Why is Russia so into hacking? Would it help if there was a startup community there to absorb the talent? Or is this the inevitable byproduct of bright people living under a brutally corrupt and dishonest dictator and his cronies for most of their lives?
1. The Russian gov't looks the other way. Hackers in any other country might fear prosecution & extradition, but Russian hackers are protected as long as they don't attack Russians. There was some malware going around at one point where someone realized the payload didn't run if the user had a Russian keymap installed.
2. Kind of a "worse is better" phenomenon. This is apocryphal, but while Americans and Europeans were digging into Apple IIs and Commodores, Russia just had crappy knockoff machines that didn't follow the behavior of the machines they were meant to be clones of, so anyone who stuck with it long enough basically taught themselves reverse engineering and the operation of "weird machines", how to operate in environments of undefined behavior. That's just how I heard it. I'd like to learn more about their history, since their space program was pretty one-to-one with ours; they definitely had computer engineers and programmers just as sophisticated as the USA.
> The Russian gov't looks the other way. Hackers in any other country might fear prosecution & extradition, but Russian hackers are protected as long as they don't attack Russians.
You can see some of this with Anonymous and the FBI these days, too, and NSO Group and Israel. I wouldn't be surprised if most countries do this, now.
That's boring maths though. Great, they found some people that can do hard maths. Cicada3301 winners prove they have a wide range of abilities. Your "tests" would be fine for the NSA types that just sit in a gov't cubicle going blind on ciphers. CIA wants people that can figure things out without getting caught.
I found Lex Fridman's interview with Nicole Perlroth, discussing hacker culture and the mechanics of creating and selling 0-days to nation-state actors, interesting.
You really think there aren't computer security experts from government organisations on 4chan? I thought half of its schtick was it was a wide range of humans from all walks of life, pretending to be (or actually being) whatever-it-is that humans become without any form of supervision.
I'd imagine direct and indirect infiltration. Hackers charged with crimes, who are part of a larger group, sometimes get plea deals. As part of their deals, they might give up accounts, keys, data, or evidence from the group, and/or work as confidential informants for the government.
>they definitely had computer engineers and programmers just as sophisticated as USA
Russians also have a world-class reputation in math and physics. At least they did in the 20th century. Now that experiments are so capital intensive, theoretical physics has become unfalsifiable silliness, I would assume that these people went into software. Although I could be wrong.
> Why is Russia so into hacking? Would it help if there was a startup community there to absorb the talent? Or is this the inevitable byproduct of bright people living under a brutally corrupt and dishonest dictator and his cronies for most of their lives?
It may be worth taking a look at the conditions that first gave rise to the eastern European malware scene in the late 80's, particularly in the Soviet Union and Bulgaria:
In particular, the presence of the necessary information and lack of economic opportunity gave rise to the original scene, and today that has transformed into an environment where the economic opportunity is directly tied to various for-profit black-hat activities (ransomware, identity theft and credit card fraud, etc.).
It is possible to link the relative lack of other economic opportunities to corruption, and that is a valid observation, but if black hat activities weren't profitable and relatively safe from retaliation (as long as you avoid Russian targets), the scene would still be typified by disaffected individuals rather than organized professional groups.
I'm not sure if creating a bunch of startups to soak up the extra talent would work, as the incentives to get a leg up on the competition via the Dark Arts (DDOS your competitor, spear-phishing their sales people, etc.) would still be pretty strong.
They inherited the military of the Soviet Union, which was overhyped but large and not obsolete. They have invested money into keeping up with tech in principle, i.e. a few demo units, but they don't have money to actually equip their military with the new tech or to train correctly. So the Russian military has Soviet nukes and otherwise it's a Potemkin village. It may be that the nukes are also a Potemkin village, but it's dangerous to check.
Russia has been doing asymmetric operations, e.g. buying the US republican party was a lot cheaper than winning a war against the US but effectively was almost as good. Helping far-right, anti-democracy, anti-EU, anti-NATO politicians worldwide has been destabilizing. Organizing both the racist and the anti-racist demonstration at the same place and time has kept people and governments distracted. They do a lot of mafia style things to bribe, intimidate and kill people into doing what they want. Turns out going after politicians is more effective than going after military officers because counter-intelligence is more hesitant to act when they suspect a politician of working with/for Russia.
Is the appearance of a deep state the main reason why counterintelligence is reluctant to act when it's politicians being bribed instead of military officers?
Right. Without really solid evidence, it might look like a military junta asserting control over the people's elected representatives. Someone who's not an elected politician would have just lost their security clearance and been let go, if the authorities decided to not pursue espionage charges.
Another thing is that the US military has been trained to be deathly afraid of appearing to have an opinion on politics, and this is both good and bad.
Their buying power within Russia is probably 3x that or more, plus because they have an extractive economy a disproportionately high proportion of GDP goes directly to the state, and because they are an oppressive state a disproportionate amount of that goes to the military.
