0100

cybersim's blog https://cybersim.ch/posts/its-been-a-while-infosec/ -

“You know a lot”, remarked an apprentice recently while I was looking at some tickets from the Stone Age and explaining long-gone threats. The more younger people join infosec, the more I realise: Yes, in fact, I have been around for a while. Surely, Hackers (1995) was my gateway drug, but attending my first Chaos Communication Congress in 2010 was true First Contact. Back then, if you weren’t already working in tech, this was one of the few opportunities to dive into infosec topics. Live-hacking CTFs on YouTube were not really a thing yet, and if you wanted access to the scene, this was the place to go. Most other conferences — even today — have price tags clearly meant to be paid by an employer and not by yourself. And if it’s one-third of your part-time salary, why even bother? During the 2010s, I became a regular C3 attendee while also connecting with more and more peers online (thanks, 2010s Twitter). And even though I’m only a few years into an actual infosec job, the knowledge has accumulated: Confs, meet-ups, more confs, workshops, years of tech-journalism, a computer science degree.

A lot has changed. My first Blackhoodie workshop was a watershed moment (eternal thanks, Marion): For the first time in my life I was in a room full of other women keen on learning reverse engineering. They exist! The event grew from 30 to 80 women within a couple of years and is now a movement of its own, with self-organised events all over the world. Infosec has become more accessible. Gatekeeping in offensive security and “hacking” is still the modus operandi, but CTFs have proliferated, most conferences stream to YouTube (even some pricey ones), tutorials and materials are everywhere.

A lot has not changed. Fifteen years later, I still enter a room full of strangers and no one takes it for granted that I can actually handle a computer, let alone a command line. You can have a conference for women in cybersecurity, but once you subtract all non-technical people, the number left is your representation in today’s teams. Women’s toilets at infosec events still have next to no queues (except for said conference type). Non-tech people are amazed to hear that, yes, the percentage of women (and other non-cis-het-White-male identities) in my field has remained low. Please do not ask me why.

But: Over the last 15 years, I’ve grown to become part of communities — especially local communities. Our tiny, casual meet-up before the Pandemic has grown into a sizeable member group. Once a month I get to sit at a table with like-minded FINTA people; once a year I am in a room full of good old friends and peers who accompanied me for the last 10+ years (thanks!). “Nevertheless, she persisted”, goes the popular saying, and hopefully, when I retire, everyone who enters a room will at least be considered a potential next Acid Burn.

- https://cybersim.ch/posts/its-been-a-while-infosec/ -

The Birthday Dress

check my website (cybersime) — Sat, 13 Sep 2025 11:01:09 +0200

cybersim's blog https://cybersim.ch/posts/the-birthday-dress/ -

Some birthdays are more special than others, and some projects are more challenging than others. My “Joan Wiggle Dress” represents both. The pattern was the reason why I joined Gertie’s Patreon in the first place, but the striped, stretchy Ponte that is required for the chevron pattern was surprisingly hard to find. After several twists and turns my research led to a mauve stretch lace with a wave pattern (of all things) in an online shop. Several months later I found the perfect backdrop in a brick-and-mortar shop: silver faux leather. Never have I sewn lace or faux leather — this project was going to match the birthday in uniqueness.

While the pattern is simple and comes together quickly, the materials were a challenge: Lace is tricky, faux leather too thick to handle, and together they spell trouble. I did a lot of research on sewing techniques and received savvy advice in a local haberdashery shop that has sadly closed since. Without that expert lady there, this project would have failed spectacularly.

Here’s some notes on the process:

Three prototypes
Test-wash everything
One-shot sewing only, no ripping open of seams. Clippers are your best friends – every pin, every needle leaves permanent holes.
Adjusted the height (easy) and orientation of the bust dart (hard). Many finished dresses show a “V”-shaped bust dart instead of a straight line, and I wanted a straight one too.
So much cold sweat lost over matching up the lace on the vertical front seam
Thank you, shop lady: Faux leather dulls the needle in the blink of an eye, so do not use the overlocker or its knife. Changed Jeans needles twice on my regular sewing machine.
Use the lace like interlining and sew it onto the underlying faux leather, then treat as one
To achieve this, use wash-away stay tape to fix the lace onto the seam allowance of the feaux leather, then zigzag the two together
Feaux leather does not need to be finished and can be left untreated
Thank you, shop lady: A wash-away film called “Avalon” from Madeira is used for quilting, but I used it to sew together the bust darts. Sew the film just inside the bust dart seams onto the right side of the interlined fabric, then close the bust dart. That way, the lace does not shift on the slippery feaux leather and you get precise seams.
Hand sewing. So much hand sewing. I sewed all the seams by hand and finished the hem with a lace band.
Best worn with an underdress

