I’m seriously asking because a while ago, I had an interview that was explicitly about finding a business model for that type of data (flights, on-time, maintenance, etc.) for a reseller. I think I did a good job, but the company closed before they made an offer. I reached out to a friend who was working for a big airline to ask for his help on that, he was helpful but cagey: that’s because that was his job. A bit later, he mentioned that those were notoriously hard to buy because there wasn’t really any client — not a legitimate one.
The only potentially interested parties he could mention were people looking at tourist trends (they get overall hotel and restaurant stats: flights aren't the right breakdown) and possibly taxi companies to get on-time stats (that’s actually another project I worked on; small world). But landing data is public, or at least scrapable.
Chinese manufacturers (if you believe the rumors that they like to copy technology) care about R&D. Airbus, maybe, to price them out when competing on bids? But it would seem obvious and not that helpful. I’m not a sales guy.
This is “parts and distribution business” so, essentially, the business branch recently transformed by a lot of machine learning to predict failures. If another maintenance company could train a similar model, they would benefit, but is there such a company? Does anyone do that in both partnership and competition with Boeing?
How did we coordinate activities across multiple sites and suppliers before the internet?
Basically, I don't think enough people are seriously questioning the costs vs benefits of using the internet when dealing with sensitive data. You should assume anything that touches an internet-connected device will eventually be stolen, and plan accordingly.
Before the Internet, aircraft designs were far simpler and thus it was feasible to do the work at only a few sites. The JSF / F-35 program then went even further by intentionally spreading work across many US Congressional districts plus several allied countries in order to make it politically impossible to cancel.
I don't understand the downvotes. Industrial espionage is a fact of how governments operate, all governments that have a spying apparatus at least.
For some it's a bitter pill to swallow when everyone is the bad guy, but we should just accept governments don't like being bound by international laws when breaking them can give them an advantage.
Considering it's Boeing, there's a 50-50 chance that the leaked parts data is a shambling pile of DFARS violations.
They can get up to some stuff when it comes to classifying things as "new". Check out the financials. BGS is always swimming in money compared to the other divisions - that cash flow almost certainly helped along by pushing returned assemblies back out as "more new than they probably actually are, and should be according to the contract docs".
And there's just a joyous brown fountain of horse puckey when it comes to "equivalence", a whole other pile of dead fish. The stuff that the PLs claim is "electromechanically equivalent" makes my brain hurt. Like, does it have wires sticking out? "Oh, that's an ARINC 600 connector for sure!". It's harder to nail someone for false equivalence, though, since it's a pretty nebulous thing to define. Unlike "yo, this new part is actually old and busted".
I should add that Boeing isn't really alone here. Lots of suppliers do this stuff too, and Boeing, the damn fools, probably get caught covering for suppliers and subsidiaries.
The market for actual systematic non-real-time data on flights etc. is pretty diverse (airlines/airports, finance & leasing, maintenance companies and aftermarket parts suppliers, insurance, consultancies), but companies are paying the likes of Cirium or OAG for systematic structured data in formats that make creating forecasts or spotting opportunities easy, not because darknet data dumps are the only way to find stuff out about a company.
I'm not seeing much value in loads of Boeing-specific tech data for current generation civil aircraft though. Most of it isn't that secret, there's no viable market for copying Boeing parts without Boeing approvals stamped all over them, maintenance on Boeing aircraft is done at manufacturer-specified intervals regardless of whether it's a Boeing facility or a third party with Boeing approvals, competing aircraft have completely different needs, and if they really wanted to know how Boeing solved a problem that's bugging them they could just poach engineers...
China. They are able to mass-produce Boeing spare parts and also build their own planes cheaper, at the same or even better quality, to eat into Boeing's market worldwide. That ransom would be way cheaper to pay than losing $20B USD over the next 8 years (I have done an analysis of how badly this will affect Boeing revenue). I foresee Boeing going downhill in the next 20 years, à la Nokia/BlackBerry. I already dumped their stock just before those crashes. Extremely poor decision.
Brand new account and you're using it to criticize a victim for not paying an extortionist's ransom? I hope you don't think you're going to change anyone's mind, least of all Boeing's. And if you are expecting any direct gains from that ransom - or any cryptolocker-style parasitism - I hope you understand that there are a great many people out there, with numbers increasing geometrically every time this sort of thing happens, who will gladly vote for anyone with a plan to throw people like you into a sewer. Or sign up to do it themselves. Retroactively, with no statute of limitations, if need be.
That data is copyrighted, so Boeing could go after you for that, using anti-movie-piracy laws that are quite draconian in the US: copying itself is bad but hard to prove; making it available is definitely worse.
Trade secret tends to extend more broadly, including soliciting, and corporate espionage carries real penalty including conspiracy, so I would avoid it.
