To calm things down a bit keep in mind the target was a backwater agency called the "Election Assistance Commission" which is not exactly the hive-center of democracy:
"The security firm, Recorded Future, was monitoring underground electronic markets where hackers buy and sell wares and discovered someone offering log-on credentials for access to computers at the U.S. Election Assistance Commission, company executives said.
Posing as a potential buyer, the researchers engaged in a conversation with the hacker..."
Sounds like somebody found a vuln in probably a creaky lowest-bid government contractor website and wanted to monetize.
I've never heard of this "Election Assistance Commission" agency before but it sounds like they exist to help US states implement a law from 2002 called the Help America Vote Act (HAVA.)
I'm not at all comfortable with all these infiltrations, but this "American Election Commission" has done a pretty awful job, hacked or not.
The fact that voter fraud/suppression shenanigans exist or that there's any ambiguity about how votes gets counted indicates to me they're assisting a pretty screwball election system.
I know someone who used to work there. They don't do much. One of their initial responsibilities was ensuring that funds for HAVA (Help America Vote Act) were dispensed and electronic voting machines were certified following the hanging chad adventure.
As we all know, electronic voting machines aren't so hot and in my personal opinion, the EAC hasn't done much very effectively and has been under fairly regular attack in congress and under (maybe toothless) threat of being shut down.
I don't think they have any actual power over much of anything in elections because that power is distributed to the the state level secretary of state's, so their role is more advisory at best and also is disjoint from the more powerful FEC.
The amount of power they have isn't as important as the amount of network access they have.
Have there been any steps towards coming up with a formal graph of privileged network links between government organizations? If A works with B & C, then if A is penetrated then B & C should be formally notified and audited as well.
It seems obvious to us, but computer literacy in out country (and the world) is quite low. I think this underlines how bad it is. Can you imagine if the English literacy rate were only a few %? It wouldn't be uncommon to hear of people doing strange things since they wouldn't be able to read warning signs.
In this case, I think it's probably because most librarians can't read, or at least many in publicly funded libraries. It's hard to point to one illiterate librarian when their colleagues are also illiterate.
> People would start to confuse "your" and "you're" or "its" and "it's".
I am genuinely trying to determine if this is a joke. :) People already do confuse those! I have unfortunately seen many arguments on Facebook over the correct usage.
This is pretty much almost already the case for mathematics; understanding of basic mathematical concepts in the general public is piss poor. No one is up in arms about that.
- Outsourcing offshore to lower costs through a 3PP
- Junior developers with inadequate training
- Sheer incompetence
Incompetence can be extended to management - i.e. a lack of policies and auditing to undertake due diligence.
Sometimes SQLi isn't always obvious even if they are aware of the attack vector if the developer is not thinking defensively. For example inputs from a cookie or HTTP headers such as HTTP referer etc.
But then you add a few layers of frameworks on top of that, each with its own mix of convenience, abstraction and SQLI protection. Occasionally, people will use available the escape hatch mechanisms to deeper levels when the convenience (or their understanding of it) does not align well with what they need to do. It's not impossibly hard to get confused about where the handholding stops in a complex stack like that.
I might naively underestimate the amount of pure "naked SQL" code still written, but I suspect that in this age, more SQLi accidents happen in "95% safe" environments. Kind of like the class of accidents we expect from 95% autonomous cars, where an unfocused and out of practice driver is expected to take over the wheel when the robot brain decides that driving is to difficult.
Yet researchers have actually investigated the problem of automatically generating prepared statements from existing code and it turns out to be weirdly challenging.
The problem isn't that some people are idiots. The problem is that we, as an industry, don't have great security solutions.
While this is true, the developer implementing this can still make a mistake. I've seen (esp. on long multiline queries that get modified over some time), a mix of prepared variables for things like userids and string concat for things like table names but the dba or the dev doesn't realize the attacker has control over the table name due to how they are handling user input on that particular endpoint. Maybe the table name is passed in on one endpoint because it's old and janky. Then it fools people because they see it's a str passed to prepared statement func and assume it's safe. I've seen this in some place in a large number of the apps I've worked on.
If you have to let the attacker control a direct substring of SQL, then use a whitelist of allowed characters – for tablenames, [a-zA-Z0-9_] is usually good enough, and then put that in quotes (as some databases reserve keywords such as "user" or "password", which is bad if you want to name columns like that).
I’ve had quite a few codebases I’ve worked on where I had to replace naive code [1], and until now, it’s always been easily possible to ensure that the entire space of possible inputs is limited enough to prevent SQL injections.
Sure, there are rare projects where you have to do such very complicated systems, but for 99%, it’s possible to get guaranteed protection from SQL injections.
________________________
1: "db->query('SELECT 1 FROM users WHERE username = "' + $_POST['username'] + '" AND password = "' + md5($_POST['password']) + ';"');" was real code I’ve seen
Because no part of "securing an enterprise network" includes any meaningful filter on the shitty software the organization is going to buy and run.
If something "needs to be secure" then IT is likely up to its ears in reams of policies and reports, Cisco firewalls, VLANs, Group Policies, Symantec antivirus products, Websense, and password complexity regimes. It seems only elite tech companies and the military/intelligence community are making serious steps towards "How can I choose and commission software that is not so likely to contain serious vulnerabilities?" Even obvious ones.
Mainstream IT security practices can, at best, put up a perimeter around the steaming pile of garbage fresh from the lowest bidder so that it can't infect anything else, and only insiders can exploit it, and maybe there will even be a record of them doing things that look like exploit attempts.
