I seriously think one solution to this problem is for the US gov to start designating some of these gangs as something similar to enemies of the state and start taking military action against them. If there were serious repercussions for these actions, like serious jail time or even something more grave... then that changes the calculus for people running these gangs. At minimum, this shows the gov is taking this threat seriously.
EDIT: ok, bad idea, let's take it easy on my poor account :)
The entire computing apparatus of humanity ostensibly can’t figure out secure systems by default without fifty vigilant FAANGineers on hand to rewrite everything quarterly, and then spends the day after Memorial Day arguing for drone strikes and targeted assassinations against two-bit racketeering operations calling them on it to avoid fixing the actual problem. Video at 11.
Why not? $40 trillion in weapons spending would easily save the $10 billion it would cost to hire security professionals on an annual salary to patch software and ensure that intrusion was more difficult.
This is exactly what they're doing now, they're just doing it with law enforcement agencies and not the military. The military is honestly going to be worse at all of this, as they don't have the investigative capacity. This also ducks the very thorny political problem that Ukraine (never mind Russia!) is NOT going to allow US military involvement in domestic affairs, but does have agreements with Interpol that make this possible. Nobody wants extrajudicial military extraction squads acting on their turf.
I'm sure the various 3 letter agencies (NSA, CIA, etc) are already involved to a degree that's not publicly known.
There's a continuum of responses existing between "do nothing" and "drop missiles". For example, it'd probably be relatively easy for special forces to assassinate key personnel, even deep within enemy territory.
Do you really see nothing wrong with the US military carrying out assassinations of foreign nationals, in foreign territory, on behalf of private companies who can't be bothered to just invest in a decent security team?
The vast majority of participants on this forum work in an environment where the shelf of footguns and gotchas and stupid legacy cruft that is modern software development inherently makes sense. Anyone fucking that house of cards up gets attention not because of the state of modern software development that led them here, but because clearly something is wrong with the external world and that should be handled with cops or whatever the next step after that is. It is in no way an indictment of modern software as practiced, from toolchain on up.
Reminder: Memorial Day was yesterday and this thread is discussing killing human beings in yet another war because of holes in some stupid software that SV won’t lift a finger to fix. If you offer such a suggestion to fix the woes of vulnerable infrastructure, I’m assuming you’re volunteering to go pull the trigger, right? Or were you expecting someone else to do that for you?
Put down the assault keyboard and Clancy novel and get some perspective, subthread. Sheesh. Diddling around in the network of a company you didn’t know existed until five minutes ago is suddenly a capital offense because...Whoppers might run out?
You are absolutely right about the footguns, legacy cruft, and the joke-not-a-joke-it's-so-stupid that is modern web software development. That all needs to be fixed, and here at home.
However, it is also not merely about the Whoppers running out - this is just this morning's example.
When even major "security" vendors can be turned into serious NatSec attack vectors, and much more critical infrastructure can also be attacked with ease, and they are doing it, it becomes a bona-fide NatSec issue.
Like any other NatSec issue, this requires both serious hardening actions at home and serious threats against bad actors abroad. Whether that involves some kind of diplomacy, economic sanctions, targeted software attacks, targeted covert actions, or overt drone strikes is up to the experts in those domains, but we do need to treat this as the serious NatSec issue that it is.
On a planet with seven and a half billion people becoming more connected and tech-savvy every day, security by intimidation simply isn't a viable solution, or a meaningful component of a larger solution.
>On a planet with seven and a half billion people becoming more connected and tech-savvy every day, security by intimidation simply isn't a viable solution, or a meaningful component of a larger solution.
It absolutely is and must be a viable component. Those increasingly connected people are also increasingly vulnerable in real-world ways that go well beyond tech. And, it is near impossible to completely secure networks/systems with their near limitless attack surfaces.
Treating it as a game of cat and mouse in which you know the mouse will invariably lose with some regularity, then consigning yourself to ever playing the mouse is disastrous policy.
It is both. How many hackers from Russian & fmr Soviet countries attack within those countries?
Very few. So few that they literally encode checks for RUS language / keyboard installs and skip that machine, and doing such an install is, at least for now, a legit security measure [1]. This isn't just from the RUS legal structure and no extradition treaties, but their very intimidating response to anyone acting up internally (I've read of at least one instance where a hacker was found dead at his keyboard with missing hands). RUS security doesn't eff around, and we shouldn't either.
Many people will not play at the pointy end of the NatSec game because you are risking your life, and some do because of that. It is definitely a useful measure, among others, to make it known that trespassing with such intent on western computer systems also gets you into that risk category.
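The locale check the comment above refers to, as an added example that is not part of the thread or of any particular malware family: it reduces Windows LCID/HKL/KLID values to their 16-bit LANGID and bails out if the user's UI language or any installed keyboard layout is in an exclusion list. 0x0419 (Russian) is the value the comment names; the other CIS entries in `CIS_LANGIDS`, and the function names, are assumptions for illustration. The live-query helper uses the real Win32 calls `GetUserDefaultUILanguage` and `GetKeyboardLayoutList` and only runs on Windows; the rest is pure logic so it can be exercised anywhere.

```python
"""Emulate the locale "kill switch" some ransomware applies before encrypting.

Added example for this thread, not code from any commenter. Windows LANGIDs
are standard; which of them a given family actually excludes is an assumption.
"""
import sys
from typing import Iterable, List, Tuple

# Windows primary+sublanguage IDs (the low 16 bits of an LCID, HKL or KLID).
# 0x0419 (Russian) is the one named in the comment; the remaining CIS entries
# are an assumption about what a given family might exclude.
CIS_LANGIDS = {
    0x0419: "ru-RU",
    0x0422: "uk-UA",
    0x0423: "be-BY",
    0x043F: "kk-KZ",
    0x0428: "tg-Cyrl-TJ",
    0x042B: "hy-AM",
    0x042C: "az-Latn-AZ",
    0x0437: "ka-GE",
    0x0440: "ky-KG",
    0x0443: "uz-Latn-UZ",
}


def langid(value: int) -> int:
    """Reduce an LCID, HKL or KLID (e.g. 0x04190419, or an HKL like 0xF0C00419) to its LANGID."""
    return value & 0xFFFF


def parse_klid(klid: str) -> int:
    """Parse a KLID string as stored under HKCU\\Keyboard Layout\\Preload, e.g. '00000419'."""
    return int(klid, 16)


def matched_locales(ui_langid: int, keyboard_layouts: Iterable[int]) -> List[str]:
    """Return the exclusion-list locales present on the host (UI language first, then layouts)."""
    hits: List[str] = []
    for value in [ui_langid, *keyboard_layouts]:
        name = CIS_LANGIDS.get(langid(value))
        if name and name not in hits:
            hits.append(name)
    return hits


def would_skip_host(ui_langid: int, keyboard_layouts: Iterable[int]) -> bool:
    """True if a check of the kind the comment describes would refuse to run.

    Both the default UI language and every installed keyboard layout are
    checked. A single matching layout is enough, which is why merely adding a
    Russian keyboard flips the result even on an English-UI machine.
    """
    return bool(matched_locales(ui_langid, keyboard_layouts))


def read_windows_locale_state() -> Tuple[int, List[int]]:
    """Query the live values through the same Win32 APIs malware uses (Windows only)."""
    if sys.platform != "win32":
        raise OSError("Win32 APIs are only available on Windows")
    import ctypes

    kernel32 = ctypes.windll.kernel32
    user32 = ctypes.windll.user32
    ui = kernel32.GetUserDefaultUILanguage()        # returns a LANGID (WORD)
    count = user32.GetKeyboardLayoutList(0, None)   # nBuff=0 -> number of HKLs
    buf = (ctypes.c_void_p * count)()
    user32.GetKeyboardLayoutList(count, buf)
    return ui, [int(h or 0) for h in buf]


if __name__ == "__main__":
    # Constructed sample hosts (not captured data): English-only, and the same
    # host after the "vaccine" of adding a Russian keyboard layout.
    plain_host = (0x0409, [0x04090409])
    vaccinated_host = (0x0409, [0x04090409, parse_klid("00000419")])
    for label, (ui, layouts) in [("plain", plain_host), ("vaccinated", vaccinated_host)]:
        print(f"{label}: skip={would_skip_host(ui, layouts)} matches={matched_locales(ui, layouts)}")
    if sys.platform == "win32":
        ui, layouts = read_windows_locale_state()
        print(f"this machine: skip={would_skip_host(ui, layouts)} matches={matched_locales(ui, layouts)}")
```

Note the two-sided lesson a practitioner takes from this: the check is trivially bypassed by the operators (they can simply drop it), so the layout "vaccine" is a cheap, low-side-effect tripwire rather than a control, and the same logic inverted makes a useful detection heuristic for sandbox triage (a sample that enumerates keyboard layouts and exits early on a CIS LANGID is behaving exactly as described).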
>is suddenly a capital offense because...Whoppers might run out?
We know the stakes are much higher. We all know there have been attacks on hospitals, law enforcement systems, government agencies, infrastructure companies, etc. And, we know that none of us have a clue where the next attack will be.
>and stupid legacy cruft that is modern software development
Yes, modern software development is stupid, crufty and all of those things. But, these are actual attacks by actual actors, not some self-imploding poor designs. In many cases, these attacks are state-sanctioned, if not outright state-sponsored. So, of course they should be treated just as we treat other attacks. And, under what other scenario do we respond to an attack by declaring "Oh, you got us. We should have better protected that".
These are clear national security threats and should, accordingly, be subject to the full range of responses as any other threats. That includes deterrence. It doesn't necessarily mean dropping bombs. But, it does mean more than blaming ourselves.
>Diddling around in the network of a company you didn’t know existed until five minutes ago
I'd wager there are many companies that the average person has never heard of that, if knocked offline, would result in considerable disruption, economic costs, and even physical danger to a significant portion of the population.
The United States invaded a country under false pretenses and killed almost 300,000 of their civilians... is using a B2 with a laser guided bomb to blow up a team of hackers really all that bad?
At least companies that are paying for ransomware should be condemned for financing criminal groups, because you can be certain that part of the ransom is used to grow their activities. If nobody was paying the ransom, there would be no interest in developing ransomware.