North Korea hacked him, so he took down its internet (wired.com)
475 points by mig39 on Feb 2, 2022 | 238 comments



I would have advised him to stay quiet about this. Not out of fear of the North Koreans, but out of fear of our own security agencies seeing the activity as interfering in international relations. Also the vagueness of our hacking laws probably makes what he did a crime.

But I also am immensely proud that we have people willing to take things into their own hands when needed.

Also, I feel like the 2nd amendment should be interpreted to include the right to bear digital arms (strong encryption for a start). This will probably take another decade to figure out what that would really mean.


Well, it’s interesting in this case, because technically speaking a peace treaty was never signed and North Korea is in the state of war with the United States. So is it really a crime to attack a hostile state?


> North Korea is in the state of war with the United States

I'm not sure where this comes from, but you're now the second person I see on HN to say this (https://news.ycombinator.com/item?id=29896969). Is this "common knowledge" in the US or something?

Here is what I said the last time:

>> The US and KP are technically still at war (the Korean war stopped with a cease fire, not a treaty) and the US and its allies levy sanctions on them that hurt.

> Technically, I don't think the US and North Korea have ever been at war. South Korea and North Korea are technically still at war though, as they signed the treaty with each other, not the US.


None of the US wars since WWII have been formally declared wars. They're still wars.

The conflict with North Korea ended with an armistice, not a formal treaty. The armistice intended for peace treaty discussions to start 3 months later... and they never really did.

The US, UN Command, and North Korea are still operating under a temporary cease-fire that's now basically 70 years old. (I don't think South Korea even signed the armistice).


If you're technically not at war then you can't at the same time be technically still at war. Neither side declared war against the other or is currently acting like they are at war, thus they aren't at war.


They are technically at war[0].

> acting like they are at war, thus they aren't at war

It matters legally that you are technically at war even if you aren't acting like it. It allows the specific wartime actions.

To South Korea this matters, and to the UN as well. North Korea is actively sanctioned as a result of not being at peace.

[0] https://en.wikipedia.org/wiki/Frozen_conflict#Korea


I would add to the “at war” column: the VFW (Veterans of Foreign Wars) grants membership to any US service members who have been stationed in South Korea.


Tell that to the North Koreans :P


Looks like every man and his dog is an expert on North Koreans. Did it occur to you that most citizens there are hostages of their own state and may be fighting hard to get a piece of bread on the table? I highly doubt they give a shit to the US, or the internet or the hacker wars of any kind.


> I highly doubt they give a shit to the US, or the internet or the hacker wars of any kind.

somehow, I don't think that those are the people that are being targeted. it's the "elite" who actually have internet access, and can also eat.

those who make the decisions, and those who are friends of those who make the decisions would be the ones affected by the internet being down, not those who can barely eat and obviously don't have internet access.


So then you're the expert on North Koreans' lives I suppose. Unlike the other fakers who are saying things you dislike.


2016: https://www.reuters.com/article/us-northkorea-nuclear-idUSKC...

> The United States rejected a North Korean proposal to discuss a peace treaty to formally end the Korean War because it did not address denuclearization on the peninsula, the State Department said on Sunday.

2018: https://www.cnn.com/2018/04/27/asia/korean-summit-intl/index...

> Then they signed the Panmunjom Declaration for Peace, Prosperity and Unification on the Korean Peninsula, which commits the two countries to denuclearization and talks to bring a formal end to conflict. It was a startling conclusion to the first meeting between leaders of the two countries in 10 years.

2021: https://www.reuters.com/world/asia-pacific/south-korean-lead...

> "I once again urge the community of nations to mobilize its strengths for the end-of-war declaration on the Korean Peninsula," Moon said in a speech to the annual gathering of the world body.


And who signed the armistice agreement that "ended" the war?

If you are wondering why this is "common knowledge" in the US it might be because just a few years ago there were questions about whether this state of affairs should be changed. https://www.usatoday.com/story/opinion/2019/02/27/donald-tru...


Technically speaking, there hasn't been a peace treaty between Russia and Japan, either. That doesn't mean we've spent the past 77 years waiting with bated breath for yet another conflict over the Kuril islands to break out.


They didn't sign a peace "treaty", but they signed a declaration of ending the war: https://en.wikipedia.org/wiki/Soviet%E2%80%93Japanese_Joint_...


You can't go by technicalities. But even if you go by technicalities, we never declared war in the first place. It was a "police action."

I'd imagine it is a crime to attack a state that we are in a cease fire with regardless.


Is this the first time a civilian has been able to perpetrate an attack on a country? I find the novelty of it amusing.


It's happened before. It's where the term "filibuster" comes from. As an example, an American named William Walker briefly took control of Nicaragua.

https://en.wikipedia.org/wiki/Filibuster_War


> Is this the first time a civilian has been able to perpetrate an attack on a country?

That's the definition of terrorism when it's not "domestic terrorism".


Wars can end without a peace treaty. Just see the history: there were many more wars than peace treaties...


It was not that long ago that whether to formally end the Korean War or not was the subject of spirited debate. Like, a few years ago. You guys telling me the War is actually over should have told them they didn't need to waste their time.


In this case it seems to be just a retaliation as NK was the aggressor. The article is lazy though as there is zero information.


“So is it really a crime to attack a hostile state?”

I don’t know if it’s illegal per se but it’s definitely a dangerous game. If there are any misunderstandings things like this could lead to retaliation and ultimately armed conflict.


Yes, like that accidental pipeline hack. That group that shut down a good chunk of the national oil supply didn't have a letter of marque, so they were dealt with.


> technically speaking a peace treaty was never signed and North Korea is in the state of war with the United States. So is it really a crime to attack a hostile state?

that seems to be standard US foreign policy. it's probably actually worse in reality; where the US even 'intervenes' even if it does have a peace treaty with them. [1]

[1] https://en.wikipedia.org/wiki/United_States_involvement_in_r...


Dude will be awarded his country's highest civilian award for contribution to his motherland. /s


A free stay in PrisoneyLand Federal Resort? ;)


There’s an active truce that keeps the belligerents from killing more people than died in WW2.

Ya, if I were the State Department, I'd be pissed


Who knows. It seems like anything can be interpreted as a crime these days. Hopefully he's got good lawyers advising him.