Where I’m less clear is if that data would be protected under anti-terrorism laws: now that I’ve been thinking about it, such documents could help someone plan a terrorist attack by, say, planning a watering hole or supply-chain attack. In that case, the law gets far more open-minded for the prosecution, letting them try anything to prove their case, and the consequences go as far as extra-territorial non-US-jurisdiction legal nightmares. I’d stay away from it, but IANAL.
In case anyone is curious*, you need the Tor browser to download it from the LockBit onion site [1]. It's a dump from a malware distributor though, so downloader beware.
From the file names it doesn't look like anything particularly interesting though.
What exciting classified bits were you expecting? Outside of signing keys, I would expect the vast majority of classified documentation is boring technical specs for the N millions of parts required to assemble military gear. Each valuable in their own right, but knowing the exact dimensions and composition of the inanimate carbon rod is not going to move hearts and minds.
Juiciest potential bit is always going to be emails so you can see the human component of what people really think.
As a DCS player, I appreciate when information is moved into the public domain or whatever it's called when the module makers can freely design a plane that's almost just like the real thing. A few specifics are approximated to gloss over things that remain classified.
(DCS World is a combat flight simulation game, the consumer version.)
Very boring. Most of the files are MSSQL database backups according to trid, mostly for random Citrix, Ivanti, and so on services. I'm still downloading data.zip and boeing.com.7z to see if there's anything juicy there (also unlikely).
That said, I'm learning a lot about digital forensics.
Some victim has been violated by a criminal, with the breaking in and stealing and threats, but doesn't further violation happen when others pile onto that?
Also, isn't the threat of releasing the information that the victim will be further violated by others if the information is released, and so those others could arguably be seen as enforcers for the criminal threat?
No idea but the ethics of this are fascinating. At first I was on the side of absolute freedom especially since I'm just satisfying a personal curiosity but this has led me down a rabbit hole of leaks where I'm not so sure. The ethics of using any of this information commercially is murky at best.
A group called ALPHV (who AFAICT was responsible for the MGM resort outage) even makes an API available and indexes their leaks so users can search through them and download individual files. One particular leak for the 3-D Engineering Corporation caught my eye - I can see a bunch of Solidworks parts and assemblies from just a quick glance of the file list. I'm betting there's some ITAR violating files in there which makes me feel icky. Any serious leak from Boeing could contain stuff that's actually relevant to natsec.
That said, we are talking about Boeing here, which was recently responsible for negligently killing hundreds of people. I'm inclined to say "fuck their right to confidentiality."
> That said, we are talking about Boeing here, which was recently responsible for negligently killing hundreds of people. I'm inclined to say "fuck their right to confidentiality."
Lose their right to confidentiality wrt public interest independent investigation of the 737 MAX 8 and/or other possible wrongdoing/dysfunction?
Or lose their right to confidentiality just in general, as a kind of mob justice lite?
In both cases, how clearly can we distinguish logical reasonings in pursuit of justice, and convenient rationalization for something we wanted to do anyway?
It may seem like boring data at first, but that kind of data is a gold mine for hackers seeking to learn about Boeing internals and partners to enhance their social engineering attacks (people's names, methods of authentication, software used, password policy, etc.).
Yes, but the context was information that would be useful for curious minds (that want to, let's say, build their own jet engine). For that purpose, these documents don't seem all that useful.
50GB of data from a big company seems like a big nothing burger unless it's like 50GB of specifically executive email or similar. If it's actual product info, 50GB of CAD files is nothing for a big industrial project.
Shouldn’t be an issue. Plenty of court precedent that evidence gathered through crimes is admissible as long as it wasn’t the cops/gov’t committing the crimes.
FOTPT only applies in instances where the cops obtained the content illegally. If some vigilante or bad actor obtains evidence of a crime without coordination or involvement from the government, then the government obtains this illegally-obtained information through legal means, it's still fair game for prosecution.
For example, if I break into your home and steal your safe, which contains evidence of fraud you're committing, then the cops catch me and seize the evidence of my crime, thus observing evidence of your crimes, the evidence they took from my case can be used against you.
In fact, if I'm talking to my cop friend and he tells me about the case against you and that they think there's evidence of your criminal activity in your safe, but they haven't obtained probable cause, I could break in, take the safe, and provide it to my friend and it still be admissible in court. Your defense would have to make a convincing argument that my cop friend asked or coordinated with me to commit the crime of breaking into your house/safe.
Exfiltration isn't always about copying the tech. 50GB may not be enough to reproduce the object, but it's enough to sniff out a vulnerability. Boeing happens to be a defense contractor...
> files said to be related to [...] supplier details.
Supply chain attacks are the social equivalent of malware persistence. Now you know what parts they need, what vendors they source from, and maybe even for what products, so you've found a number of ways to get back in later.
That's probably why Boeing didn't pay, mustn't be very valuable hostages there.
OTOH, this isn't plain ransomware, it's exfiltration+ransomware. More and more bad actors ransom, and after being paid, sell anyway. Why pay if they're going to slap your other cheek regardless?