Virtually every organization i've seen, private or public, that isn't focusing on secret or higher clearance data, doesn't spend more than a weekend on appsec. Even organizations that have security teams dedicated to trying to secure its appsec infrastructure often do it as a black box, or after it is already in production.
Aside from that? It should just be expected that any system that uses a structured query language and can receive user input is vulnerable to injection.
Because many developers don't honestly believe that SQL represents a code execution boundary. Much of the time, the tendency is to think of SQL as simple I/O with a disk. And one rarely needs to worry about escaping interpretted expressions when streaming into and out of an I/O pipe.
They don't think of it as "executable code" because of the limited and monotonous nature of CRUD operations typically associated with data persistence.
They just think of it as yet another inconvenient form of declaritive data already at rest. Perhaps akin to mark-up. Raw data, like XML.
With JSON, some developers innately clue themselves in, because JavaScript, but they don't honestly understand the root of the hazard. They're just thinking FIRE BAD! Then they hack some JSONP into place because it's fun to do that sort of thing.
Most novice developers (my younger self included, tisk tisk) strongly resist protections against even HTML injection, until they see a massacre play itself out in the real world, when someone drops the ball.
This is also why smart money in appsec is focused on langsec and framework-integrated security controls, such as by forcing security patterns (e.g. html-context output encoding) by default and by compelling developers to work harder or, should they decide to break the rules, to do so more visibly.
Granted, most modern parsers disable the features that can trigger this by default. But there's still a lot of code out there compiled against libraries that did not, and some of that code is still updated and extended today.
Lots of languages have easy string interpolation, and don't do anything to prevent that being used around sql statements. I'm not sure why php is being called out in this particular case. Sure, it has warts, but in this specific area, it's no better or worse than most languages. It supports bind variables and the documentation pushes you that way.
It's not just PHP. It's too easy to do in many languages. It almost seems odd there isn't a 'libsodium but for DB access' or 'linter that makes your CI server explode on dangerous DB API use'. Things like that don't have to be foolproof but they'd be better than the current anything-goes default.
It's easy to do in any language/framework which accepts raw strings as SQL input. Which is pretty much all of them, except for ORMs and similar (and even those usually have an escape hatch, which sufficiently lazy/clueless developers can and will find eventually).
If a raw string is allowed, then the standard facilities - string concatenation, formatting etc - can be used to write injection-vulnerable code.
The only mitigation that does not require educating the end developers is to completely banish strings from the API, and require everything to go through a DSL layer instead. Said layer can then ensure that all values are properly quoted and/or parametrized prepared statements are used as needed.
"Said Leopard to Baviaan (and it was a very hot day), "Where has all the game gone?"
And Baviaan winked. He knew.
Said the Ethiopian to Baviaan, "Can you tell me the present habitat of the aboriginal Fauna?" (That meant just the same thing, but the Ethiopian always used long words. He was a grown-up.)"
It's been awhile since I used PHP but even if you're not using a framework I'm pretty sure you can just wrap your strings with mysql_escape_string or some similarly named function.
It has also been a long time since I've used php, but when I did there were a few problems here.
One is that mysql (opposed to oracle or pgsql) is kind of unusual in allowing quotes indiscriminately for all column types, so in order to do this right you have to only do it for string type columns and prevent injection on different types some other way.
Another is that most of the APIs around the more sprintf-style quoting (eg: `query("SELECT * FROM table WHERE x = %", someStr);`) are tied into prepared statements, which carry their own problems that also differ per engine.
It's actually not as simple as you might think. On top of that, php used to have the whole automatic quoting thing that just made a hash out of things.
And how accurate was that data? I'd assume that the commission only has was has been provided to it by others. Someone really wanting to exploit a machine should probably start elsewhere. The russians would do better by just buying some machines and testing them themselves under the guise of 'evaluation'. Russia does have elections and therefor a reason to aquire and test such machines.
That is certainly reassuring in this case. But this is a reminder that either our voting system is secure from tampering or we are pretending that our elections are honest and that the people in office are who we voted for.
I think most people here would have a difficult time saying our voting system is secure from tampering.
Because even if there are hand counted votes, if humans use computers to tally, communicate, or check the vote then that will certainly be open to vector of attack that use personal credentials (the easiest to lose).
There is no escape from a desperate need for competent electronic voting and comprehensive government security in every department.
I'm confused, is this click-bate? Because just this past Friday, December 16, 2016 during President Obama's speech he mentioned there is no evidence that the election itself was hacked. The DNC (Democratic National Committee. Hillary Clinton's party) was hacked and had emails stolen, the election (voting machines etc...) was not.
https://www.youtube.com/watch?v=LBvK-Rb681I at 48:30 President Obama says "I can assure the public that there was not the kind of tampering with the voting process that was a concern. The votes that were cast were counted and they were counted appropriately, we have not seen evidence of machines being tampered with. That assurance I can provide. "
A lot of news outlets from ABC to BBC news show "Russians hack election" in their article's titles to get more clicks, then further down into their articles state the DNC was hacked. "DNC emails stolen" does NOT equal "USA presidential election hacked". Revealing damaging information on a candidate is interfering with an election but not "hacking the election", which makes it sound like the russians cast fraudulent votes using hacked machines. Plus the recount in Detroit revealed this: http://www.detroitnews.com/story/news/politics/2016/12/05/re...
Plus, didn't democratic candidate Hillary Clinton win the popular vote anyway?
