In a perverse way, the recent attacks on infrastructure are a good thing. Can you imagine if these all hit in a coordinated attack during actual hostilities?
Yes it's painful and interferes with the economy, but ultimately this will harden up potential targets. And boy do some of these guys need hardening up.
I think you're right unfortunately, maybe the Patriot Act will get expanded or maybe there'll be a sibling Good People Have Nothing to Hide Act.
Speaking from my vantage in the United States, I can't believe how quickly the population has become knowingly accepting and complicit with a mass surveillance culture. I'm equally concerned with how quickly ownership of purchased goods has been undermined by the server-client model of the internet. These two things are linked and fundamentally disagree with the basic premises the US believes itself to be founded on ...
It's hard to draw parallels historically in a way that gives hope. There is quite a lot of middle ground and reasonable solutions that just don't get mentioned in the political theater of today's corpocracy.
I know all this has basically become a meme on HN, but every government not following the EU's example and iterating on things like GDPR is implicitly supporting authoritarianism (if not explicitly) and setting up an oppressive future that their children will be trodden down by.
People haven’t accepted mass surveillance, they just don’t understand what it is and have been misled by the media, government, and corporations into silently consenting to privacy intrusions.
They think it won’t be used against them, until one day it does, and they are horrified when a divorce attorney is talking about the GPS movements from their “connected car” or their bank closes an account and locks out their funds because they attended a political protest. Unfortunately for them the realization comes way too late.
> They think it won’t be used against them, until one day it does, and they are horrified when a divorce attorney is talking about the GPS movements from their “connected car” or their bank closes an account and locks out their funds because they attended a political protest.
Not to mention those horrified at finding out that even though they deleted their tweets and videos, the feds have shown up at their doorstep because they were in a rampaging mob in the Capitol, searching for elected officials to murder.
I wish there was a nice, easy answer on where to draw the line with surveillance. I'm actually glad that the insurrectionists left a zillion-mile wide electronic trail, but I'm all too acutely aware that these capabilities can be turned against anyone, and I'm dead-set against backdooring encryption. At least (US-specific here) there are nominally limits on what the government can do, but those limits are often ignored, and private corporations have much freer rein on what they can do with your data.
Most people are still not sold on January being an insurrection, FWIW. People thought they were going to a political rally, not to murder senators. Things just got out of hand because lunatics decided to storm the building.
Funny how the 1% that take it too far always seem to be just the excuse most otherwise seemingly reasonable people need to justify supporting the revocation or curtailing of civil rights.
Part of liberty is cleaning up the mess when some people take it a bit far, and moving on.
But really, there are still some pretty reliable ways to carry out these attacks anonymously or with little risk of getting caught. OpSec has come a long way since the early 2000s. Yes, many are still getting caught often. But many aren't.
Yes, this'll be used to undermine anonymity (for example try getting a phone plan in many western countries without an ID - it's hard), however I believe there's still going to be a large push from governments and legislative bodies to push better security processes within private enterprise.
Jungle rules is not pure freedom. You need both freedom to and freedom from. The balance is struck when no one's actions impinge on another’s person or property without consent. The best form of that is an agreement between the involved parties to act respectfully. The worst is abdicating all of your responsibility to big brother.
There are different ways to provide security when it’s needed but most of what you would consider the benefits of security have more to do with everyone voluntarily obeying a set of written and unwritten rules. That’s easy to see if you ask why crime rates vary by geographic location. The same law should apply everywhere and for any given city you have the same police force so why do some areas have high crime while others have low?
I’m not sure I agree with that. In the 21st century, at least in the US, most adults have access to firearms for self defense. There is no such thing as “survival of the strongest” when everyone is on an equal playing field and has the capability to defend themselves.
Personally, I view the opposite as closer to Law of the Jungle, that is our current system of policing that gives a small fraction of society access to self defense but denying it to the rest of the group.
Law of the jungle implies lawlessness. How are you going to “self-defend” with your firearms against the random gangs or warlords in your neighborhood? You will join them or perish.
In a world with firearms it can mean survival of the best shot, the owner of the best weapons, or more likely the wealthy with their own militia. This is all in the absence of a state providing security. This happened many times in history, particularly the feudal era where feudal lords acted like a mini state, and often pledged allegiance to a larger state with a king.
While this is one line of thinking, in another way of thinking, we're just now in a perpetual cyber cold war. As long as there are some rogue nations that turn their eyes away from cybercriminals, or adversaries that actively promote them, we're going to have an endless series of outages - every possible thing from factories to toll roads to desalination plants to illicit photos.
Nah, we're just gonna get every state having its own mini-Great-Firewall and very limited access to non-friendly states, at the routing level. There's a next gen Internet protocol that makes this easy. Maybe also personal IDs with a kind of Internet "credit score". We already do that, but with IP addresses and machine fingerprints. I expect some countries will adopt something like that, even in the "West".
Either that or the cost of attacks will remain lower than the benefit of being able to sell bits and bytes to your adversaries. I do not expect this to be the case, but maybe.
The open, global, semi-anonymous web is what's not going to survive this fight, I'm afraid. I give it 20 more years, tops, and maybe a lot less.
That could sound interesting to a lawmaker, but it wouldn't change anything in practice. Those hacks don't come directly from the authors nicely identified by their affiliation and location. They'll come from a trusted node in the US. Many already do.
It would force the attackers to enter the jurisdiction of a state that will prosecute them if they're discovered, to carry out the attack, or else resort to much more difficult and slower methods (sneaker-net introduction of initial malware infections in the target state, say).
You don't have to enter a specific jurisdiction. There are supply chain attacks, escalation through residential connections, existing international botnets, and a thousand other approaches. And of course, there's always someone out there ready to open an email which will own them.
Yes, some relatively slow, difficult, and expensive attacks would of course still be viable. That does not mean that, "it wouldn't change anything in practice."
> escalation through residential connections, existing international botnets
Right—so how are you going to talk to your botnet from outside the target sub-Internet when it won't even route packets you send it, except maybe to some hardened commerce-and-propaganda-only subnet that may have limited or no connection to the rest of the target state/bloc's Internet (and again, even that part existing is a maybe)?
We have a small experiment with that already - corporate NATs which are supposed to achieve the same thing. They still get owned. Even SWIFT which is basically as isolated as it gets in business had bad actors with access.
I don't believe a complete separation would ever be possible. We'd have to put banks on the commerce side. But that means every single business entity would also have to have access to them. But most businesses also need access to the other side and will not do perfect separation.
In malware research labs you can find rooms literally painted in two colours to separate the isolated part and prevent joining networks by accident. Normal companies do not care that much. Most single-person entities will just plug both ends into one computer and go on with their life.
Sure, but there wouldn't be a "bad" network to connect to.
Two things that are surprising me in this thread: 1) "there are ways to work around this, so it's completely useless" (yes, that's... any security), and 2) either not a lot of people are paying attention to future-Internet development, as in actual, technical development and research, or they're not seeing what I'm seeing in them, somehow, as, for example:
There will be plenty of home grown hackers within the country doing it then too. Sure that might make prosecution easier if we can catch them, but it's not like we have anything close to a good track record in solving most crimes and bringing the criminal to justice. It will just be another risk/reward trade off that domestic criminals make every day already.
“The internet interprets censorship as damage and routes around it”
Even if you physically firewalled every connection into a country all it takes is one little node connected via RF (satellite, HF, etc) dropped near an open WiFi hotspot.
The topology for the commercial internet today is not the same as the topology for the early internet which that quote is from. Today's internet is more of a hub and spoke model that is much more susceptible to damage if certain nodes are affected.
Wifi hotspot asks for personal or corporate/server ID of the sender of packets coming from this new node, since it can't route the traffic any farther without that. Gets nothing. Drops that node's packets as either hostile or malfunctioning, and, regardless, useless, since it can't route them anywhere. OK, so maybe you manage to steal an ID. See how this is making attacks harder? Now you're stealing or forging identities just to get any packets routed, and if you do anything suspicious-looking you'll rapidly get your stolen ID on the automatically-managed collective shit-list and it'll stop being very useful. Because the volume of attacks is so much lower, your drop-a-radio-near-a-hotspot trick might even trip enough flags to get someone to come find the device, if you use it very much—and if you can't use it much without "burning" the hardware, then, well, sure seems like it made your job as an attacker a lot harder, right?
There is nothing that guarantees the Internet will keep working the way it does now, and if an open Internet causes enough problems, it will be reined in. How it works now is a choice, not a law of nature. I'm not happy about it, but that's just how it is. Either these kinds of attacks won't get much worse, or they'll get a lot worse and something like that will be what happens.
Wouldn't it be easier for the vulnerable beef packers and pipelines to simply disconnect from the public internet? What qualities do they have that would force them to burn down the world rather than fixing their shit?
I think between telling big businesses to spend a bunch of money and fix their shit and do things without the Internet, and adjusting the Internet—which would also make state-level attacks and foreign astroturf disinfo/propaganda campaigns harder to carry out—we're going to pick the latter. Again, unless these threats don't keep getting worse, though I expect they will.
Unless we shut down physical borders that won't work because the developed world has travel open enough that hackers can travel to the country of their target, set up the attack, and leave. A few months later it executes and we're in the same boat as before, albeit with an additional speed bump for the hackers.
Or it will just be home grown criminals doing the same thing.
How so? Can't attack from abroad if non-trusted states have trouble even getting packets routed to the target state, let alone the specific network you're trying to breach. Very hard to attack from inside the "firewall" if access is, as a condition of being considered a trusted routing peer, gated by tying all traffic to a personal or corporate ID that would cause all kinds of trouble for the holder of same IDs should they route traffic on some bad actor's behalf (as, say, through Tor or other means).
That's just a matter of finding a vulnerable ally country to hop through. That's SOP now to hide your tracks. It's not like current attacks from Iran to the US have Iranian addresses in the IP header.
That's fine until it's nearly impossible to route a packet from (for example) Iran to any IP in any state that's legally unfriendly to hackers and scammers, or otherwise operates outside the broad legal jurisdiction of the hackers' target states.
Yes, the Internet as currently structured is resistant to this. The Internet is not guaranteed to continue to have that structure. I'm saying that if our choices are "constant attacks such that the Internet is horribly dangerous" and "don't have the Internet", the popular (at the state level) solution will be "I choose neither—instead, we're changing the Internet".
It's not direct packets. You ssh into a box in, say, UAE, then Cuba, then Canada, then USA. You're just uploading and running scripts, so latency doesn't matter.
Yes, I know how the Internet works now. It doesn't have to keep working that way, and if attacks get really bad the result will not be that we just live with them. The Internet will be modified to reduce the threat to a tolerable level. There's already been some pretty serious work put into what this will look like, if/when it happens.
So all that will change is you use a wireless link (Starlink?) to SSH into a box in another country that connects to a box to a box to a box. It will not change a lot; in fact, as Starlink-like satellites become commonplace you can use them as jump boxes....
Security does not have to be perfect to be effective. If it did, we'd have no security, because none of it is both useful/practical and perfectly effective.
That is basically KYC for internet traffic. Hasn't stopped big operators in finance, and I doubt that it will be different on the Internet. A new crime of "traffic laundering", and mesh networks untraceable and unregulated like cash transactions.
Because the problem is critical infrastructure with holes in it, not that someone might communicate with that infrastructure. Trying to change the environment to ensure there are no attackers on the net is not a feasible alternative to hardening the critical systems.
This is NOT a cybersecurity or network vulnerability problem. That's just a symptom.
The real problem is that here, like so many other places in modern society, we've allowed consolidation to proceed far beyond healthy levels - when a single company is responsible for 20% of beef supply, it's time for antitrust action! (Yes, I'm looking at you, too, Internet, Tech, Media, Pharma, Aerospace/Defense, etc. companies...)
Maybe just allow one merger per decade, only available to companies with less than 10% of their market?
Consolidation leads to efficiency. Which in the case of commodities, is the only way to ensure low prices. A new slaughter company is not going to innovate a more efficient means of producing a pound of beef. In theory, a perfectly run state monopoly would be the ideal system. But that rarely ends well. In the US we've worked out a sort of halfway between the two extremes, where large private corporations are allowed to consolidate in the name of consumer prices, while still maintaining just enough competition for profit motive to keep things well run. It's not perfect but it's the best we've figured out so far.
The security state is willing to do anything, up to kidnapping, torture and murder, in order to not change a thing about the current economic order.
I expect the problem to be addressed with technology, treaties, extraditions and putting a lot of people in prisons before the fragility of consolidation is addressed.
There are many problems with over-consolidation, but this isn't one of them.
The primary problem here is criminals and criminal organizations parading as nation-states. The secondary problem is systems and networks that are insufficiently secured.
I think it'll be easier to have one network that's secure (or, at least, securable) at the protocol level, than two networks. As someone notes down-thread, people don't like dealing with two highly-separated networks, and if you have devices on both then that's a huge threat vector.
Further, I think states are likely to use this both to prevent beyond-their-reach nationals from attacking infrastructure and citizens, and to curtail foreign astroturf propaganda efforts.
The ID stuff is something I don't think all states will adopt, but some might, even in democratic states. I think adjusting backbone routing to allow easy network-wide black holing based on verifiable origin, though, is very likely to become widely adopted over the next couple decades.
Right. I posit that either we will arrive at that outcome, or "cyber attacks" and various other forms of Internet-enabled international abuse will never get bad enough to justify it. I suspect we're in for the former.
Sorta, but more like marking anyone's packets from outside your (or a friendly and cooperative country's) legal jurisdiction with the evil bit by default, and then also tracking which person or company, not device or IP address, originated every packet, so if they sent anything that should have been evil-bitted you can track them down.
Again, I reckon it's either that or this problem never gets much worse. Given trends, I expect we're gonna lose the open, global Internet.
Hopefully it's not endless. I kind of view these attacks as forced penetration testing of sloppy companies. They may not have been hired or perform their work legally, but hopefully their work results in changes similar to legal penetration testers. Also, the more that these attacks happen, the more that insurance companies will begin to increase premiums and the more that they will push back on companies that practice sloppy security. It may be painful in the near term, but hopefully these attacks are a net good in the long term.
The thing that really pissed me off about it is that the same organization that leaked my data in the first place was going to monitor my privacy. But in order to sign up, they needed... more personal data.
I don’t think a Cold War is a good description of what’s happening; it’s not as if there’s some arms race going on as it is just a very public exposure of how bad our overall tech / security infrastructure is.
The question is whether the pains we’re currently feeling are enough to cause a change in the industries affected.
> The question is whether the pains we’re currently feeling are enough to cause a change in the industries affected.
Considering downthread there are honest suggestions to send special forces after the ransomware gangs, I’m gonna go with “probably not”. That type of denial is pervasive.
The F500 and companies like JBS just need to move essentially dataframes around from automation to automation, but somehow the software ecosystem is still building that with the same tools used to write Google. The next answer is usually “they don’t invest in a security team, clearly,” and I’m waiting for that subthread to kick off, too, to continue the denial.
Software complexity is the enemy, not the malicious actors exploiting it. Fix one, fix the other.
Software complexity is hard to tackle because it's really the underlying business complexity that's being modelled, which is usually bureaucratic, Byzantine-like.
It is, but it's never going to be perfect. Nobody has achieved that so far. Or at least not in an environment where you have international distribution and thousands of endpoints touching different areas of the system.
The arms race is in exploits and software development. The country with the largest stockpile of the former and the best talent in the latter will emerge the victor.
A large stockpile of exploits can only harm someone else's economy, and it does not protect your economy. So perhaps your neighbour will suffer more than you do, but none of you will be winners in any sense.
With big limitations that don't apply here. Things like mutually assured destruction work if/because an attack is quickly detectable, reasonably clearly attributable, and a symmetric tit-for-tat retaliation is plausible.
That's not the case for cyberattacks. SolarWinds was attacked many months before it was detected, Stuxnet was hidden for years. We have attributed some attacks but not most and attribution often succeeds only years after detection. And the attackers aren't as vulnerable to cyberattacks simply because their economy is "less connected" - for example, North Korea is at the extreme end of that scale and they really don't care much about what exploits you have; you have a digital economy that's wealthy but vulnerable to attacks by those who don't have it.
Or you could go a step further that it is our hubris as a nation that expects the other side to fight us on a traditional battlefield with tanks and bombs and get crushed in a month. As if the other side is just so stupid as to never figure out a different strategy.
This is a 21st century hot war that we are losing badly.
The good news is that cyber-war has a huge asymmetric advantage for defenders. For modestly more money, we can stop building absolute crap infrastructure that constantly gets owned. A little bit of investment in quality drastically raises the cost of an attack.
> but ultimately this will harden up potential targets.
Or they mop up, get bailed out, and then maybe make some minor changes that don't really solve the problem that their insecure corporate culture begins to undermine immediately. We need companies to essentially go into a perpetual cyber-security war-footing. I don't see that happening without business being impossible to conduct without it.
If this is the USDA we're talking about, they mop it up, and have countless MEETINGS about what should be done. Then a task force is convened. THEN they do nothing.
These are actual hostilities. The U.S. is facing internal political collapse and Russia continues to distract and further sow discontent through these hacks.
The Red Dawn style of hostilities is a relic of the past.
>>>Russia continues to distract and further sow discontent
Meanwhile, the Chinese hackers and those directing their Information Operations are laughing their asses off that nobody points the finger at China first, despite numerous high-profile incidents of military-industrial-political espionage [1][2][3][4], the buildup of a gigantic blue-water navy, and tacit long-term goal of rivaling the US as the global superpower (and unlike the Russians, they've got the economy and manpower to make that happen). Nope, couldn't possibly be them. Must be those dastardly Russians.
You misunderstand the purpose of pentesting consultants. They exist to help companies check a box that reduces their legal liability, not to meaningfully improve those companies' security.
Now that there's an actual financial motivation for random non-tech industries to have decent software, they might start to do so.
>pentesting consultants...exist to help companies check a box that reduces their legal liability
I get it, but that's a bit of a false dichotomy. That is, there's also valid pentesting and that's the good thing, as opposed to being attacked by criminals (bad thing). And, the purpose of standing up defenses would be to prevent successful attacks. So, if it's the successful attack that prompts those defenses, then it's already too late.
The bigger point is that, in general, I'm puzzled by the constant stream of people thanking the criminals and blaming the victims after each of these attacks.
I think people underestimate the complexity that has evolved over time in many company systems. Securing systems/networks is hard. Doing it retroactively with mountains of technical debt is even harder. The reality is that some of these companies don't have the wherewithal to do it and, even if they did, the timeline to getting them there would leave them vulnerable for some time.
So it sounds great, but very idealistic to say "hey this will help them harden their security". The reality is we need to stop thanking the criminals and support/protect our companies/agencies with a "layer" above their own security, including via deterrence at the nation-state level.
"The reality is we need to ... support/protect our companies/agencies"
Like how we protect them from all legal consequences of losing private information of millions of people time after time, such as recent Equifax and Facebook cases?
Or like how we allow companies to sell vulnerable routers, IP cameras, internet-enabled printers and phones with known vulnerabilities at the time of release, and leave it without updates?
They are getting away with murder and you are asking for more protection for them? Maybe it's time to accept that this industry is greedy, arrogant and negligent in a way that's unmatched by almost anyone, except maybe hedge funds.
>Maybe it's time to accept that this industry is greedy, arrogant and negligent in a way that's unmatched by almost anyone, except maybe hedge funds.
"This industry"? Which industry is that? I mean, it's a tempting narrative: a big greedy industry, etc. But, this is not isolated to any one industry or any one company. These are attacks by foreign actors on a variety of our companies, government agencies, infrastructure, etc. And they result in real harm to our economy, infrastructure, and people.
>allow companies to sell vulnerable routers, IP cameras, internet-enabled printers and phones with known vulnerabilities at the time of release, and leave it without updates
Again, this sounds like a compelling narrative, and sure, there need to be improvements. But, the reality is that the attack surface is vast and includes zero-days in well-maintained software, social engineering, OSS, custom software, network configs, etc.
In general, it seems like there's a lot of anger in your post, but none of it directed at the actual criminals (or their national sponsors) who are actually responsible for the attacks. That's really puzzling to the point where it almost reads like defending the criminals.
We have plenty of our own hackers and ransomware, I am not seeing how the foreign angle adds anything to the debate
"none of it directed at the actual criminals"
There will always be criminals. If a bank was robbed by two kids armed with a banana, then the real fault lies with the bank's management for being negligent, and every court will recognise it.
As it stands, most data leaks and hacks are not unpreventable zerodays, they are people being negligent and irresponsible.
Large organisations need to change, and ignorance of the issue needs to be addressed. This is not just "there need to be some minor improvements"
The overwhelming majority of the recent, most notable attacks have been traced near-exclusively to foreign actors, including the one that is the subject of the actual thread here.
>I am not seeing how the foreign angle adds anything to the debate
Of course, it has everything to do with the debate. Specifically, with how we respond/deter.
>most data leaks and hacks are ... people being negligent and irresponsible.
The attack surface is vast.
>If a bank was robbed by two kids armed with a banana
We're literally veering into cartoon territory here. Not sure I understand why you're working so hard to exonerate the actual criminals.
"most notable attacks have been traced near-exclusively to foreign actors"
Most criminals are "foreign" because most of Earth's population is foreign.
"The attack surface is vast."
Because we made it vast. It could have been small.
"We're literally veering into cartoon territory here"
Yes we are, because spying on millions of people and then leaving that data unprotected is childishly irresponsible.
Ordinary citizens are the injured party, not companies. They have given up privacy and control over their devices. Even the software that runs on voting machines is copyrighted and secret, and when inspected, it turned out even the basics of security have not been followed.
Now that the chickens are coming home to roost, why are you so vehemently looking to absolve them of all responsibility?
Your last comment shed more light on the narrative you're attempting to establish.
Here's the "foreign" part of the discussion from our "sub-thread" to make things clearer:
Me: These are attacks by foreign actors on a variety of our companies, government agencies, infrastructure, etc.
You: We have plenty of our own hackers and ransomware, I am not seeing how the foreign angle adds anything to the debate
Me: The overwhelming majority of the recent, most notable attacks have been traced near-exclusively to foreign actors, including the one that is the subject of the actual thread here...It has everything to do with the debate. Specifically, with how we respond/deter.
You: Most criminals are "foreign" because most of Earth's population is foreign.
Some hardcore goalpost-moving there. You went from "it's domestic and doesn't matter" to "it's foreign, but only due to a statistical artifact". You're talking in circles in your effort to absolve the attackers. And, it's made clear here that you're not just trying to lay the blame on U.S. companies; you're actively working to absolve/divert focus from the foreign adversaries who are attacking us.
Maybe you can explain why you find it so important that we blame only U.S. entities, whether they be companies or criminals. It's that criminal bit that gives up the game. This isn't just about a crusade against negligent companies. Your narrative seeks to lay blame with U.S. actors and absolve foreign actors.
But, FWIW, a disproportionate number of these attacks come from one country with a population less than half the size of the U.S. It's a country that has been engaged in asymmetric warfare with us. So, you're wrong there too: the foreign nature of the attacks is not a statistical artifact.
>Because we made it vast. It could have been small.
No. It's vast because it's vast. Complexity + interconnectedness.
Fallible humans are responsible for this and it's a problem that's grown over time. Probably every person who's written any significant amount of production code can be said to have contributed to the problem.
And, of course, there's no degree of effort that can defend with 100% efficacy, which is why we also need a deterrent approach.
>why are you so vehemently looking to absolve [companies] of all responsibility?
I've specifically stated that companies need to do better. You, on the other hand, have not assigned an iota of culpability to the actual criminals who attack us. Instead, you've worked against all-logic to absolve them (or, failing that, to place the criminals in the U.S.). It's a simple thing to say "criminals are doing bad things and should be held accountable". Odd that you refuse to say it. Odder still that, to the extent that you even acknowledge criminals exist in this problem-scope, you find it necessary to relocate them to the U.S.
"No. It's vast because it's vast. Complexity + interconnectedness."
Firstly, that's not an argument, it's a tautology.
Secondly, attack surface is vast because we have shipped several billion locked down phones with known vulnerabilities and proprietary binary blob drivers, meaning they can't be updated. We could fix the problem overnight by voiding copyright protection on all software where the vendor has abandoned updates for a year or more.
It's not American companies, it's the entire shithead industry.
"You, on the other hand, have not assigned an iota of culpability to the actual criminals"
Mate, they are criminals, they are culpable by definition, it's in the Oxford dictionary. They have always existed and always will.
What's the point of banging on about them like a broken record?
Even if Russia and China magically disappear tomorrow, the problem will remain: if you have vulnerable systems someone will hack them.
It's like if someone is always stealing stuff from your house, and I tell you maybe you should try locking the door.
No, it's a correction. You suggested that "we made the attack surface vast". The point is that you're wrong. It's vast due to actual complexity and interconnectedness. It's vast by definition.
>Secondly, attack surface is vast because we have shipped several billion locked down phones...
This again illustrates that you don't understand what the attack surface is, thus you believe fallacies such as "we made it vast". It's not a phone or single entry point. It's every bit of software that a system touches or is comprised of, including custom, commercial, and OSS. It's firmware and hardware and networks and configs. It's social. And, to some extent, it's those same vulnerabilities in systems that connect to a system.
Again, it's vast by necessity b/c our modern world depends on software, technology and interconnectedness.
>Mate, they are criminals, they are culpable by definition, it's in the Oxford dictionary. They have always existed and always will.
So, this is your grand rationale for focusing all ire on the targeted companies vs the actual criminals? Your overall position then is that we should have no deterrent (why have laws at all?) and just lock our doors/secure our systems. If the inevitable criminals get you, then it's your fault.
>What's the point of banging on about [criminals]?
Pretty obvious: to acknowledge they exist, are the actual cause of the problem, and need to be deterred/punished as part of any comprehensive solution.
>Even if Russia and China magically disappear tomorrow, the problem will remain:
Actually, the problem would be substantially reduced to relatively nil. Just removing Russia alone would have a massive impact.
And, the solution-set becomes vastly different when fighting domestic criminals vs deterring state-sanctioned attacks from foreign adversaries.
But, here you are working hard to absolve the U.S.'s foreign adversaries again, "mate". Very curious.
>It's like if someone is always stealing stuff from your house, and I tell you maybe you should try locking the door.
Another straw man. I've acknowledged repeatedly that we should lock the door. That discussion is over. What we're discussing is your position that we should not attempt to deter criminals (especially if they are foreign). Instead, they should be able to try breaking your locks with impunity and, if they succeed, then it's your fault.
>The problem is the criminals can be anywhere in the world
Perhaps, but we tend to trace the lion's share to one of very few places.
>When criminals are a constant, security is the only variable.
Security also comes through deterring would-be attackers. Security is not simply a posture of attempting to deflect as many attacks as possible. Ever play Missile Command?
In fact, that's disastrous policy. And, even if it were possible to get every company/governmental agency to immediately invest in massive security overhauls along with all vendors, OSS, etc. with near instantaneous results, some attacks will invariably get through.
Seems pretty obvious that we don't want attackers with 100% upside and no downside.
> So, if it's the successful attack that prompts those defenses, then it's already too late.
Reality is not a single-round game.
> Doing it retroactively with mountains of technical debt is even harder.
Building mountains of technical debt is precisely the behavior companies need to stop.
> The reality is we need to stop thanking the criminals and support/protect our companies/agencies with a "layer" above their own security, including via deterrence at the nation-state level.
You can’t accuse someone of being idealistic and then turn around and say this.
There was a big hack recently in Ireland that took out the health service IT systems, with a ransom demand. The entry point there seems to have been social engineering: they got an employee to call a number from a web popup claiming they would fix their computer, and of course then proceeded to infiltrate further. This is not hacking in the sense that a SW bug was exploited, but it is effective. Unless employees have no way of running unsigned (by the employer/trusted source) code, it's hard to see how this kind of weakness is prevented.
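The control that comment points at, code running on an employee's machine only when the employer has approved it, can be sketched with a small launcher. This is an added example, not part of the thread or of the Irish incident it describes; it assumes a SHA-256 allowlist stands in for the employer's code-signing check (the Python standard library has no signature verification), and the file names, scripts and digests are all constructed for the demonstration.

```python
"""Hash-based application allowlisting (added example, not from the thread).

Models the control discussed above: a script runs only if its SHA-256 digest
is on an employer-controlled allowlist. A code-signing certificate check would
serve the same purpose; the digest allowlist is an assumption chosen so the
example runs with the standard library alone. Scripts and names are constructed.
"""
import hashlib
import os
import subprocess
import sys
import tempfile


def sha256_of_file(path):
    """Stream the file so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


class Allowlist:
    """Employer-maintained set of approved script digests plus an audit trail."""

    def __init__(self):
        self._approved = set()
        self.audit_log = []

    def approve(self, path):
        """Record the digest of a reviewed file as approved."""
        self._approved.add(sha256_of_file(path))

    def is_approved(self, path):
        return sha256_of_file(path) in self._approved

    def run(self, interpreter, path):
        """Execute only approved files; refuse and log everything else.

        Returns (ran, output_or_reason) so callers can act on refusals.
        """
        if not self.is_approved(path):
            self.audit_log.append(f"BLOCKED {os.path.basename(path)}")
            return False, "blocked: not on allowlist"
        self.audit_log.append(f"ALLOWED {os.path.basename(path)}")
        result = subprocess.run(
            [interpreter, path], capture_output=True, text=True, check=False
        )
        return True, result.stdout.strip()


def demo():
    """Constructed scenario: one reviewed tool, one 'fix your computer' script."""
    with tempfile.TemporaryDirectory() as workdir:
        approved = os.path.join(workdir, "inventory_report.py")
        with open(approved, "w") as fh:
            fh.write('print("approved tool ran")\n')
        rogue = os.path.join(workdir, "fix_your_computer.py")  # constructed
        with open(rogue, "w") as fh:
            fh.write('print("rogue tool ran")\n')

        allowlist = Allowlist()
        allowlist.approve(approved)

        first = allowlist.run(sys.executable, approved)   # runs
        second = allowlist.run(sys.executable, rogue)     # refused
        # Any change to an approved file invalidates its digest, so a
        # tampered copy of a legitimate tool is refused as well.
        with open(approved, "a") as fh:
            fh.write("# appended by someone else\n")
        third = allowlist.run(sys.executable, approved)   # refused
        return first, second, third, list(allowlist.audit_log)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The refusal is the interesting path: the audit log entry is what a SOC would alert on, because an employee repeatedly tripping the allowlist right after a helpdesk-style phone call is exactly the pattern the comment describes.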
> The U.S. meat industry is so consolidated that with JBS basically offline due to a cyberattack, the USDA can't publish wholesale price data without potentially revealing proprietary information about JBS’s competitors
Consolidation is the natural tendency of all businesses, independent of regulation. Powerful businesses may capture regulation to further entrench their consolidation, but don't confuse cause for effect here. Regulatory capture doesn't happen until after you have a powerful enough cartel to start buying politicians.
Regulations usually carry a fixed cost, regardless of scale, so the easiest way to reduce their impact on margins is to consolidate. Big businesses are often in favor of regulations because they create moats which small businesses cannot cross.
Spot on. Also worth noting that regulation and government administrative law are the only ways to restrict consolidation. (Anti-trust, FTC merger approvals)
In The Omnivore's Dilemma, author Michael Pollan presents USDA meat processing regulation as excessive with respect to actual meat production, but successful at preventing small independent meat processors from being economically viable.
Looks like I'll end up having to pull brisket off the menu again this summer (I own & operate a BBQ food truck).
Before this latest blow to the supply chain I have already seen a 66% increase in brisket prices in the past 4 weeks ($2.99/lb about a month ago, current price is $4.99). The restaurant industry is already running on low margins so it will be interesting to see how this is all going to shake out.
Raising prices is an option but that is very market dependent. BBQ customers in general are more price sensitive than lobster customers and I would lose sales at a higher price point.
There is a certain price (which I have generally found is $4.50 - $4.99/lb, that is when my food cost for a brisket sandwich hits 50%. Target food cost should be somewhere around 30%) where it just isn't worth it to sell brisket. BBQ is somewhat unique in that you have to estimate your demand ahead of time - you can't just throw on another brisket if you run out and I don't reheat/re-use leftovers. So even if I raise my prices $2/sandwich to cover the increased cost my risk is still higher because any unsold product is now a higher loss.
I'm sure you know your business and market, but I'd just throw out an example from my back yard.
Matt's BBQ is the best Texas style bbq in Portland by a considerable margin. I've been a customer and friendly with him since he started out in a pawn shop parking lot with zero foot traffic and almost no road visibility. He charges $13.50 for a 1/2 lb of brisket, similar prices for other meats. Sides are typically around $3.50.
He's up to multiple locations and his own commissary kitchen that's like 2000 sq feet.
He sells out every single day.
It's been really fun to watch his business blow up. It's all been from the strength of his product, and his personal hustle to get the momentum. His customer base is loyal and willing to pay a premium.
He even has a side hustle selling smoker rigs, via a partnership.
I'm enjoying this discussion and I'm glad you brought up your example, but keep in mind the sort of folks ordering BBQ in Portland are a very specific class of customers :)
No doubt, but the reasons people do or don't get it vary widely by region. In Portland I expect it's more likely to be a novelty or cultural experience, and therefore the clientele to be less price sensitive than Texas.
Do you have any awareness how obnoxious it is to assert you know my neighborhood better than me? When it's clear you've never been to any of these places, talked with fellow customers, etc?
It's a mixed race neighborhood. For the first couple years his neighbor in the pawn shop parking lot was a soul food cart. The clientele at both looked basically the same in terms of demographics.
While you won't find as much good BBQ in Portland as say central Texas, the Carolinas, etc, it's not some sort of exotic novelty.
I don't know why you are so determined to stereotype this stuff, but it is not helpful.
You living someplace, eating at a restaurant, and having a general gestalt of the local experience does not make you (or any of us) an expert on statements about population-level demographics or the economic implication. There's no reason to get upset that someone on the internet doesn't believe your analysis, or to call them names.
It is a statistical impossibility that any given group in Portland is the same as any given group in Texas on the metrics I mentioned, so your claim is really that these metrics don't influence price sensitivity.
It's statements like this that are revealing:
> People do value authenticity in my town. The big corporate chain restaurants are a lot more sparse here, exactly because the local places are just as cheap, far higher quality, locally owned, and using local ingredients, etc.
There's no trade-off between chain restaurants and locally owned? The latter is just an unalloyed good and other regions of the country are just making mistakes for no reason? So no, I don't find your analysis convincing, but as I already said I appreciate your input in the discussion.
Dude, it's literally my neighborhood, which I've been in for over a decade. These people are mostly my neighbors. They're who I talk to at the corner store, at the cart pods, at the bar when we're watching the Blazers games.
Just. Stop.
I never made any claim about blanket superiority, just described factually what this place is like. You'll find plenty of people and even data supporting that characterization if you want.
Likewise I did not claim anything about equality with Texas, just that your utterly naive assertion that the customer base for the food cart I mentioned must be slanted a particular way, based on literally nothing. It is not.
You don't understand what I've already written if you think that any of this hinges on how many years you've lived in the neighborhood, or how integrated into the community you are.
I do; I simply disagree strongly, just as strongly as you would had I tried to bulldoze you with a naive stereotyped view about something you personally are highly familiar with.
In any case, it's clear continuing this line of discussion is pointless.
> He charges $13.50 for a 1/2 lb of brisket, similar prices for other meats. Sides are typically around $3.50.
People in Portland and other liberal cities will paradoxically pay a premium for "poor people" food. When you are wealthy enough to consume whatever you want, the rarest commodity is something that feels like an authentic, meaningful experience. Cuisines that come from poor areas carry that sense of authenticity with them and can charge appropriately.
I don't think you can assume that pricing model will work well outside of a few places like Portland, SF, NYC, Seattle, LA. People that aren't wealthy enough such that they do care about food prices aren't going to pay extra because a brisket is served on a just-so-cute-and-"real" metal tray.
Food carts in Portland are extremely informal and very much a thing for everyday people, including people with low incomes by local standards. In fact it's one of the main drivers of their popularity here.
It's not a matter of wealthy people adopting "poor people's food" as a novelty. It's just good food no matter your situation in life. Matt is charging on the higher end, and a complete meal is still under $20. The best burger in my area is a double bacon cheese for $4.50 that uses really quality ingredients.
I've talked with customers at Matt's that live out in the country and make an hour plus drive to come by every once in a while.
People do value authenticity in my town. The big corporate chain restaurants are a lot more sparse here, exactly because the local places are just as cheap, far higher quality, locally owned, and using local ingredients, etc.
The genesis of the food cart scene here was the city has some smart policies about making it affordable to start these businesses. Many people who dream of someday having a restaurant start out this way. You can make a serious shot at it with just $50k or so, which is tiny even by small business capital standards. They price their food accordingly.
It's true this place is getting more expensive, but I assure you, if you go out to any of the pods, you'll see a roughly even mix of people who are middle class, and young people that probably make barely enough to cover rent at a service industry job. Everyone will be hanging out, friendly and chatting.
Please don't project your own assumptions onto this scene if you've not been there. This town is pretty grossly misrepresented by a wide swath of media.
That price point is not outlandish. That foodtruck would probably be just as successful setting up outside of bars in Cleveland even. What I've noticed as an adult now visiting friends in various places, high cost of living low cost of living, is food and drink are basically the same exact price. Pints of beer from $6-9 or so. Entrees $12-16 or so. Everywhere in the country has settled at this median pricepoint, no matter what the cuisine.
Is it possible to purchase the cuts in advance and store them frozen or does that noticeably affect the quality? Seems straightforward to throw some cuts in a deep freezer to smooth out supply costs. I do that on the small scale at home though obviously the capital costs would be proportionally larger at scale.
That's exactly what I did starting about a month ago - I've got enough on hand to last about a month (most of that is committed to catering jobs that already have a set price - so my forecasting is much easier but if I didn't lock in the price I would have to eat the difference).
As long as they are safely handled I've found no quality difference at all when freezing stuff that is cryo-vaced. More often than not it has already been frozen at least once before it gets to me.
I don't ever sell anything that has been re-heated after cooking though. You can also do that with little to no quality loss but I try to position myself as a premium brand so everything is 'cooked to order'. There are also a lot more food safety concerns (cooling it fast enough, re-heating it fast enough, etc.) that I don't want to worry about. I vacuum seal cooked BBQ at home and it's just as good as fresh but you can't do that in a commercial setting without special permits that aren't available to food trucks (at least not in my area).
> I don't reheat/re-use leftovers. ... any unsold product is now a higher loss.
Perfectly good BBQ meat from yesterday! Coming from the USSR/Russia with its food shortages in the 198x and first half of the 199x, I still kind of mentally shudder reading such things even after 21 years of living here.
It’s not waste in that it goes into the trash - it’s just a sunk cost that I’ll never recoup. Anything left over I keep for myself, give to friends/family, or donate (which is actually more difficult than you would expect since it is perishable).
I’m only open once or twice a week so secondary uses (beans, chili, etc) unfortunately don’t work for me.
That's because lobster roll customers are rich yuppies. BBQ is for poor people who cannot afford good cuts of meat so they resort to pulverizing bad cuts of meat with smoke heat and sauce.
Yup, there is craft everything now. For example, macaroni and cheese. To me, that will always be the poor folk food of my youth, even though my friends rave about eating it at fine dining establishments. I'm sure soon we'll have artisanal sloppy joes as well -- why not, with high quality ingredients and a creative chef, you can make any dish interesting.
You're exactly right that BBQ is popular and that's why BBQ is getting worse. I know I sound like a salty hipster but bear with me for a moment. There's some "show me the incentives I'll show you the outcome" reasoning behind my opinion.
When a thing becomes trendy among moneyed demographics there is now stupid money to be made selling a caricature of that thing to people with too much money. BBQ is one of those things becoming just another experience for yuppies to talk about in the break room on Mondays. When you're running a BBQ joint you're not selling meat cooked in a particular style, you're selling an experience. People don't care about whether your BBQ is a career long refinement of what grandma made. They care about whether it's something they can brag about. They're looking for an experience and if you want to stay in business you're gonna sell it to them. It's not about doing your thing well, it's about presentation and show. Many of the people running these restaurants hate bastardizing their craft and leaning into an image/stereotype like this but it's what pays the bills.
Maybe I'm just jaded from growing up in a tourism economy but money uncritically thrown at something tends to ruin it.
When I go looking for a restaurant I go for <censored>, <censored> and <censored>, because those three genres aren't trendy right now and any business specializing in them has to succeed on its own merits, it can't just print money by looking the part.
Fortunately, BBQ in particular is one of those cuisines that with close attention to detail and some hours spent researching on the Net, you as an individual can turn out a brisket that, if not as good as say Snow's or Franklin, is more than Good Enough for an extremely satisfying experience when done with some friends and family as a group effort. One of the glories of our current age is this outcome can be reproduced with many if not all other cuisines and dishes.
No less a pit master than Aaron Franklin will tell anyone who cares to listen that they individually can absolutely turn out a brisket that is equal to or better than what he serves up at his eponymous restaurant. He takes pains to point out it only takes caring attention to detail to that single brisket, which is why I think I run into a greater proportion of BBQ enthusiasts in hacker circles compared to my other communities when categorized by interests. He freely admits his and other pit masters' "secret sauce" lies in how they scale it up and keep it close to what they produce when they are making only one brisket at home for family and friends.
I generally consider BBQ competitions overblown affairs that are arguing how many angels can dance on the head of a pin. To me, after a certain point it is quite good enough, and any further optimization for "better" doesn't pass my personal cost-benefit filter, and I'd rather spend the cognitive effort on my dining companions.
It is either that, or I possess a philistine palate. The latter is quite possible because I hold a similar opinion of many of the fine dining establishments I've eaten at, from quite fine kaiseki, omakase, Chinese, Michelin-starred French, various fusions, steak, and other restaurants, some with pretty eye-popping per-diner prices. That's mostly because I believe that we're at the nascent, fragile stages of achieving post-scarcity (by no means assured, and still many generations away), and part of that journey involves the elevation of increasingly finer experiences (perhaps some requiring ever-greater cognitive effort to appreciate that I'm not aware of) to a mass market.
Brisket prices have been going up for quite a while now, not least since the pandemic started. This event is likely going to be a blip. That said, typically one of the ways to hedge against volatile prices is through forward contracts. If you have a float, have you thought about pre-paying for brisket to get a discount? I only mention this because I remember reading a story told by Nick Kokonas, who co-owns Alinea, a famous 3 Michelin starred restaurant in Chicago. When he discovered he had a float, he decided to pre-pay his vendors instead of taking net 120 and in the process got a 50% discount on beef. (because pre-paying improved his vendor's cashflow and reduced their risk, they passed it back to him in the form of savings)
"Food costs money. But the way that everyone (in the F&B industry) looks at food costs, and paying for food is very weird. When COVID started, every famous chef that went on TV said, “This is the kind of business where this week’s revenues pay for bills from a month ago.” So when we started to bring in money from deposits and prepaid reservations, I suddenly looked and we had a bank account that had a couple million dollars in it — of forward money
"I started calling up some of our big vendors for the big, expensive items — like proteins: meat, fish; luxury items: like caviar, foie gras, wine and liquor, and I said, “I don’t want net-120 anymore, I want to prepay you for the next three months.” And they had never had that kind of a phone call from a restaurant before.
So how much should they discount it? So let’s say we’re going to buy steaks. We’re going to pay $34 a pound wholesale for dry aged rib-eye, we get net-120 (normally). So I call the guy and say “I’m going to use 400 pounds of your beef a week for the next 4 months, for our menu, which is about $300,000 of beef, what (would) we get, if we prepay you?” And he was like “what do you mean?” I’m like “I want to write you a check tomorrow for all of it, for four months.” And he was like, “Well, no one has ever said that.” So he called me the next day, he said “$18 a pound” … so … half. Half price.
I went, “I’ll pay you $20 if you tell me why.” And he said, “Well, it’s very simple. I have to slaughter the cows, then I put the beef to dry. For the first 35 days I can sell it. After 35 days there’s only a handful of places that would buy it, after 60 days, I sell it $1 a pound for dog food.” So his waste on the slaughter, and these animals’ lives, and the ethics of all of that, are because of net-120! Seems like someone should have figured this out! As soon as he said that, everything clicked, and I went “We need to call every one of our vendors, every time, and say that we will prepay them.”
Prices had come back down to pre-pandemic levels up until about a month ago. Nationwide easing of restrictions has increased demand faster than the supply chain has been able to keep up.
That is an excellent idea (having more than just a transactional relationship with you food vendor is a good idea in general) but my volume is way too low to have that type of leverage. The best I can do (and fortunately what I did when I saw the prices increasing) is pre-buy and freeze as much as I can to lock in the then-current pricing. Right now food supplies aren't even able to fill many wholesale orders because they don't have enough supply so I'm not sure pre-paying would help if they can't even get the product. For example one major vendor has changed their order cutoff time from 11PM to 5PM so they can spend that extra time allocating their available stock across all the orders because they don't have enough for everyone.
BBQ is my side hustle so I'll be ok either way - but if I was paying my mortgage via food service I would be a lot more concerned.
Yes, a supply crunch does make it difficult to execute on these types of strategies. And you're certainly right that having a relationship with your suppliers is often advantageous -- very often, including upstream parties in one's system boundaries increases one's surface area for cost optimization.
Also, just thinking aloud, during normal times, if you happen to know other hobbyist BBQ folks, I'm wondering if there might be opportunities to enter into an informal group-buying situation where you pool your collective brisket demand and bulk buy at a discount. That wouldn't work right now but perhaps it might during normal times. There are websites based around this idea. Best of luck.
It would be very interesting to see a followup report from Nick on what happened with COVID. Did they refund those customers who pre-paid for dinners that couldn't happen? Were they left holding the bag for the dry-aged ribeye that they then couldn't sell? I would love to hear the story.
I don't have the full story on what happened to the tickets and the dry aged beef, but on several podcasts, Kokonas talked about how they pivoted hard to takeout and actually did some of their best sales during COVID than at any other time.
I think you have a well-reasoned, thoughtful post here, but perhaps the person who operates a BBQ food truck might not be the best positioned to take futures contracts out on brisket?
Also, aren't forward contracts by definition unsecured as compared to a futures market?? If the supplier genuinely doesn't have supply or goes out of business, you've lost your money, right?
You can contract around anything, including penalty clauses. But yes if there isn't any X to be had, your agreement to take delivery isn't really helpful today.
Quite right, it's just the seed of an idea. As for scale, that can be achieved through pooling (i.e. group buys), though it wouldn't work right now due to supply constraints.
A lot of folks work like mad in tech to build up a small nest egg and then go pursue a passion. Starting with a food truck is a great way to suss out and ease into eventually owning and running restaurants. It's like the MVP of a cuisine/restaurant idea.
I still have my tech job and don’t plan on going full BBQ anytime soon. I do it enough that it keeps me busy but I can always say no to a catering job or event so it’s still enjoyable and not a chore.
The right opportunity would have to come along for me to jump onto the restaurant world. It’s definitely something I’ve looked into but one thing I have learned is that the BBQ is the easy part of running a BBQ business - it’s everything else that is tricky. Right now I don’t have to worry about employees, rent, etc. so someone with those strengths would have to make a pretty good pitch to get me to open a restaurant.
The short answer is BBQ is “hobbies gone wild” for me.
My “9-5” is in IT and that’s what pays the bills, but BBQ is my passion.
I’ve been doing BBQ professionally for 10+ years. It started out just doing some small catering jobs and has grown from there. Through BBQ I’ve been able to do lots of cool stuff that I would have never imagined when I started. I was heavily involved in competition BBQ for several years and through that I’ve worked with several big brands. Currently I’m focused on my food truck and rub and sauce products. I’ve also done several BBQ classes and hope that as we turn the corner on COVID I can start that up again soon.
Growing a passion into one that makes money isn't rare. One of the optical engineers I work with is a master brewer at a local brewpub, working on recipes evenings and weekends, after decades of home-brewing. He does his side gig because he wanted to go bigger, meet more experienced people and try new things.
The cyberattack and the fact that one company had 20% of the country's beef processing capacity. A more distributed economy with smaller operators means fewer, less valuable targets for piracy, as well as more supply chain resilience when one company is taken offline.
This is one of the intractable problems of human society. There is no optimal solution:
Consolidation gives you consistency, network effects, and economies of scale. But it also gives you monocultures, stagnation, and overfitting.
Heterogeneity and competition gives you incentives to optimize, innovation, and robustness. But it also gives you redundancy, knowledge loss, and inefficiency.
Technically there probably is an optimal solution, if you decide on a system for valuing each of those positives/negatives. Once you manage that, there's almost certainly a point on the curve that gives you the highest total value. And yes, it is probably impossible to be objective here, but a subjective optimal solution can be helpful too.
And I'd argue that we have chosen such an optimal solution, where robustness is given a low weighting, and now we are experiencing a predicted downtime event. The cost of this event is spread across the whole economy, and the executives (in industry and govt) who made the decisions which led to this will experience no downside personally. Executives at rivals who have just as bad an IT problem will receive bonuses.
Essentially, we have a very weak correction incentive. Until capable hackers are endemic and ransomware hits everyone, there is little likelihood of change. Next week it could be RJR Nabisco, or Synnex/TurboTax/DuPont, or just 10,000 variants of {tiny $20m company that makes software for auditing sewerage pipe and is used by 370 of the 3000 counties in the US, and every client gets the DB corrupted}.
I think we are constantly tweaking things over time.
For much of human history, consolidation was natural but the relative simplicity of technology kept barriers to entry low which enabled competition and new entrants. Also, poorer logistics and transportation meant you had many smaller semi-independent markets instead of fewer monolithic ones.
Industrialization and powered transportation upended that and gave a lot of power to consolidation. That led to the era of robber barons.
That power concentration was so bad for society that eventually the labor and antitrust movements came around to somewhat correct it.
I think now we're seeing another oscillation. Software creates huge network effects and economies of scale. If a business writes a single program once, they can run it on as many servers or sell it to as many users as possible. Services that let users interact benefit exponentially from network effects. AI generates a lot of value, but requires extremely large datasets that only the largest corporations have access to.
We are essentially in the era of digital robber barons right now. Six of the top ten richest people in the world according to Forbes got there through software. (Arguably seven if you consider Musk's wealth to be software-driven.)
We are clearly nowhere near the optimal point on the consolidation continuum. With luck, we'll get something like an "information labor movement" and more teeth in our antitrust regulation to correct that.
Sure, there is an optimal meta-solution if you're able to define which set of trade-offs represent a "winning" solution.
But that's different from other problems where you can simply try to optimize the result itself directly. For example, we probably don't need to have hard discussions of trade-offs when it comes to, I don't know, infant mortality. There's almost no upside to babies dying (assuming you aren't heartless enough to consider less overpopulation to be an "upside").
But with business size, there are many desirable factors and improving any of them reduces another directly opposed but also desirable factor.
Competition is good. Cooperation is also good. Increasing one by definition lowers the other.
I disagree. I prefer the variety of different stores. I prefer the unique floor plans, esthetics, and in house products. I don’t like having Walmart, Target, Dunkin, and Starbucks in every city I go to. I may be near poor but I go out of my way to avoid big box stores whenever and wherever I can. I like stores that have been run by the same owner or manager for decades. I’ve seen multiple local shops balloon into chains and in every single case their service, product quality, and in store experience got markedly worse. If I’m going to support Big Box Store then I’m going to nickel and dime every transaction I make with them because that’s how they treat me, their customer. Take the personality out of the experience and all that’s left is the transaction, no loyalty, no good feelings, just the exchange of cash for product. No amount of Twitter wokeisms, virtue signaling, or advertising will replace their dehumanization.
A few years back, Maersk went down for almost a week due to encryption-type malware.[1] Things happen slowly enough in sea shipping that the impacts were mostly to Maersk itself. It cost them about US$330 million.
But the lack of backups is just a symptom. From the article:
In 2016, one group of IT executives had pushed for a preemptive security redesign of Maersk’s entire global network. They called attention to Maersk’s less-than-perfect software patching, outdated operating systems, and above all insufficient network segmentation. That last vulnerability in particular, they warned, could allow malware with access to one part of the network to spread wildly beyond its initial foothold, exactly as NotPetya would the next year.
The security revamp was green-lit and budgeted. But its success was never made a so-called key performance indicator for Maersk’s most senior IT overseers, so implementing it wouldn’t contribute to their bonuses. They never carried the security makeover forward.
And higher prices. I'm all for the smaller distributed suppliers, but let's remember that scale makes things cheaper/easier and there's a reason companies join up. Your local delivery organised between a few farms will be beaten on price by JBS.
That can be true, but it's also massively oversimplified. Efficiency is usually overrated - lower prices come from cutting labor costs and product/service quality. In some cases, combination doesn't wind up lowering prices for the customer in the long run. Once market power is sufficiently concentrated, pricing power gets shifted to the suppliers and distributors, so prices can be raised back up to increase margins.
The local delivery may lose on end price, but they also provide a ton of structural benefits. Usually the cost savings to the customer are pretty marginal compared to what has been given up.
> as hackers increasingly target critical infrastructure.
Many attacks aren't truly targeted, they're blanket ransomware attacks trying to hit any entity they can.
Also, meat packing isn't critical infrastructure. It's important, sure, but nobody is going to die if they don't get meat. Food overall, yes, but meat is a luxury good.
As if there's a scarcity of food in the US so that missing out on calories from meat could not very easily be substituted. Incidentally that would also result in a diet commonly regarded as healthier.
To satisfy our consumption of beef using grass-fed grazing, we'd need surface area of like 2.5x of earth just dedicated to that. Most beef is not grazing, it's kept in intensive farms and being fed factory produced feed, made with lower quality crops, i.e. corn and some processing by-products.
But most meat is not beef, it's chicken and pigs, and they can't digest cellulose - they eat the same stuff we do.
So for 95% of meat, the OP is correct, it is a luxury and a strain on our food system, with a giant carbon footprint.
I imagine some grazing land could be converted, but I do think most of it is used for grazing because that's about all it's good for. My family used to graze a small herd on land that could /almost/ be used to grow grain (with lots of chemical help), but definitely not vegetables.
Maybe worth mentioning that poultry feed is grains and "mostly" edible in theory (though maybe not in today's practice), and poultry is the largest segment of meat in the US?
Also relevant are that per-capita meat consumption in the US has gone up dramatically in the last 50 years, and so has the average caloric intake. Looking at history, it seems like we have room to downsize some, right?
> poultry feed is grains and "mostly" edible in theory
Yeah, some of them definitely. We fed our chickens a fair bit of wheat, which of course makes good bread. Plenty of field corn too, which... I guess if you like corn chips as much as I do... okay! Poultry and eggs might be better for you than loading up on grains though.
> per-capita meat consumption in the US has gone up dramatically in the last 50 years, and so has the average caloric intake
Perhaps as little as double those fifty years ago it would have been unthinkable that even the poorest among us could be troubled by obesity. We live in an age of riches and I guess we're still figuring out how that works. What a problem to have, though!
> it seems like we have room to downsize some, right?
This is perhaps the most amusingly uncontroversial thing I've read on the Internet lately. Thank you
You're talking about long-term effects, which are true. But that meat waiting to be distributed is already there. If the deliveries disappear for a few days/weeks, you don't suddenly get extra plants to distribute in that timeframe.
True. Yeah I thought the whole sub-thread here was talking about long-term effects, not a short-term one-time gap of unused supply. The top comment was talking about the general necessity of meat to our economy, right?
Well general and specific, and short- and long-term, are orthogonal. Oil is also generally necessary in the US economy in the short-term, if (conceivably) not in the long-term. On the other hand electricity is not necessary in the short-term specifically to aluminum foundries, but in the long-term it is (or the crucibles solidify).
Sure agreed. I'm perhaps not understanding what part of the above that this distinction clarifies. Sudden loss of oil would bring the entire economy to a halt and certainly result in mass loss of life. Sudden loss of human edible meat would no doubt be a major blow and an enormous waste, but would not generally result in a lot of people dying or stop the economy. It would certainly bankrupt and cripple the operations of meat farmers, but loss of oil would bankrupt and cripple all farmers, and all transportation and distribution of food.
Are there a lot of calories in meat? I always looked at meat by itself as pretty lean.
By volume I think there are quite a few types of food that are richer in calories, and a lot of times meats are rich due to how they are prepared (fried, or drenched in butter, etc.)
Depends on how lean the meat and how dense the fat but generally only processed foods (like bread) are more calorie dense than meat. Protein and sugar (carbs) provide 4 kcal per gram while fat provides 9 kcal per gram and our gastrointestinal tracts are better adapted to carnivorous than herbivorous diets (compared to, say, cows or rabbits). We're simply unable to digest a lot of the mass in fruits and vegetables like the insoluble fiber and animal husbandry's purpose is to convert that material to edible food - it'd be pretty pointless if it wasn't more calorie dense.
Yes, there are a lot of calories in meat, even without additions. See below for calories in 100g of common foods. The only things that are more calorie dense than meat are primarily composed of sugar or fat.
This is like saying "nobody is going to die from making 10% less money". In a sort of literal sense it's true, but in a more useful sense it's going to increase mortality at the margins (via nutritional deficiency, in this case). Meat is a luxury in the same way that bathing water or enough sleep is a luxury.
Bad news - you’re getting your nutritional info from pop-scientism BS. There is no rational health-based framework where the median person should eat less meat. Fewer Slim Jims, maybe.
Forgive me if these are dumb questions because I'm a programmer not a network engineer, but why are companies exposing critical information and systems to the global internet? Surely there must be a market for a physically separate and secure private network. Why in 2021 hasn't the email attachment problem been solved? Surely we can sandbox email attachments as the default and only move them out of the sandbox when the consequences of opening them are known. Why are we allowing large sums in the millions to be transferred around the world without giving law enforcement the ability to intercede?
> Why are we allowing large sums in the millions to be transferred around the world without giving law enforcement the ability to intercede?
I agree with the rest of your comment but this strikes me as a strange question. Programmers if anyone should realize that you can't always 100% selectively give "good guys" access to something easily without also opening up potential weaknesses for "bad guys". Especially when it comes to large transfers or other essential information, it has to be secure and private for the participants and the participants only.
My last question came in response to recent criticism of cryptocurrency here: https://twitter.com/Pinboard/status/1399058952336277505 and similar. As someone pointed out, ransomware payments in the millions can't happen without crypto. Banks would stop the electronic payments and cash would require suitcases.
Alright, but still. The ability for some party to block or stop a transfer would make cryptocurrencies not be cryptocurrencies anymore. The topmost reason cryptocurrencies exist in the first place and the reason they are built the way they are built is precisely to have the feature of "unstoppable transfers". Change that and you might as well use banks as we already have "electronic cash". Using that as an argument against cryptocurrencies is a bit like using "but the water irrigation system is using water" as an argument against irrigation systems, it's the main point of using it in the first place.
We can't add selective control to allow just government agencies to stop cryptocurrency transfers, it'll eventually be used by others, one way or another. The only way of stopping anyone from being able to straight up manipulate the chain is to disallow anyone to manipulate the chain.
That's really something totally different. That fraud is basically tricking people into sending money where it doesn't belong. Ransomware wouldn't be possible with wires.
To get over the hump, there’s a large amount of cost center and infra spending, and then basically exclusive focus on tech debt-like activities for a few quarters to get everything in place. If the cost was manageable, imagine being on the receiving end of the attitudes you, or hopefully not you but some of your coworkers put towards helping implement these changes as the infra fixes cross so many departments.
That's, snark aside, just a candid take.
If it was fixable like that, the other issue is IoT doesn’t really have a standard platform to build on that’s secure. The equipment leaves a factory in Shenzhen and like who is patch managing that? The producer in China? That activity goes on behind the scenes at a company by a security team.
Good news is MSFT and AWS are starting to deploy COTS IoT operating systems to help fix.
So: crazy tech debt to fix, hard patch/support problems, and then (unmentioned) is ICS pay for security engineers is about half of market, so talent problems abound.
I don't think the former would be even in the upper-tier of reasons. This company would be a great example of one not considering themselves a likely target though!
That's actually a bit more common than people know; a lot of infrastructure has access via modem over the phone network. While that's realistically not been a valid application for web browsing for a long time now, it's certainly a valid way to get a command line interface to equipment without exposing it to an unending stream of free security audits.
That isn't, of course, to say that there shouldn't be precautions regardless. But it's not the internet, and it lets you transmit information at a distance.
First you scope out attack surface. If you can physically penetrate security there are all manner of attacks you can accomplish and connectivity you are able to achieve. You might go to a search engine like Shodan (https://www.shodan.io/) and discover some internet exposure that is attackable. You might find e-mails and start phishing/landing trojans. You might be able to execute a supply chain attack (à la SolarWinds). You might be able to compromise an employee. After you compromise the corp network you might figure out how to escalate into the infra network.
Now you are a company. You have limited resources. Security is not your business. Security is only a "cost." Tech isn't your main business so you need to hire a security minded person without a strong ability to vet them. That security person needs to scope the attack-able surface, model the above risks and more, and implement preventive measures. That person will probably be hired well after infrastructure is already established. That person will have to justify the potentially large resource expenditures involved in solving problems and hiring more security engineers. That person will be a very limited resource and therefore very expensive since our universities don't pump out a lot of security experts. This person will probably have a market rate of well over 300k a year. That person's competence will likely directly correlate to time spent in industry, so new grads probably wouldn't cut it. Maybe you decide to see if companies will sell you solutions to this problem. How do you separate those selling security theater from those who will legitimately solve your security problem?
So, if you are the business owner at what point do you decide, "wow, we need to spend a lot of resources (time, attention, and money) on security." After some number of employees? After some dollar cost in business? After some position in industry? When a competitor is breached? Unfortunately the de facto answer appears to be after the first major [embarrassing] incident.
Imagine you appear to have had impeccable security and are spending 10 million a year for it. How do you know you are making good on your investment? How do you know 5 mil isn't good enough? How do you know you haven't already been deeply breached by a very competent APT?
Unfortunately, the reason we haven't solved the tech problem is that it is an arms race. This stops the problem from fundamentally being a tech problem, but instead a problem of incentives.
Taxing poor security via government run pen tests with fines (forced bug bounty) that grow with the number of vulnerabilities found is a system that might change incentives. Indemnification for (maybe only accredited) white hats might change incentives. Regulating all companies to be part of a bug bounty program might change incentives. Legally requiring breach insurance might change incentives. Alternatively there are probably small fortunes to be made by the first entity able to solve corp net as an economies of scale problem (AWS for corpnet).
To answer your question directly. We currently have a system where the average business owner is either uninformed, ignorant, or has calculated cost to be greater than risk, resulting in lower resource expenditure than required to solve these technical problems resulting in poor security that directly puts national security at risk.
Overly dramatic and inaccurate as far as I can tell.
Something like a contagion introduced into the facility might warrant a "Wiped Out" description but "Production Paused" seems more accurate and informative.
Almost every concrete way to manifest "building a business focused internet" is something that the businesses can already do, today. They aren't doing it.
It doesn't do any good if your secretary needs access to the "business focused internet" and also has to get mail from the "normal" internet. The transitive nature of networks makes things very hard to isolate in practice. People and businesses are going to have to accept a lot more inconvenience to isolate things better, and that inconvenience is real money, too.
The problem is you end up with yet another manifestation of a common business problem; if you take the time and money to build a secure business, that carefully isolates everything correctly, that hires good security engineers, that accepts higher costs of doing business, you'll be in a position to handle a cyberpocalypse better than your competitors and you will reap the benefits when that day comes. The problem is, you'll never survive to see that day come because you'll have been utterly outcompeted by your competition that cut corners and carelessly, but effectively, integrated their systems, and over-optimized their internal systems to function more cheaply day-by-day. You may have taken the time to build on the rock while they threw shacks up on the sand but they end up killing you before the storm comes.
All true, and I think the solution is even harder than that. That is, even the best-intentioned and well-resourced companies would face severe headwinds in trying to "build [or rebuild] on the rock".
A lot of these businesses have been around for decades and are working on mountains of technical debt. They built ad-hoc systems over the years (before security was "a thing"), employ tenuously-functioning integrations with acquired company systems and more. To make matters worse, much of the technical knowledge has walked out of the door over the years.
In my consulting days it wasn't unusual to find that no one in a company really understood how systems worked (or even why). And, in some cases, they actually didn't work. I've seen billing systems that were unpredictable and relied on customers to call to report billing errors. Not a single person in the company even understood how it was supposed to work.
And, these were sizable companies. Agile has only exacerbated these issues as more software is built more quickly and with scant documentation.
All of that to say that it's difficult enough for many companies to build functioning software, let alone to secure it. And, the number of people who truly understand what it takes to secure networks/software is tiny relative to demand for engineers.
Throw in OSS, zero-days, social engineering attacks, etc. and it starts to become clear that any realistic solution includes a regime of deterrence through aggressive responses at the nation-state level. Sure, we should require companies to do more to secure their networks/systems, educate on best practices, etc. But, it's easy to issue an off-handed "they should've been more secure" response. The reality is that many companies simply aren't. We need to appreciate the difficulty and the protracted timeline over which any hardening might happen (if at all), and deploy a multi-faceted approach that also treats the problem as the national security issue it represents.
The first step is reliable backups. Preferably to write-once media. And both onsite and offsite. Hard backups aren't expensive.
Not of everything. Just the important stuff. Maybe a snapshot of the whole business once a month in addition to transaction backups.
Any business doing financial transactions should be backing them up to something like Blu-Ray disks. Preferably the blanks with the 1000-year lifetime. US banks are already required to do something like that, by the FDIC.
For one thing backups are no use if you do not test them. How often are you going to bring your systems down to test restoring from backup? If you do not, how do you know they work?
Also, even provided you have known-good backups from the time before an attack occurred: restore takes time, for a whole-company restore on the order of several weeks to several months. Can your business survive that long without doing anything?
Okay, let's assume that you have a bunch of Blu-ray disks with backups of your databases - for a round number suitable for some enterprise, let's assume a hundred separate systems, but you want to restore just the important stuff, so a dozen of them. How do you do that if all your infrastructure is toast? Also, how do you restore a cluster of interconnected systems from different vendors? I mean, all of that is done, but it's far from easy or trivial, and if you're not properly prepared, backups alone aren't enough as it'll take a lot of time and work until you have the systems functional and properly interconnected so that you can restore the data to them.
Those systems aren't simply deployable overnight, and I would presume that for at least half of these systems the enterprise never ever had the capability to deploy them; the initial install and configuration was done by a combination of vendor engineers and outside consultants and took six or more months. Sure, you'll recover the data eventually, but you'd rather pay a ransom to avoid as much downtime.
A "business focused internet" is a security measure.
That sounds a lot like "do not connect one's valuable and vulnerable machines to the open internet" which is something one should already be doing in the first place and one can and should be doing it right now with the current internet we have.
Business-focused? How should that do anything about security? Do you want to charge an entry fee that evil people cannot afford? Or just label it "serious business only"? Have things audited somehow? I don't think any of that would do any good.
Honestly, "business-focused" decisions like cost-center accounting, and various schemes to save money, are really how we got into this mess. A lot of our appalling lack of computer security basically comes from the equivalent of a hospital administration refusing to allow surgeons the time to wash their hands.
As "reductio ad absurdum" of a metaphor as that seems, that was actually the huge culture battle that got fought when germ theory came out - tons of medical practices refused to waste time on such "silliness". Over time it became a cultural norm, and then became a protected practice through professional guilds, and through law, so that even if hospital administrators push for surgeons to hurry up and fit more patients into a day (and they do), their prerogative to take their time and do it right is institutionally protected.
> Then respond with force, arresting people, targeting however you can.
Yeah that's a nice fantasy. "Hands up, Russky bastards, the Navy Seal Bin Laden crew is here to take you out." Shoots up a row of laptops while bearded Russian hackers cower in fear.
Except for that to happen the Seals would have to have reliable intel from inside an uncooperative foreign state, and the ability to move freely, carrying guns, in that foreign state; and if they raided in it without permission, that would be an act of war.
Oh, so Russia is the root of all evil again. Without a single piece of evidence. How convenient!
Thank god we have nuclear weapons, otherwise we'd definitely experience another incursion like Iraq or Afghanistan, that were made under absurd pretexts and only led to great numbers of civilian casualties and some economic gain for the US and/or US government officials tied to the military complex.
See Matt Levine's 10 laws of insider trading. In particular, "5. Don’t do it by planting bombs at a company and shorting its stock." Somebody nicely put a non-paywall link here: https://github.com/0xNF/lawsofinsidertrading.com
Buying puts in this fashion will generally be a remarkable, traceable event. There's a reason ransoms typically go through cryptocurrency.
It's generally not illegal to pay ransom, though with ransomware you have the issue that the recipients may be subject to US sanctions and it could be illegal to send them money on those grounds.
"The U.S. needs to make it illegal to pay ransom."
Ugh. So you get attacked through some old wordpress install, freak out to get your company online, pay, now you also go to jail for paying a ransom. Not a fan of this plan.
Or identify certain specific "hacks" and set up a bounty program. If you can gain root access by guessing the CEO's password, he should be punished not you.
Edit: doubly so if the company in question is part of important infrastructure (including food supply).
Even with backups we've seen companies are more than willing to pay a modest ransom, like the pipeline last month. It takes a long time to fully restore big infrastructure from backup--especially if it's something like old tapes.
But yeah, companies should stop viewing security and IT as a cost center and start paying up for good penetration testing every few years.
The US needs to make it illegal to have private data left in a database without a password (hello Equifax), or on an old machine with an obsolete OS with known vulnerabilities.
Or to sell routers, wifi printers, cameras and smart TVs with known security flaws, and to leave it without updates.
Then respond with force, arresting people, targeting however you can.
If those countries take away the legal system route of extradition for attacks on critical infrastructure, then in my mind it's justifiable to go the Batman style of extradition with a special forces team.
Fixing infrastructure won't get done because the people in charge are too stupid, lazy and greedy to fix it. Most of them are so wealthy they're completely insulated from the consequences of their actions (or inaction, as the case may be). Folks need to wake up and realize they're living in a global public-private idiocracy.
It's interesting to compare this to the physical-world analog. What if somebody shows up at the US-Canada border, starts shooting rockets at Canada, and the US refuses to acknowledge this as a crime or extradite? What if the rockets are aimed at a critical piece of infrastructure near the border and can cause billions in damage? One could argue that if the US condones these attacks, they have effectively already declared war on Canada.
Well that's the main issue, currently the states do not consider such cyberattacks the equivalent of sending troops or rockets across the border that justify a "kinetic" response but rather the equivalent of earlier espionage activities which usually justifies only a diplomatic response. Of course, that might change in the future.
More like, don’t harbor or foster attacks on critical infrastructure or we will take action to bring those that do to justice. At what point do those actions by other countries become acts of war?
Ransom is actually quite efficient (in a utilitarian sense) in scenarios like this. The net long-term result is an efficient allocation of resources towards computer security.
A couple of jobs back, there was a day when our app stopped working. After poking around in the database a little bit I found out that most of our data had been deleted and replaced with a ransom demand including the address of a bitcoin wallet.
After a few minutes of ineffectually pondering the occurrence, we restored our latest database backup which was maybe half a day old and then beefed up our passwords and network security. The ransom note went straight into the trash.
So I wonder, does "ransomware" refer simply to an attack like the one I experienced or something more sophisticated. Do all these companies just not have secure backups?
Hackers are laughing at the idea of concentrating large amounts of the economy at a single company. The whole internet will be coming to a halt once this can be replicated on at least one of the big web companies.
Today, I was finally able to incorporate the "Where's the beef!?!" catch-phrase into daily conversation! But, it just didn't land as funny as I was expecting in my mind.
Targeting politically important industries rather than strategically important ones (no price increases get people quite as fumed and likely to take to the streets as gasoline and meat price increases) is an interesting development in quasi-state-sponsored cybercrime.
Interesting. My third thought was “Huh, perhaps we’ll be eating less beef until the inevitable price shock and hoarding passes.”
(First thought was for the poor IT folks stuck in this mess and the second was remembering a sensitive machine that was open to all of AWS because the vendor’s servers “needed access to push frequent updates.” and “nobody has ever pushed back on that requirement before.”)
Klaus Schwab of the WEF “predicted” this a year ago [1]. Either the WEF and other NGOs are incredibly prescient on a number of unrelated issues, or we may be getting taken for a ride.
In the case of the pipeline disruption, it was reported that the USG disrupted the CCC of the ransomer and their crypto accounts were drained.
I wonder if a similar sort of reaction will happen here or if the attackers will move more quickly?
From a technical standpoint, why was JBS' backup chain a workable solution for JBS and not for the pipeline operator? Was it incompetence on the part of the attacker or just a better defense, or luck?
Although not a cyberattack it reminds me of the massive supply disruption and culling that occurred in the UK because of the mad cow disease.
There is still no clue as to why these disruptions happened but the educated guess mentioned in the article is ransomware. The one that is almost always forgotten is how they escalated privileges through compromised passwords because most of these organizations don’t use multi factor authentication everywhere.
Ransomware attacks were made more feasible (the ransom part) thanks to cryptocurrencies commoditizing low traceability for criminals. I'm pretty sure we're going to see more and more of them, especially with all "digital transformation" going on.
> Although not a cyberattack it reminds me of the massive supply disruption and culling that occurred in the UK because of the mad cow disease
Still a form of information warfare attack, perpetuated by none other than Neil Ferguson, operating in plain sight. If he was a hacker he would be in prison but he does incalculable damage again and again and gets away scot-free every time!
So this random article [0] I googled says it's ransomware.
Can that really be called an "attack" ?
JBS said:
> not aware of any evidence that any customer, supplier, or employee data has been compromised
So the "attackers" didn't steal anything. Give them the finger then, restore from backup, get upset about losing 25 minutes of data and keep going.
How are ransomware "attacks" still a thing? Why is any of the software that controls meat-cutting/oil pipeline hardware not air-gapped under normal operations? How is there no plan on how to continue operating when losing power, so that stuff still works?
One of these "attacks" pops up every three days and I get that if data is exfiltrated then the problem is not the same.
BUT
"someone encrypted all my data" and "oh shit, my hard drive crashed" have almost the exact same recovery plan and we have dedicated a complete international holiday called World Backup Day[1] over ten years ago to remind people of the principles of how that works that were known since at least when hard drives were invented.
It's not an attack, it's pure negligence.
It's not special IT SuperHighTechnologyKnowledge either. It's a simple principle:
Things need to exist in at least three places in case one of them breaks and the other explodes/tornadoes/earthquakes.
The slightly advanced corollary is:
Make sure that the thing in the three places is actually the thing that it should be.
... It's not like I do not understand how organizations fail at this, that, or the other, and maybe the tradeoffs here were made correctly, but it still boggles the mind.
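The two principles in the comment above (keep the data in three places, and make sure each copy is actually the thing it should be) are the part that ransomware recovery plans most often skip: copies exist, but nobody has checked that they are intact. As an added example, not code from the thread or from JBS, the script below writes a SHA-256 manifest of the primary copy and then checks each stored copy against it, reporting files that are missing, altered, or unexpected. The directory layout, file names and the simulated damage to one copy are all constructed for the demonstration.

```python
"""Verify that a backup copy actually matches the data it claims to protect.

Added example (not from the thread): a SHA-256 manifest of the primary copy is
written at backup time, then each stored copy is checked against it. Any file
that is missing, altered (e.g. encrypted by ransomware) or unexpected is
reported, so "we have three copies" becomes "we have three verified copies".
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    manifest: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def verify_copy(copy_root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare one stored copy against the manifest taken from the primary.

    Returns the relative paths that are missing from the copy, whose content
    differs from the manifest, or that exist in the copy but not in the manifest.
    """
    present = build_manifest(copy_root)
    return {
        "missing": sorted(p for p in manifest if p not in present),
        "changed": sorted(p for p in manifest if p in present and present[p] != manifest[p]),
        "extra": sorted(p for p in present if p not in manifest),
    }


def copy_is_good(report: Dict[str, List[str]]) -> bool:
    """A copy is trusted only when nothing is missing and nothing has changed."""
    return not report["missing"] and not report["changed"]


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Constructed scenario: a primary tree, one faithful copy and one damaged copy."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        primary = base / "primary"
        (primary / "orders").mkdir(parents=True)
        (primary / "orders" / "2021-06-01.csv").write_text("lot,head,weight\nA1,120,61000\n")
        (primary / "config.ini").write_text("[plant]\nline=3\n")

        manifest = build_manifest(primary)  # taken when the backup is made

        good_copy = base / "copy_offsite"
        shutil.copytree(primary, good_copy)

        bad_copy = base / "copy_nas"
        shutil.copytree(primary, bad_copy)
        # Simulate ransomware reaching the NAS copy: one file overwritten with
        # random bytes, another renamed so the original name is gone.
        (bad_copy / "orders" / "2021-06-01.csv").write_bytes(os.urandom(64))
        (bad_copy / "config.ini").rename(bad_copy / "config.ini.locked")

        return {
            "offsite": verify_copy(good_copy, manifest),
            "nas": verify_copy(bad_copy, manifest),
        }


if __name__ == "__main__":
    for name, report in demo().items():
        print(f"{name}: ok={copy_is_good(report)} {report}")
```

The manifest itself must live somewhere the ransomware cannot reach (an offline or append-only store), otherwise an attacker who can rewrite the copies can rewrite the hashes too; in practice the check is run on a schedule, and a copy that fails it is treated as no copy at all.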
It is cheaper to build a shoddy system out of the pre-made parts that software companies sell. A shiny very capable system can be built quickly, and cheaply.
To build a robust system, segmented, properly backed up, maintained professionally... costs a lot more.
To have staff on your payroll who understand your systems, who can maintain your systems and recover your systems in a disaster means having expensive professionals on the payroll who look like they are doing nothing.
When your whole business goes into a paralysis because of the costs you saved, there will be someone to blame. Some clerk in an office that "clicked on an attachment" - it is their fault....
Yes, it is cheaper in the long run to build robust, maintained systems. But in the long run we are all dead, and our bonuses will be paid before the catastrophe, and anyway it is "somebody else's fault".
I think a lot of the "cost savings" and "efficiency" of sticking everything on computers and putting them online would evaporate if it all had to be secured properly, even for fairly generous values of "properly".
It's always a weird phrase. A proper one would be "we have no records of data exfiltration, so we hope it didn't happen". Attackers had the access, otherwise the data wouldn't be encrypted.
> restore from backup, get upset about losing 25 minutes of data and keep going.
Unless you want to be owned again in 30 minutes, you need to first analyse how it happened the first time and how to mitigate it, before getting everything back online. That takes time.
> Why is any of the software that controls meat-cutting/oil pipeline hardware not air-gapped
None of those were affected. The pipeline hack took their billing system down, not the operations. I haven't seen the details here, but it's not like the meat saws and trucks just stopped - more likely the stock/communication/billing system was stopped as well.
> One of these "attacks" pops up every three days and I get that if data is exfiltrated then the problem is not the same.
Even exfiltration seems less dire in these recent cases than it would in other industries. If anything, beef carcasses seem less likely to require HIPAA or PCI compliance than gasoline deliveries...
They're probably using some insane piece of crap corporate management system written by a Fujitsu subsidiary or something. "Restore from backup" might not be something that's possible for them.
It is interesting how many companies end up paying $30M for pre-packaged garbage when they could get something a lot better by hiring a competent IT/developer for a few years at 10% of the cost. I think the biggest impediment is finding the small fraction of people who could actually pull it off; there's a huge opportunity there for anyone who can figure out how to connect top-tier devs to companies who just need to hire one person and don't have the domain expertise to know who/how to hire.
I seriously think one solution to this problem is for the US gov to start designating some of these gangs as something similar to enemies of the state and start taking military action against them. If there were serious repercussions for these actions, like serious jail time or even something more grave... then that changes the calculus for people running these gangs. At minimum, this shows the gov is taking this threat seriously.
EDIT: ok, bad idea, let's take it easy on my poor account :)
The entire computing apparatus of humanity ostensibly can’t figure out secure systems by default without fifty vigilant FAANGineers on hand to rewrite everything quarterly, and then spends the day after Memorial Day arguing for drone strikes and targeted assassinations against two-bit racketeering operations calling them on it to avoid fixing the actual problem. Video at 11.
Why not? $40 trillion dollars in weapons spending would easily save $10 billion dollars it would cost to hire security professionals on an annual salary to patch software and ensure that intrusion was more difficult.
This is exactly what they're doing now, they're just doing it with law enforcement agencies and not military. Military is honestly going to be worse at all of this, as they don't have the investigative capacity. This also ducks the very thorny political problems where Ukraine (never mind Russia!) is NOT going to allow US military involvement in domestic affairs, but does have agreements with Interpol that make this possible. Nobody wants extrajudicial military extraction squads acting on their turf.
I'm sure the various 3 letter agencies (NSA, CIA, etc) are already involved to a degree that's not publicly known.
There's a continuum of responses existing between "do nothing" and "drop missiles". For example, it'd probably be relatively easy for special forces to assassinate key personnel, even deep within enemy territory.
Do you really see nothing wrong with the US military carrying out assassinations of foreign nationals, in foreign territory, on behalf of private companies who can't be bothered to just invest in a decent security team?
The vast majority of participants on this forum work in an environment where the shelf of footguns and gotchas and stupid legacy cruft that is modern software development inherently makes sense. Anyone fucking that house of cards up gets attention not because of the state of modern software development that led them here, but because clearly something is wrong with the external world and that should be handled with cops or whatever the next step after that is. It is in no way an indictment of modern software as practiced, from toolchain on up.
Reminder: Memorial Day was yesterday and this thread is discussing killing human beings in yet another war because of holes in some stupid software that SV won’t lift a finger to fix. If you offer such a suggestion to fix the woes of vulnerable infrastructure, I’m assuming you’re volunteering to go pull the trigger, right? Or were you expecting someone else to do that for you?
Put down the assault keyboard and Clancy novel and get some perspective, subthread. Sheesh. Diddling around in the network of a company you didn’t know existed until five minutes ago is suddenly a capital offense because...Whoppers might run out?
You are absolutely right about the footguns, legacy cruft, and the joke-not-a-joke-it's-so-stupid that is modern web software development. That all needs to be fixed, and here at home.
However, it is also not merely about the Whoppers running out - this is just this morning's example.
When even major "security" vendors can be turned into serious NatSec attack vectors, and much more critical infrastructure can also be attacked with ease, and they are doing it, it becomes a bona-fide NatSec issue.
Like any other NatSec issue, this requires both serious hardening actions at home and serious threats against bad actors abroad. Whether that involves some kind of diplomacy, economic sanctions, targeted software attacks, targeted covert actions, or overt drone strikes is up to the experts in those domains, but we do need to treat this as the serious NatSec issue that it is.
On a planet with seven and a half billion people becoming more connected and tech-savvy every day, security by intimidation simply isn't a viable solution, or a meaningful component of a larger solution.
> On a planet with seven and a half billion people becoming more connected and tech-savvy every day, security by intimidation simply isn't a viable solution, or a meaningful component of a larger solution.
It absolutely is and must be a viable component. Those increasingly connected people are also increasingly vulnerable in real-world ways that go well beyond tech. And, it is near impossible to completely secure networks/systems with their near limitless attack surfaces.
Treating it as a game of cat and mouse in which you know the mouse will invariably lose with some regularity, then consigning yourself to ever playing the mouse is disastrous policy.
It is both. How many hackers from Russian & fmr Soviet countries attack within those countries?
Very few. So few that they literally encode checks for RUS language / keyboard installs and skip that machine, and doing such install is at least for now a legit security measure [1]. This isn't just from RUS legal structure and no extradition treaties, but their very intimidating response to anyone acting up internally (I've read of at least one instance where a hacker was found dead at his keyboard with missing hands). RUS security doesn't eff around, and we shouldn't either.
Many people will not play at the pointy end of the NatSec game because you are risking your life, and some do because of that. It is definitely a useful measure, among others, to make it known that trespassing with such intent on western computer systems is also getting you into that risk category.
>is suddenly a capital offense because...Whoppers might run out?
We know the stakes are much higher. We all know there have been attacks on hospitals, law enforcement systems, government agencies, infrastructure companies, etc. And, we know that none of us have a clue where the next attack will be.
>and stupid legacy cruft that is modern software development
Yes, modern software development is stupid, crufty and all of those things. But, these are actual attacks by actual actors, not some self-imploding poor designs. In many cases, these attacks are state-sanctioned, if not outright state-sponsored. So, of course they should be treated just as we treat other attacks. And, under what other scenario do we respond to an attack by declaring "Oh, you got us. We should have better protected that".
These are clear national security threats and should, accordingly, be subject to the full range of responses as any other threats. That includes deterrence. It doesn't necessarily mean dropping bombs. But, it does mean more than blaming ourselves.
>Diddling around in the network of a company you didn’t know existed until five minutes ago
I'd wager there are many companies that the average person has never heard of that, if knocked offline, would result in considerable disruption, economic costs, and even physical danger to a significant portion of the population.
The United States invaded a country under false pretenses and killed almost 300,000 of their civilians... is using a B2 with a laser guided bomb to blow up a team of hackers really all that bad?
At least companies that are paying a ransom should be condemned for financing criminal groups, because you can be certain that part of the ransom is used to grow their activities. If nobody was paying the ransom, there would be no interest in developing ransomware.
The United States' failing infrastructure, both physical and digital, will be its downfall.
How fragile are we as a nation if a group of profit motivated hackers can shut down oil pipelines and food production?
What happens when a hostile nation state or terror organization actually wants to do some damage and isn't interested in negotiating with insurance companies for a few BTC?
Maybe if the DHS was focused on actual threats instead of cosplaying as SS we would be prepared for what everyone knew was coming.
Now none of us will be able to buy beef for a month because a small contingent of reactionaries are going to stockpile. At least that's what happened when there were reports of meat processing plants getting shutdown by COVID. Not to mention the famous toilet paper debacle. I'd almost say we need a legal way to prevent hoarding during these fake shortages, because it's the hoarding that creates the actual shortage.
This is the kind of false narrative that spreads like wildfire because it rests on a morality play we all love about how a small number of those people are ruining it for everyone else.
In reality, the toilet paper shortage was caused by people using their home toilets instead of office ones. Office toilets use different toilet paper (those giant rolls of pretty scratchy paper). Those rolls are manufactured on different lines, shipped through different supply chains, and sold in different stores. Paper companies have incredibly thin margins, and it took a while for them to retool and shift over to the new reality. The shortage was just the dip while that was happening.
Basically, sales of product A (residential TP) skyrocketed while product B tanked (office TP). No surprise that it became hard to find A in stores.
Hoarding didn't have a significant impact. (Think about it, how could it have? The shortage was a few weeks long. Think about how much toilet paper a small number of hoarders would have to have to cause a shortage of that scale. Did they literally fill their entire house with rolls?)
Rational people bought bidets or just used the shower already installed in their bathroom, rather than going full Road-Warrior in search of toilet paper. Non-rational people chose otherwise.
In this case, too, rational people will substitute other proteins for beef. As a beef producer, I'm glad most Americans aren't completely rational consumers.
I'm more and more starting to see this as a failure in process resiliency. Unless each and every computer and smartphone is encrypted by ransomware, they should still be able to run things at some level, with people doing things manually. Might have to give out some overtime pay, but still... Like in the pipeline case, the choice of just stopping operating should have a massive regulatory cost.
Is there any other kind of "cyber attack" with respect to companies like this? This is a serious question, I can't imagine someone DDoS'ing or trying to "steal passwords" or "private data" from a meat processor. But disrupting their business and holding them hostage? Seems to be a thing these days.
Sure, you could have an attack whose goal is to cause damage like what happened in the Sony Pictures hack in 2014 [1]. Or follow through on a direct blackmail attempt of money for no disruption. Even if we limit ourselves to financially motivated actors there are plenty of ways to convert business disruption to money other than ransomware such as stock manipulation, competitive sabotage, etc.; they are just a little more sophisticated in the non-technical aspects. However, these tactics are quite rare currently because most hackers are extremely financially unsophisticated, being mostly young technically-minded people, so they focus more on the technical aspect of just doing more hacks rather than the business aspect of extracting the most value through solid financial engineering.
We can see this by the fact that just a few years ago they would take down the same types of companies they are hitting now and ask for a ridiculously low sum of like $10k, but now they are asking for a much more reasonable, but still low $1M. Nothing changed about who they were attacking, they just slowly realized that they underestimated how much companies would pay for their "services" by a factor of 100x. That is a classic mark of a business amateur who has no idea just how much money is involved in B2B deals.
But to your underlying question, yeah, it is probably ransomware.
In terms of things that are not specifically targeted:
I still see things like attacks on open SMTP ports to relay spam email, installing crypto mining software on PCs and servers, scanning for insecure VoIP phone systems and racking up long-distance phone bills.
The ransomware attacks make a lot of headlines, I think, because they're somewhat easy to sensationalize without a lot of explanation of boring IT stuff, but there are still plenty of other things happening regularly to compromise insecure systems.
Sure, but those don't typically warrant telling anyone right? I mean "our email server just sent a zillion spam messages, we're working on it." would largely go under the radar I suspect.
The big difference is that ransomware is a strike directly against the people who got hacked, while turning servers into bot farms at worst costs them a little electricity. The victims of DDoSes, for example, aren't usually the ones whose compromised systems are running the DDoS.
1) Cyber warfare. Taking down critical capacity like food production weakens your enemy. I don't think hostilities are anywhere near bad enough with anyone for this to be an issue at this point; but it would not surprise me if the other major countries are already in our systems and could do this with the push of a button if they wanted to. (Similarly, it would not surprise me if we were in theirs as well).
Establishing the capacity to do this at the push of a button, could have the effect of accidentally shutting things down. Either because of a mistake from the attacker, or because the attack is discovered and production is shut down out of an abundance of caution while we figure out what happened.
2) Terrorism. Really, I consider this the same as warfare, just coming from "terrorists" instead of "countries". With this broader base of attackers, I think there are groups that would be willing to do so. The only question is if they have the technical know-how. Given how cheap these ransoms can be ($4.4 mill for the pipeline hack), and the fact that a paid ransom probably has a good profit margin, in terms of raw funding these hacks seem within the range of terrorist groups.
All valid if we were at war or there was an active anti-meat terrorist group (I don't consider PETA to be terrorists :-). Just using the process of elimination to guess what is up and "ransomware" is highest on my survey board at the moment. (weak hat tip to Family Feud)
The most obvious one to me, especially affecting a meat producer, is activism. Disrupting supply chains for meat production could very well drive demand for plant-based alternatives, and if it becomes a cost of doing business, perhaps it would balance out massive subsidies which keep meat prices competitive with prices for plant-based meats.
FWIW, I'm not saying it couldn't have some other motivation, I am saying that it is unlikely.
And now Bloomberg is reporting it was a ransomware attack -- "It’s unclear exactly how many plants globally have been affected by the ransomware attack as Sao Paulo-based JBS has yet to release those details."
> A CNN White House correspondent reported on Tuesday afternoon that JBS told the Biden administration it had received a ransom request from a criminal organization “likely based in Russia.”
Why don't we have a branch of the government that is purely cyber defense? I know a bunch of you are going to say NSA, but we all know that they are more occupied with offense and that they don't have great interests to patch things because then they give up weapons that they have.
If there's any sort of bright side to this, it's that no one is going to tolerate continued attacks of this type much longer.
It's clear that they're no longer a minor threat and that the vague boogeyman of countless techno-thrillers over the last few decades where hackers bring down massive pieces of infrastructure is no longer fiction, it's here.
What's more, these cannot be considered simple criminal acts: If these were (or are) state-sponsored attacks, they are pretty close to acts of war. Short of that, they are quickly rising to the level of terrorism. That takes the decision to pay off these hackers out of the hands of irresponsible companies and puts it in the hands of those who handle national security.
Is the prospect that we might finally take meaningful action not a bright side? That it will be impossible to ignore? You are unimaginative if you interpret "bright" as "a good thing". Of course things are getting worse. But we are unfortunately in a situation where things may need to get worse before we take action to make it better. It is not unreasonable to hope that we have finally hit that point, it is the first step towards positive actions, and that is the brighter side if a descent into a deeper and deeper hole is to be avoided.
It's easy to post a pithy critical response to a comment. Deciding to take the time to understand the subtlety involved takes more time. Maybe next time you should keep in mind the community guidelines that set the tone for how to interpret comments and make substantive replies that are not simply low-effort one-liners. Especially on my comment that fully acknowledges the crap we're in but sees the latest development as a possible catalyst for change. It's easy to criticize, it's much harder, but more productive, to engage in an actual conversation. I'm sorry you chose the low road, many on HN are better than that.
I still don't see it. I can't imagine "meaningful action" as anything except "mass slaughter" or "slow starvation." Yes, these kinds of economic attacks are unfortunate, but this kind of retaliation puts others in a far deeper hole than it gets us anywhere near. Plus, would you be happy if other countries took such retaliatory action for American linked cyber attacks?
On your second part, I was hoping to clarify your point as maybe you had some other reason it was the "bright side." Additionally, please refrain from personal attacks.
I disagree, but you still make good points, which I appreciate. And I apologize for the "imagination" remark: not only was it not necessary, it's the type of comment very likely to result in significantly less productive conversation.
Usually I am hyper careful in how I address solely the merits of an argument rather than an emotional response or ad hominem comment. I'll say-- not as an excuse, but an explanation that does not excuse the comment-- the fact that I was winding down after working without sleep into the mid a.m. hours, and my self-reflection was clearly lacking. I'll do better, and again I am sorry for what I said.
Does BK separate its griddles and fryers between vegetarian and non-vegetarian items? Because if they don't, then meat products will leach animal fats and proteins while they cook and your vegetarian items will pick them up.
It needs heavy funding or subsidizing, this sort of product needs to be scaled up fast, because the price per lb of the meat is so much more expensive than low quality chicken, beef, pork etc. purchased at costco type bulk prices.
There’s no reason to believe that the plants that produce vegan products are any more secure; if veganism became the norm then the infrastructure required to process that food would be as valuable a target as meat processing is today.
Core count seems a less-than-useful restriction on its own. Clock rate, cache sizes, and instructions per cycle need to be limited for this to be effective. Then bandwidth has to be constrained to avoid people building Beowulf clusters of RISC-V systems (which we won't be able to buy in the US thanks to "munitions" import restrictions from overseas producers).
RAM and disk capacities will also have to be limited for similar reasons. As will their speeds.
CPU enthusiasts, builders, and overclockers would get put on a government list, then shadowbanned from social video platforms for encouraging domestic cyber terrorism.
It could be, but that's something that only privileged elected officials e.g. members of the intelligence committee, US President, past presidents, etc, get to know. If you let yourself get into conspiratorial thinking you'll soon find yourself without any moorings whatsoever.
It could also be many other countries or even private entities that get excited about extracting money from big US companies. The list of possibilities is very long.
Cyber attacks between major powers targeting important infrastructure aren't conspiracy theories; we have plenty of confirmed cases of it at this point. Whether this situation in particular, or the recent oil disruption are targeted attacks is hard to say.
As with the "lab origin" situation, it's probably best to avoid whatever the mainstream media is saying and try to find the few rogue experts who aren't being paid to say the right thing (or nothing at all) and thus have no incentives other than the satisfaction of offering a frank assessment (with any luck, you can find them before they're banned from all social media platforms for "misinformation" (ie, disagreeing with the party line)). It took years for any official confirmation of Stuxnet being a state-sponsored attack. But if you were paying attention to the right people, you knew it had all the fingerprints of such an attack pretty early on.
As a layperson in basically all fields except the very narrow field of my professional career, I have basically a zero chance of finding the "right people" and about a 99% chance of finding someone who sounds like the "right people" and aren't.
Data security will get better as the risk calculus changes. A lot of companies are mentally doing math:
(Probability of cyber attack per year) * (cost of ransom + costs of downtime) = X,
(Overhead of additional cybersecurity personnel)= Y
If X < Y, it's basically just a no-brainer to just eat the costs and pay the X million if it happens. If Y > X, they hire security personnel and it "gets better".
If the government makes paying the ransom less attractive (via basically labeling it as a financial transaction with a sanctioned entity making it illegal) OR the probability of the cyber attack goes up (as this becomes more lucrative), risk calculus changes, security is improved, and it "gets better".
* Non-tech industry belatedly starts prioritising cyber security; security gradually gets better while costs increase and infosec consultants enjoy a Y2K-style boom.
* Tech-competent startups outcompete non-tech industries through avoiding ransom costs.
* The international internet degrades into mostly-closed national networks with end-to-end government control and monitoring.
* The US government starts treating these attacks as national security threats and goes all War on Terror, probably triggered by a hit on critical infrastructure that costs lives. Heinous collateral damage.
Most small and medium enterprises will eventually have to outsource their technology infrastructure to a few huge cloud vendors that have sufficient scale and technical expertise to build secure systems.
Losses due to underinvestment will motivate investment. Some companies will invest more wisely than others. Eventually every company will be wisely investing in security, by copying companies that got it right or by being replaced by them.
It's because none of it is secured, and the US has a shit load of infrastructure that all has its own independent systems. Even a tiny percent being hacked per lifetime will be constant hacks in the news.
Independent systems have their own problems but also benefits. The trendy word for this is ‘decentralized’. IMHO, I’d prefer we don’t have one big system. At least when the pipeline was shutdown it didn’t affect the entire country.
Theory: running the same system in pre-internet style would add overhead in salaries and delays that's more costly than being down for a few weeks after a hack.
Posted this on the related thread on the front page: Klaus Schwab of the WEF “predicted” this a year ago [1]. Either the WEF and other NGOs are incredibly prescient on a number of unrelated issues, or we may be getting taken for a ride.
[1] https://m.youtube.com/watch?v=0DKRvS-C04o
I imagine it happens everywhere, but tends to make bigger news in the US. You can still find industrial control systems exposed to the internet with password-free VNC...
I hope it's beginning to sink in to corporate America: you need to get serious about security. Go Linux. Hire many permanent security experts with continuous audit processes. Acknowledge the true cost of IT.
Or perhaps the choice makes a difference, but neither is sufficiently secure. Both likely have dozens if not hundreds of undiscovered array-out-of-bounds errors, stack overruns, and race conditions, some of which may have security implications.
I don't think that "re-write everything in Rust" is the final solution in terms of security, but in terms of something like the Linux kernel one can at least see how such a (difficult and unlikely) project might at least address many of the low-hanging fruit so developers can shift their focus to fixing higher-level vulnerabilities.
The risk of kernel exploits isn't the main threat. The complete lack of meaningful sandboxing is a much bigger problem.
Most applications need to be able to read:
- files that the user drops into them or opens through a file picker (which could be OS-controlled, giving access to only the selected file)
- their own storage/config directories
- read-only system libraries
- temp files (again, isolated per app)
Just moving everything into this model would already go a long way.
We see kernel exploits on phones because you need them to bypass the sandboxing. We don't see them often on computers, because why would attackers bother?
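The per-application model in the comment above (own config dir and per-app temp dir read-write, system libraries read-only, user files only when handed over through a picker) is simple to state, but most of the bugs in real sandboxes are in path handling rather than in the policy. As an added example, not code from the thread or from any particular OS sandbox, the reference monitor below decides whether an application may open a path under exactly those four categories. It canonicalises the requested path first, so a request that starts inside the app's config directory but escapes through `..` or a symlink is judged by where it ends up, and it denies by default. The app name, directory layout and sample files are constructed for the demonstration.

```python
"""Per-application file-access policy of the kind sketched in the comment above.

Added example (not from the thread): a small reference monitor that answers
"may this app open this path in this mode?" for four grant categories:
read-write on the app's own config and temp directories, read-only on shared
system libraries, and read-only on individual files granted via a file picker.
Everything else is denied.
"""
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List, Set


@dataclass
class AppPolicy:
    name: str
    config_dir: Path                # app's own storage/config, read-write
    temp_dir: Path                  # per-app temp directory, read-write
    system_lib_dirs: List[Path]     # shared libraries, read-only
    picked_files: Set[Path] = field(default_factory=set)  # picker grants, read-only

    def grant_from_picker(self, path) -> None:
        """Record a file the user selected in an OS-controlled picker (read-only)."""
        self.picked_files.add(Path(path).resolve())


def _within(path: Path, root: Path) -> bool:
    """True if path is root or lies below it (string prefix checks are not enough)."""
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def check_access(policy: AppPolicy, requested, mode: str) -> bool:
    """Decide an open() request. mode is 'r' (read) or 'rw' (read and write)."""
    if mode not in ("r", "rw"):
        raise ValueError("mode must be 'r' or 'rw'")
    # Canonicalise before comparing: '..' components and symlinks are resolved,
    # so a path that starts under config_dir but points elsewhere is caught.
    target = Path(requested).resolve()
    writable_roots = [policy.config_dir.resolve(), policy.temp_dir.resolve()]
    if any(_within(target, root) for root in writable_roots):
        return True
    if mode == "rw":
        return False                # only the app's own directories are writable
    if any(_within(target, lib.resolve()) for lib in policy.system_lib_dirs):
        return True
    return target in policy.picked_files   # deny by default


def demo() -> Dict[str, bool]:
    """Constructed scenario: one app, ordinary requests and two escape attempts."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        config = base / "apps" / "editor" / "config"
        temp = base / "apps" / "editor" / "tmp"
        libs = base / "usr" / "lib"
        home = base / "home" / "alice"
        for d in (config, temp, libs, home):
            d.mkdir(parents=True)
        (config / "settings.json").write_text("{}")
        (libs / "libz.so").write_bytes(b"\x7fELF")
        (home / "report.txt").write_text("quarterly numbers")
        (home / "secrets.txt").write_text("not for the editor")

        policy = AppPolicy("editor", config, temp, [libs])
        policy.grant_from_picker(home / "report.txt")   # user picked this one file

        results = {
            "own_config_rw": check_access(policy, config / "settings.json", "rw"),
            "system_lib_read": check_access(policy, libs / "libz.so", "r"),
            "system_lib_write": check_access(policy, libs / "libz.so", "rw"),
            "picked_file_read": check_access(policy, home / "report.txt", "r"),
            "picked_file_write": check_access(policy, home / "report.txt", "rw"),
            "unpicked_file_read": check_access(policy, home / "secrets.txt", "r"),
            # Escape attempt 1: '..' traversal out of the config dir.
            "dotdot_escape": check_access(
                policy, config / ".." / ".." / ".." / "home" / "alice" / "secrets.txt", "r"),
        }
        # Escape attempt 2: a symlink inside the config dir pointing outside it.
        link = config / "escape"
        try:
            os.symlink(home / "secrets.txt", link)
            results["symlink_escape"] = check_access(policy, link, "r")
        except OSError:
            results["symlink_escape"] = False   # assumption: no symlink support here, nothing to escape through
        return results


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(f"{request}: {'allowed' if allowed else 'denied'}")
```

In a real system this decision would be made by the kernel or a broker process at open() time rather than in the application, since a compromised app can skip any check it performs on itself; the structure of the decision (canonicalise, match against explicit grants, deny otherwise) is the same either way.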
I can agree with that; writing applications the same way we did on 1980's Unix systems is no longer a sensible way of doing things, and I really wish there was some momentum around fixing that too.
Absolutely. Plenty of America runs on EOL Windows XP legacy apps that have been too complicated to migrate. Sometimes they run airgapped until someone realizes that isn’t practical. CEOs must demand better and be willing to pay for it. Without leadership support these migrations almost always fail.
And (operating) system and programming language designers must make security a foundational property of their systems. Most modern languages will never be secure, because their semantics necessitate things like global names. Trying to graft security extensions onto an existing language that wasn't built with them in mind will be painstaking and will always lag behind and is thus often abandoned: https://en.wikipedia.org/wiki/Caja_project
> JBS’s five biggest beef plants in the U.S. -- which altogether handle 22,500 cattle a day -- have halted processing following a weekend attack on the company’s computer networks, according to JBS posts on Facebook, labor unions and employees.
It wasn't clear to me from the headlines that this is about meat plants.
You could speculate that. Then you could ask yourself why a climate activist would create a situation where cattle starve at the plant and are put down and not used economically.
There are thousands of cattle in transit to just one of these facilities every hour of every day. Most are not equipped to feed incoming cattle - they arrive hungry and with minutes to hours to live. If you’re annoyed about the climate, forcing a manufacturer to throw out and waste hundreds of tons of perfectly fine beef does what, exactly? Send a message?
This isn’t spiking trees. You’re dealing with live animals. I have a hard time believing an activist environmentalist would be fine with exacerbating an animal welfare situation they already don’t like. Putting thousands of cattle through even worse experiences than usual. Yeah, no.
Source: One degree removed from a foreman at an impacted plant. What I’m describing is already happening - plant I’m aware of has 14k head on hand with about 24 hours to figure it out or kill and discard. The administration is already involved and aware of the details, too, and everyone should be vigilant regarding speculation as to who’s behind it (this is likely misdirection, given who it actually is).
>This isn’t spiking trees. You’re dealing with live animals. I have a hard time believing an activist environmentalist would be fine with exacerbating an animal welfare situation they already don’t like. Putting thousands of cattle through even worse experiences than usual. Yeah, no.
Animal rights activists aren't always known for thinking about the consequences of their actions.
Wait. So, you're saying that by virtue of being "one-degree removed from a foreman at an impacted plant", you know who the attackers actually are, and that it contradicts the White House's statement that it's "likely" Russia?
Don't hacktivists/eco-terrorists usually claim responsibility? Shutting down beef/oil production for a few days isn't going to do much for the environment, if anything, since demand basically stays the same, so claiming responsibility and/or getting awareness is the only reason for hacking.
This is being downvoted, but it seems like a reasonable theory to me. I know a decent number of brilliant engineers/hackers who are strong proponents of a vegetarian diet.
Or maybe it's just a general attack on US food production, and meat is the most vulnerable sector due to its complexity.
Good, I hope this encourages people to support plant based alternatives and "vat meat" type stuff. The meat industry is awful for two major disaster scenarios facing humanity: global warming and antibiotic resistance. Meat isn't "critical infrastructure", it's a luxury with health risks akin to other luxury products that are taxed, and is propped up and subsidized already in order to survive. This is not even beginning to talk about the ethics of this situation. People like Noam Chomsky etc have been behind this: https://www.nationalobserver.com/2019/02/12/features/noam-ch...
No one would be particularly choked up if this affected the cigarette industry or the alcohol industry.
Yeah, we should also take a stand against all the plants and fruits we are farming. It is incredibly bad for the environment (ex: pesticides, water usage, slave labor practices, etc). The whole food sector is a major producer of greenhouse gases, and farming, whether livestock or grains, etc, is extremely bad for the environment. Let's save the planet and stop eating.
I mean, I'm all for humanity dying out at some point, but this is a question of harm reduction... I don't really understand the logic in "But ALL food production has some net impact, checkmate!" By virtue of living we are endlessly consuming. The answer to that isn't to jump off a cliff or restrict ourselves to the point where we can barely function within current society. We have to eat, and we have to work within the supply chain system we have now. We can campaign long term for fair trade/accountable supply chains, and that's probably never going to be perfect. But if you have an option that involves by definition the unethical slaughter and treatment of billions of animals and that has diminishing returns as far as calories/nutrients go (you can feed soybeans to cows and eat that one cow, or feed soybeans directly to people), the choice seems very simple.
People often take pride in recycling or doing other carbon footprint cutting measures like driving a Prius, switching off the lights, and so forth. But I could drive a Hummer every day to work and have less of a carbon footprint if I don't eat animal products.
It may not be reasonable for everyone to cut meat out of their diet due to food deserts, society, and so forth at this point, but that doesn't mean that it makes any sense from an environmental, ethical, or health perspective to keep factory farming. There is no question that it should be on its way out - if you believe in any way that coal/oil should be phased out, look at the data on what factory farming contributes to global warming and tell me there's any justification for that not to be phased out as well.
I can be against factory farming and also against human trafficking and sweatshops. Both are bad. It's not a good argument to say that since there's exploitation in the food chain regardless, it doesn't matter. It's a question of harm reduction.