Agreed. This is immensely foolish on his part. And he can rest assured that his identity is known.

One crime does not justify another.


I don't think the North Korean government would have standing in a US court.


Though US government claims standing in UK court to take Assange.


We signed an extradition treaty in 2003 with the UK:

The Parties agree to extradite to each other, pursuant to the provisions of this Treaty, persons sought by the authorities in the Requesting State for trial or punishment for extraditable offenses.

https://irp.fas.org/world/uk/extradite.pdf

As I understand it, this was an extension of the original 1972 treaty.


NK committed a sovereign act of war, not a crime. NK is not under common jurisdiction as the victim.


Individual citizens don’t get to define acts of war


Probably if you are a civilian.


That this article exists is a manifestation of his failed OpSec... if you are a hacker and you are popular for it, you aren't doing a good job.


Or, a phrase I like: "If you're as good as you claim, why do I (of all people) know about you?"


He's a pen tester. It's free advertising.


Indeed... I've come across a few hackers in my life and not a single one of them wanted to be known / seen as one.


There's also the factor of the word "hacker" having multiple meanings, with the most currently common meaning being equivalent to "people who break into computer systems/networks" (thanks a bunch Hollywood /s), where originally the same word "hacker" meant "person who comes up with creative solutions to technical problems" (among the community of actual original hackers). Both meanings are still in widespread use today but most "normal" people instantly jump to the criminal meaning in their brains thanks to popular media (Hollywood) helping the "black hat" hackers steal the label for themselves.


You know that most hacks don't involve physical access to the target device/infrastructure, right?


Encryption was considered a weapon previously, which resulted in an export ban.

https://en.m.wikipedia.org/wiki/Export_of_cryptography_from_...


No. Encryption was considered to be a munition. Wikipedia is being loose in its terminology and could benefit from some revision here.


Also resulted in lots of us having to lie on our Visa Waiver forms on entry to the US.


...and the parent post's argument was already made by xkcd: https://xkcd.com/504/


North Korea is qualified as a "rogue state," so it's still illegal to export encryption there.


The 2nd Amendment says the government can’t infringe your right to possess arms. It does not say that it’s legal for you to use your arms against others to make a point.

“Digital arms” are legal to possess in the U.S. as far as I know. Again, that is not the same thing as legalizing any use of them.


Not being able to use arms absolutely is an infringement of the right to bear them. I mean, how would it be different if we claimed that you can own a gun but not shoot it?

One point that gets lost about the 2nd Amendment is that it should be considered an inalienable right. Meaning, it cannot be diminished by any law of man. Consequently, most of the gun laws can be viewed as fundamentally unconstitutional, and any attempts to enforce them are illegal.

Of course, this is a highly unpopular opinion, as most of the population has surrendered itself to creeping authoritarianism.


> Not being able to use arms absolutely is an infringement of the right to bear them.

That doesn't follow. The right to own something does not imply the right to use it.

> One point that gets lost about the 2nd Amendment is that it should be considered an inalienable right. Meaning, it cannot be diminished by any law of man. Consequently, most of the gun laws can be viewed as fundamentally unconstitutional, and any attempts to enforce them are illegal.

The Constitution does not and cannot bestow inalienable rights.


>"The Constitution does not and cannot bestow inalienable rights."

The Bill of Rights was never supposed to bestow rights, just protect them, as per the preface:

>"The Conventions of a number of the States, having at the time of their adopting the Constitution, expressed a desire, in order to prevent misconstruction or abuse of its powers, that further declaratory and restrictive clauses should be added: And as extending the ground of public confidence in the Government, will best ensure the beneficent ends of its institution."


> That doesn't follow. The right to own something does not imply the right to use it.

That's like saying "The right to own a pair of pants does not mean you have the right to wear them." or "The right to own that Rembrandt doesn't mean you have the right to look at it". What, if not to use or consume an item, is the purpose of ownership at the fundamental level?

> The Constitution does not and cannot bestow inalienable rights.

You'll be happy to hear it does neither. It recognizes rights that are inherent to human beings and (presumably) limits the ability of the government to infringe on them.


Or like saying that "The right to own a car does not mean that you have the right to drive it".

Or even "The right to own a car does not mean that you have the right to drive through red lights".

The fact that you can own something does not mean that you have the right to use it indiscriminately. In this case (if we consider them "digital arms") I don't see how using it for retribution (rather than self defense) would be considered ok.


> Or like saying that "The right to own a car does not mean that you have the right to drive it".

This is exactly how it works (in the USA) currently. You can legally own a car, yet be unable to drive it legally (if you are not a licensed driver).


Yes that was somewhat my point :)

And even if you don't have a driver's license it can be perfectly legal to drive your car on your own property (hack your own computers) but not to drive on public roads / private property where the owner has not consented to you driving (hacking someone else's computer without their ok), but if they are ok with it it's perfectly legal (like for instance pentesting). Context matters.


Indeed, inalienable rights cannot by definition be granted; they can only be recognized.


Exactly! How refreshing it is to observe someone in this modern world who understands that basic distinction! Good on ya for knowing that!


> Not being able to use arms absolutely is an infringement of the right to bear them. I mean, how would it be different if we claimed that you can own a gun but not shoot it?

Do you have the right to shoot at someone's house? Do you have the right to fire in a crowded theater? Do you have the right to fire your weapon right next to someone's ear?

Just because you own a gun doesn't mean your use of that gun cannot be restricted by law, indeed severely so. The only issue is to what degree your usage may be curtailed. This is not black and white.


The crimes that you listed are destruction of property, disturbing the peace, and intentionally causing bodily harm. Using a gun is incidental to the actual crime. The same arguments can be made about knives, baseball bats, or other things. Consequently, this is not a legitimate basis for restricting their availability or usage of guns themselves, any more than such potential crimes limit the use of those other objects.

Of course, prosecutors love to double dip with charges, tacking on a weapons charge or two. These extra charges usually result in a far more severe sentence. Again, hard to see the legality of such practices, but this is the status quo that we have today.


Obviously there are limits on what you can shoot your guns at or crimes like murder, for example, would be legal as long as it was accomplished with a gun.