There has never shown any evidence about the state of Russia being involved in these hacks. Diplomats would choose their words wisely but media writers whatever their readers want. . It's fake news to one side, and truth serum to another. Repeat other way around...
You may not like or accept the evidence, but there has been plenty over the last 6 months. If you demand more, then you will likely never get it from a spearphishing email dump so asking for it is pointless.
Most all of the DNC / Podesta emails are DKIM verified. That is a level of proof far beyond the word of a single security company with close ties to the FBI and the US government. I scanned through those two links you posted and I've read other interviews with Alperovitch, and I still have not seen proof that Russia was involved. Appeal to authority is not proof. With a password like "p@ssw0rd" it's not hard to imagine that many, many state-level actors and others had access to those emails.
Given how much the US messes about with itself and the rest of the world when the Government is supposed to have been elected fairly, I shudder when I think of the impact on the world when the elections have been unfair and rigged.
I am appalled at how candidates from the same party - e.g. Hillary and Sanders, Hillary and Obama, Trump and who-ever - first criticise each other a lot, raking muck, raising FUD, casting aspersions, indulge in a lot of rabble-rousing - just to win some popularity contest. If the candidates stoop so low for their own party, then how much lower they must stoop to "defeat" the candidates of the opposing parties.
The world has been seeing regular evidence of how easy it is to tamper with the voting machines, with the votes, and what-not. Does this call for a special situation where the elections are held again but with such concerns addressed?
Otherwise, this farce of elections would simply continue, and the world would continue to be in a worse situation.
Before you panic (well, before you continue panicking) you should probably read the article. There is nothing in there that even remotely suggests anything untoward happened in this past election.
> Does this call for a special situation where the elections are held again but with such concerns addressed?
I am so frustrated with how muted the current administration's response has been to the recent hacks. This is an attack on the most fundamental part of US democracy. It should be considered an act of war. Not only should that shape the US response to whoever is responsible, but also the amount of resources it devotes to defending against attacks like this.
Obama telling Putin to "cut it out" isn't enough. No matter what is happening behind the scenes. Our next president might not even go that far.
The "hacks" (so far all we know is Podesta clicked on a phishing email and gave away his password) revealed shady behavior on the part of:
1. The DNC coordinating with the Clinton campaign to ensure victory over Bernie in the primary.
2. Collusion between the media and the Clinton campaign (giving questions ahead of debates) to favor Clinton over Bernie
3. Signs of pay for play or general corruption of the Clinton foundation through foreign government donations.
To the hackers, I say: Thank you very much! Thank you for releasing information on the Democratic party that we would never have been told otherwise (certainly not by the mainstream media).
And you want to fight a nuclear war over this? Ridiculous. Utterly ridiculous.
I'd say each of your three points are seriously exaggerated, but that's really neither here nor there. Why can't we be worried by the content of the emails and the fact that a foreign government hacked them and leaked them strategically to influence our election?
It strikes me as profoundly foolish to not react here just because you happen to be happy that this particular set of information was released. (As well as, by the way, reams of email with no value to the public whatsoever.)
And of course nobody is suggesting we fight a nuclear war. There's clearly plenty of space between GP's suggestion that we do more than tell them to 'cut it out' and nuclear warfare.
Whoever released the emails did the American public a huge service. They pulled back the curtain and we got to see how the sausage is made. It doesn't matter who they are or why they did it. The end result was important whistle blowing. We should hope that information like this is leaked out as it helps balance the power between the public and corrupt politicians/media in a way nothing else can.
How do you feel about the fact that they appear to have hacked the RNC too but deliberately chose not to release those emails, in order to favor one candidate over the other. Still think that's a huge public service?
Not to mention that the emails they kept might be used for blackmail in the future.
If I remember correctly, that was walked back to a claim that they'd hacked "RNC actors" but not the RNC themselves - and we already knew that because e-mails from Republicans were released fairly early on. This is a problem with a lot of the scary claims going around in general; they simply don't actually seem to be true.
Yes they did 1/2 have of the work they could but I'm not complaining about getting more information. Someone else should leak the RNC. Or possibly it didn't contain as many bombshells? Either way, I'm happy to get more information than I had before.
Of course the majority were mundane. The majority of Chapo Guzman's private communications would be mundane too. The contents of the DNC emails suggest nothing about the contents of the RNC emails, though I have no doubt that republicans are equally crooked.
The one-sidedness of the attacks? From whom? If you're referring to recent CIA claims that the RNC was hacked as well, then my answer is that I don't trust the CIA. It may have happened, but you have no real proof about Russian involvement at all. Unlike other posters in this thread and Clinton herself, I am not keen on starting a physical war with Russia over conjecture about a virtual attack.
Here's US congressman Pete King, the Chairman of the Sub-Committee on Counterterrorism and Intelligence, stating this was all a disinformation campaign by the CIA: https://noagendaplayer.com/listen/886/41-20
Publications like the Washington Post have made some ridiculous claims (clickbait headlines) with zero evidence, and it's been cited heavily for more Fake News.
It doesn't help that the new NDAA bill includes the "Countering Foreign Propaganda and Disinformation Act" which allows the US government to propogandize the American people. https://noagendaplayer.com/listen/885/1-30-59
Assange and another involved with WikiLeaks claim the leak wasn't a government official (they know the person who gave them the data). Either that person is involved with Russian intelligence, and the 'hack' involved infiltrating the Democratic party (if we know this happened why isn't the guy in chains?). Or the CIA is flat out lying to the American people for some unknown purpose/operation. Either way it's clear the CIA is the last person to listen to regarding election 'hacks'.
the report you've cited references the same Washington Post story I've noted above, which is the source of all this misinformation
>"A secret CIA assessment...the Washington Post reported, citing officials briefed on the matter."
