In a perverse way, the recent attacks on infrastructure are a good thing. Can you imagine if these all hit in a coordinated attack during actual hostilities?
Yes it's painful and interferes with the economy, but ultimately this will harden up potential targets. And boy do some of these guys need hardening up.
I think you're right unfortunately, maybe the Patriot Act will get expanded or maybe there'll be a sibling Good People Have Nothing to Hide Act.
Speaking from my vantage in the United States, I can't believe how quickly the population has become knowingly accepting and complicit with a mass surveillance culture. I'm equally concerned with how quickly ownership of purchased goods has been undermined by the server-client model of the internet. These two things are linked and fundamentally disagree with the basic premises the US believes itself to be founded on ...
It's hard to draw parallels historically in a way that gives hope. There is quite a lot of middle ground and reasonable solutions that just don't get mentioned in the political theater of today's corpocracy.
I know all this has basically become a meme on HN, but every government not following the EU's example and iterating on things like GDPR is implicitly supporting authoritarianism (if not explicitly) and setting up an oppressive future that their children will be trodden down by.
People haven’t accepted mass surveillance, they just don’t understand what it is and have been misled by the media, government, and corporations into silently consenting to privacy intrusions.
They think it won’t be used against them, until one day it does, and they are horrified when a divorce attorney is talking about the GPS movements from their “connected car” or their bank closes an account and locks out their funds because they attended a political protest. Unfortunately for them the realization comes way too late.
> They think it won’t be used against them, until one day it does, and they are horrified when a divorce attorney is talking about the GPS movements from their “connected car” or their bank closes an account and locks out their funds because they attended a political protest.
Not to mention those horrified at finding out that even though they deleted their tweets and videos, the feds have shown up at their doorstep because they were in a rampaging mob in the Capitol, searching for elected officials to murder.
I wish there was a nice, easy answer on where to draw the line with surveillance. I'm actually glad that the insurrectionists left a zillion-mile wide electronic trail, but I'm all too acutely aware that these capabilities can be turned against anyone, and I'm dead-set against backdooring encryption. At least (US-specific here) there are nominally limits on what the government can do, but those limits are often ignored, and private corporations have much freer rein on what they can do with your data.
Most people are still not sold on January being an insurrection, FWIW. People thought they were going to a political rally, not to murder senators. Things just got out of hand because lunatics decided to storm the building.
Funny how the 1% that take it too far always seem to be just the excuse most otherwise seemingly reasonable people need to justify supporting the revocation or curtailing of civil rights.
Part of liberty is cleaning up the mess when some people take it a bit far, and moving on.
But really, there's still some pretty reliable ways to carry out these attacks anonymously or with little risk of getting caught. OpSec has come a long way since the early 2000s. Yes, many are still getting caught often... But many aren't.
Yes, this'll be used to undermine anonymity (for example try getting a phone plan in many western countries without an ID - it's hard), however I believe there's still going to be a large push from governments and legislative bodies to push better security processes within private enterprise.
Jungle rules is not pure freedom. You need both freedom to and freedom from. The balance is struck when no one's actions impinge on another’s person or property without consent. The best form of that is an agreement between the involved parties to act respectfully. The worst is abdicating all of your responsibility to big brother.
There are different ways to provide security when it’s needed but most of what you would consider the benefits of security have more to do with everyone voluntarily obeying a set of written and unwritten rules. That’s easy to see if you ask why crime rates vary by geographic location. The same law should apply everywhere and for any given city you have the same police force so why do some areas have high crime while others have low?
I’m not sure I agree with that. In the 21st century, at least in the US, most adults have access to firearms for self defense. There is no such thing as “survival of the strongest” when everyone is on an equal playing field and has the capability to defend themselves.
Personally, I view the opposite as closer to Law of the Jungle, that is our current system of policing that gives a small fraction of society access to self defense but denying it to the rest of the group.
Law of the jungle implies lawlessness. How are you going to “self-defend” with your firearms against the random gangs or warlords in your neighborhood? You will join them or perish.
In a world with firearms it can mean survival of the best shot, the owner of the best weapons, or more likely the wealthy with their own militia. This is all in the absence of a state providing security. This happened many times in history, particularly the feudal era where feudal lords acted like a mini state, and often pledged allegiance to a larger state with a king.
While this is one line of thinking, in another way of thinking, we're just now in a perpetual cyber cold war. As long as there are some rogue nations that turn their eyes away from cybercriminals, or adversaries that actively promote them, we're going to have an endless series of outages - every possible thing from factories to toll roads to desalination plants to illicit photos.
Nah, we're just gonna get every state having its own mini-Great-Firewall and very limited access to non-friendly states, at the routing level. There's a next gen Internet protocol that makes this easy. Maybe also personal IDs with a kind of Internet "credit score". We already do that, but with IP addresses and machine fingerprints. I expect some countries will adopt something like that, even in the "West".
Either that or the cost of attacks will remain lower than the benefit of being able to sell bits and bytes to your adversaries. I do not expect this to be the case, but maybe.
The open, global, semi-anonymous web is what's not going to survive this fight, I'm afraid. I give it 20 more years, tops, and maybe a lot less.
That could sound interesting to a lawmaker, but it wouldn't change anything in practice. Those hacks don't come directly from the authors nicely identified by their affiliation and location. They'll come from a trusted node in the US. Many already do.
It would force the attackers to enter the jurisdiction of a state that will prosecute them if they're discovered, to carry out the attack, or else resort to much more difficult and slower methods (sneaker-net introduction of initial malware infections in the target state, say).
You don't have to enter a specific jurisdiction. There are supply chain attacks, escalation through residential connections, existing international botnets, and a thousand other approaches. And of course, there's always someone out there ready to open an email which will own them.
Yes, some relatively slow, difficult, and expensive attacks would of course still be viable. That does not mean that, "it wouldn't change anything in practice."
> escalation through residential connections, existing international botnets
Right—so how are you going to talk to your botnet from outside the target sub-Internet when it won't even route packets you send it, except maybe to some hardened commerce-and-propaganda-only subnet that may have limited or no connection to the rest of the target state/bloc's Internet (and again, even that part existing is a maybe)?
We have a small experiment with that already - corporate NATs which are supposed to achieve the same thing. They still get owned. Even SWIFT which is basically as isolated as it gets in business had bad actors with access.
I don't believe a complete separation would ever be possible. We'd have to put banks on the commerce side. But that means every single business entity would also have to have access to them. But most businesses also need access to the other side and will not do perfect separation.
In malware research labs you can find rooms literally painted in two colours to separate the isolated part and prevent joining networks by accident. Normal companies do not care that much. Most single-person entities will just plug both ends into one computer and go on with their life.
Sure, but there wouldn't be a "bad" network to connect to.
Two things that are surprising me in this thread: 1) "there are ways to work around this, so it's completely useless" (yes, that's... any security), and 2) either not a lot of people are paying attention to future-Internet development, as in actual, technical development and research, or they're not seeing what I'm seeing in them, somehow, as, for example:
There will be plenty of home grown hackers within the country doing it then too. Sure that might make prosecution easier if we can catch them, but it's not like we have anything close to a good track record in solving most crimes and bringing the criminal to justice. It will just be another risk/reward trade off that domestic criminals make every day already.
“The internet interprets censorship as damage and routes around it”
Even if you physically firewalled every connection into a country all it takes is one little node connected via RF (satellite, HF, etc) dropped near an open WiFi hotspot.
The topology for the commercial internet today is not the same as the topology for the early internet which that quote is from. Today's internet is more of a hub and spoke model that is much more susceptible to damage if certain nodes are affected.
Wifi hotspot asks for personal or corporate/server ID of the sender of packets coming from this new node, since it can't route the traffic any farther without that. Gets nothing. Drops that node's packets as either hostile or malfunctioning, and, regardless, useless, since it can't route them anywhere. OK, so maybe you manage to steal an ID. See how this is making attacks harder? Now you're stealing or forging identities just to get any packets routed, and if you do anything suspicious-looking you'll rapidly get your stolen ID on the automatically-managed collective shit-list and it'll stop being very useful. Because the volume of attacks is so much lower, your drop-a-radio-near-a-hotspot trick might even trip enough flags to get someone to come find the device, if you use it very much—and if you can't use it much without "burning" the hardware, then, well, sure seems like it made your job as an attacker a lot harder, right?
There is nothing that guarantees the Internet will keep working the way it does now, and if an open Internet causes enough problems, it will be reined in. How it works now is a choice, not a law of nature. I'm not happy about it, but that's just how it is. Either these kinds of attacks won't get much worse, or they'll get a lot worse and something like that will be what happens.
Wouldn't it be easier for the vulnerable beef packers and pipelines to simply disconnect from the public internet? What qualities do they have that would force them to burn down the world rather than fixing their shit?
I think between telling big businesses to spend a bunch of money and fix their shit and do things without the Internet, and adjusting the Internet—which would also make state-level attacks and foreign astroturf disinfo/propaganda campaigns harder to carry out—we're going to pick the latter. Again, unless these threats don't keep getting worse, though I expect they will.
Unless we shut down physical borders that won't work because the developed world has travel open enough that hackers can travel to the country of their target, set up the attack, and leave. A few months later it executes and we're in the same boat as before, albeit with an additional speed bump for the hackers.
Or it will just be home grown criminals doing the same thing.
How so? Can't attack from abroad if non-trusted states have trouble even getting packets routed to the target state, let alone the specific network you're trying to breach. Very hard to attack from inside the "firewall" if access is, as a condition of being considered a trusted routing peer, gated by tying all traffic to a personal or corporate ID that would cause all kinds of trouble for the holder of same IDs should they route traffic on some bad actor's behalf (as, say, through Tor or other means).
That's just a matter of finding a vulnerable ally country to hop through. That's SOP now to hide your tracks. It's not like current attacks from Iran to the US have Irani addresses in the IP header.
That's fine until it's nearly impossible to route a packet from (for example) Iran to any IP in any state that's legally unfriendly to hackers and scammers, or otherwise operates outside the broad legal jurisdiction of the hackers' target states.
Yes, the Internet as currently structured is resistant to this. The Internet is not guaranteed to continue to have that structure. I'm saying that if our choices are "constant attacks such that the Internet is horribly dangerous" and "don't have the Internet", the popular (at the state level) solution will be "I choose neither—instead, we're changing the Internet".
It's not direct packets. You ssh into a box in, say, UAE, then Cuba, then Canada, then USA. You're just uploading and running scripts, so latency doesn't matter.
Yes, I know how the Internet works now. It doesn't have to keep working that way, and if attacks get really bad the result will not be that we just live with them. The Internet will be modified to reduce the threat to a tolerable level. There's already been some pretty serious work put into what this will look like, if/when it happens.
So all that will change is you use a wireless link (Starlink?) to SSH into a box in another country that connects to a box to a box to a box. It will not change a lot, in fact as Starlink-like satellites become commonplace you can use them as jump boxes....
Security does not have to be perfect to be effective. If it did, we'd have no security, because none of it is both useful/practical and perfectly effective.
That is basically KYC for internet traffic. Hasn't stopped big operators in finance, and I doubt that it will be different on the Internet. A new crime of "traffic laundering", and mesh networks untraceable and unregulated like cash transactions.
Because the problem is critical infrastructure with holes in it, not that someone might communicate with that infrastructure. Trying to change the environment to ensure there are no attackers on the net is not a feasible alternative to hardening the critical systems.
This is NOT a cybersecurity or network vulnerability problem. That's just a symptom.
The real problem is that here, like so many other places in modern society, we've allowed consolidation to proceed far beyond healthy levels - when a single company is responsible for 20% of beef supply, it's time for antitrust action! (Yes, I'm looking at you, too, Internet, Tech, Media, Pharma, Aerospace/Defense, etc. companies...)
Maybe just allow one merger per decade, only available to companies with less than 10% of their market?
Consolidation leads to efficiency. Which in the case of commodities, is the only way to ensure low prices. A new slaughter company is not going to innovate a more efficient means of producing a pound of beef. In theory, a perfectly run state monopoly would be the ideal system. But that rarely ends well. In the US we've worked out a sort of half way between the two extremes, where large private corporations are allowed to consolidate in the name of consumer prices, while still maintaining just enough competition for profit motive to keep things well run. It's not perfect but it's the best we've figured out so far.
The security state is willing to do anything, up to kidnapping, torture and murder, in order to not change a thing about the current economic order.
I expect the problem to be addressed with technology, treaties, extraditions and putting a lot of people in prisons before the fragility of consolidation is addressed.
There are many problems with over-consolidation, but this isn't one of them.
The primary problem here is criminals and criminal organizations parading as nation-states. The secondary problem is systems and networks that are insufficiently secured.
I think it'll be easier to have one network that's secure (or, at least, securable) at the protocol level, than two networks. As someone notes down-thread, people don't like dealing with two highly-separated networks, and if you have devices on both then that's a huge threat vector.
Further, I think states are likely to use this both to prevent beyond-their-reach nationals from attacking infrastructure and citizens, and to curtail foreign astroturf propaganda efforts.
The ID stuff is something I don't think all states will adopt, but some might, even in Democratic states. I think adjusting backbone routing to allow easy network-wide black holing based on verifiable origin, though, is very likely to become widely adopted over the next couple decades.
Right. I posit that either we will arrive at that outcome, or "cyber attacks" and various other forms of Internet-enabled international abuse will never get bad enough to justify it. I suspect we're in for the former.
Sorta, but more like marking anyone's packets from outside your (or a friendly and cooperative country's) legal jurisdiction with the evil bit by default, and then also tracking which person or company, not device or IP address, originated every packet, so if they sent anything that should have been evil-bitted you can track them down.
Again, I reckon it's either that or this problem never gets much worse. Given trends, I expect we're gonna lose the open, global Internet.
Hopefully it's not endless. I kind of view these attacks as forced penetration testing of sloppy companies. They may not have been hired or perform their work legally, but hopefully their work results in changes similar to legal penetration testers. Also, the more that these attacks happen, the more that insurance companies will begin to increase premiums and the more that they will push back on companies that practice sloppy security. It may be painful in the near term, but hopefully these attacks are a net good in the long term.
The thing that really pissed me off about it is that the same organization that leaked my data in the first place was going to monitor my privacy. But in order to sign up, they needed... more personal data.
I don’t think a Cold War is a good description of what’s happening; it’s not as if there’s some arms race going on as it is just a very public exposure of how bad our overall tech / security infrastructure is.
The question is whether the pains we’re currently feeling are enough to cause a change in the industries affected.
> The question is whether the pains we’re currently feeling are enough to cause a change in the industries affected.
Considering downthread there are honest suggestions to send special forces after the ransomware gangs, I’m gonna go with “probably not”. That type of denial is pervasive.
The F500 and companies like JBS just need to move essentially dataframes around from automation to automation, but somehow the software ecosystem is still building that with the same tools used to write Google. The next answer is usually “they don’t invest in a security team, clearly,” and I’m waiting for that subthread to kick off, too, to continue the denial.
Software complexity is the enemy, not the malicious actors exploiting it. Fix one, fix the other.
Software complexity is hard to tackle because it's really the underlying business complexity that's being modelled, which is usually bureaucratic, Byzantine-like.
It is, but it's never going to be perfect. Nobody has achieved that so far. Or at least not in an environment where you have international distribution and thousands of endpoints touching different areas of the system.
The arms race is in exploits and software development. The country with the largest stockpile of the former and the best talent in the latter will emerge the victor.
A large stockpile of exploits can only harm someone else's economy, and it does not protect your economy. So perhaps your neighbour will suffer more than you do, but none of you will be winners in any sense.
With big limitations that don't apply here. Things like mutually assured destruction work if/because an attack is quickly detectable, reasonably clearly attributable, and a symmetric tit-for-tat retaliation is plausible.
That's not the case for cyberattacks. SolarWinds was attacked many months before it was detected, Stuxnet was hidden for years. We have attributed some attacks but not most and attribution often succeeds only years after detection. And the attackers aren't as vulnerable to cyberattacks simply because their economy is "less connected" - for example, North Korea is at the extreme end of that scale and they really don't care much about what exploits you have; you have a digital economy that's wealthy but vulnerable to attacks by those who don't have it.
Or you could go a step further that it is our hubris as a nation that expects the other side to fight us on a traditional battlefield with tanks and bombs and get crushed in a month. As if the other side is just so stupid as to never figure out a different strategy.
This is a 21st century hot war that we are losing badly.
The good news is that cyber-war has a huge asymmetric advantage for defenders. For modestly more money, we can stop building absolute crap infrastructure that constantly gets owned. A little bit of investment in quality drastically raises the cost of an attack.
> but ultimately this will harden up potential targets.
Or they mop up, get bailed out, and then maybe make some minor changes that don't really solve the problem that their insecure corporate culture begins to undermine immediately. We need companies to essentially go into a perpetual cyber-security war-footing. I don't see that happening without business being impossible to conduct without it.
If this is the USDA we're talking about, they mop it up, and have countless MEETINGS about what should be done. Then a task force is convened. THEN they do nothing.
These are actual hostilities. The U.S. is facing internal political collapse and Russia continues to distract and further sow discontent through these hacks.
The Red Dawn style of hostilities is a relic of the past.
>>>Russia continues to distract and further sow discontent
Meanwhile, the Chinese hackers and those directing their Information Operations are laughing their asses off that nobody points the finger at China first, despite numerous high-profile incidents of military-industrial-political espionage [1][2][3][4], the buildup of a gigantic blue-water navy, and tacit long-term goal of rivaling the US as the global superpower (and unlike the Russians, they've got the economy and manpower to make that happen). Nope, couldn't possibly be them. Must be those dastardly Russians.
You misunderstand the purpose of pentesting consultants. They exist to help companies check a box that reduces their legal liability, not to meaningfully improve those companies' security.
Now that there's an actual financial motivation for random non-tech industries to have decent software, they might start to do so.
>pentesting consultants...exist to help companies check a box that reduces their legal liability
I get it, but that's a bit of a false dichotomy. That is, there's also valid pentesting and that's the good thing, as opposed to being attacked by criminals (bad thing). And, the purpose of standing up defenses would be to prevent successful attacks. So, if it's the successful attack that prompts those defenses, then it's already too late.
The bigger point is that, in general, I'm puzzled by the constant stream of people thanking the criminals and blaming the victims after each of these attacks.
I think people underestimate the complexity that has evolved over time in many company systems. Securing systems/networks is hard. Doing it retroactively with mountains of technical debt is even harder. The reality is that some of these companies don't have the wherewithal to do it and, even if they did, the timeline to getting them there would leave them vulnerable for some time.
So it sounds great, but very idealistic to say "hey this will help them harden their security". The reality is we need to stop thanking the criminals and support/protect our companies/agencies with a "layer" above their own security, including via deterrence at the nation-state level.
"The reality is we need to ... support/protect our companies/agencies"
Like how we protect them from all legal consequences of losing private information of millions of people time after time, such as recent Equifax and Facebook cases?
Or like how we allow companies to sell vulnerable routers, IP cameras, internet-enabled printers and phones with known vulnerabilities at the time of release, and leave it without updates?
They are getting away with murder and you are asking for more protection for them? Maybe it's time to accept that this industry is greedy, arrogant and negligent in a way that's unmatched by almost anyone, except maybe hedge funds.
>Maybe it's time to accept that this industry is greedy, arrogant and negligent in a way that's unmatched by almost anyone, except maybe hedge funds.
"This industry"? Which industry is that? I mean, it's a tempting narrative: a big greedy industry, etc. But, this is not isolated to any one industry or any one company. These are attacks by foreign actors on a variety of our companies, government agencies, infrastructure, etc. And they result in real harm to our economy, infrastructure, and people.
>allow companies to sell vulnerable routers, IP cameras, internet-enabled printers and phones with known vulnerabilities at the time of release, and leave it without updates
Again, this sounds like a compelling narrative, and sure, there need to be improvements. But, the reality is that the attack surface is vast and includes zero-days in well-maintained software, social engineering, OSS, custom software, network configs, etc.
In general, it seems like there's a lot of anger in your post, but none of it directed at the actual criminals (or their national sponsors) who are actually responsible for the attacks. That's really puzzling to the point where it almost reads like defending the criminals.
We have plenty of our own hackers and ransomware, I am not seeing how the foreign angle adds anything to the debate
"none of it directed at the actual criminals"
There will always be criminals. If a bank was robbed by two kids armed with a banana, then the real fault lies with the bank's management for being negligent, and every court will recognise it.
As it stands, most data leaks and hacks are not unpreventable zerodays, they are people being negligent and irresponsible.
Large organisations need to change, and ignorance of the issue needs to be addressed. This is not just "there need to be some minor improvements"
The overwhelming majority of the recent, most notable attacks have been traced near-exclusively to foreign actors, including the one that is the subject of the actual thread here.
>I am not seeing how the foreign angle adds anything to the debate
Of course, it has everything to do with the debate. Specifically, with how we respond/deter.
>most data leaks and hacks are ... people being negligent and irresponsible.
The attack surface is vast.
>If a bank was robbed by two kids armed with a banana
We're literally veering into cartoon territory here. Not sure I understand why you're working so hard to exonerate the actual criminals.
"most notable attacks have been traced near-exclusively to foreign actors"
Most criminals are "foreign" because most of Earth's population is foreign.
"The attack surface is vast."
Because we made it vast. It could have been small.
"We're literally veering into cartoon territory here"
Yes we are, because spying on millions of people and then leaving that data unprotected is childishly irresponsible.
Ordinary citizens are the injured party, not companies. They have given up privacy and control over their devices. Even the software that runs on voting machines is copyrighted and secret, and when inspected, it turned out even the basics of security have not been followed.
Now that the chickens are coming home to roost, why are you so vehemently looking to absolve them of all responsibility?
Your last comment shed more light on the narrative you're attempting to establish.
Here's the "foreign" part of the discussion from our "sub-thread" to make things clearer:
Me: These are attacks by foreign actors on a variety of our companies, government agencies, infrastructure, etc.
You: We have plenty of our own hackers and ransomware, I am not seeing how the foreign angle adds anything to the debate
Me: The overwhelming majority of the recent, most notable attacks have been traced near-exclusively to foreign actors, including the one that is the subject of the actual thread here...It has everything to do with the debate. Specifically, with how we respond/deter.
You: Most criminals are "foreign" because most of Earth's population is foreign.
Some hardcore goalpost-moving there. You went from "it's domestic and doesn't matter" to "it's foreign, but only due to a statistical artifact". You're talking in circles in your effort to absolve the attackers. And, it's made clear here that you're not just trying to lay the blame on U.S. companies; you're actively working to absolve/divert focus from the foreign adversaries who are attacking us.
Maybe you can explain why you find it so important that we blame only U.S. entities, whether they be companies or criminals. It's that criminal bit that gives up the game. This isn't just about a crusade against negligent companies. Your narrative seeks to lay blame with U.S. actors and absolve foreign actors.
But, FWIW, a disproportionate number of these attacks come from one country with a population less than half the size of the U.S. It's a country that has been engaged in asymmetric warfare with us. So, you're wrong there too: the foreign nature of the attacks is not a statistical artifact.
>Because we made it vast. It could have been small.
No. It's vast because it's vast. Complexity + interconnectedness.
Fallible humans are responsible for this and it's a problem that's grown over time. Probably every person who's written any significant amount of production code can be said to have contributed to the problem.
And, of course, there's no degree of effort that can defend with 100% efficacy, which is why we also need a deterrent approach.
>why are you so vehemently looking to absolve [companies] of all responsibility?
I've specifically stated that companies need to do better. You, on the other hand, have not assigned an iota of culpability to the actual criminals who attack us. Instead, you've worked against all-logic to absolve them (or, failing that, to place the criminals in the U.S.). It's a simple thing to say "criminals are doing bad things and should be held accountable". Odd that you refuse to say it. Odder still that, to the extent that you even acknowledge criminals exist in this problem-scope, you find it necessary to relocate them to the U.S.
"No. It's vast because it's vast. Complexity + interconnectedness."
Firstly, that's not an argument, it's a tautology.
Secondly, attack surface is vast because we have shipped several billion locked-down phones with known vulnerabilities and proprietary binary blob drivers, meaning they can't be updated. We could fix the problem overnight by voiding copyright protection on all software where the vendor has abandoned updates for a year or more.
It's not American companies, it's the entire shithead industry.
"You, on the other hand, have not assigned an iota of culpability to the actual criminals"
Mate, they are criminals, they are culpable by definition, it's in the Oxford dictionary. They have always existed and always will.
What's the point of banging on about them like a broken record?
Even if Russia and China magically disappear tomorrow, the problem will remain: if you have vulnerable systems someone will hack them.
It's like if someone is always stealing stuff from your house, and I tell you maybe you should try locking the door.
No, it's a correction. You suggested that "we made the attack surface vast". The point is that you're wrong. It's vast due to actual complexity and interconnectedness. It's vast by definition.
>Secondly, attack surface is vast because we have shipped several billion locked-down phones...
This again illustrates that you don't understand what the attack surface is, thus you believe fallacies such as "we made it vast". It's not a phone or single entry point. It's every bit of software that a system touches or is comprised of, including custom, commercial, and OSS. It's firmware and hardware and networks and configs. It's social. And, to some extent, it's those same vulnerabilities in systems that connect to a system.
Again, it's vast by necessity b/c our modern world depends on software, technology and interconnectedness.
>Mate, they are criminals, they are culpable by definition, it's in the Oxford dictionary. They have always existed and always will.
So, this is your grand rationale for focusing all ire on the targeted companies vs the actual criminals? Your overall position then is that we should have no deterrent (why have laws at all?) and just lock our doors/secure our systems. If the inevitable criminals get you, then it's your fault.
>What's the point of banging on about [criminals]?
Pretty obvious: to acknowledge they exist, are the actual cause of the problem, and need to be deterred/punished as part of any comprehensive solution.
>Even if Russia and China magically disappear tomorrow, the problem will remain:
Actually, the problem would be substantially reduced to relatively nil. Just removing Russia alone would have a massive impact.
And, the solution-set becomes vastly different when fighting domestic criminals vs deterring state-sanctioned attacks from foreign adversaries.
But, here you are working hard to absolve the U.S.'s foreign adversaries again, "mate". Very curious.
>It's like if someone is always stealing stuff from your house, and I tell you maybe you should try locking the door.
Another straw man. I've acknowledged repeatedly that we should lock the door. That discussion is over. What we're discussing is your position that we should not attempt to deter criminals (especially if they are foreign). Instead, they should be able to try breaking your locks with impunity and, if they succeed, then it's your fault.
>The problem is the criminals can be anywhere in the world
Perhaps, but we tend to trace the lion's share to one of very few places.
>When criminals are a constant, security is the only variable.
Security also comes through deterring would-be attackers. Security is not simply a posture of attempting to deflect as many attacks as possible. Ever play Missile Command?
In fact, that's disastrous policy. And, even if it were possible to get every company/governmental agency to immediately invest in massive security overhauls along with all vendors, OSS, etc. with near instantaneous results, some attacks will invariably get through.
Seems pretty obvious that we don't want attackers with 100% upside and no downside.
> So, if it's the successful attack that prompts those defenses, then it's already too late.
Reality is not a single-round game.
> Doing it retroactively with mountains of technical debt is even harder.
Building mountains of technical debt is precisely the behavior companies need to stop.
> The reality is we need to stop thanking the criminals and support/protect our companies/agencies with a "layer" above their own security, including via deterrence at the nation-state level.
You can’t accuse someone of being idealistic and then turn around and say this.
There was a big hack recently in Ireland that took out the health service IT systems, with a ransom demand. The entry point there seems to have been social engineering: they got an employee to call a number from a web popup claiming they would fix their computer, and of course then proceeded to infiltrate further. This is not hacking in the sense that no software bug was exploited, but it is effective. Unless employees have no way of running code that is unsigned (by the employer or a trusted source), it's hard to see how this kind of weakness is prevented.
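The control the comment above points at (employees cannot run code the employer has not approved) is what application allowlisting products such as Windows AppLocker or WDAC enforce. The following is an added example written for this thread, not code from the commenter or from any of the organisations mentioned; it shows the mechanism in miniature in Python using only the standard library: a manifest of approved file hashes, keyed with an HMAC so that an attacker who can write files to disk cannot simply append their own "support tool" to the allowlist. The file names, the manifest layout and the policy key are constructed assumptions.

```python
"""Hash-based application allowlisting in miniature (added example).

Written for this discussion; not the HSE's, Microsoft's or any vendor's
tooling. File names, manifest format and the key are constructed.
"""
import hashlib
import hmac
import json
import os
import tempfile

# Assumption: in a real deployment this key lives with the policy author,
# never on the endpoint. It is a constructed placeholder so the example runs.
POLICY_KEY = b"example-policy-signing-key-not-for-production"


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(hashes) -> bytes:
    """Stable byte encoding of the hash list, so the MAC is reproducible."""
    return json.dumps(sorted(hashes), separators=(",", ":")).encode()


def build_manifest(approved_paths, key: bytes = POLICY_KEY) -> dict:
    """Hash each approved file and MAC the list with the policy key.
    Without the key nobody can add a hash and keep the manifest valid."""
    hashes = sorted(sha256_file(p) for p in approved_paths)
    tag = hmac.new(key, _canonical(hashes), hashlib.sha256).hexdigest()
    return {"hashes": hashes, "mac": tag}


def manifest_is_authentic(manifest: dict, key: bytes = POLICY_KEY) -> bool:
    expected = hmac.new(key, _canonical(manifest.get("hashes", [])),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the tag byte by byte.
    return hmac.compare_digest(expected, manifest.get("mac", ""))


def is_execution_allowed(path: str, manifest: dict,
                         key: bytes = POLICY_KEY) -> bool:
    """Default deny: run only if the manifest is authentic AND the file's
    current hash is listed. A tampered manifest denies everything."""
    if not manifest_is_authentic(manifest, key):
        return False
    return sha256_file(path) in manifest["hashes"]


def demo() -> dict:
    """Constructed scenario: an approved tool, a 'fix your PC' binary dropped
    after a scam popup, a forged manifest, and an approved tool patched on disk."""
    d = tempfile.mkdtemp()
    approved = os.path.join(d, "approved_tool.exe")
    dropped = os.path.join(d, "fix_your_pc.exe")
    with open(approved, "wb") as f:
        f.write(b"MZ approved corporate tool v1")          # constructed content
    with open(dropped, "wb") as f:
        f.write(b"MZ remote control tool from popup")      # constructed content

    manifest = build_manifest([approved])
    results = {
        "approved_runs": is_execution_allowed(approved, manifest),
        "dropped_runs": is_execution_allowed(dropped, manifest),
    }

    # Attacker appends their hash to the allowlist but cannot recompute the MAC.
    forged = {"hashes": manifest["hashes"] + [sha256_file(dropped)],
              "mac": manifest["mac"]}
    results["forged_manifest_runs"] = is_execution_allowed(dropped, forged)

    # An approved binary modified on disk no longer matches its recorded hash.
    with open(approved, "ab") as f:
        f.write(b" patched")
    results["patched_approved_runs"] = is_execution_allowed(approved, manifest)
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The point the demo makes is that the decision is made on the code, not on the employee: the tool dropped by the popup is denied regardless of who asked for it to run, and altering either the manifest or an approved binary also results in denial. Production allowlisting typically keys on publisher signatures rather than raw hashes so that legitimate updates do not require a new manifest, but the default-deny logic is the same.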