In most jurisdictions, homicide is entirely justifiable when it is committed in the act of defending oneself or others from potentially lethal forces, where a reasonable person would conclude that committing murder was necessary to preserve those lives.


Sure but is it legal if you’re not in the act of defending yourself? If you just walk up to someone who made you mad, and shoot them? No. Which means there are legal limits on how you can use your guns.


Yes, murder would be illegal without just cause, but then it doesn't matter what weapon is used, does it? In which case, you're trying to blame the weapon, rather than the person. I agree there should be legal limits on what you can do to someone else's person, but that policy does not require placing unconstitutional limits on gun use.


It doesn’t matter what kind of weapon. And in fact if you go up to my first comment, you’ll see I used the more general term “arms”.

You’ve decided to focus on guns in your comments, but that’s not a distinction that matters to my point.


Important to note that "digital arms" are not a real thing as far as anyone's rights are concerned. God given rights probably but as far as encoded in law, not the case.

Also, don't engage in cyber warfare against other nations because the feds will come down on you harder than your target could hope to[1]. Obviously because it's stupid to put your country at risk.

[1] Unless you live in the US and that country is Israel.


I wouldn't want to be the one who tests this, jail is jail regardless if you're right or wrong. Getting out of jail isn't as quick as you may think.


Would the castle doctrine apply to your digital residency?


Seems like an imperfect analogy. If you find malware running on your computing systems, it is legal to disable and delete it. But it’s not like the bad guys are physically present within your computer, like in a real life home invasion.


Encryption, at least, is a purely defensive weapon. In the historical context of 2A, protecting yourself from your government would closely align with the original intent of militias protecting locals from a federal king.


It's an interesting theory until they arrest you. As another poster pointed out, crypto used to be considered "munitions" under U.S. law.


Yeah. After an expensive legal defense, maybe with a bunch of expensive appeals, you'd be either wrong, poor, and in jail or right, poor, and not in jail.


Do bear in mind that the way this is interpreted under US law is considered by most non-Americans to be completely bonkers, and is only sustained by strong, uncompromising activist pressure.

I doubt the NRA would organize a picket to defend your right to run PGP.


Well, it's an American law, so its validity has no relation to how non Americans see it. Also, the activist pressure is much stronger and much, much better financed on the anti gun side, so that does not make much sense. You can go read the recent SCOTUS decisions related to the 2nd amendment; their interpretation of the constitution is very, very well justified. You can disagree with it, but it's ludicrous to say it's all because of extreme activist pressure. The 2nd Amendment is pretty clear on its intent, and that's widely agreed on by constitutional experts. Americans usually support the right to bear arms too.

I'm not American but if I was and I wanted to limit access to guns, I don't think arguing that the courts should decide the 2nd amendment doesn't actually give the right to bear arms would be the way to go. If you think Americans agree with you and don't actually want that part of the constitution, judicial activism wouldn't be needed.


No offense but why would I care at all what a non-American thinks? They are not governed by this law and so have 0 say in what it should be since it is not a rights violation. I am only sorry you all live with such a lack of a basic right and find it normal.

From the other perspective: gun rights are under constant attack from fearmongering media and I find that bonkers. All it takes is one (1) psycho POS shooting up a school for the media to run a month of coverage claiming that everybody should now lose a fundamental right. Ffs most people agree that criminal activity doesn't justify violating everybody's rights (like police state measures), why is this specifically different? Because the media machine works for a political class that wants a disarmed and castrated electorate.

There's been a creeping advance against these rights since the 1930s with the NFA passing and gun grabbers have been constantly demanding more for these 100 years with small concessions then larger infringements, ratcheting toward less gun rights, slowly but surely hellbent on taking away our weapons. Most of this is enabled by bullshit judicial activism that twists 2a for matters of convenience and political ends.


> No offense but why would I care at all what a non-American thinks?

As a non American who doesn’t live in US, I agree with you on this.

I guess most of the non-Americans also don’t care that deeply about your gun laws.

Sometimes we see the incidents and perceive the loss of life to be painful. But this is human nature and it exists in me and you alike.

Sometimes non-Americans might express their opinions on this matter which I believe is fine. Just an opinion. :)


based


I hate that pro gun propaganda is seeping in to our country and gun access is getting more relaxed allowing psychos to get armed. I want my right not to get shot to be intact. The police isn't also assuming you are armed during routine stops so they aren't so trigger happy.


> I hate that pro gun propaganda is seeping in to our country and gun access is getting more relaxed allowing psychos to get armed.

What "pro gun propaganda" is this exactly? Gun access is not getting more relaxed - talk about propaganda. The Federal form you are required to fill out at any gun shop in the country asks you to declare whether you have ever been adjudicated as mentally defective or have ever been confined in a mental institution. Answering Yes will result in your firearm purchase being denied.

We can't know ahead of time that someone is going to go off the deep end and go on a shooting spree. You can't legislate this risk away short of banning guns completely and confiscating all of them, which is unrealistic/impossible. Let's ban alcohol as well because it kills twice as many people as guns do (half of which are suicides) annually.

I'm an independent that shares plenty of the Democrat party's positions, but gun control isn't one of them. Guns are tools that can be used and misused like any other tool.


I hate how pro abortion is seeping in to our country and psychos being able to abort babies. So what can I do. You win some and then you lose some.


Seems like the 4th Amendment already covers the right to use strong encryption.

> The right of the people to be secure in their persons, papers and effects shall not be violated by unreasonable searches and seizures


The 2nd amendment already has interpretation questions around the first half -- the "A well regulated Militia, being necessary to the security of a free State," clause. It could go in any number of directions, from expanding "arms" to include "digital arms" to reducing the right only to "as part of a well regulated militia." See: https://www.law.cornell.edu/wex/second_amendment

But I wouldn't bet money on the right expanding beyond firearms any time soon, given the glacial pace of constitutional law review.


"A healthy breakfast, being necessary for a productive day, the right to eat eggs shall not be infringed"

Would you interpret _that_ as meaning we could only eat eggs for breakfast?