If it's a secret assessment, how did WaPo get a hold of it? How does the CIA not disclose this information to US Congress, who has oversight over the CIA, when they're asked to testify re: this new information?
Please see the first link in my previous post.
Nearly every single one of these "Russia did it!" stories cites the Washington Post article[1]. Interestingly, the article itself says:
>a senior U.S. official said there were minor disagreements among intelligence officials about the agency’s assessment, in part because some questions remain unanswered.
and
>For example, intelligence agencies do not have specific intelligence showing officials in the Kremlin “directing” the identified individuals to pass the Democratic emails to WikiLeaks, a second senior U.S. official said.
As mentioned elsewhere, there's is zero coverage on the contents of the emails leaked & the blatent corruption that should make people mad. CNN even said it was illegal for anyone other than CNN to look at the Clinton Email leaks.
Why is the media so afraid?
The CIA and mainstream news is clearly lying to American people to trigger war.
They seem to have no control over PEOTUS, who is shutting down Military contracts via Twitter -- how can the military industrial complex survive without endless war!?
There has been no suggestion that Trump is willing to seriously dismantle the MIC, in fact to the contrary, he is calling for expanded capabilities.
> The CIA and mainstream news is clearly lying to American people to trigger war.
These kinds of claims are not appropriate. You have not offered any evidence that this true, yet state it as fact. It is a wild accusation and an irresponsible one.
I'll give you (1), but that's on the DNC, not the Clinton campaign. (2) and (3) seems pretty tough unlikely to be substantiated by the evidence I've seen. Hackers released dirt on only one side -- a clear attempt to influence the election, not expose corruption overall.
>Hackers released dirt on only one side -- a clear attempt to influence the election, not expose corruption overall.
And unsurprisingly, almost everyone who wants to dismiss any thought of retaliation or of even investigating the matter seems to be either a Republican or Trump supporter.
You can view it as not that big of a deal, or unavoidable by the nature of employing biased pundits at a news organization that carries out the debates. Whatever. But it happened.
My larger view is that none of these things were overall that significant of factors to a huge portion of the electorate.
More significant were the economic uncertainties of midwest states who viewed Trump's ideas as appealing... while the Democratic candidate failed to campaign in many of these states (Minnesota (she barely won it), Michigan, Wisconsin, Pennsylvania). Hillary Clinton was a terrible candidate. She almost won, and should have. But I don't think she can blame Russia for her failures.
That sounds like (1), not (2). The DNS head leaked a single question to one of the candidates, and it never even did Hillary any good. It's not just not-a-big-deal, it's literally an issue of zero importance that had zero impact on Hillary beating Berney.
Not blaming Russia for Hillary's failures, of course, just pointing out that even intelligent people are super confused by the disinformation that happened this year.
If you're talking about Donna Brazile, she was not the head of the DNC at the time she was giving the Clinton campaign debate questions.
She was employed at CNN. If she acted alone, then maybe you can argue it wasn't "the media" but one person. But how was she able to view the questions ahead of time? She was a known Clinton supporter, no?
No, that's part of the problem. She was a mover and shaker behind the scenes but had not formally and publicly declared an allegiance (of course, it was obvious from the way she talked on CNN). She was an ostensibly unaffiliated commentator who had a secret allegiance.
It's an excellent case study of why news agencies and networks should not have paid political operators (hacks) on their payroll and the fact that it went wrong is entirely predictable.
Still seem like non-issues -- Hillary's and Bernie's answers to "should states abolish the death penalty?" and "how will you help people with lead poisoning from municipal water supplies?" were prepared long before anyone at her campaign got them, and it seem unlikely they went anywhere near the candidates.
I'll support Bernie and his policies over Clinton any day of the week, but I have no doubt Hillary would have won the dem primaries without Donna's attempts at illicit support.
Compare that to what's likely in Trump's tax returns (and do you think the Russians really don't have a copy?), and you'll see that these are absolutely non-issues.
He also said "Donald Trump will not be allowed to win" the weekend before the election. Pretty sure Julian sees the world not wholly accurately these days :-/
Not only a damn shame, but in fact the reason that it can be claimed to have been a partisan attack and an attempt to sway the election one way or another.
We should have an open government, but it doesn't work properly if only one party's dirty laundry which is aired.
Both the DNC and the RNC are non-profit private organizations (IRS 527).
While I'm also interested in an open government, I think it's reasonable for both of those groups to expect to operate with some degree of privacy and autonomy.
In case you missed the recent news: they did hack the RNC too, but chose not to release any of that information. Presumably either to influence the election by making one side look worse than the other, or to have leverage over them by threatening blackmail... or both. That's one of the facets of this that is really disturbing.
I wasn't aware they also hacked the RNC. The article has conflicting information on how far they actually got though, and may not have actually gotten any useful information. The part about them (russians) doing it just to disrupt the confidence of democracy is interesting. The article doesn't actually state anything about blackmail or leverage though.
Hopefully something informative comes out of the investigation Obama ordered to be delivered before he leaves office.
We need to first lay the groundwork for a third party option to actually work. This means getting something like ranked-choice voting in place. Otherwise you're left with the winner take all system, and even if you had just 30% of the vote go to one candidate, if that was 2% more than all the other candidates, that one would win. It ends up forcing a two party system, b/c nothing else will allow smaller parties to emerge.
