SiempreViernes 5 years ago

So basically, the cloud providers got hacked over and over but didn't tell all their clients, who in turn had to discover they used a provider with bad security one by one.

I don't know if the fact HP got hacked repeatedly is stronger evidence in favour of the competence of the attacker or of the incompetence of HP.

  • placatedmayhem 5 years ago

    Why not both? At least, it's safer to assume both when choosing a platform and where to spend dollars. Security is important yet, in my experience, even more underfunded than reliability -- features are generally king. A platform that repeatedly gets breached shows they don't value security as much as they should. An attacker that has been successful previously should continue to be successful except against those targets that secure themselves.

  • Maarten88 5 years ago

    Not only incompetent, also untrustworthy, which i.m.o. is even worse.

        “The security of HPE customer data is always our top priority”
    
    The story then tells otherwise - they kept relevant information from affected customers and even thwarted their own investigation team to keep customers in the dark.

    Clearly public image and short-term financial results were the real priorities.

    Also a lot of questions are dodged with the "we have found no evidence in any of our extensive investigations that..." answer that provides full deniability. That only makes it plausible that much more happened here.

  • ariwilson 5 years ago

    The cloud providers? Are you referring to HPE and Ericsson here?

  • calimac 5 years ago

    Exactly! HPE concealing the attack emboldened the attackers and weakened the cumulative defenses of all other Enterprises who would have been on high alert if warned!

    Poor decision by HPE. So sad because I like Neri

Angostura 5 years ago

Some top-notch reporting from Reuters here, I think. Kudos to them for sinking this level of editorial resource into a story.

  • officialchicken 5 years ago

    Do you have evidence to share with us about the source and/or target of the attacks? Otherwise I will have to possibly consider your comment part of a possible misinformation campaign.

    • dang 5 years ago

      This breaks the site guidelines, which ask you to assume good faith. That's not because everyone is necessarily in good faith—though close observation shows that it is more likely to be true here than many users think. Rather, it's because not making that assumption leads to community-eroding behavior. Please don't post like this.

      https://news.ycombinator.com/newsguidelines.html

      • iakh 5 years ago

        Doesn't GP break the same rule then?

        • dang 5 years ago

          I don't see how.

    • chance_state 5 years ago

      Do you believe that Reuters engages or would engage in a disinformation campaign at the behest of a western government? If so, do you have evidence to share with us that supports this belief?

      Similarly, Reuters points to three anonymous sources in the article. Do you believe that Reuters fabricated these sources? If so, do you have evidence to share with us that supports this belief?

    • ghostpepper 5 years ago

      If you don't trust Reuters then you might as well not read any news at all.

    • raverbashing 5 years ago

      Interesting how the "level of concern" rises in some news articles. Good that the general audience can usually see through it.

C1sc0cat 5 years ago

Shows the advantage of on prem vs cloud

  • a012 5 years ago

    It's just the medium, your servers are vulnerable no matter on prem or cloud.

    • scurvy 5 years ago

      The authors of SPECTRE, Meltdown, Rowhammer (1-4), and whatever else is next would probably disagree with you. Running in cloud providers absolutely without doubt exposes your presence to hostile neighbors scheduled on the same hypervisor.

      • robocat 5 years ago

        Security is all about making the best compromises and shoring up the weakest links.

        SPECTRE, Meltdown, Rowhammer are just a few risks amongst thousands. Most importantly they at least have runtime signatures that could be detected.

        There are weaker areas for directed attacks against an organisation (e.g. spear-phishing).

        When attacked by highly skilled, highly motivated, highly resourced and foreign opponents, an org may find they are better off relying upon an external team for securing their VMs. I would expect Google Cloud to be far better than the majority of Fortune 500 companies at securing hypervisors and VMs.

        • scurvy 5 years ago

          a) You're ignoring the "and whatever else is next" part of my statement. If you're on-prem, you don't need to worry about hostile neighbors. Google Cloud engineers could be great at securing public cloud workloads, but even they don't know what's yet to be found.

          b) You're not running untrusted, random stranger code on your Fortune 500 VMs. I can't sign up for an account on Ford's VMs and start ripping through memory like I can with a public cloud.

      • ENOTTY 5 years ago

        None of these attacks seemed to use the speculative execution vulnerabilities. They're not very relevant here

        • scurvy 5 years ago

          No, you're missing the point. The comment I replied to said, "your servers are vulnerable no matter on prem or cloud." If you're in the cloud, you're vulnerable to an entire suite of attacks that you're not exposed to on-prem. That's my point.

          I could care less what was used in the attack detailed by the article. I was replying to a specific comment, not the article.

    • nickpsecurity 5 years ago

      It's true in general. In practice, hosting memory-safe apps on OpenBSD rarely gets people hacked. If ever. You can also pick a better processor (AMD vs Intel) or even an obscure one like Freescale's PPC's that these hackers might not be able to exploit yet.

      • vinay_ys 5 years ago

        As long as more than a trivial number of people need to access your application from a network that is bigger than one room, your application is at risk.

        But definitely running in public shared cloud exposes you to certain kinds of attack vectors that are not present in an on-prem deployment.

        But it also protects you from certain types of attack vectors that your on-prem may not.

        For example, you can be a co-incidental victim of a mass hack of public cloud. But it would be difficult to target your specific machines in the cloud (assuming your application surface is secure) but it might be easier when you are on-prem (easy to locate, isolate and infiltrate etc).

    • stevenicr 5 years ago

      While "your servers are vulnerable no matter on prem or cloud" is true - there are some situations in which the cloud has other risks I never considered until it was an issue.

      We had a set of sites on a special hardened, security-wise anti-hack anti-DDoS platform... and when that cloud got hacked they got all of our stuff and everyone else's and put it all on the dark net I believe. This was apparently because one of their customers was a semi-high profile target..

      We found out a couple days later when the credit card on file started being used around the world, and that card had only ever been used at 2 places. We were not notified by the company.

      We did read about it in a story a couple days later that named our hosting company in a sidenote when noting the one client that was hacked / defaced / exposed whatever.

      Sadly in this case we would have been better off with non-cloud, non-extra-secure hosting.

      As others have said, if it's connected it's vulnerable, I agree. There are different risks for different hosting situations.

    • AimForTheBushes 5 years ago

      If it's connected, it's vulnerable.

      • a012 5 years ago

        With sophisticated attacks like these, I won't be surprised if some of these stolen data were/are on air-gapped servers.

        • AimForTheBushes 5 years ago

          Wouldn't that require physical intervention?

          • AnimalMuppet 5 years ago

            Yes, but it can be innocent physical intervention.

            With airgapped servers, the question is, how do you install updates? There's almost always a way; IT needs it. With those updates, you can get an attack, if the machine supplying the update has been compromised.

            For example, even if the update comes via a DVD, some machine wrote the DVD. If you can corrupt that machine, you can corrupt the DVD. Now you have a way to (eventually) get hostile code on the airgapped server.
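A worked check for the case described above, added here as an example (it is not code from the thread). The threat is a compromised burner machine that can rewrite anything on the disc, including the manifest, so the air-gapped host must anchor its check in something the burner never touches: in practice a vendor signing key pre-installed on the host and a GPG or minisign signature over the manifest. This standard-library version pins the manifest's SHA-256 digest on the host instead (obtained through an independent path), which has the same trust structure; the file contents, names and scenarios are constructed.

```python
"""Check update media for an air-gapped host against a manifest whose digest
was pinned on that host through a second, independent channel.

Added example, not code from the thread. Real deployments pin a vendor
signing key and verify a signature over the manifest; the pinned digest used
here is a standard-library stand-in with the same trust structure (the value
the verifier relies on never passes through the burner). Files are constructed.
"""
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(files: dict) -> bytes:
    """'<sha256>  <name>' per line, as sha256sum prints it (vendor side)."""
    lines = [f"{sha256_hex(content)}  {name}" for name, content in sorted(files.items())]
    return ("\n".join(lines) + "\n").encode()

def parse_manifest(manifest: bytes) -> dict:
    expected = {}
    for line in manifest.decode().splitlines():
        digest, _, name = line.partition("  ")
        expected[name] = digest
    return expected

def check_files(files: dict, expected: dict) -> list:
    """Compare what is on the disc with what the manifest says should be there."""
    problems = [f"missing: {n}" for n in expected if n not in files]
    problems += [f"tampered: {n}" for n, d in expected.items()
                 if n in files and not hmac.compare_digest(sha256_hex(files[n]), d)]
    problems += [f"unexpected: {n}" for n in files if n not in expected]
    return problems

def verify_media(files: dict, manifest: bytes, pinned_digest: str) -> list:
    """Air-gapped side. Empty list means the media may be applied. The manifest
    is only trusted once its digest matches the value pinned on this host."""
    if not hmac.compare_digest(sha256_hex(manifest), pinned_digest):
        return ["manifest digest does not match the value pinned on this host"]
    return check_files(files, parse_manifest(manifest))

def verify_media_unpinned(files: dict, manifest: bytes) -> list:
    """What a naive check does: trust whatever manifest is on the disc."""
    return check_files(files, parse_manifest(manifest))

# Vendor side: the genuine release, and the digest published out of band (read
# on a different machine and typed into the air-gapped host ahead of time).
VENDOR_FILES = {"update.bin": b"constructed genuine payload",
                "install.sh": b"#!/bin/sh\n./apply update.bin\n"}
VENDOR_MANIFEST = build_manifest(VENDOR_FILES)
PINNED_DIGEST = sha256_hex(VENDOR_MANIFEST)

def scenarios() -> dict:
    """Three discs: clean; one file swapped by the burner; file and manifest
    both rewritten by the burner (the case the comment above describes)."""
    swapped = {**VENDOR_FILES, "update.bin": b"constructed backdoored payload"}
    return {
        "clean": (VENDOR_FILES, VENDOR_MANIFEST),
        "file swapped": (swapped, VENDOR_MANIFEST),
        "file and manifest rewritten": (swapped, build_manifest(swapped)),
    }

if __name__ == "__main__":
    for name, (files, manifest) in scenarios().items():
        print(f"{name:30} pinned: {verify_media(files, manifest, PINNED_DIGEST) or 'ok'}")
        print(f"{'':30} naive:  {verify_media_unpinned(files, manifest) or 'ok'}")
```

The third scenario is the one that matters: a manifest shipped on the same disc is rewritten along with the payload and the naive check passes, while the pinned check rejects the disc before looking at a single file.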

  • pwarner 5 years ago

    HPE cloud at least

    • jopsen 5 years ago

      Yeah, I would be more surprised if one of the big 3 was compromised.

      Not saying it couldn't happen, it just seems unlikely.

nova22033 5 years ago

>APT10 often attacked a service provider’s system by “spear-phishing” – sending company employees emails

sigh...

  • kache_ 5 years ago

    It's a fairly complex and difficult task to phish-proof your corporation.

    • 0xcde4c3db 5 years ago

      Especially when IT is more interested in outsourcing every possible service to a different company/domain. Office 365 alone involves a pretty staggering number, including such self-evidently trustworthy gems as "microsoftonline.com", "azurewebsites.net", and "aka.ms". It's hard to keep up with what's legitimate when seemingly everything you do involves a different domain with a different design language and account management process. Then there's the increasingly popular practice of running things "in-house" but actually on some half-assed cloud stack (What the heck are those stupid CloudFront subdomains, anyhow?).

      • saltminer 5 years ago

        > It's hard to keep up with what's legitimate when seemingly everything you do involves a different domain with a different design language and account management process.

        This is so true. When you have app.<appname>.tld, <appname>app.tld, app.<appname>app.tld, cdn.<appname>.tld, cdn.<appname>app.tld, <appname>cdn.tld, <company>.tld, <appname>.<company>.tld, <company>corp.tld, etc, it's difficult for even tech-savvy users to spot fake domains, especially since there can be multiple TLDs used with seemingly no consistency. Then someone comes along and registers <cornpany>.tld, <company>.othertld, or <compаny>.tld (the "а" is a cyrillic "a")...

        Even if you try to integrate OAuth so you can tell users "only enter your username/password on auth.<company>.tld", it's not always consistent. Google will require your email before redirecting, some services require an email and a password (whether it's correct or not) before redirecting, others have special company-specific subdomains, and I've seen a couple where you have to click on an SSO link on the login page and type in your company's domain. Then you get services where you type in your username/password into their site and it authenticates through AD or another backend mechanism which never goes through your OAuth flow (my college had O365 set up like this), bypassing 2FA and defeating the "only auth.<company>.tld is trusted" message.

        The best solution I've seen for all of this is an internal TLD, but that requires a VPN to access from offsite, you have to maintain your own CA and DNS (which has a much greater impact when it goes down), some services will not allow OAuth redirects to them, and it only works for internally hosted applications.
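A small checker for the look-alike domains listed in the comment above, added as an example (not code from the thread or from any product). It reduces hostnames to a "skeleton" in which confusable characters collapse, so "cornpany" and "compаny" (Cyrillic а) compare equal to "company", and it decodes punycode (xn--) labels first so the check sees what the browser renders. The allowlist, the sample URLs and the short confusable table are constructed; a production check would use the full Unicode confusables data and the Public Suffix List.

```python
"""Flag look-alike hostnames against a short allowlist of a company's own hosts.

Added example, not code from the thread. Covers a registered name under a
different TLD, an ASCII look-alike such as "rn" for "m", and an IDN homoglyph
(Cyrillic "а" for Latin "a") in either Unicode or punycode (xn--) form.
The allowlist, sample URLs and confusable table are constructed.
"""
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist: the hosts users are told to trust with credentials.
TRUSTED_HOSTS = {"auth.company.tld", "app.companyapp.tld", "cdn.company.tld"}

# Partial confusable map (assumption: enough for the demo). A production check
# should use the full Unicode confusables data (UTS #39) instead.
CONFUSABLES = {"а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x",
               "у": "y", "і": "i", "ј": "j", "ı": "i"}
# ASCII pairs that read as one letter at a glance.
SEQUENCES = {"rn": "m", "vv": "w"}

def hostname(url: str) -> str:
    """Lower-cased hostname of a URL; a bare hostname is accepted too."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    return host.rstrip(".").lower()

def to_unicode(host: str) -> str:
    """Decode punycode labels so xn-- names are compared by what they render as."""
    if host.isascii() and "xn--" in host:
        try:
            return host.encode("ascii").decode("idna")
        except UnicodeError:
            return host
    return host

def skeleton(label: str) -> str:
    """Collapse confusable characters so look-alikes compare equal."""
    s = unicodedata.normalize("NFKC", label)          # fullwidth forms etc. -> ASCII
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    for seq, rep in SEQUENCES.items():
        s = s.replace(seq, rep)
    return s

def split_name(host: str):
    """(registrable label, suffix). Naive split: a real tool uses the Public
    Suffix List so that a name under co.uk and the like splits correctly."""
    labels = host.split(".")
    return (labels[-2], labels[-1]) if len(labels) >= 2 else (host, "")

def classify(url: str):
    """Return (verdict, matched company domain or None) for a URL."""
    host = to_unicode(hostname(url))
    if host in TRUSTED_HOSTS:
        return ("trusted", host)
    name, suffix = split_name(host)
    for trusted in sorted(TRUSTED_HOSTS):
        tname, tsuffix = split_name(trusted)
        if skeleton(name) != skeleton(tname):
            continue
        if name != tname:
            return ("lookalike", f"{tname}.{tsuffix}")      # cornpany, compаny
        if suffix != tsuffix:
            return ("wrong-suffix", f"{tname}.{tsuffix}")   # company.othertld
        return ("unlisted", f"{tname}.{tsuffix}")           # real domain, host not on list
    return ("unknown", None)

# Constructed sample URLs, one per trick.
SAMPLE_URLS = [
    "https://auth.company.tld/login",
    "https://auth.cornpany.tld/login",
    "https://auth.compаny.tld/login",       # Cyrillic а (U+0430)
    "https://company.othertld/login",
    "https://mail.company.tld/",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{url:40} -> {classify(url)}")
```

The "unlisted" verdict is the one an analyst has to think about: a legitimate subdomain that nobody put on the list looks identical, from the user's side, to a new attacker host under a domain the company does not control, which is exactly the inconsistency the comment complains about.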

      • notacoward 5 years ago

        What's particularly annoying is that HR and finance functions are often among the most likely to involve outsourcing, even as they're also the most sensitive. If I wanted to spear-phish someone, it would probably be through something that looks related to a care provider or financial institution that the company uses, not to the company itself.

      • raghava 5 years ago

        > It's hard to keep up with what's legitimate when seemingly everything you do involves a different domain with a different design language and account management process.

        Seriously, right!

        https://microsoftazuresponsorships.com
        https://getlicensingready.com/
        https://sysinternals.com (fairly popular and well-known!)
        https://www.microsoftpartnercommunity.com/
        https://azureedge.net

        etc

        • zantana 5 years ago

          More egregious to me has always been my various banks which start out with bankofamerica.com, chase.com etc but after authentication and some hops I'm usually at something phishtastic like bankfrontend.com.

      • LoveKebabble 5 years ago

        God the worst of these are the phishing sites using windows.net or hosted on azure with official/legitimate microsoft certs

    • verdverm 5 years ago

      Google claims they haven't been phished in over a year, since requiring hardware keys for auth.

      • hguant 5 years ago

        Google also is running (or claims to be running, I don't work at their IT department) an interesting zero-trust-networking setup involving a lot of on the fly certificate generation and revocation, as well as some SDN trickery behind the scenes. I wouldn't be surprised if that had more to do with their no haxx than 2FA or hardware auth keys.

        Link to their somewhat vague white papers on the matter:

        https://cloud.google.com/beyondcorp/

        • xenospn 5 years ago

          Google also does not allow Windows Laptops/PCs anywhere near their campus.

          • robocat 5 years ago

            Exactly: Google detected they were hacked by the Chinese government a decade ago ("Operation Aurora" affecting a lot of other companies including Adobe, Juniper, Rackspace, Yahoo, Symantec, Northrop Grumman, Morgan Stanley, Dow Chemical).

            Google stopped allowing Windows to be used within the organisation in 2010 as a response.

            I think any other organisation that continued to use Windows values features more than they value security (and I believe that is still the case: you can't secure Windows, Office or Microsoft browsers against state level actors).

          • amoshi 5 years ago

            Source? Looked online and couldn't find anything apart from one or two untrustworthy mentions on quora.

            • xenospn 5 years ago

              I doubt anyone from Google is going to publicly comment on their internal security policies, but AFAIK this is a known fact for many years. I'm sure there's plenty of people who work for Google who can comment anonymously.

        • nickpsecurity 5 years ago

          Security by obfuscation of techniques involved. Classic trick. It's the best so long as each security measure and their interactions are fairly secure.

          • opportune 5 years ago

            I would say obfuscation is a valid strategy if also coupled with good security practices / algorithmic security. You're no less secure than if you were using the common flavors of good security practices (assuming you didn't create a mistake in rolling your own, which is a difficult assumption) but the effort required to target you is much higher than normal, and you are somewhat shielded from blanket-applying zero days.

      • MR4D 5 years ago

        Can you help me understand how those relate to each other?

        For instance, someone gets a malicious email, and clicks on a link which downloads a bit of code that exploits a bug in the software to install something, perhaps a key logger or screen reader.

        What on earth does hardware keys do to eliminate that?

        Seriously, I can’t make the connection (and if I understood I’d probably roll that out across my firm tomorrow!).

        • verdverm 5 years ago

          I phished for your login credentials, and I get them, but there is no way for me to effectively use them because there is still the hardware key step, which I do not have.

          Malware downloads are a separate issue from phishing schemes.

          • jjoonathan 5 years ago

            Right, and even if they completely root an employee's laptop and phone they still can't get into the hardware key. Sure, they can "boop hijack" the key by popping up a convincing fake login prompt, but they have to synchronize their schedule to the employee they want to hijack and pull off a convincing fake login prompt each and every time they want to login, so the logistics are still much more challenging than copying a OTP seed.

            • MR4D 5 years ago

              Why go through all that trouble when you can just phish with malware?

              I’m reminded of back when Kevin Mitnick said it wasn’t that he was a great hacker, but that he was good at social engineering. What made him good was that he took the easiest way in, which is kind of what my point is. I don’t care if you block the hardest hack - I care about blocking the easiest.

              (FWIW, I am a huge fan of 2FA, I just don’t understand how it stops phishing.)

              • dasil003 5 years ago

                You're moving the goalposts. GP was just explaining why base level phishing has been elevated to a higher difficulty level than without U2F.

                The way U2F prevents phishing is by binding auth requests to the requesting origin and generating unique key pairs for each origin, so it doesn't matter if the user is convinced and manually activates the key, the phishing site gains nothing it can use on a different origin—even in real time.
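The mechanism described in the comment above, as an added example (not code from the thread or from any U2F/WebAuthn library). It runs the same real-time relay against two second factors: a TOTP code, which is a function of the seed and the clock only and so works wherever it is typed, and a U2F-style assertion, which fails at the relying party because the key used was derived for the phishing origin and the browser wrote that origin into the signed client data. To stay standard-library only, the token's per-origin ECDSA key pair is replaced by a per-origin HMAC key that the relying party also receives at registration; the origins, seed and timestamp are constructed.

```python
"""Why a relayed one-time code lets a phisher in while a U2F assertion does not.

Added example, not code from the thread or from any U2F/WebAuthn library. To
stay standard-library only, the token's per-origin ECDSA key pair is replaced
by a per-origin HMAC key that the relying party (RP) also receives at
registration; the binding logic is the real one: the key depends on the app ID,
the browser (not the page) writes the origin into the signed client data, and
the RP checks origin and challenge before the signature. Origins, the TOTP seed
and the timestamp are constructed.
"""
import hashlib, hmac, json, os, struct

RP_ORIGIN = "https://auth.company.tld"       # constructed real site
PHISH_ORIGIN = "https://auth.cornpany.tld"   # constructed look-alike

# --- Baseline: TOTP (RFC 6238). The code depends only on (seed, time).
def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    mac = hmac.new(seed, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp_relay_attack(seed: bytes, now: int) -> bool:
    """Victim types the code into the phishing page; the attacker forwards it
    to the real site within the same 30-second window. The RP accepts it."""
    typed_on_phish_site = totp(seed, now)
    return hmac.compare_digest(typed_on_phish_site, totp(seed, now))  # RP's check

# --- U2F-style token: one key per origin, origin inside the signed data.
class Authenticator:
    def __init__(self):
        self._master = os.urandom(32)   # never leaves the device
        self.counter = 0

    def _key(self, app_id: str, handle: bytes) -> bytes:
        # The key is a function of the app ID, so a handle registered for
        # RP_ORIGIN yields an unrelated key when another origin presents it.
        return hmac.new(self._master, app_id.encode() + handle, hashlib.sha256).digest()

    def register(self, app_id: str):
        handle = os.urandom(16)
        return handle, self._key(app_id, handle)   # real U2F hands out a public key

    def authenticate(self, app_id: str, handle: bytes, client_data: bytes):
        self.counter += 1
        signed = (hashlib.sha256(app_id.encode()).digest()
                  + struct.pack(">I", self.counter)
                  + hashlib.sha256(client_data).digest())
        return self.counter, hmac.new(self._key(app_id, handle), signed, hashlib.sha256).digest()

def browser_sign(auth: Authenticator, page_origin: str, handle: bytes, challenge: str):
    """The browser fills in the origin of the page that asked; a phishing page
    cannot claim RP_ORIGIN. Returns (client_data, counter, signature)."""
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge, "origin": page_origin},
                             sort_keys=True).encode()
    counter, sig = auth.authenticate(page_origin, handle, client_data)
    return client_data, counter, sig

def rp_verify(key: bytes, challenge: str, client_data: bytes, counter: int,
              sig: bytes, last_counter: int = 0) -> bool:
    data = json.loads(client_data)
    if data.get("origin") != RP_ORIGIN or data.get("challenge") != challenge:
        return False               # assertion was made for some other site
    if counter <= last_counter:
        return False               # replay, or a cloned token
    signed = (hashlib.sha256(RP_ORIGIN.encode()).digest()
              + struct.pack(">I", counter)
              + hashlib.sha256(client_data).digest())
    return hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), sig)

def legitimate_login(auth: Authenticator, handle: bytes, key: bytes) -> bool:
    challenge = os.urandom(16).hex()
    return rp_verify(key, challenge, *browser_sign(auth, RP_ORIGIN, handle, challenge))

def u2f_relay_attack(auth: Authenticator, handle: bytes, key: bytes) -> bool:
    """Attacker relays the RP's fresh challenge to the victim, who taps the key
    on the phishing page; the assertion is forwarded to the RP in real time."""
    challenge = os.urandom(16).hex()
    client_data, counter, sig = browser_sign(auth, PHISH_ORIGIN, handle, challenge)
    if rp_verify(key, challenge, client_data, counter, sig):
        return True
    # Rewriting the origin field before forwarding does not help either: the
    # signature covers the client data hash and the app ID the key was used with.
    forged = json.dumps({**json.loads(client_data), "origin": RP_ORIGIN},
                        sort_keys=True).encode()
    return rp_verify(key, challenge, forged, counter, sig)

if __name__ == "__main__":
    auth = Authenticator()
    handle, key = auth.register(RP_ORIGIN)
    print("TOTP relay accepted:", totp_relay_attack(b"constructed-seed", 1_700_000_000))
    print("U2F legit login:    ", legitimate_login(auth, handle, key))
    print("U2F relay accepted: ", u2f_relay_attack(auth, handle, key))
```

The two places where the relay dies are the origin check in `rp_verify` and the app-ID-dependent key in `Authenticator._key`; either alone would stop this attack, and real U2F has both. The `totp` function is a straight RFC 6238 implementation, so it reproduces the published test vector for the seed "12345678901234567890" at time 59.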

                • MR4D 5 years ago

                  Thank you. Indeed I was missing that - your last sentence in particular.

              • jjoonathan 5 years ago

                > I don’t care if you block the hardest hack - I care about blocking the easiest.

                My entire argument was "with U2F, this is the easiest hack, and it is very hard."

                What do you think the easier alternative was?

        • Thorrez 5 years ago

          The word "phishing" has many definitions.

          One definition is tricking users into giving valuable information (such as passwords, 2FA codes, bank account details, credit card numbers, social security numbers, etc). Malware doesn't meet this definition of phishing.

      • kache_ 5 years ago

        That's interesting. This should bring us to the realization that we should think of this as an engineering problem, rather than having an expectation of humans being "bug-free".

        • ovi256 5 years ago

          We definitely should! The current state of infosec as practiced, regarding, say, vulnerability to email trojan horses, is like using sharp knives for door handles, that instead of just mangling your fingers make a copy of the door keys and mail them to people who sent you emails. And then insisting that repeated user training is enough, and a cost-efficient counter-measure. Even in the face of repeated evidence that it's not.

          A rested, focused, well-trained human is almost bug-free. No one is rested, focused or well-trained 100% of the time.

        • raverbashing 5 years ago

          Well, after everybody and their mother pushed for 2FA they realized people can still get phished for the 2FA token, so...

          If the service that you're running is not made by idiots that will store your password with anything weaker than PBKDF2 then a strong (unique) password is still a good bet.

          Human factors are an issue and I believe lack of enforcement and prosecution is another issue.

        • codedokode 5 years ago

          To me it is obvious that passwords are insecure. Just think how many people are saving them in a browser without a master password, share them in internal chats, use same password everywhere because it's difficult to remember several passwords etc.

    • godzillabrennus 5 years ago

      http://knowbe4.com has a pretty good training platform for creating more security awareness and for testing your users with generated phishing emails.

      • 0xcde4c3db 5 years ago

        Which ends up being darkly hilarious when they're whitelisted, leading to a situation where literally every "phishing attempt" an employee ever sees is a fake crafted to conform to the stereotypes given in the training.

        • logfromblammo 5 years ago

          My employer uses PhishMe. Every "phishing attempt" I see is from my own employer. It is not adaptive. They don't scale up the apparent sophistication of the attack if the previous attempt didn't work. So I am continually getting e-mails from "HR" asking me to update my contact info, or from "Expense Reports" asking me to verify some info to get reimbursed for my travel expenses.

          It's annoying.

        • Tactic 5 years ago

          Indeed. I set up a rule in Outlook to look for knowbe4 in the header to dump those. Although, to be fair, I doubt it is the devs they are worried about.

AimForTheBushes 5 years ago

So they're state sponsored attacks and then they deny any and all culpability? Europe needs to join the hard line on China.

  • gorio 5 years ago

    What hardline though? One can't on the one hand sell manufacturing, technology, companies and even infrastructure to China and on the other claim to be uncompromising. I wouldn't mind an actual uncompromising stance on for example labour conditions and investments. But that certainly isn't the case now. Ericsson probably employs fewer people in Sweden than Chinese companies do at this point.

    • NicoJuicy 5 years ago

      Technology from China isn't the case yet.

      Manufacturing is and that can be relocated.

  • echevil 5 years ago

    So where's the proof that they are state sponsored? I failed to find that from the article?

    • AimForTheBushes 5 years ago

      > Computer systems owned by a subsidiary of Huntington Ingalls were connecting to a foreign server controlled by APT10.

      APT10 is a state sponsored hacking group.

      • boomboomsubban 5 years ago

        How are you making that claim? The only evidence I can find is an Uber receipt showing someone allegedly connected to APT10 visiting a MSS building.

        • Thorrez 5 years ago

          Which claim are you doubting? Are you doubting that APT10 hacked Huntington Ingalls, or are you doubting that APT10 is state sponsored?

          • tepidandroid 5 years ago

            Likely both. I'm no expert in this domain, but from my perspective, due to the nature of cyber warfare, it's all but impossible to have any kind of concrete evidence or smoking gun. Cyber security firms are deliberately very careful in levelling specific accusations with the lack of concrete evidence.

            For example, researchers at Malwarebytes [1] say:

            > "While this supports the thesis of APT10 being a government threat group, we caution defenders against associating any one piece of malware exclusively with one group. Countries maintain multiple threat groups, all of whom are fully capable of collaborating and sharing TTPs."

            > "Variants of PlugX and Poison Ivy were developed and deployed by Chinese state-sponsored actors. They have since been sold and resold to individual threat actors across multiple nations. At time of writing, it is inappropriate to attribute an attack to Chinese threat actors based on PlugX or Poison Ivy deployment alone."

            Likewise, the report put out by PwC and BAE [2] labels APT10 only as a "China-based actor". They cite things like attacks occurring during Chinese time zones and CCP-interest-aligned hacking as evidence. This is all great circumstantial evidence and, while compelling, it is far from conclusive. The report does not mention the Chinese Ministry of State Security even once.

            We can say how likely or unlikely something is, but the likelihood of something in the context of circumstantial evidence should not be taken as a full-on indictment. The most one could say conclusively is that it is likely to be state sponsored.

            [1] https://blog.malwarebytes.com/cybercrime/2019/01/advanced-pe...

            [2] https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report...

          • boomboomsubban 5 years ago

            The latter.

            • Thorrez 5 years ago

              There's a fair amount of evidence that APT10 is sponsored by China here[1]. It's not 100% proof, but what are the alternatives, and what chances do they have? The alternative possibilities seem slim to me.

              The US government accused them of working for China[2]. Of course not everything the US government says is true, but it seems likely to me this is true and they have some non-public evidence to back it up.

              [1] https://www.crowdstrike.com/blog/two-birds-one-stone-panda/

              [2] https://www.justice.gov/opa/press-release/file/1121706/downl...

              • boomboomsubban 5 years ago

                >There's a fair amount of evidence that APT10 is sponsored by China here

                All I'm seeing is the Uber receipt, which even they say they can't verify.

                >It's not 100% proof, but what are the alternatives, and what chances do they have?

                The alternative is that they are black hat hackers, which is very likely.

                >Of course not everything the US government says is true, but it seems likely to me this is true and they have some non-public evidence to back it up.

                The default position should be skepticism, and any evidence should be made public before a "hard line" is taken on China.

                • Thorrez 5 years ago

                  >All I'm seeing is the Uber receipt, which even they say they can't verify.

                  There's other stuff there. For example Gao was recruiting for Laoying Baichen Instruments which shares an address with CNITSEC (which is run by MSS). CNITSEC has in the past been confirmed to work with APT3.

                  >The alternative is that they are black hat hackers, which is very likely.

                  Are there a lot of advanced Chinese black hat hackers that don't work with the Chinese government? Because it seems like there are a lot of advanced Chinese hackers that work for the government. For example APT3 and APT1. Also the APT10 stuff appears to have happened during Chinese working hours, which is indicative of government work[1].

                  [1] https://intrusiontruth.wordpress.com/2018/08/09/was-apt10-th...
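The "working hours" heuristic referred to in the comment above, as an added example (not code from the thread or from any cited report): take the UTC timestamps of attacker activity, convert them into each candidate time zone, and score the share that lands on a weekday between 09:00 and 18:00. The timestamps are constructed to resemble first-seen logins from attacker infrastructure over one week; China Standard Time is modelled as a fixed UTC+8 offset (China observes no DST), and the other candidate zones are an assumption for contrast. As the thread itself notes, this is circumstantial: an attacker can shift their schedule or run from infrastructure anywhere, and a single week of events is thin, so the ranking is a lead, not an attribution.

```python
"""Score candidate time zones by how much of an intrusion's activity falls in
local office hours, the heuristic behind "happened during Chinese working hours".

Added example, not code from the thread or from any cited report. The event
timestamps are constructed; CST is a fixed UTC+8 offset (no DST); the other
candidate zones are an assumption for contrast.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed UTC timestamps (ISO 8601, Z suffix), one week of activity.
EVENTS_UTC = [
    "2018-03-05T01:12:00Z", "2018-03-05T03:40:00Z", "2018-03-05T06:05:00Z",
    "2018-03-05T09:30:00Z", "2018-03-06T02:15:00Z", "2018-03-06T04:50:00Z",
    "2018-03-06T07:20:00Z", "2018-03-07T01:45:00Z", "2018-03-07T05:10:00Z",
    "2018-03-07T08:55:00Z", "2018-03-08T02:30:00Z", "2018-03-08T06:40:00Z",
    "2018-03-09T03:00:00Z", "2018-03-09T07:35:00Z", "2018-03-09T14:20:00Z",
    "2018-03-10T02:10:00Z",
]

# Fixed offsets are enough here; use zoneinfo.ZoneInfo for zones with DST.
CANDIDATE_ZONES = {
    "UTC+8 (China)": timezone(timedelta(hours=8)),
    "UTC+3 (Moscow)": timezone(timedelta(hours=3)),
    "UTC-5 (US East, winter)": timezone(timedelta(hours=-5)),
}

def parse_utc(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def local_times(stamps, tz) -> list:
    return [parse_utc(s).astimezone(tz) for s in stamps]

def hour_histogram(stamps, tz) -> Counter:
    """Local hour of day -> event count. Analysts eyeball this for a quiet
    night and a lunch dip, not just the summary fraction below."""
    return Counter(t.hour for t in local_times(stamps, tz))

def working_hours_fraction(stamps, tz, start: int = 9, end: int = 18) -> float:
    """Share of events on Mon-Fri with start <= local hour < end."""
    times = local_times(stamps, tz)
    in_hours = sum(1 for t in times if t.weekday() < 5 and start <= t.hour < end)
    return in_hours / len(times) if times else 0.0

def rank_zones(stamps, zones=CANDIDATE_ZONES) -> list:
    """Candidate zones ordered by working-hours fit, best first."""
    scores = [(name, working_hours_fraction(stamps, tz)) for name, tz in zones.items()]
    return sorted(scores, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    for name, score in rank_zones(EVENTS_UTC):
        print(f"{name:24} {score:.2f}")
    print(sorted(hour_histogram(EVENTS_UTC, CANDIDATE_ZONES["UTC+8 (China)"]).items()))
```

On the constructed data UTC+8 scores 14/16 while US Eastern scores 1/16; the same events viewed from Moscow score 7/16, which is the reminder that neighbouring offsets are not well separated by this test alone.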

                  • boomboomsubban 5 years ago

                    >There's other stuff there. For example Gao was recruiting for Laoying Baichen Instruments which shares an address with CNITSEC

                    They can't verify that was Gao, that the poster represented that company, or show that they occupied the office building with the other company.

                    >Are there a lot of advanced Chinese black hat hackers that don't work with the Chinese government? Because it seems like there are a lot of advanced Chinese hackers that work for the government

                    Any hack reported by the western media immediately gets linked to the government, no matter how thin the evidence is. Chinese people can be smart and motivated by greed too, and they have a ton of people.

                    If you personally think China is behind this based on the released evidence, that's fine. Using it as justification for attacks on the Chinese requires more proof to even be considered.

                    • Thorrez 5 years ago

                      >Any hack reported by the western media immediately gets linked to the government, no matter how thin the evidence is.

                      The October hack of Facebook[1] didn't seem to be blamed on any government by the media. It seems to me like a fairly sophisticated attack that could have been done by a government.

                      And the western media blames some hacks on the US government and its allies as well[2][3].

                      > Chinese people can be smart and motivated by greed too

                      How do they plan to make money by hacking NASA and the US military's shipbuilder? They're not installing ransomware asking for bitcoin payment. If they want to hack for money, I would think they would target credit cards, or banks, or better yet: cryptocurrency exchanges. Or maybe popular websites whose databases they can use for credential stuffing. One way to make money by hacking NASA is to be paid by the Chinese government.

                      [1] https://www.nytimes.com/2018/10/12/technology/facebook-hack-...

                      [2] https://www.reuters.com/article/us-usa-cyber-yandex-exclusiv...

                      [3] https://www.nytimes.com/2010/09/30/world/middleeast/30worm.h...

                      • boomboomsubban 5 years ago

                        >The October hack of Facebook[1] didn't seem to be blamed on any government by the media. It seems to me like a fairly sophisticated attack that could have been done by a government.

                        Sorry, I should have said "any hack originating in China." Poor wording on my part.

                        >How do they plan to make money by hacking NASA and the US military's shipbuilder?

                        Their methods were to gain access to a machine, and then try to use that access to jump to client servers. There's nothing saying NASA or government contractors were specifically targeted, but they seem like excellent jump targets if an opportunity arose.

    • djanogo 5 years ago

      They stole data for years and didn't try to blackmail the companies for money. What other possibilities do you deduce?

      • sniperjzp 5 years ago

        If it is not A, then it must be B, lol, not to mention we don't even know if it is A.

        This is not a valid reasoning.

  • tepidandroid 5 years ago

    Your fundamental assumption is that all nation states do not engage in such cyber activities.

    • elefanten 5 years ago

      Yes, nearly-indiscriminate colossal-scale industrial espionage being funneled to state-controlled companies is NOT a cyber activity in which most nation states engage.

      If your reply is going to be about British textile machinery or some one-off accusation from the last century, please focus on the scale of the accusations against the CCP, as well as consensus global norms of the current era.

      • sangnoir 5 years ago

        >... please focus on the scale of the accusations against the CCP, as well as consensus global norms of the current era

        There is no consensus on 'norms' for cyber-espionage and every country is operating in the gray areas. There is no red line that defines what an act of war is. It wasn't long ago that the NSA was listening to Angela Merkel's phone calls; this is far more aggressive than industrial espionage, in my book.

        Every nation does industrial espionage - in the "national interest"

      • tepidandroid 5 years ago

        My assertion is that all advanced nation states engage in cyber warfare against one another, sometimes for the purpose of industrial espionage, sometimes for the purpose of achieving geopolitical goals (regime change, influencing elections, etc).

        As long as we're talking about unsubstantiated claims (and yes, that is all they are at the moment: unsubstantiated), I would hazard a guess that the U.S is by far the largest, most capable and most pervasive wager of cyber warfare and espionage of them all, which incidentally is probably the reason why they are so paranoid. One would have to be supremely naive to think otherwise.

        Many tools used by these alleged Chinese state hackers were likely generously donated by the NSA themselves during their own cyber operations [1].

        The consensus global norm of the current era is that everybody is hacking everybody at massive scale in order to further their own strategic interests, the same as it has always been. The only thing worthy of attention is the fact that these attacks are only being publicly disclosed now, coincidentally in the middle of a trade war, when the U.S administration is grasping for support from the American public against China.

        [1] https://www.nytimes.com/2019/05/06/us/politics/china-hacking...

        • elefanten 5 years ago

          There's important nuance here that has a large impact. I'm not talking about geopolitical espionage, which I'd agree goes in all directions.

          I'm talking about concerted IP / business secrets theft which is then funneled to domestic companies. I call these companies "state-controlled" because they are ultimately susceptible to the authoritarian central government's will.

          I can't think of anywhere else in the world where this is not only routine, but coordinated at massive scale. Can you inform me what I'm missing?

          Edit: I disagree with your last point too. There's been plenty of reporting on Chinese IP theft dating back years, it's only increased in prominence. Trump is waging the trade war partially because of the history of hacking. It was a point of contention throughout Obama's admin too, but Trump is handling it his way. (Obama's answer was TPP, but deployed too late)

          • boomboomsubban 5 years ago

            > I call these companies "state-controlled" because they are ultimately susceptible to the authoritarian central government's will.

            If the companies are susceptible to the government's will, then attacks against the government would also be attacks on the companies. Defense and recovery against geopolitical espionage diverts resources away from those companies. Why is the drain on profit industrial espionage causes a problem while a drain on resources is acceptable?

          • tepidandroid 5 years ago

            You’re making a distinction between cyber industrial espionage and cyber geopolitical espionage and I’m not. I would classify all of these actions under the broad umbrella of cyber warfare. In this context, the OP’s assertion that Europe and the U.S need to “join the hard line on China” is based on the fundamentally flawed assumption that the EU and the U.S are simply innocent victims of cyber attacks. It implies that they, as pure, liberal and democratic as they are, have never, and would never engage in such reprehensible and illegal activities as hacking, unlike the big bad evil Chinese. It is my view that this is an untenable and fundamentally flawed position.

            > I can't think of anywhere else in the world where this is not only routine, but coordinated at massive scale. Can you inform me what I'm missing?

            Why would you need me to inform you about something that I’ve never claimed? My claim is that nobody’s hands are clean when it comes to cyber warfare, not that China has never before engaged in the type of espionage you describe.

            > Edit: I disagree with your last point too. There's been plenty of reporting on Chinese IP theft dating back years, it's only increased in prominence. Trump is waging the trade war partially because of the history of hacking. It was a point of contention throughout Obama's admin too, but Trump is handling it his way. (Obama's answer was TPP, but deployed too late)

            I’ve addressed the industrial espionage point above. As far as the trade war: Trump is waging his trade war because of the trade imbalance between the U.S and China as he has repeated ad nauseam since day one. There was a particular point in time (probably around the time of the as-of-yet unsubstantiated and unretracted Bloomberg Supermicro story) where the hacking narrative was retroactively shoehorned in as a reason. I stand by my opinion that the timing of this report, along with the other recent mountains of anti-China mainstream media stories and social media posts, is highly suspect.

  • ETHisso2017 5 years ago

    To be fair, isn't this functionally equivalent to the NSA attacks on Huawei and Chinese aircraft manufacturers over the past decade?

    • Bizarro 5 years ago

      To be fair, isn't this....

      No, we don't buy that anymore.

      • ETHisso2017 5 years ago

        Why not?

        • calimac 5 years ago

          Because they steal technology for enterprise purposes

        • hguant 5 years ago

          Not sure about the parent comment's stance, but for me, simply because it's "whataboutism" and all it does is distract from the issue at hand.

          • mistermann 5 years ago

            Can anyone explain the popularity and persuasiveness of "whataboutism"?

            If "To be fair, isn't this functionally equivalent to the NSA attacks on Huawei and Chinese aircraft manufacturers over the past decade" is indeed a logically valid comparison, is that not a perfectly valid rebuttal to ~scare mongering accusations of "state sponsored attacks" from China? It doesn't nullify it, but it puts it in accurate perspective, no? And should not accuracy be an important part of such conversations?

            • SuoDuanDao 5 years ago

              I think it is a telling commentary on the mores of the time that there is a specific, derogatory word for the act of pointing out someone's hypocrisy.

              • KMag 5 years ago

                Whataboutism is using the hypocrisy of B to argue that A shouldn't be held to account for its misdeeds.

                Constructively pointing out hypocrisy is to also call for B to be held to account. Whataboutism isn't constructive; it's obstructive.

                In many cases, it's even worse. Whataboutism is often used to argue that the hypocrisy of B negates the complaints of third party C against A. Nobody is claiming HP or the journalists have tried to hack the Chinese government, or that HP or the journalists support the NSA's misdeeds.

                Whataboutism impedes progress and should be called out when encountered.

            • vkou 5 years ago

              'Whataboutism!' is a relevant response when someone brings up some unrelated problem of another country. For example, you are touring North Korea, see a broken escalator, ask the tour guide about it, and they say: 'But you are lynching Africans in America.'

              When you bring up something quite related to the presented problem, that's not whataboutism.

              • mistermann 5 years ago

                Ah I see, this makes sense.

                In my experience, it's almost always used in the latter (incorrect) sense.

              • sbov 5 years ago

                In a logical discussion whataboutism is never a relevant response. If something is bad, it is bad if any side does it. But hypocrisy as a fallacy doesn't necessarily apply when discussing geopolitical power struggles. This is because people on one side using a tactic but not the other is usually a disadvantage, so when someone accuses you of hypocrisy they're basically saying: you're trying to get me to stop, but you won't, which will give you the upper hand, so... why should I stop?

            • ToddBonzalez 5 years ago

              An accusation of "whataboutism" is an easy put-down if somebody disagrees with your comment, but doesn't have any counter-argument...

              Pretty low-effort stuff, tbh. It's up there with "fake news!" as a credible rebuttal.

        • novok 5 years ago

          Just because one person does bad things, doesn’t excuse the other person from doing bad things, even if they are the same kind of bad thing.

          That is the essential problem of whataboutist arguments

    • AimForTheBushes 5 years ago

      There was a US-China spy agreement in 2015 that China slowly reneged on - perhaps due to the trade war.

  • carapace 5 years ago

    There are even more compelling reasons to adopt a hard line with the CCP:

    "Report on forced organ harvesting in China"

    https://news.ycombinator.com/item?id=20249489

    We're in a situation where we are confronted by our own fundamental values and what they mean to us and what we're willing to do about it.

karl_schlagenfu 5 years ago

As a European I think the West are pussies, why won't they fight back against these blatant attacks? Is it because computer hacking laws are much more stringent and punitive here?

  • bildung 5 years ago

    As a fellow European I think this fight-back rhetoric is pretty stupid. Instead of amassing 0days by the military and the secret services while gaining us, the population, zero benefits for the millions spent (because we will still get hacked, regardless of the number of 0days hoarded), why not invest all these resources into securing our broken software infrastructure? Forcing companies to fix their shit?

    That would actually help against foreign hackers while also helping the actual population.

    • wil421 5 years ago

      How do you force a company who uses OSS to fix the vulnerability? Do you hold the company or the OSS organization accountable? Who do you fine? Both?

      I use OSS all the time but I am not capable of fixing a lot of it. I’d just use something else. Companies will just buy closed software instead from companies who will do the support and fixing for them. “It’s closed source we can’t fix it.”

      • bildung 5 years ago

        We are talking about hundreds of millions of Euros here. The resources are there, just used for propping up prices in the black market instead of securing the software. The EU could pay a bunch of security researchers to review open source software (analogous to e.g. Google's Project Zero). Or implement bug bounty programs for the most used open source software.

        In general, though, I think the company using the software should be held liable. Almost every OSS license explicitly disclaims warranty and liability. That means the company has to provide this if it wishes to use the OS software.

        • detaro 5 years ago

          > EU could pay a bunch of security researchers to review open source software (analogous to e.g. Google's Project Zero). Or implement bug bounty programs for the most used open source software.

          Some EU programmes have done exactly that.

      • smolder 5 years ago

        The answer to your first question seems obvious for me. If it's open source, you contribute improvements, rather than forcing anyone else to do so.

    • walshemj 5 years ago

      How do you in a democracy force a company to do this?

      • bildung 5 years ago

        With liability law? If a company sells a broken car or lawnmower, liability is expected. Just software seems exempt from this. This has to change.

  • pjc50 5 years ago

    How do you know they're not? I hardly expect either side to put out a press release if they are.

    But the West is quite capable of its own state-assisted industrial espionage, such as between Airbus and Boeing. Or random incidents like https://www.theguardian.com/uk-news/2018/sep/21/british-spie... - would you expect retaliation by Belgium, and how?

    • nyolfen 5 years ago

      the airbus case you mention was a corruption investigation and was done in conjunction with german state intelligence, not industrial espionage. the belgian telecom hack you link was regular espionage. there is an actual difference between what china is doing and what the rest of us do.

  • wil421 5 years ago

    I’d say the EU lacks capability and likely a legal route to actually do it. The US and UK certainly do. Obama and Trump have both confirmed the use of cyber weapons in 2 instances against Iran.

    I think it’s very much a hush hush matter for the US and UK. There’s probably a few stories on HN that the US or UK are actually behind.

    • mc32 5 years ago

      Europe will have to push back a lot more against persistent campaigns. This isn’t a one off. It’s persistent. Maybe the EU should leverage NATO or something pan-national because small countries individually fighting off a giant isn’t as effective.

      • wil421 5 years ago

        The US/UK/EU need to push back hard. They are probably the only places that will actually hold their citizens accountable for cybercrime. Russians and Chinese can hide behind no extradition.

        The west needs to draw lines, create treaties, create legal definitions and frameworks. It all needs to be done in a very public forum. Not secret courts. If the lines are crossed there needs to be real and serious consequences that aren’t all for show like the recent Russian and Iranian sanctions.

        For God's sake, no limited strikes.

        • adventured 5 years ago

          Those Iranian sanctions aren't for show. I don't think the Iranians share your perspective at all. They're brutally crushing the Iranian economy at the moment and causing the regime to lash out aggressively. The Russian sanctions are more reasonably in the for show category by comparison.

          Their oil output has collapsed by 50%, from roughly 4m barrels per day. Their currency has lost 2/3 of its value versus the dollar and is near record lows. Inflation has skyrocketed, around 30% in 2018 and perhaps 40% in 2019. It's hammering living standards:

          "In the past 12 months, the cost of red meat and poultry has increased by 57%, milk, cheese and eggs by 37%, and vegetables by 47%, according to the Statistical Centre of Iran."

          2019-04-29: "Iran’s economy is expected to shrink for the second consecutive year and inflation could reach 40 percent, an International Monetary Fund senior official said, as the country copes with the impact of tighter sanctions imposed by the United States."

          https://www.reuters.com/article/us-iran-economy-imf/iran-inf...

          https://www.bbc.com/news/world-middle-east-48119109

          https://www.theguardian.com/world/2018/nov/28/we-are-despera...

          https://www.jpost.com/Middle-East/Iran-News/Iranians-stock-u...

          • wil421 5 years ago

            I was thinking of more serious things than sanctions. For example, if Iran launches a cyber attack on the West like the Saudi Aramco wiper attack, we shut off their internet for a few days. Hack our infrastructure, we shut down the whole power grid.

            • nyolfen 5 years ago

              > Under the 1949 Geneva Conventions, collective punishment is a war crime. By collective punishment, the drafters of the Geneva Conventions had in mind the reprisal killings of World War I and World War II. In the First World War, the Germans executed Belgian villagers in mass retribution for resistance activity during the Rape of Belgium. In World War II, both the Germans and the Japanese carried out a form of collective punishment to suppress resistance. Entire villages or towns or districts were held responsible for any resistance activity that occurred at those places.[5] The conventions, to counter this, reiterated the principle of individual responsibility. The International Committee of the Red Cross (ICRC) Commentary to the conventions states that parties to a conflict often would resort to "intimidatory measures to terrorize the population" in hopes of preventing hostile acts, but such practices "strike at guilty and innocent alike. They are opposed to all principles based on humanity and justice."

              • wil421 5 years ago

                The Geneva Convention seems to be working very well in the Middle East and Russia.

                Russia used a nerve agent in London and not much happened. They've also annexed part of a sovereign nation in Europe. The last time that happened, WWII started. They likely provided chemical agents or technical know-how to Syria. The Saudis do whatever they please.

                • BubRoss 5 years ago

                  Ukraine is not part of Europe. They have a trade agreement with the European Union.

                  Still, there was much more pushback against Russia before Trump took office. Sanctions hurt their economy and Russia was forced to sell from their gold reserves to defend large dips in the ruble's value.

                  • cbnotfromthere 5 years ago

                    "Ukraine is not part of Europe."

                    Ukraine is 100% part of Europe, as per any conceivable map or definition of Europe.

                    • BubRoss 5 years ago

                      The Ukraine is not an EU member country.

                • nyolfen 5 years ago

                  i don't disagree, except the cw stuff. the US breaks the conventions too (eg waterboarding) but they're still there for a reason. many people, mostly elderly or critically ill, would die in the event of a power grid being shut down. it is effectively indistinguishable from terrorism.

                  • wil421 5 years ago

                    Your points are very valid. The US should absolutely be held accountable.

                    Smarter and more experienced people than me need to draw the lines.

        • zrav 5 years ago

          We do have the UN for that. Unfortunately, all permanent members (except possibly France) are guilty of state sponsored cybercrimes, so nothing comes of it, as with many other issues.

      • luckylion 5 years ago

        > Europe will have to push back a lot more against persistent campaigns.

        If they start that, they might target the US. Do you believe they should?

        > Maybe the EU should leverage NATO or something pan-national because small countries individually fighting off a giant isn’t as effective.

        The EU isn't a small country, it is already a pan-national union.

        • wil421 5 years ago

          It's the Wild West in cyber warfare right now. Draw lines for the US and UK to follow, with plans of action if they are crossed.

          The EU is a bunch of small countries and last time I checked there is no EU army or intelligence service. So yes, it is pan-national countries fighting off giants.

          NATO needs to have offensive and defensive cyber warfare capabilities if they don't already have them.

    • C1sc0cat 5 years ago

      Why would the EU do this? It's a massive overreach, and I say this as a remainer.

      • karl_schlagenfu 5 years ago

        Because in this case it's a European company being hacked (Ericsson).

        • Angostura 5 years ago

          It's a Swedish company.

          • karl_schlagenfu 5 years ago

            Sweden is in the European Union.

            • Angostura 5 years ago

              Sure, but the bodies that would attempt to push back against this form of attack sit within the nation-state, not the EU.

      • pjc50 5 years ago

        The EU doesn't really have a military capability of its own, let alone a "cyberwarfare" one. There's no "overreach" going on.

        • cs02rm0 5 years ago

          Not all offensive cyber is military, although there's certainly ambition within the EU there. That aside, the EU didn't have a Cybersecurity Agency with legal powers to prevent and respond to cyber threats yesterday.

          Coincidentally, it does today.

          Baby steps, I'm sure, and with the imminent potential withdrawal of a Five Eyes member it isn't surprising. So this picture looks to be changing in the future.

          https://www.europarl.europa.eu/doceo/document/TA-8-2019-0151...