It could be interpreted that it'd be ok to ban eggs in other circumstances, certainly. The problem is that its meaning is so ambiguous that you can't properly tell, especially when considering the arms they had at the time of writing were completely different from what we consider arms these days. If the founders said the right to eat eggs is not to be infringed, would that mean the government would be unable to regulate genetically modified eggs? I don't think so.


No, but the supreme court might if it served their interests.


> given the glacial pace of constitutional law review

OTOH, the SCOTUS has achieved a political supermajority and will probably move much faster with policy changes now.


The Supreme Court does not make policy, at most it stops other branches from making certain kind of policies, when presented an opportunity to do so when resolving an actual case or controversy.


Stopping certain forms of policy and not others is a way to make policy.


Shape policy but not make policy.


Shaping policy is making policy, practically.


Shaping material given happens at the end after the material is formed.

A judge answers the question someone else asks.

They can deny policy based on existing policy.


Our current Supreme Court is creating policy from whole cloth while entirely ignoring precedent, and the text of law as a flagrant act of partisan pandering in their recent vax || test ruling.


Not to mention the "states can break constitutional protections by simply paying third parties in civil suits" thing.


"does not" or "should not" ?


SCOTUS can also roll back existing policy. The power to flip a bit is effectively power to make policy.


Not autonomously. The Supreme Court can only hear cases which are brought to it -- it cannot "make policy" in the absence of a relevant case.


The SC receives an enormous number of cases most of which it declines to hear. It has a lot of authority over what is brought before it.


Arms vs weapons of mass destruction? Digital arms could fall into the latter category.


> I would have advised him to stay quiet about this. Not out of fear of the North Koreans

Both reasons seem pretty compelling. "Keeping your mouth shut" is such a fundamental rule of opsec that it's hard to take this person's skill/expertise seriously. Why put yourself in a place where you (and your family) have to look over their shoulder for the rest of your life?

It's reckless to go bragging (even under a pseudonym) when your adversary is one of the biggest organized crime networks in the world (masquerading as a country): https://www.bbc.co.uk/programmes/w13xtvg9/episodes/downloads

I applaud the guy for his civil courage, but seriously this just painted a huge target on his back and probably changed his life forever. Hope he is OK and even more so hope he has no family or friends who sure didn't sign up for it.


You can't own a firearm if you consume marijuana, so using the 2nd amendment for things like encryption might get interesting. The 2nd amendment allows for heavy regulation of arms.


> You can't own a firearm if you consume marijuana [...]

While BATF Form 4473 and the Gun Control Act may lead some to conclude that you cannot be "addicted to marijuana" and simultaneously legally possess a firearm, consider that many laws are on the books that would likely be adjudicated unconstitutional. The second amendment concludes with "shall not be infringed", and denying somebody their right to possess a firearm (for any reason) appears to be an infringement of that right, according to the second amendment.

> The 2nd amendment allows for heavy regulation of arms.

I'd be curious to hear what leads you to believe this. The language of the second amendment is clear, and the founders' intentions even more so. If you're developing your view based on the term "well-regulated", go do a bit of research on what that term meant when the Bill of Rights was authored (hint: it's different than what "regulated" is often interpreted to mean in 2022).


>You can't own a firearm if you consume marijuana

In what state?


All of them? Marijuana is still a schedule 1 substance


When purchasing a firearm, that is one of the questions in the Federal application, and you're not allowed to lie.


The federal application for a Federal Firearms License, the license needed to be a firearm vendor, not the (as far as I can tell) non-existent federal license to own one?


It isn't just FFLs. The Gun Control Act (GCA) defines a list of people who aren't allowed to ship, transport, receive, or possess firearms or ammo. This includes any person "who is an unlawful user of or addicted to any controlled substance (as defined in section 102 of the Controlled Substances Act, codified at 21 U.S.C. § 802);" [1]. Since cannabis is federally illegal still if you use it you can't legally even possess (not just own) a firearm or ammo.

I think it is a stupid law though. Imagine if we applied that logic to other constitutionally protected rights. "Anyone who is an unlawful user of or addicted to any controlled substance shall not have the right to vote" or "Anyone who is an unlawful user of or addicted to any controlled substance shall not have the right to due process".

[1] https://www.atf.gov/firearms/identify-prohibited-persons


Admittedly, it's hard to kill another person by voting, or receiving due process. And we do restrict speech when it verges on violence (imminent lawless action, fighting words).


But when people do succeed in killing others through the vote, it's usually a LOT more than they could have ever hoped to do with a firearm.


> Admittedly, it's hard to kill another person by voting

I'm not so sure about that.


> "Anyone who is an unlawful user of or addicted to any controlled substance shall not have the right to vote" or "Anyone who is an unlawful user of or addicted to any controlled substance shall not have the right to due process".

Not the same thing at all, because a firearm is directly and irrevocably more dangerous while under the influence of drugs.

You can debate the tradeoff of "right to bear arms" vs "right to regulate arms" (just as voting has gone through lots of regulations, some terrible (black people, women), some OK or debatable (showing proof of residence or citizenship somewhere in the process)), but it's not obvious simply by analogy to other rights.


There is no “license” to own or possess a firearm, parent is referring to the Form 4473, which is used to conduct a background check via NICS.


There’s gotta be a lot of rappers breaking that rule. :P Dr. Dre, I’m looking at you.


The other day I read a (possibly wrong, fictional, or dramatized) account of some private group hacking Belorussian railways to impede Russian military logistics.

I'm sure this is not new, but to me it is a fascinating concept: the modern era equivalent of Partisan soldiers, conducting cyber warfare in their jammies.


It's a real thing, live and ongoing. They have a Telegram channel https://t.me/cpartisans and also a promotional video on YouTube for how to defeat Lukashenko, the only dictator in Europe: https://youtu.be/UldT78OjlvE

They did manage to induce a mess on Belarus railways transporting Russian military equipment to the Ukrainian border. It probably stalled, but still didn't prevent the Russian military reaching the Ukrainian border through Belarus.


Good luck, we're having enough trouble protecting our normal arms.


Remember: the US Constitution includes "letters of marque" clause, empowering Congress to grant citizens' requests to wage private warfare against foreign entities. Wish people would exercise this option more.


Yea I was wondering about the legality of this cyber self-defence, but like many crimes, if the victim (deserving or not) does not report it, you’ll probably get away scot free.