The amount of XP gained during this project definitely unlocked a new sewing skill level: The dress turned into an absolute success! This marvelous Joan Wiggle Dress is the first glamour item in my wardrobe, and it shall be worn on many fancy occasions to come. Also the faux leather feels like a second skin and still the dress is comfortable to wear for hours. If ever I can find striped Ponte, there shall be a twin for less glamorous events.

- https://cybersim.ch/posts/the-birthday-dress/ -

Die neue Mitbewohnerin

check my website (cybersime) — Sun, 07 Sep 2025 18:44:48 +0200

cybersim's blog https://cybersim.ch/posts/dressform/ -

Verrenkter Nacken, zerstochene Finger, ungelenke Selfies: Irgendeinmal war genug. Eine Schneiderbüste musste her. Also ein Torso auf einem Ständer, woran eine Hobbyschneiderin alle Änderungen und Drapierungen anbringt, um sie später auf das Schnittmuster zu übertragen. Statt sich verzweifelt vor dem Badezimmerspiegel zu drehen und Nadeln in den ~~Körper~~ Stoff zu stechen, arbeitet man sozusagen mit einem Ersatzkörper. Doch nicht irgendeinen – ich wollte meinen. Denn egal, ob Ready-to-Wear-Kleider oder Off-the-Shelf-Büsten, mein Körper ist jenseits jeglicher Zielgruppenvorstellungen.

Vor Jahren hatte ich bereits ein kleines, kanadisches Unternehmen im Auge. Dessen Geschäftsmodell ist ähnlich wie die (gescheiterte) Idee der Kleidermarke Zozo: Die Kundin erhält einen lustigen, hautengen Anzug nach Hause (Stichwort: Mocap), scannt den eigenen Körper mit dem Smartphone, und das Unternehmen fertigt daraus eine Schneiderbüste. Damals ging die Idee von Zozo ein, weil die Messungen viel zu ungenau waren. Zufällig entdeckte ich ein Schweizer Unternehmen, das ebenfalls Schneiderbüsten auf Mass anfertigt; und da ich gerne lokale Geschäfte unterstütze, unternahm ich einen Roadtrip in die Heimatregion von Wilhelm Tell.

Am Dorfeingang begrüssten mich bereits die Statuen von Tell und Walter, doch bei “Zimmermann Büsten” war es keine Frau Zimmermann, sondern Jenny Curtins: Die gelernte Damen- und Theaterschneiderin folgte während Corona dem Ruf ihrer heimatlichen Berge und kehrte nach Schwyz zurück. Dort kam sie in Kontakt mit der bereits älteren Inhaberin von “Zimmermann Büsten”, einem Betrieb, der seit 1937 Büsten von Hand herstellt. Von ihr lernte sie das Handwerk, übernahm den Betrieb und beschloss, den Fertigungsprozess um einen Twist zu erweitern.

Und hier kommt das wundersame Venn-Diagramm “Hobbyschneiderin” und “Computernerd” ins Spiel. Treffen sich nämlich klassisches Handwerk und moderne Technologie, ist meine Neugierde geweckt. In einem iterativen Prozess entwickelte Jenny Curtins eine neuartige Schneiderbüste auf Mass, wobei sie das gelernte, traditionelle Büstenhandwerk um moderne Technologien erweiterte. Ihre Innovation traf genau meine Schnittmenge, und als Journalistin wäre daraus sofort eine Reportage geworden. Nun arbeite ich aber in der Infosec, und mein kleiner Blog muss für die Story herhalten.