So for anyone who wants third party options, start pushing for their states to allow for ranked-choice voting in state wide elections.
Not only that, but both Wikileaks and Russia have hinted that it was a disgruntled insider in the Clinton campaign that did the major email leak. To those that care about the truth, the leak was a service.
The problem is that there's such a thing as lie by omission. Cherry picking which truths to release, and which to keep hidden, can provide an extremely distorted picture of the world.
Indeed, 90% of modern Russian propaganda for internal consumption is exactly that. It's not that they lie all that much, it's that they selectively choose the facts to focus on, and the facts to ignore, to create a very specific view of the world.
The US has been guilty of electronic espionage and tampering in other countries. The world would call us out for aggressive retaliation here, and rightly so.
I think there is an implicit assumption that your last sentence is justification for condoning this type of hacking behavior, when it happens to us. I challenge this. Just because the US has meddled in elections in the past, it doesn't make it right, and it shouldn't render us mute when we are victims of it.
I think you don't understand the implications here.
US has a LOOOOONG history of meddling with other countries with some heavy-handed manner (like sending a carrier group to Brazil in 1964 to ensure a coup, bombing Chile to install Pinochet, attempt to assassinate Castro 60+ times or so, and so on...)
If US even HINTS in considering a minor hack of sorts as an act of war and attacks Russia over it, it could very well spark the entire world to attack US back.
US can be the most powerful country of earth, but I am very sure US vs all other countries US meddled with would mean US destruction (and maybe the other countries wouldn't survive it either...)
People shouldn't even joke about going to war over the "election hack", what should be done is fix your own security and redo the elections if the hack was proven.
> I think you don't understand the implications here.
My knowledge and familiarity with the US and South America more than likely doesn't supersede yours. I think we can agree that the implications of a war with Russia far outweigh the fear of Chile, Cuba, and Brazil making an unexpected comeback. But back to the initial point, even if Russia wasn't a concern.
1) These countries are disconnected geographically.
2) These events happened before our time.
a) Fidel is dead, Raul wants to do things differently.
b) Pinochet was the foulest human being to ever roam the planet, but Chile has been back to civilian rule since the 1990's, and has gone through its own national grieving process (including long drawn-out prosecutions of Pinochet, who just died before a conviction in 2006.)
c) Brazil has a crime and corruption problem. Its problems fragment the population and I don't think a war would fix them. I can discuss this further if you would like.
There is little probability that payback from these nations would be a real concern. The only thing I can think of is Cuba's strategic location. Please let me know if I'm missing something.
No, it doesn't justify it. The most powerful nations are being very cavalier and the consequences could be dire. But to imply that we should immediately go to war seems disproportionate.
No, we should be pissed when our government does it, we should be pissed when other governments do it, we should be pissed if anyone does it. It devalues democracy in a fundamental and dangerous way. We have been wronged in a multitude of ways, and we shouldn't forgive any of the wrongs.
I'm incredibly tired of hearing false dichotomies here. It is imperative to maintaining a democracy that it not be hindered. We've done a disservice to democracy by tampering in elections, as have the hackers here.
Notice how you don't hear too much about "Chinese hackers" anymore? There's all sorts of brinksmanship and politics involved here.
The US have even publicly acknowledged this stuff. In 1982 pirated software (I think IBM mainframe stuff iirc) was modified, stuxnet-style to cause one of the largest non-nuclear explosions of some sort of gas refinery ever. God knows what's been done since then.
You're probably thinking of the story Reed included in "At the Abyss," about a pipeline explosion from a trojan horse slipped in the Canadian control software. That was supposed to be in 1982. It's become an infamous legend about ICS attack.
Probably didn't happen though. There was definitely a big pipeline explosion at the time, though Reed's fact checking misses the location, and somewhat more importantly, the fact that Russian control systems weren't software-based at the time.
Although it was a fun legend, it probably started as a game of telephone (a/o paranoia).
I'm not a fan of these "Notice how you don't hear too much about X" arguments. Just because you aren't interested does not mean it's not being reported.
Not only that, but if we start dumping dirt, who knows what secrets our adversaries might choose to drag out of the closet and parade down main street. It's a loosing proposition.
I say it is time for the governments of the world to publicly display those secrets. Maybe then we can move forward into a world where humanity isn't constantly stabbing everyone else in the back.
In the long run, perhaps, you may (I hope) be right. There's an interesting analogy that Nate Silver lays out in the beginning of The Signal and the Noise where basically, after the printing press, the availability of information to masses that didn't before have it exponentially increased way faster than "humanity" could adjust. (Obviously, this is massively simplified and leaves out all sorts of important things etc) Early on, much of what was (popularly) printed was religious. Then, the world was at war for a couple centuries before the enlightenment happened and some semblance of stability arose from the changed complex system humans had found themselves in.
Now, with the internet, we're at the beginning of another such monumental shift in information access. The cynic in me finds it likely that shit gets worse before we, as a species, find a new balance point. I mean, either we learn to live with all varieties of each other in peace (which is what I think you're saying), or we end up blasting ourselves into extinction. No?
Maybe then we can move forward into a world where humanity isn't constantly stabbing everyone else in the back.
I don't think it's really possible without a major change to cognitive capabilities. The human biological system and the resultant communities aren't built to handle truth.
This is kind of nit-picky, but I think it might be closer to the collective we can't ever really know The Truth (about any big meta issues), but just about everybody is convinced they know and have that truth right (and by extension, most other peoples have that truth wrong).