In the case of NK, they could probably even register a complaint and have it ignored, assuming the effort needed to locate the perp was greater than the fucks given by the appropriate authorities.

Hats off to the author but I would also caution them against broadcasting it publicly. The people who would appreciate this the most probably use secure channels anyway ;)


If he were bombing NK infrastructure, would you be prouder?


Well, the world certainly loves Nelson Mandela.


But doesn't love Osama Bin Laden, although Afghanistan certainly suffered more from US involvement than the US has suffered from North Korea, whose people it killed millions of.


OBL bombed more than just infrastructure. I wonder how the US/world would have felt about him if he decided to take out the Statue of Liberty or something like that (while it was closed for repairs).


When did the US kill millions of North Koreans? Do you mean the Korean War in the 1950s?


Yes, I'm referencing the event that formed North Korea.


I'm down with the right to own botnets under the 2A.


How do you create a botnet? By illegally accessing there people's equipment?


I'm hopeful that the new originalist makeup of the SCOTUS means no longer unconstitutionally limiting what's meant by "arms". ICBMs for billionaires! /s


> Also the vagueness of our hacking laws probably make what he did a crime.

I think it is likely North Korea could charge him with a number of crimes that may be extraditable, like cyber "terrorism" (the quotes are necessary, right?). The US has extradited at least one Russian hacker [1]. P4X is also likely now featured in intelligence summaries in countries with security treaties with North Korea, like China and Russia. Also, it's possible P4X has violated the Logan Act.

[1] https://www.justice.gov/usao-ma/pr/russian-national-extradit...


>Also, I feel like the 2nd amendment should be interpreted to include the right to bear digital arms

The case presented in the article is not at all what the 2nd amendment or any self defense laws are about. This guy was seeking revenge and punishment for an act, not attempting to prevent damage from an imminent threat. The court systems are for dealing with those types of situations. Granted, the court systems wouldn't have helped in this situation, but it's important to make the distinction that this was an attack, not self defense.


It's not about "vagueness" - intentionally messing up somebody else's computer or network (without owner's permission) is a crime, and it's not vague in any computer crime statute worth its name. Granted, if somebody had it coming and deserves this and much more, it's North Korea, but that doesn't change the nature of the deed. I don't think US authorities will be eager to prosecute, but that doesn't change the nature of it.


IIRC cryptography has been classified under munitions:

https://en.wikipedia.org/wiki/Export_of_cryptography_from_th...

Not sure how that'd interact with 2nd amendment issues (but it did come into conflict with the 1st).


Right to bear digital arms to fight a foreign digital empire … seems to fit the spirit. Not sure about the law and the 3-letter people. Best of luck. Brave soul to fight N Korea. How about China?


The second does not grant anything, so it's not applicable for this case. Consider "digital assault weapons ban" as the closest concept.


Bearing digital arms and using them are as different as owning a rifle and shooting somebody.


It's hard to see how North Korea is taken seriously by anyone these days.


I really like that 2nd amendment thought. Very interesting.


What he really should do is petition the US Congress for a letter of marque in a closed-door session, and Congress should grant it to him.


> Also the vagueness of our hacking laws probably make what he did a crime.

Yes, it is most definitely and intentionally illegal. Things don't stop being crimes just because the victims are communists.


A North Korean law was probably broken. North Korea could ask the US to send him over to stand trial and the US could agree or ignore the request. No legal framework exists between the two countries so the US isn't forced to send them.

Things don't start becoming a crime until laws exist.


Sorry for being pedantic but the State of North Korea does not claim to be communist but rather "socialist Juche" which is very different from Marxism-Leninism and other "communisms".

http://naenara.com.kp/main/index/en/politics?arg_val=leader3


I think we definitely need some additional rights listed to account for digital. GDPR seems like a good start to give people more ownership of their data, but in the US we still have basically no data rights or protection against searches of digital content that you don't physically host.


Seconded, 100%


I see comments saying that he may be interfering with actual operations against NK or that now that he has done this they are more likely to patch their systems and be more secure, contradicting his own intentions.

It's also entirely possible that this action, including the WIRED article and its high visibility, is part of a broader effort and strategy. In reality we just won't know in this type of situation.

Any casual judgement that talks about how obviously naive this is may be a little too shallow.


A colleague asked me what I meant by this - what use would a WIRED article have? etc.

Targets (individuals, interior or gapped networks, etc) can be difficult to identify or locate and are even more difficult to get access to. Consider that it may be easier to run an operation where you intentionally pseudo-identify a security researcher engaging in his own attack to draw attention. Better yet, this researcher is known to be in possession of valuable tools, after all, the article says so.

Maybe P4x exists or is a fiction, but either way there's a difficult yet traversable route of information that leads to "his" network. Somewhere there's an encrypted volume that presumably holds his cherished tools and information. But P4x knows that the encryption he's using suffers from undisclosed 0day. In fact, the 0day was developed by P4x et al and released into the wild to be found and used in just this kind of situation. The tools that appear to be protected by researcher P4x are actually compromised themselves, meant to be taken. He schedules an interview with WIRED, he talks shit and trashes NK operations, and plays the cocky and justice hungry hacker trope. He chums the water.

There are countless ways that misdirection and narrative can be layered to draw your adversary into a worldview that is the creation of your own. It's not _just_ floors of camo-clad cyberoperators phishing management types and looking for document dumps.


This is a good point. Can’t break into the vault without tripping the alarm, so you have a bunch of teenagers make a bonfire in the lobby.


So in essence this WIRED article could be a distribution mechanism for the government to provide compromised hacking scripts to third party hackers?


True. He may not even exist.


You might be onto something.


However, that something may also not exist.


Right, isn’t this just spontaneous “patriotic Russian hackers” but with Americans?


> “I want them to understand that if you come at us, it means some of your infrastructure is going down for a while.”

Doing that is one thing, and certainly won't increase your personal safety. Doing that and telling the western press to embarrass them is insanely stupid. Kim Jong-un is widely believed to have ordered the assassination of his half-brother. And you want to threaten the infrastructure of his country? Talk about a keyboard warrior.

PBS Frontline's special on the assassination:

https://www.pbs.org/video/north-koreas-deadly-dictator-2pobw...