Ich betrat also das Obergeschoss des Chalets, wo sie zusammen mit einer Freundin ihr Atelier beherbergt. In einem holzgetäferten Zimmer mit niedriger Decke zwängte ich mich zuerst in Shapewear, um allfällige Unebenheiten auszugleichen. Dann betrat ich eine kleine Plattform ohne mir den Kopf an der niedrigen Decke anzustossen, und erstarrte in der Pose einer Schaufensterpuppe. Während die Plattform rotierte und ich sie mit Fragen löcherte, nahm Jenny Curtins mit einem 3D-Handscanner meine Körperform digital auf. Zu meiner Überraschung hat die Technologie in den letzten Jahren enorme Fortschritte gemacht und sich von einem hochpreisigen Industrieprodukt zu kommerzialisierter Massenware entwickelt. Massenware, die Innovation im Kleinen ermöglicht. Schliesslich bestaunte ich mein 3D-Rohbild im Handscanner – eine Punktewolke mit noch vielen Unebenheiten, die später am Computer ausgebessert werden müssen.

Danach folgt der Schritt von digital zu analog: Das finale Modell wird im 3D-Drucker gedruckt und dann in klassischer Fertigungsweise zu einer Büste verarbeitet. Der Torso wird aussen gekleistert, mit einer Wattierung versehen und danach mit Stoff satt überzogen. Same-Day-Delivery ist ausgeschlossen – der ganze Prozess dauert mehrere Monate. Und wenn schon lokal, dann richtig: Der Holzständer kam gleich vom ansässigen Drechsler.

Drei Monate später kam sie endlich, die Schneiderbüste, die verdrehte Nacken, zerstochene Finger und ungelenke Selfies erübrigt. Ein Meilenstein nach bald zehn Jahren Hobbyschneiderei: Check! Und last but not least: Bessere Bilder! Denn die Büste ermöglicht, den Blog hier mit besseren Aufnahmen meiner Werke zu zieren. Zwei ältere Blog-Posts haben deswegen gleich bessere Bilder erhalten:

Schlussnotiz 1: Es gibt bewusst keine Links - der Post ist keine gesponserte Werbung, sondern eine Würdigung des Venn-Diagramms “klassisches Handwerk trifft moderne Technologie”. Wer mehr zum Unternehmen wissen möchte, weiss wie googeln.

Schlussnotiz 2: Der Blog-Post entstand zuerst auf Englisch, aber irgendwie hing ich fest. Der Text wollte einfach nicht von der Hand gehen. Wechsel auf Deutsch, und siehe da – die Worte flossen. Ein Fall von lokalem Einkaufen, lokalem Schreiben.

- https://cybersim.ch/posts/dressform/ -

Erasure of Expertise

check my website (cybersime) — Fri, 30 May 2025 08:32:47 +0200

cybersim's blog https://cybersim.ch/posts/erasure-of-expertise/ -

There’s a shop in my town that’s about to close. I usually don’t care about such announcements, as a lot of my shopping happens online anyway. Except when.

Except I’m a hobby sewist with no formal training, who entered the craft by way of Burda without Google or YouTube (1/10 would not recommend). I still learn by failing and improve with each garment, but sometimes I am just stuck. Stuck as in unable to measure myself properly, stuck as in unable to do certain fitting adjustments. Stuck, because of lacking expertise. Of course, there’s plenty of expertise online, yet also “expertise”. This is when human contact helps you to become unstuck. And I kid you not, such humans can also be found in real stores.

Many bigger towns have at least one brick-and-mortar haberdashery selling just that one thing that you need to succeed. That button in the perfect matching color. Top-quality zippers. Horsehair canvas. But these stores not only sell things, they have staff who know their stock down to the last tiny brooch and are often skilled crafters and sewists themselves. Elderly women who have sewn all their lives, know the tricks of the trade, and how to complete the most intricate projects – and who are more than happy to share their knowledge.

This is why I love and need physical shops: They not only sell goods, they also provide expertise. A recent project (to be blogged) had so many firsts that I was at a loss as how to tackle it. Instead of finding questionable opinions online, I went to my local haberdashery and the employee there knew exactly what I needed, provided options, and I succeeded thanks to her help.

When I went back with my finished pride, I spotted a note of doom in the shop window: The original owner retires and closes the store. It will likely be replaced by some chain, whose employees answer every question with “We only have what’s here”. I presented my project to the employee to thank her and share my joy – and expressed my grief about the shop’s closure. Its end erases the best haberdashery in my vicinity, and all the expertise that helped my project to completion. “We are looking for a successor”, she said politely. Her eyes were watery.