Which is to say, the brain equates beliefs to truths, which is an extremely difficult-to-overcome fallacy. (And, I suspect, therein lies the solution, if there is one.) Paradoxically, of course, life also wouldn't really be all that practical to live out if our brains didn't make such an overly simplistic jump.
So, yea, not really disagreeing with you on the cognitive capabilities part. But I'm also not convinced there's no such belief structure out there that isn't capable of solving this pickle. Implementing and spreading said system of beliefs - if it exists and without starting a bunch of wars in the process, of course - is the harder part.
Which is to say, the brain equates beliefs to truths, which is an extremely difficult-to-overcome fallacy.
In fact this construct is the basis for the illusion of the self - so it's inextricably linked to the human experience. The idea of an unbroken consciousness relies on a forward projection of a "future self" that is consistent with past experience. Practically, this construct is incompatible with objective experience because of our limitations for recall and "objective" evaluation of experience.
But I'm also not convinced there's no such belief structure out there that isn't capable of solving this pickle.
I don't think it's a belief structure that is needed - it's deeper than we can manifest so we need something to augment our limited capability.
[edit] On your first point: we can't ever really know The Truth (about any big meta issues)
I think that's true from an epistemic perspective, but I think we can reduce the uncertainty of variability around truth with enough inputs about causal factors in whatever event/issue is being evaluated.
Most of these issues seem to stem from identity and the ego. We wear many identities but at the root they all work in concert to strengthen the ego. People think they are their thoughts.
The system of mindfulness, and Eckart Tolle, in particular talk about looking for the consciousness behind the thoughts, removing attachment from your ego and possessions (not to ignore the utility, just in the sense of identity through consumption) and living in the present moment, free of the depression from the past or anxiety of the future.
Bureaucracy is a hard to manage 4th branch of government.
If legal or other changes were made to do what you suggest, most of the juicy stuff would be destroyed... more to cover the asses of the people involved than anything else.
I can't even begin to comprehend a country whose citizens don't want the dirt on their government. There is exponentially less incentive to lie to citizens of other countries than your own.
Not wanting your elections to be hacked doesn't mean not wanting dirt on the government. It's not like we got to read all the juicy dirt on both parties, in which case I'd be more OK with it, though not completely. But when you're only selectively provided with dirt as some external actor sees fit to reveal then you're being played to some extent.
I feel I've been pretty consistent about this as opposed to being partisan; I had a minor spat with Assange over his choices about his approach to editorial framing back when WL was first revealing helicopter footage from Iraq. Wl is a new kind of publishing outlet, but no more neutral or disinterested than the more traditional kind.
Wow, how well put. It is appalling that citizens are scared of the dirty laundry that might come out, and are instead prepared to look the other way :(
That happens when you link your identity with your tribe's identity. A lot of people in the US bought into the propaganda that we're the best or better than others. All that dirt surfacing would be an attack against that identity. It would force us to reconsider and reevaluate, which is a painful process if it requires changing one's identity.
Deniability is a powerful thing. How many disputes have been settled in the shadows?
Remember this is 2016, not 1916. Revelation and escalation don't lead to a mere slaughter of soldiers, but potentially destruction of civilization as we know it.
> Obama telling Putin to "cut it out" isn't enough
As far as I know, that isn't the plan, and retaliation is planned. Do you know otherwise?
People instinctively want a strong, immediate response in kind. From what I understand, that's actually the wrong way to respond. Here are a couple of points to consider, based on reading a lot of experts (I'm not one myself):
* 'The task of international relations is to prevent C level problems from becoming A level problems.' (I forget where I read that.) Escalation rarely is desirable. That doesn't mean that you don't respond, but that you need to respond in a way that doesn't escalate and put your adversary in a political position where they must re-escalate (e.g., because their populations are angry and demand it). That's how wars begin, often despite the intentions of leaders. Threading that needle is difficult, but that's what the situation demands. For example, after some bad behavior by North Korea, the U.S. responded by flying one or two nuclear capable bombers in an exercise over S. Korea; the point was made but not in a way that required re-escalation by the North.
* "the threat of asymmetric punishment - striking wherever, whenever, and with flexible means rather than retaliation-in-kind in a theater of operations chosen by an adversary - can be an effective instrument of deterrence". [0] If you respond immediately and in the same way your opponent attacked you, you are letting them manipulate you and the situation: They decide when, where, and how you act and the battle takes place (assuredly they will chose situations to their advantage).
Based on the above, a good response has to be smartly chosen to effectively send a message but not invite escalation, and should be at a time, place, and manner of your choosing.
----
[0] Toward a New Offset Strategy: Exploiting U.S. Long-term Advantages To Restore U.S. Global Power Projection Capability by Robert Martinage, Center for Strategic and Budgetary Assessments [a leading defense think tank]
There's been virtually no evidence posted about the hack outside of "Russia did it" and as far as i can tell there was no attacks on actual voting machines. Most of these hacks revealed dirty laundry on the democratic party and its nominee. No votes were altered if i understand the situation correctly. I don't think Russia or anybody else would be brave enough to perform such a hack.
That shouldn't be too surprising. It's difficult to hack voting machines. There are many of them with disparate standards and they're air gapped in many cases until they're done collecting and reporting.