It's not infrastructure. He attacked a few propaganda sites aimed at outside audiences. He didn't get into their internal network, which is sealed off from the Internet.


Actual North Korean state sponsored hackers operate from embassies abroad, not from domestic locations. They also hire "security companies" in places like India and China to do a lot of the dirty work.


It makes one wonder if most of the other posters even bothered to read the details.


> So after a year of letting his resentment simmer, P4x has taken matters into his own hands. “It felt like the right thing to do here. If they don’t see we have teeth, it’s just going to keep coming,” says the hacker.

Frankly, I feel that international relations are going poorly enough without vigilantes poking the bear. And also, I doubt that bringing down their network infrastructure will have the desired effect of them lessening the cyber-attack capabilities.


In fairness, the bear poked him first...


The article says he downloaded a hacking tool for a friend into a VM that had a back door. Then goes on to say he was “personally targeted”. This is ridiculous.


NK was specifically targeting prominent security researchers, with fake accounts and blogs, then trying to get the researchers to open a backdoored Visual Studio project. They were absolutely personally targeting people, and I don't doubt he was one of them.


I'm not sure that's what the article is saying, and I certainly don't think it's "ridiculous". The relevant part:

> In late January of 2021, he opened a file sent to him by a fellow hacker, who had described it as an exploitation tool. Just 24 hours later, he spotted a blog post from Google Threat Analysis Group warning that North Korean hackers were targeting security researchers. Sure enough, when P4x scrutinized the hacking tool he'd received from a stranger, he saw that it contained a backdoor designed to provide a remote foothold on his computer. P4x had opened the file in a virtual machine, digitally quarantining it from the rest of his system. But he was nonetheless shocked and appalled by the realization that he'd been personally targeted by North Korea.

The article specifically states he received it "from a stranger", not a friend, which suggests that he was indeed personally targeted. Yes, it does say "fellow hacker", but again this is obviously not someone he knows because it's a "stranger".

I guess it comes down to your definition of "personally targeted". Sure, this isn't a spearphishing campaign, but according to Google's blog writeup about these events [1], they basically targeted individual researchers:

> The actors have been observed targeting specific security researchers by a novel social engineering method. After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together...

[1] https://blog.google/threat-analysis-group/new-campaign-targe...


This is probably just a psyop to embarrass them.


NK's capabilities are vastly overblown. Calling it a "bear" is part of their disinformation strategy, just like Russia.

You're amplifying their propaganda.


North Korea's power doesn't come from its technical capabilities in terms of nuclear weapon usage against the United States. North Korea's power comes from its close proximity to South Korea, which is well within striking distance, and how the geopolitical ramifications amplify out. Even with conventional weapons, a re-ignition of hostilities on the Korean peninsula would be disastrous. Relative to Russia, which more or less has the ability to trade with the world, and has a fairly sustainable economy, North Korea has basically nothing.

The whole reason why NK repeatedly tests nuclear and conventional strike capabilities is to power project, get people to the negotiating table, and try to get supplies/food/money from countries in exchange for a halt of testing.


States don't exist in a vacuum, they exist in a complex web of relations to other states. North Korea is in a particular intersection between South Korea, the United States, Russia and China. I think if you do anything with NK, you also signal something to these others. If you look at it like this, it becomes apt to say "poking the bear".


Russia did hack NSA though [1], and elections, and pipelines, and who knows what else.

[1] - https://www.wired.com/story/eternalblue-leaked-nsa-spy-tool-...


> NK's capabilities are vastly overblown. Calling it a "bear" is part of their disinformation strategy, just like Russia.

Calling it a "bear" is utilizing the common expression "Don't poke the bear," not an assessment of North Korea's abilities.


It's not "don't poke the mouse", if the target isn't dangerous there's nothing to fear from poking them


Please don't feed the trolls or the bears.


I would imagine the intelligence services aren't happy he's providing them free pen-test services. He's taking potential tools out of their toolbox when they may need/want them in a future time of conflict.


So if the reds start parachuting down over your community you should just sit pretty lest you interfere with your military’s operations?

The equivalence is not a false one in my eyes because a cyberattack against a US national’s systems should be seen as an attack on a US national’s property.


If they send a small aircraft onto your territory you shouldn't light it up with all your SAMs and take it down, because that will allow them to locate your SAMs for SEAD.


Wow, the 'Reds' is a term which I had not seen in a while, feels like I'm watching an early 80's cold war movie.


I can see where the reference comes from, there isn't all that much to pick if you want to use a color:

https://abcnews.go.com/International/north-koreas-parade-big...


So that guy downloaded some random "hacking tool" a friend of his found, and no shit it had a backdoor. He was never directly targeted by the North Koreans.


NK did personally target security researchers for compromise. See the TAG post referenced in TFA.


Maybe the CIA/NSA were all over inside the North Korean networks, thanks to the weak security, monitoring their emails (do they use emails?) or probably even inside their mobile networks monitoring the North Korean elites' texts to each other.

Meanwhile this kid comes in screaming "Leeeeroy Jenkins!" making the North Koreans aware of their shit security.

A parachute attack is different to stealth spy missions...


>So if the reds start parachuting down over your community you should just sit pretty lest you interfere with your military’s operations?

I imagine you would be told to evacuate if possible but I'm sure the military would prefer you just don't get involved. Civilians should stay out of warfare.


The article says he’s exploiting known (ancient) vulnerabilities


Yes, he's exhausting their quiver of easy/cheap and instead they'd be forced to waste zero days right up front.


At this point I would assume that foreign states have malware hooked deep enough into all the systems that the only way to eradicate them would be with an incinerator. Plus even after (if?) they update their software I doubt you’d need zero days to get back in. I’m interested to see what the upgrade path for the Red Star OS is though lol


Well, if they're not going to use them to find and shut down the NK hackers, then they should step aside for those who will.

(Of course, there could be deeper ops from the CISA side, but if their only cost is having to lose older vulns, so be it.)


The difference of course being, is that they don't want to shut them down during a time of relative peace. Getting them to harden their presence now is strategically a waste.

In the extremis they can always bring in the orbital cannons and overwhelm them of course.