Image source: Nightcafé/Google Imagen 3.0

- https://cybersim.ch/posts/erasure-of-expertise/ -

Reflections on Writing and AI

check my website (cybersime) — Sun, 13 Apr 2025 20:00:51 +0200

cybersim's blog https://cybersim.ch/posts/ai-writing-reflections/ -

The most frequent answer you hear in IT: “It depends”. Using AI to write texts? “It depends”. End of story.

Just kidding.

The answer I sent to my colleague was longer — basically a mini-blog post that evolved into this one.¹

First, the good news: Asking GenAI to write texts is useful. My native language is Swiss German; an AI that fixes my non-native English errors is a game changer. I will always miss some meanings, idioms, gerunds — things the AI can spot and explain.

Other use cases resemble the idea of “Gebrauchsmusik”, which in this case would be “Gebrauchstexte” in a wider sense: Boilerplate texts with specific purposes that I find tedious to write, as it is about formalities, less about creativity. Let AI handle the boring stuff.

That’s basically it.

If you look at a football field or a golf course, all you see is grass, neatly trimmed to the same height, conforming to some standard. It’s boring as hell. AI texts are a trimmed sports lawn. Sometimes, uniformly dull with lots of empty phrases.² Sometimes, they are repetitive and lackluster, void of any rhetorical device or sense of rhythm.³ It’s like walking through a concrete industrial space instead of walking through a lively, colorful street. But writing should use all the colors to play and paint a picture that echoes your inner voice.

Text is also like clay: It can be easily reshaped into any form. Following this metaphor, I am rarely attached to my texts.⁴ If you ask me to scrap them, edit them, change them in any way and give me a good reason to do so, I am happy to oblige. Especially if you are an editor who does these things daily. Always trust the editor. The editor will improve your text, while keeping its origins. On the other hand, the AI lawn mower alters your texts ignoring both their essence and your voice.⁵

Which brings up the next point: Editing is not the same as writing. Me reviewing AI output requires a different skill set than writing. It requires fact-checking details, looking for cohesion and what’s missing. Writing, however, is something completely different. As a journalist I learned the phrase that you truly understood a topic if you’ve reported on it. Not by reading, but by creating a story and writing it, no matter if it’s for ears or eyes. Thinking is often a mess, jumbled, chaotic. Writing means putting elements in a sequential order, considering the how and why, what’s left in and out. What’s at the core of this problem? This is the major issue. Then the minor one. Finally, what’s not relevant and left out. AI will save you the trouble, but also shave down your skills.

Coincidentally, two recent blog posts even highlight this: Luciano Nooijen writes how he ditched most code editors as he lost his “Fingerspitzengefühl” when coding (another German word!). Nico Dekens writes how CTI analysts lose their critical thinking because they rely too much on AI output. Writing, coding, critical thinking all turned into passive skills when they are in fact a craft.⁶

I neither want to lose my voice nor my craft.

Addendum: While writing this, I realized that my criticism is actually bigger than the listed advantages. That is not my final verdict though. My final verdict is that we still learn to use AI for all sorts of tasks, while figuring out what helps and what harms us in the long run. We need to try and experiment — and have discussions about it.

Post addendum: Of course I asked GenAI to fix my English. It changed "It depends". to "It depends.". Thanks, AI, but this is a decision that usually precedes eons of newsroom editor fights, and differs across English variants. You just changed it.

The AI also rewrote Sometimes, uniformly dull with lots of empty phrases. Sometimes, repetitive and lackluster, devoid of any rhetorical device or sense of rhythm. to a Sometimes uniformly dull, filled with empty phrases. At other times, they’re repetitive and lifeless, lacking rhetorical devices or any sense of rhythm. It completely missed the intentional repetition for exactly the reason it was criticized.

Image source: Nightcafé/Dreamshaper XL Lightning

Sorry, dear colleague, for the wall of text that may have surprised you, not sorry, because it led to an intellectual exchange that sparked my thinking and writing. Thank you :) ↩︎
Many models have been trained on the sales pitches and ads that pollute the open web. ↩︎
I won’t link that infosec blog post from a big vendor. It was a desert made of concrete. ↩︎
Why else would I publish them here? But: Stealing my texts and “repurposing” them as yours is not clay, that’s plagiarism. ↩︎
This is where “Gebrauchstexte” as a term is handy: They do not need to carry my voice. If I have to write Gebrauchstexte, let the AI do it – no problem. ↩︎
Many, many years ago I read Richard Sennett’s “The Craftsman”. I dimly remember it’s basically about exactly this topic and I should give it another read. ↩︎