As has been shown, it's a lot easier to hack voters themselves with targeted information, misinformation and outright fantasy. We've also learned something amazing this cycle: a key tactic anyone will replicate in the future:
When you run negative political ads, don't let anyone outside of the laser focused target demo you want to reach see it until it's too late. The "super predator" ads were crazy damaging to HRC in swing states, but even to this day most people haven't seen them. There's no way to respond to political attacks you aren't even aware of.
Like I said, what's new is our unique ability to both target and blind it in such a way that it's difficult to respond to. It will require a whole set of technological counters to be developer to prevent untraceable entities from launching the "super predator" ads again.
That's ridiculous. A campaign that well funded has folks positioned to see that sort of thing. Politics is nasty business... opposition research and spies are all over the place.
In Hillary's case it's even more absurd to claim that they could have known nothing -- many of the voters targeted and flip flopping were union guys and easy to get intel out of. End of the day, the campaign fucked up.
I come from New York, where we had easily manipulatable, gear-driven mechanical machines for decades. (It was pretty trivial to jam them up, and the historical over representation of the number 9 in results validated that) The major parties understood the margin of error and used absentee balloting to cover that risk.
> In Hillary's case it's even more absurd to claim that they could have known nothing
I don't think there is any indiciation in my post that HRC didn't screw up a campaign in several key ways. It's just worth noting that there is a new and unique series of technology-enabled techniques that DJT's team used to influence key states at the end.
Hopefully Facebook will be forced to release all the relevant data and we can see more about it.
> You don't have any idea what evidence Obama is privy to.
While I agree with you, I'm also reminded of how all the war triggered by "discoveries of weapons of mass destruction" started. That war only resulted in lots of casualties across the Middle East and of a lot of American soldiers, while Bush and others have got away having to answer to nobody about their lies.
> Obama telling Putin to "cut it out" isn't enough. No matter what is happening behind the scenes. Our next president might not even go that far.
The article states, "Eventually they discovered that the Russian-speaking hacker..." I'd like to see more than a Russian-speaking hacker before attributing this to the Russian government.
Most importantly, there is a very strong motive for Russia specifically to do so. And the rhetoric of the Trump administration, both before and after the election, bears it out.
Most tellingly, there was exactly one thing that Trump asked to change in the then-preliminary GOP platform when he became the party's candidate - and that was the stance on Ukraine. The original document included language such as "lethal defensive weapons" - which was what Republicans in the Congress were demanding from Obama ever since the occupation of Crimea - and then it became the much more vague "appropriate assistance".
To Russia, this is crucial, because its ability to wage successful "undercover war" in Ukraine hinges significantly on its technological superiority. For example, by supplying the local militias with new and shiny tanks with modern reactive armor (and some "vacationing" drivers and gunners), they significantly diminish AT capabilities of Ukrainian infantry; and in a war where both sides are unable or unwilling to use the air force, armor is the next best thing when it comes to close infantry support. But if Ukrainian troops were to get, say, Javelins (the single most asked thing by them to date), that would change matters a lot.
And it's not that Russia couldn't crush Ukrainian army, such as it is, in a head-on confrontation, Javelins or not. It's just that it would be too overt for plausible deniability.
Their job is to find it out who did this, informing the US population is not part of their job and quite often is counter productive. Don't trust any of them, your interests are more similar to a Russian civilian than any of the agencies.
We are never going to be able to bully other countries into not spying on us. It just won't happen. We're not going to go to war with the Russians or anyone else over these kinds of breaches and they know it.
The only solution we have is to depend on systems that are more secure. As far as voting is concerned that means paper ballots.
If in the end we can't secure vital computer systems, well, I remember reading an article about the FSB buying a bunch of electric typewriters to create sensitive documents. It's not because they don't have sendmail figured out.
The hacks comprised exposing confidential information, not tampering on the level of, say, Stuxnet. Given that we not only have leaked information about nefarious goings-on in other countries but in all probability are still doing so today, it isn't an event of sufficient novelty to activate the national adrenal glands. What's most likely is that we'll try to do the same thing to United Russia that they did to the Democrats -- but, hopefully, better.
I think the most likely response on the part of the US is both the Democrats and Republicans having Wikileaks, hackers and trolls as an integral part of their campaign strategy.
Well the state of Georgia has been asking why they had attempts from DHS addresses. The states own systems detected the attempt and even where it came from. These were early in the year. it took awhile but DHS claimed a hack occurred via the Borders and Custom's systems.
Trying to get to the bottom of that one where we know who was affected and the IP addresses trace back to another government agency is even more maddening, why won't the Feds cooperate?
The initial information on that sounded like they were whining about a port scan. Did I miss something about it being a real attack? To me it's maddening that basic nonintrusive port scans would be considered hostile or needing investigation/apology.
I agree, but I see why Obama did what he did. He thought this would be counteracted by Hillary's win and that any further action could be taken by the next administration.
We know now that nothing will come of it unless Trump does an about-face come January 21st.
The logical extension of your statement means the Russians should be invited to hack the DNC or any enemies of Trump forever because in your opinion leaks about debate questions and Pizzerias are so very, very critical to democracy. Perhaps denying the hacks every time they happens because, after all, they serve such a 'noble' purpose.
And I imagine I am not remotely the first one to realize this.
(Edit) My goodness but this is earning a lot of down votes. How very odd.
I just think it's very childlike and immature to blame others for your own mistakes.
The Democrats were unhappy embarrassing information they hid from voters was leaked to voters. They have no one to blame but themselves. If they didn't do the things talked about in the emails, there would be nothing to leak. How many people even viewed the emails, anyways?