I have a gut feeling, that person responsible for those hacks might be working for or at least informing US gov about his actions in advance.

Him talking so openly to a major news outlet and the warm response of US gov officials point towards that.


This is precisely my first thought as well. It makes for a half-decent Hollywood plot but IRL? My guess is there’s got to be more than what meets the eye. Propaganda piece perhaps?


> working for or at least informing US gov about his actions in advance.

Wired is!


It's easy to accuse North Korea. They can't practically respond to the accusations because they have no outlet anyone reads, and if anyone did then nobody would care anyway.


North Korea has Rodong Sinmun, which has an online edition in English. People interested in North Korean politics do read this newspaper.

- Website: http://www.rodong.rep.kp/en/

- Wikipedia: https://en.wikipedia.org/wiki/Rodong_Sinmun


Hm. So I actually like the form of north korean websites, if these two in this thread are representative of the norm. :) No ads, no trackers, 0 resources blocked in uBlock, no CDNs, clean design not jumping around, to the point without useless stock photos... No modern "design", with thin grayed out unreadable fonts. No webfonts, clean html code. Interesting. :)


...unresponsive, loads articles in pop-up windows, uses http/1.1 so resources are downloaded serially, has all JS in critical path....


They also have KCNA, which they also use to communicate: http://kcna.kp


Implying that the hacking attributed to NK might have been a false flag?


Indeed another person quoted in the article suggests that the hacking might have come from China.


NK trains up and operates hacking groups to generate income, not just to be unpleasant. So, guessing that would mean NK is renting out hacking services to China. Other ways to generate income from hacking is operating a ransomware gang, renting out botnets, and gathering banking passwords to use in draining accounts. We may assume they are involved in all of the above.


That's the wrong takeaway from that bit though I think. I believe they are saying that China and other states are the actors on behalf of NK not that they are using NK as patsies ... granted that may also be true. International politics and espionage is a weird domain.


I think the implication is that these are North Korean hackers stationed in China, not that China is doing it on their behalf.


And if the systems are as vulnerable as one would think, then they are also an attractive target for a false flag operation, I'd think.


North Korea destroyed their own credibility.


It's good that he went public about it, as this is the sort of thing that can cause international tensions when the target assumes it's a state-sponsored attack. So many cyberattacks by individuals or small crime outfits get misinterpreted as state-sponsored because they're "sophisticated".

Things are really easy to misinterpret, like when Ukraine's undercover attempt to capture Russian PMC soldiers resulted in Belarus thinking Russia was attempting a coup in Belarus.


PSA: Whether bare knuckle boxing or global hacking, always remember the first rule of Fight Club.


What are you talking about?


What fight club?


Either way, I don't know what you mean. What is this "Fight Club" of which you speak? Is it an agro baseball bat? It's probably some Hard Rock Cafe memorabilia Brad Pitt signed, right?

---

looselipsinkships

loose lip sink ships

loose lip sinks hips

loose lips ink ships

loose lips inks hips


This is nothing to celebrate. Would we like random people sitting in say North Korea taking cyber revenge over evil regimes they don't like?


Surprised that I have to scroll that far for this comment. Imagine the US or South Korea is negotiating say, prisoner releases or family reunifications and then some dude causes what looks like an American cyberattack on North Korea.

Warfare falls within the domain of the state, that includes cyberspace. Americans love their vigilantes but this has the potential to be incredibly destructive.

It's no different from the private Russian attacks on American oil infrastructure. Private actors causing tensions between nuclear powers is a bad idea.


Cyberattacks are different than sending a warship or dropping a bomb though. They are harder to attribute and anyone knowledgeable and willing to spend the time can carry them out. There have long been cyberattacks by criminals on companies in other countries, but attacks by individuals on governments are also possible as we now see. It seems likely others will emulate this and there is no obvious way to stop it from happening. It may be illegal but you have to find the person responsible first. Current cyberdefenses obviously are porous. Warfare used to be the domain of the state mainly because only the state had the capabilities (and some corporations have had and used similar capabilities, like oil companies with their own private armies). An individual could travel somewhere and start throwing bombs but the amount of damage they could do was small. Instead of a DDoS attack this guy could have decided to brick all computers in North Korea. I don't see a way these kinds of attacks can be stopped and they seem likely to cause a lot of havoc in the world. Basically, imagine ransomware with a political motive behind it launched by individuals with a goal of destruction rather than Bitcoin. It's actually kind of surprising there haven't already been many instances of it, or maybe there have.


I mean, they specifically targeted him first. It's not that he just didn't like Kim and thought he'd take him down a peg.



> an attempt to draw attention to what he sees as a lack of government response to North Korean targeting of US individuals. “If no one’s going to help me, I’m going to help myself,” he says.

Good. I'm sick of foreign policy being determined by spreadsheets that say whether defending ourselves or others will be profitable.


Well, if someone from North Korea did this to some other country, what would be the reaction?

Why is this dubious criminal activity being endorsed as being positive?

Is it wise to endorse criminal activity as positive - depending on what our relation with the victim is?

Can North Korea ask for him to be found and delivered to stand trial there?

Would it be ok for North Korea to find and steal him from his home at night and bring him to trial?

Can North Korea expect that politicians from US to denounce this act as unacceptable?

What does USA intend to do, to stop such acts which are mostly originating from their country?


You can admire his spirit, but not his judgement or actions.

Attacking a foreign power, or serving a foreign power's military, are both crimes from what I know (am not a lawyer, but cybersecurity tangential).

Specifically, taking out the power affects everyone who lost power, and could be construed as an attack that causes harm to foreign officials. As a result I'd think https://www.law.cornell.edu/uscode/text/18/112 applies. Again, not a lawyer, but the days of hacktivist actions without major retributions have been gone since the early 90s (hackers often get worse sentences than rapists or murderers). It's a different world now, more's the pity. For some background I recommend The Hacker Crackdown (https://www.mit.edu/hacker/hacker.html)


This is a self defence. If police cannot protect you from bad people then you protect yourself from bad people.


What do they mean "north korea hacked him" ?