- https://cybersim.ch/posts/ai-writing-reflections/ -

Adventures in Keyboarding: Daily Drivers

check my website (cybersime) — Thu, 20 Mar 2025 19:22:28 +0100

cybersim's blog https://cybersim.ch/posts/adventures-in-keyboarding-daily-drivers/ -

Peak influencer-dom has probably been reached when you convince other co-workers to buy a good-quality-but-pricey keyboard. Since my last blog post, two more Moonlanders appeared on our floor, and it all started with rows of blinkenlights on my desk instead of lettered keykaps. Three Moonlanders on one office floor should be enough to finally report results after long-term usage.

Pain and Posture

Monotony is the enemy of good posture, and so it is with my keyboards: Instead of completely switching to the Moonlander, I alternate between my trusty QWERTZ, off-the-shelf keyboard and the Bone-layout Moonlander. On some days, I prefer typing at high-speed, on others I crave the macros and dedicated special keys which I configured on my own layout. I will never reach my QWERTZ speeds with the Bone layout, but a mouse, scroll wheel, and media control all on one keyboard makes it a powerful tool for tedious tasks. Form-wise, I currently use the Moonlander with its platform add-ons, and prop up the hand rests via stacked cardboards, so I don’t create a dent in my wrists. My body also welcomes these changes: The more variety I introduce, the better for my posture. Conversely, the more monotony my body suffers, the more it complains.

Traveling: Back to Basics

Traveling gear is the only thing I have not quite figured out yet. One thing I love about my Kyria, the little keyboard that started my keyboarding adventures: At 480g, it’s extremely compact and light. However, it gave me some wrist pains and I just can’t reach a reasonable typing speed. On the other hand, I shlepped the Moonlander in a big plastic box to a week-long workshop and struggled to set up and stow away the thing every day. For another recent workshop I brought a cheap, light Logitech QWERTZ keyboard, which was enough for the occasional typing. At 75%, it neatly fits into my backpack and I can temporarily live without a numpad. For now, this is my go-to solution.

Layout and Macros

After over two years, my Bone-DE-CH layout has been refined to the bone (ha). The only downside lies in some macros: the circumflex and the backtick are notoriously cumbersome to type on a Swiss keyboard, and I’ve written macros for each. Sadly, they cannot be directly integrated in ZSA’s online tool Oryx (or I was too impatient for a GUI deep-dive), so flashing the keyboard directly from the browser is not possible. Instead, I:

Download the source
Fiddle the macros into the updated keymap file
Compile the firmware
Flash the keyboard using Wally

It works, but it’s time-intensive and I fear Wally won’t be supported anymore at some point. Here are the two macros for those who want to add them to their own QMK keymap (DE-CH):

enum custom_keycodes {
  ST_MACRO_0,
  ST_MACRO_1,
};
// --- lots of layers here ---
bool process_record_user(uint16_t keycode, keyrecord_t *record) {
  switch (keycode) {
    case ST_MACRO_0:
    if (record->event.pressed) {
      SEND_STRING(SS_TAP(X_EQL)SS_TAP(X_SPC));  // prints ^ with one keystroke
    }
    break;
    case ST_MACRO_1:
    if (record->event.pressed) {
      SEND_STRING(SS_DOWN(X_LSFT)SS_TAP(X_EQL)SS_UP(X_LSFT)SS_TAP(X_SPC));  // prints backtick ` with one keystroke
    }
    break;

All in all it took me about six months to learn the layout, another six to master all the unconscious controls like Alt+F4 or Ctrl+S, and touch-typing complex passwords is still next-level hard.

Blinkenlights, Baby

Strangers rarely assume I’m a computery person even if I and the job title say I am – something something bias – until they see my keyboard. The blank blinkenlight keycaps evoke gasps and seem to max out my hacker scale in the eye of the beholder, when all I can say is “I really like computers” and “pain is a good motivator”. Still, it amazes me how much the Moonlander serves as a signifier of nerd-dom, instead of being just a tool that suits your needs. It’s also a bit sad to still experience this in 2025.