It's still impossible to prove the files were deleted even if they don't release after the initial payment. All it takes is a single individual in a group to make a backup or have a default policy of keeping a backup "just in case".
One should assume at this point that it's not a question of whether the files will be leaked but when.
Also, governments like China, North Korea, Russia, and Iran are basically silent endpoints for this stuff, so assuming it's valuable data, the ransom request should trigger whatever intelligence protocols you have.
Obviously. The surface for such an enterprise is tiny, while a worldwide multinational with hundred of thousands of employees and contractors can't afford that luxury.
If they were the tiniest bit decent they wouldn't be working in ransom ware.
If they delete the files, it's not out of decency. It's out of a desire to build a reputation of post-ransom trustworthiness so others will pay in the future.
Low Earth Orbit. It has become sentient as more starlink satellites have gone into orbit. As starlink is used to transfer data LEO has become interested in the uses of the data transfer. Being of Lawful orientation LEO doesn't like ransomware, and may at some point use its computational and communication abilities to redirect any ballistic missiles or rockets which are fired into LEO at the points of origin of the ransomware demands.
If one group got it, there's no reason to assume another group didn't also get to it first and simply sat on the data. There's also no reason to assume the group holding your data ransom is acting as a single reasonable entity: it could be a group of people, each with a copy, who all have different opinions on what to do.
I know that’s what one would expect, but it’s not true. Many large ransomware distributors have a solid record of keeping their word and established relationships with the negotiation firms. Trustworthiness and honesty lead to more payouts and they have no interest in your data or doing you harm, just getting paid.
When the time comes to retire, a criminal can sell the brand name they have built, sell the accumulated data they have backed up, or keep the backup as a bargaining chip. Of course, they might have already needed to leak all the data to the local authorities in exchange for protection. Or their employees might have made copies. Unlike kidnapping, data can be ransomed many times. You are paying just to delay the leak, hopefully until after you have retired and it is someone else's problem or people have stopped caring. And if you never publicly announced the leak, hopefully until after you are dead and nobody can sue you for securities fraud or similar.
It'll be a good day when everyone stops giving in to these ransom seeking parasites. I wonder how hard law enforcement goes looking for them? They're taking society hostage left and right.
Until companies accurately value their distributed bug bounties and have a better track record of paying, the parallel market of the true market price of security will flourish.
The market price of how much this stuff is worth to the company.
For now, the flogging continues until morale improves.
Correct, and the blackhat infrastructure is far more sophisticated at distributing liability, corporation-like.
The person creating a payload is compensated without doing the unauthorized access.
The person doing the unauthorized access is compensated without selling the things they found.
The person selling the things they found didn't do the unauthorized access, and is not trying to weaponize the information (let's use an example of identity theft here and below).
The person weaponizing the information is only guilty of using someone else's credentials or making new credit cards.
In comparison, white hat is undervalued when respected, a gamble for being respected enough for compensation at all, and comes with threats of prosecution anyway.
I don't agree that companies like Boeing failing to secure their own assets properly is taking society hostage, rather than the absolutely lax and laid-back approach to digital infrastructure that allows these weekly emerging "cyber terrorist" groups to take advantage to begin with.
They may be inappropriately handling the contents relative to their scope and potential damage, but that's actually not their prerogative or their concern. It should be a punishable offense beyond "ransom fees" to be in such a position that you can get so easily exfiltrated when entrusted with nationally secure data. Making a big display to the company to pay up a ransom means this has likely already happened silently multiple times to varying degrees without notice, and that anything after the initial public response is just theater. It's unfortunate that I have to feel embarrassed by the security posture of businesses that have absolutely no excuse.
If we want to stop ransomware, then government should make it illegal to pay ransoms. If CFOs faced jail, then companies hit with attacks would never pay. After a few such failures, gangs would focus on countries that don't prohibit payments.
Sometimes the government itself might be impacted directly. What happens when a government agency/local government/whatever gets ransomwared, turns out their backups don't exist/work/were locked as well, and the options are to shut down, which they can't, legally, or pay up? Or in cases such as the above, when the impacted private entity is a massive government contractor that is too big to fail?
Those are reasons why I think it's unlikely such legislation would appear, not why it's a bad idea. Liability, personal at that, for lack of cybersecurity should absolutely be introduced globally.
A government gets to override the law by executive order. Maybe even in secret. A government is only beholden to a constitution, and sometimes not even that. I think this is why we are hearing of an alliance to stop payments. It at least provides a disincentive to caving in and making a payment, even if that disincentive is in practical terms minor political points.
I suspect an alliance of western countries may happen. When the criminals are based in Russia, China and North Korea, we can expect those countries to already have a copy of all the leaked data, and paying ransoms is essentially just funding enemy spy agencies.
As far as I am aware, executive orders can't override or nullify laws; they're mainly directives to government employees (exec branch) to do X thing under the authority of a specific statute.
I’m genuinely curious: Who would want that data?