Does NK hire hackers? How is it possible for NK to have competent hackers?


https://en.wikipedia.org/wiki/Bureau_121

North Korea successfully stole tens of millions by hacking banks via SWIFT between 2015 and 2016 and probably several hundreds of millions in crypto currency in 2021 alone.

https://www.bbc.co.uk/news/business-59990477

NK apparently has a very capable cyber warfare unit and hacking crypto currency wallets/exchanges is a major income for them.


Why wouldn't it be possible for a country of almost 26M people to have competent hackers? Just cause they live in a dictatorship doesn't mean they're all stupid.


> he opened a file sent to him by a fellow hacker, who had described it as an exploitation tool.

Is it not potentially their mistake in the first place? They opened themselves to becoming exploited via social engineering. And if that is the real reason why, they were not really hacked. So can we stop using the term "hacked" so ambiguously?


Respectfully, you have no clue what you are talking about and should read https://blog.google/threat-analysis-group/new-campaign-targe...


He was socially engineered into trusting someone he thought was a buddy and opening a file, when that person was in fact a malicious actor for N. Korea. I've been a SysAdmin for a god-long time, so thank you for respectfully telling me that I am not, when I am full well aware of what I am talking about.

He was socially engineered to open a file. It wasn't Abbacada 123, poof you're hacked. It was his fault; he opened the file, and it was foolish of him to "trust" and open a file.

End result, he got himself infected with an exploit.


So your tools get stolen and you take down possibly critical infrastructure for huge numbers of people? Terrorism.

Imagine someone did that to America in response to the NSA hacking them (read, most of the world's population all the time since the Bush administration).

We celebrate that when it's done to official enemies.


The North Korean regime just needs to come in from the cold, like Gaddafi did, which certainly worked out well for him and the Libyan people.


Just to add context for others that aren't familiar, NK definitely learned from the Libyan experience. It was after Gaddafi got filmed getting bayoneted in the ass for giving up the Libyan nuclear program, North Korea learned to never give up nuclear weapons and accelerated their program.


That was one short bayonet for a man, and open air slave markets for the Libyan people: https://www.usatoday.com/story/opinion/2017/11/27/clinton-po...

> 'We came, we saw, he died,' she joked. But overthrowing Gadhafi was a humanitarian and strategic debacle that now limits our options on North Korea.


and asking Iran to give up having missiles etc after seeing what they did to Libya?


I'd bet that this hacker has personally been targeted by US intelligence agencies, if not before this event certainly after. Yet somehow I doubt he will attempt to take down the entire country's internet or start a FU USA group.


Did you read the article?


They claim that this only affects "propaganda websites" but I honestly do not know how North Koreans use the intranet and what kind of access they have outside the country. Do you see reporters doing in-depth interviews regularly or NK citizens on english language websites? We should be very careful to qualify what we actually know about this country as it is a regime change target. This means most of what we read in the news about it will be war propaganda.


> “The United States is good at protecting the government, OK at protecting corporations, but does not protect individuals.”

> [Dave Aitel] points out that many of the targeted security researchers likely had significant access to software vulnerabilities, enterprise networks, and the code of widely used tools. That could result, he says, in “the next SolarWinds.”

Yikes.


Then again, if a secret state org hacked the sites, part of the plan would probably be to place stories crediting a rogue individual and discrediting the idea it was a government org. Obviously not proof the story is false either, but like so many of these things, conclusive proof or even evidence of attribution is not given.


reckless. could have caused missile accidents or god knows what. now those vulnerabilities will be patched. it would have been better to report those vulnerabilities to the military so they could be used when needed.


I wonder if it's the same P4 that I was accustomed to on video game modding forums and similar places.

Curious indeed. But even going on wired to brag about it, I wonder.


I give that about 0.3846% chance.


So now they're probably patching their vulns, or at least they're aware of them, resulting in an overall better security for NK.


Where's the GoFundMe link?


I think he should crowd source this so we can all work to disrupt North Korea.


> he nonetheless felt deeply unnerved by state-sponsored hackers targeting him personally—and by the lack of any visible response from the US government.

> Aitel agrees, though, that the government response to North Korea's campaign has been lacking.

From a certain perspective I'm not surprised: We're accustomed to the US government being hands-off the Internet, going back to the Internet's early idealistic libertarian days, and in the past lacked the technical abilities.

But we need to be surprised: Fraud, scams, theft, damage, hacking, ransoms, etc., etc. are commonplace. The Internet is highly insecure, yet the US government hasn't yet taken responsibility for enforcing the law and protecting the innocent there. It's just crime; it's not a special situation anymore.


does anyone know where to find that website they mentioned??


LOL


This idiot. Took down a country's internet and bragged to the press. I wonder how many doctors in NK couldn't serve their patients without network access?

But why stop there? Take out the power as well. Contaminate the water. We'll all have a good laugh. No wonder they're building missiles to shoot at us.

This hacker franchise has run its course. Ok it was a fun movie in 1995. But in our modern world what this guy has done is plainly terrorism, probably with a real body count. Not a prank, not hip and not cool. And if it was done to us it would be a clear act of war.


Calm down, he took down a few websites. He didn't take down their entire internet, as the article notes a few times:

> As rare as it may be for a single pseudonymous hacker to cause an internet blackout on that scale, it's far from clear what real effects the attacks have had on the North Korean government. Only a tiny fraction of North Koreans have access to internet-connected systems to begin with, says Martyn Williams, a researcher for the Stimson Center think tank's North Korea-focused 38 North Project. The vast majority of residents are confined to the country's disconnected intranet. Williams says the dozens of sites P4x has repeatedly taken down are largely used for propaganda and other functions aimed at an international audience.

> While knocking out those sites no doubt presents a nuisance to some regime officials, Williams points out that the hackers who targeted P4x last year—like almost all the country's hackers—are almost certainly based in other countries, such as China. “I would say, if he's going after those people, he's probably directing his attentions to the wrong place,” says Williams. “But if he just wants to annoy North Korea, then he is probably being annoying.”

> For his part, P4x says he would count annoying the regime as a success, and that the vast majority of the country's population that lacks internet access was never his target. “I definitely wanted to affect the people as little as possible and the government as much as possible,” P4x says.


"would count annoying the regime as a success"

Idiot.


He only targeted external-facing sites, so no doctors were affected.


I don't like this