- https://cybersim.ch/posts/adventures-in-keyboarding-daily-drivers/ -

From Black Magic to Pandas in CTI

check my website (cybersime) — Fri, 21 Feb 2025 16:23:59 +0100

cybersim's blog https://cybersim.ch/posts/cti-pandas-heatmap/ -

Every day, black magic is performed in offices; mysterious numbers appear on-screen as if directed by an invisible hand. The tool for such a magical performance is called Excel. While I use it for simple budgetary needs, I do not excel at using it (scnr) and admire everyone who knows how. To this day, it still looks like black magic to me, and I rather prefer excelling (sorry-not-sorry) in the art of taming Pythons.

Recently I was given the chance to attend the SANS FOR578 class on Cyber Threat Intelligence which was a delight in itself. The other delight consisted of lessons in black magic – using Excel to create pivot tables and cast other spells. Meanwhile, Python has gained a strong presence in data science, and as a Pythonista, I wanted to solve some of the exercises using Python instead. Additionally, data sets are becoming so big that manual work in Excel simply leads to nowhere. I have only shallow experience in data science, so I considered this a useful challenge.

What follows are some notes on translating a couple of Excel tasks into Python which are also related to CTI. I am a bit familiar with pandas, and used GenAI to quickly generate prototypes and then refine them into what I was looking for.

Note 2026-02-01: This blog post was written with pandas 2. Pandas 3 introduces easier ways to access data using pd.col().

Notes on the Code Snippets

You can find Jupyter Notebooks of the simple queries and the heatmap in this GitHub repo. The Jupyter Notebooks all create fake, randomized data that do not in any way correlate to the class content. They are all common tasks in Excel.

The simple queries create a fake data set with cheese types sold on a particular time and month.
Another data set contains fake username-password combinations and IP addresses reserved for example code (RFC5735).
The heatmap uses a selection of Chinese zodiac animals linked to a random year-date combination.

The snippets below are just the most relevant parts to answer the question without any setup. For that, see the whole Jupyter Notebooks.

Simple Queries: Frequency Analysis

Which was the month with the highest sale and latest time sold?

1
2

sorted_df = df.sort_values(by=["Month", "Time Sold"], ascending=[True, False], na_position="last")
sorted_df.iloc[0]

What was the month with the highest sales?

1
2

weekday_counts = df.groupby('Month').size().reset_index(name='count').sort_values(by="Month", ascending=False)
weekday_counts.iloc[0]

Simple Queries: Search Data

Search for an IP address, first with equals, then as substring search.

1
2

filtered_df = df.loc[df["IP Address"] == "203.0.113.42"]
filtered_df_sub = df.loc[df["IP Address"].str.contains("203.0.113.42", na=False)]

What are the two most common passwords?

`1`	`counted_passwords = df["Password"].value_counts().head(2)`

Search for an IP address across the whole data frame.

`1`	`searched = df[df.apply(lambda row: row.astype(str).str.contains("203.0.113.0", na=False, case=False).any(), axis=1)]`

Search the username column either for god or toor then get its corresponding password.

`1`	`pw = df.loc[df["Username"].str.contains("god\|toor", na=False)]["Password"]`

Pivot Table and Heatmap

Generate a pivot table out of a data set, where rows are dates and columns are the Chinese zodiac animals. Count occurrences as aggregation function.

1
2
3

animal_per_month = df.pivot_table(index="Date", columns="Zodiac", aggfunc="size", fill_value=0)
groups = animal_per_month.columns.tolist()
animal_per_month = animal_per_month.reindex(columns=groups)

Create grand totals:

1
2
3

grand_total = animal_per_month.copy()
grand_total.loc["Grand Total"] = animal_per_month.sum(axis=0)
grand_total["Grand Total"] = animal_per_month.sum(axis=1)

Now to the heatmap. In the task, the grand totals were not part of the heatmap itself and uncolored. Which means: Generating heatmaps in Python is easy. Generating heatmaps in Python that look like the one in Excel is difficult. I used GenAI to quickly create a prototype. Then followed the familiar rabbit hole of a hallucinating GenAI when I wanted to have the grand totals not included in the heatmap coloring.