I think both: [0] the info in the emails was bad and
[1] not that many people knew about it, or needed the Wikileaks info to not want to vote for Hillary Clinton.
And I think a hostile nation affecting one's internal politics is an act of war, successful or not.
This didn't just damage Hillary, although the media you so deprecate made it into just that. The hack also serves to de-legitimatize Trump. It is also causing Trump to fight with and denounce all the intelligence agencies critical to US functioning. Beside refusing their intelligence, the demoralization affect alone is huge (who will risk their life for a president who calls them a liar?). It has also thrown the whole electoral process into doubt. etc.
And they hacked the RNC too. You can bet that will be used to to maximum damage at some point.
It is no doubt that most damaging and successful attack on the US in decades.
But even more shocking is that it is condoned because it furthers certain parties political ends. What happens if both political parties start using acts by hostile nations to help them win elections?
Both those questions are uncivil. The second is one that the site guidelines explicitly ask you not to post, and the first will be in there soon too. Please post civilly and substantively, or not at all.
Oh right. What about when the commenter is obviously either astroturfing or responding to the headline alone? Or perhaps you prefer to get your website brigaded?
In that case you should email us so we can take care of the problem right away. Fortunately, that's also what you should do about any other astroturfing concerns too.
What you mustn't do is throw 'astroturfing' and 'shill' around as ammunition in an argument; that's as cheap as it is common, and uncivil.
> obviously
If I've learned anything moderating HN, it's that we all vastly overestimate what counts as 'obvious' and that this is the root of most of our problems here. When you find yourself thinking 'obviously', that's probably a good time to search for at least one alternate model.
And if there's one thing I've learned from reading your website, it's that sometimes the argument will legitimately be that the commenter is astroturfing or spewing an argument that an astroturfer would use. It seems increasingly likely that the discourse on your website is being attacked by brigades of users -- ones even with established accounts here -- who bring along intellectually dishonest argumentation that is motivated by political trolling alone. If those people (or the people influenced by them) can't be called out as brigaders and astroturfers, then I suspect many normal users here will increasingly be influenced by spurious arguments of the sort to which I originally responded.
Keep in mind that you are not making a neutral call by preventing me from calling out a commenter. You legitimize their arguments and leave it to others to find a way to call them out without raising your hackles.
Truthfully, the fact that I'd waste time on the matter is, I suppose, my own problem to fix in the new year...
There are two problems here, real astroturfing and imaginary. Real astroturfing is a violation of HN's rules. When we find evidence of it, we ban the accounts and sites involved. Imaginary astroturfing—people convincing themselves that the only possible reason for some comment they dislike is that the other user must be an astroturfer or shill—is also a violation of HN's rules. Some people feel a temptation to sling such accusations at each another, merely because they strongly disagree. That is uncivil and it isn't allowed on HN.
Since these two are quite different problems, we need a way to tell the one apart from the other. The way is simple: we look for evidence. If there's actual evidence that someone has been abusing HN, we ban them. If there isn't any evidence, we tell the person who invoked the accusation that doing so is against HN's rules and ask them not to do it again. An opposing opinion does not count as evidence.
If you have evidence that someone is abusing HN, please bring it to our attention. If you don't, you're not allowed to smear someone anyway. Either way, it's not ok to use such accusations as ammunition in an argument. Concern for the integrity of the community is welcome, but invoking that merely to score points against someone is not.
Speaking of intellectual dishonesty, you're putting a whole lot of words in my mouth in the process of responding to only a single one of mine. You yourself have now made accusations about my thought process that are not in evidence.
The original comment showed no evidence of having arisen from information in the linked article. In acting to silence someone for asking whether the commenter had read the article, you legitimized their unfounded accusations, particularly that the article was "click-bate" [sic]. Don't pretend that your actions are somehow neutral.
If you think neutrality means making a platform to give spurious claims unfettered voice, then enjoy watching your website crumble into reddit in the new year. If you don't understand how your moderation is needlessly making yourself part of the problem, I have no idea how to convince you of it. We will soon be in a place where your well-meaning notion of civility will be entirely irrelevant.
I don't believe it. I feel the public service is just continuing it's attack against a Trump presidency by reinforcing mini narratives that he shouldn't be in power vs Hillary.
Yes the article doesn't say this (of course the hacker is Russian, which isn't out of the ordinary). But your average person won't read that far or even past the headline and when it gets republished those parts will disappear.
You shouldn't trust anything you read without multiple independent sources to verify it. But that's what credible news organizations (usually) do. And government organizations don't (usually) lie just to provide a fuzzy narrative of doubt over something which literally no longer matters. That's my read.
How come we know so much about the "stolen" US elections through hacking but very little about HRC's unsecure private server which was likely hacked due to her wanton irresponsibility and likely treasonous actions?
"The security firm, Recorded Future, was monitoring underground electronic markets where hackers buy and sell wares and discovered someone offering log-on credentials for access to computers at the U.S. Election Assistance Commission, company executives said.
Posing as a potential buyer, the researchers engaged in a conversation with the hacker..."
Sounds like somebody found a vuln in probably a creaky lowest-bid government contractor website and wanted to monetize.
I've never heard of this "Election Assistance Commission" agency before but it sounds like they exist to help US states implement a law from 2002 called the Help America Vote Act (HAVA.)
I'm not at all comfortable with all these infiltrations, but this "American Election Commission" has done a pretty awful job, hacked or not.
The fact that voter fraud/suppression shenanigans exist or that there's any ambiguity about how votes gets counted indicates to me they're assisting a pretty screwball election system.