After many very-similar-yet-different questions to The Cheery Robot that is GenAI, I found an answer on StackOverflow. It uses one heatmap as a mask over the other. Let’s create the mask:

1
2
3

mask = np.zeros(grand_total.shape)
mask[-1, :] = True  # mask the Grand Total row
mask[:, -1] = True  # mask the Grand Total column

After some trial and error with a visualization library called seaborn, I achieved my desired result using the mask:

1
2

sns.heatmap(grand_total, mask=mask, cmap="RdYlGn_r", cbar=False)
sns.heatmap(grand_total, alpha=0, cbar=False, annot=True, cmap="RdYlGn_r", annot_kws={"size": 10, "color":"k"})

… and can now present this lovely heatmap that is not Excel:

A heatmap! With grand totals in white!

Here’s again the repo with the full code: cti-with-pandas

Image source: RealVisXL/Nightcafe

- https://cybersim.ch/posts/cti-pandas-heatmap/ -

Marvels in Digital Art

check my website (cybersime) — Sun, 09 Feb 2025 19:26:50 +0100

cybersim's blog https://cybersim.ch/posts/nxtmuseum/ -

“Man kann mit einem Computer Kunst und Schönheit schaffen”, says the OG hacker ethics (“You can create art and beauty on a computer.”) and nothing embodies this better than the Nxt Museum in Amsterdam. While the Museum of Digital Art in Zurich perished during the pandemic, the Nxt Museum opened its doors in 2020 and persisted. Its latest exhibition caught me again with my mouth open and a “holy sh…” under my breath.

One of its current installations, “All-together-now” (2025) by Children of the Light, takes a scientific breakthrough from 2019 and turns it into an art experience. In that year, the first-ever image of a black hole was published, made even more famous by the researcher Katie Bouman, whose delighted expression at the breakthrough went viral. Thanks to the artists, we now stand in a room with five huge halos. Each of them turns at an individual speed, emits white and amber light, and each round evokes another optical illusion of haze, light, and magic. We essentially relive Katie Bouman’s moment back in 2019: Staring at a small cosmos in wonder and amazement, experiencing pure delight in what human creativity and ingenuity can bring forth.

If you ever visit Amsterdam and are remotely into digital art: The Nxt Museum is worth a tour and every Euro of the ticket. Take your time to sit through all the installations without a smartphone; marvel at the hacker ethic being turned into its finest possible representations. Be aware that many installations contain flashing lights.

Image source: ALL-TOGETHER-NOW (2025) by Children of the Light, Installation, photograph by Maarten Nauw, Nxt Museum. Thank you to Nxt Museum for responding to my inquiry about an image to illustrate this tiny blog entry.

- https://cybersim.ch/posts/nxtmuseum/ -

Book Note: Some Desperate Glory

check my website (cybersime) — Sat, 01 Feb 2025 08:31:00 +0100

cybersim's blog https://cybersim.ch/posts/desperate-glory/ -

“Some Desperate Glory” by Emily Tesh came out in 2023 and won a Hugo award in 2024 for best novel. It’s a science-fiction novel, but also one about fascism and the deradicalization of a young woman called Kyr. With every recent headline my brain circles back to that book. “Blog it”, my brain says.

The book is brilliant in many ways, so find the basic plot and some reviews in the link section below. What I want to highlight here is the narrative technique of an unreliable narrator combined with Kyr as the main focalizer of the story, and its effect on us, the readers.

Kyr grows up in a fascist society, hard, passionate, relentless in her pursuit, determined to win in any way. Accustomed to sci-fi narratives we readers believe her. Here the good, there the baddies. Star Wars: clear-cut lines and enemies. Slowly, cracks appear. Slowly, we doubt. Slowly, Kyr doubts. Something is wrong with Gaea Station where she grew up. Something is wrong about her being top of her class, then delegated to the baby factory. Something is wrong with her brother Magnus – or is it us? The glitz of her world crumbles, as we discover along with Kyr the lies that kept her believing, as we discover how such a society operates once the veil of radicalization is lifted. How everyone suffers by clinging to beliefs which only serve a few powerful men.

It’s brilliant.

There are a ton of texts about fascism and the cruelties of Hitler, Mussolini, Franco, and all the others. We’ve been through this before. However, it’s stories that have the most power. In these times, we need stories of hope, stories that help people understand what is going on and where we could end up. This is one.

Links

Tesh, Emily: “Some Desperate Glory”, Tor: 2023, 9781250834980.

Tor publishes ebooks without DRM, it’s worth buying it.

Image source: Nightcafé/Dreamshaper XL

- https://cybersim.ch/posts/desperate-glory/ -