Russian defence spending is about 1/12 that of the US, but between having lower grade equipment, conscription and cheaper domestic prices they probably get 2x to 3x bang for their buck, at least on paper. As we can see in Ukraine, in practice much of the bang is over hyped, but it still gives them the brute muscle to do a lot of regional bullying.
They don't? Everyone assumed they did, but given their performance in the last 2 weeks I'd say it was overblown.
The reason everyone thought they were a great military power is because the Soviets were presumably a great military power with a large army and a lot of hardware. Tanks, aircraft, artillery etc etc. And when it all fell apart the Russians inherited the lion's share.
Russia has lower costs in terms of personnel; lower wages and the like will somewhat lower the overhead of their military. But I think everyone overestimated how much that would help. See, raw materials cost the same around the world, more or less. Titanium costs the same in Russia as it does in the US. Same for steel or any other resource that is on the global market. So Russia can only build a tank so much cheaper than Europe or the US can; there is a floor to that price. On top of that, they have been under sanctions for years for a lot of important things they can't make domestically, like advanced semiconductors.
Then there is the fact Russia is a well known kleptocracy. They may very well have nominally lower personnel costs but that's likely balanced by much higher corruption.
And when you think of the sheer size of their military, all of those nuclear subs. All of those ICBMs, there are a lot of expensive things there that will easily take up large chunks of their budget.
I think much of the conventional side of the Russian military was left to rot and much of what we were shown pre-invasion was just that, a show. T14 functionally does not exist. Same with Su-57. They are cool show pieces but the real military are using 30+ year old hardware that has been piecemeal upgraded and not well maintained.
Same reason NK is. Same reason every country is. It is rather cheap in comparison. I mean even the largest super computers only cost a few hundred million. That's rather cheap when you consider other military adventures. One state of the art super computer is roughly the price of one (maybe 2) modern jets. The biggest cost is people. And you can do a ton of damage with hacking.
The costs are low, benefits are high.
[0] Summit was $350m, and an F22 costs $140m (per jet, not including development costs, which are hundreds of billions)
Not really much, but it was giving an example of the costs of computing in general. More like an upper bound. That you could buy crazy expensive computers and it would cost nowhere near what actual weapons systems cost. I was just trying to say that the cost for hacking is more in man power rather than machinery. And man power is far cheaper than machinery.
Where are you getting hundreds of billions? Wikipedia says "As production wound down in 2011, the total program cost is estimated to be about $67.3 billion, with $32.4 billion spent on Research, Development, Test and Evaluation (RDT&E) and $34.9 billion on procurement and military construction (MILCON) in then year dollars."
Although not the F-22, modern fighters such as the F-35 can cost hundreds of billions of dollars in R&D[0] (~150 billion iirc, with ~1.3 trillion total program cost).
On that subject we might ask if the Eastern recruiters care about things like background searches, "polygraphs" or what recreational substances the subjects use in their free time.
Fewer opportunities for startups running actual stable business products there isn't helping either. I have heard a first-hand story of how the government just stopped some cloud access, which caused some company that had built its product on top of it to immediately close down.
Alternatively, news about hacking that you read, including its primary sources like Google/Microsoft/FireEye/whatever, usually suppresses news about hacking by the U.S. and allies. IIRC last year Google publicly announced a zero day actively exploited by the U.S., which was considered highly unusual, since apparently they usually just patch it without fuss. The article was discussed here but I can't find it now.
This thread was kicked off by discussion about ransomware hacking, though. I'm sure US intelligence agencies get up to all sorts of no good, and I'm sure our news is less likely to report on it, but there doesn't seem to be an equivalent ransomware industry in the US (and the news has no reason to cover for petty hacking criminals in the US).
Actually I don't see a ton of news about national-security related hacking by Russia.
Oh, TFA is about nation states so I was talking about that.
Asymmetric commercial hacking is pretty easy to explain: hacking foreign entities is safer than hacking domestic ones in terms of risk exposure, and hacking entities in countries richer than yours is more attractive than the other way round.
Nah, most of the stories are about ransomware type schemes from Russian criminal gangs. I'm sure both of our intelligence agencies get up to no good, and US news sources are less likely to cover US intelligence agencies, but they have no real reason to cover for petty hacking criminals.
I don't think they're obvious, and this comment strikes me as baseless innuendo.
What precisely are the incentives for multinational corporations to censor news about American cyber malfeasance, especially given how acute and prolonged a regulatory headache unchecked American surveillance created for them in Europe?
Are you living under a rock? Do you remember the recent oil pipeline and meat packing facilities that got ransomwared? Tons of government sites and corporations get hacked. It's way more than what's publicly available too. Most of the time entities just pay up and keep it secret. Lots of the attacks come from Russia. They pump out a shit load of malware.
This sort of thing has always been the domain of organized crime syndicates.
Narcotics, prostitution, gambling, smuggling, and computer crime all take organization and capitalization. It's just that in some places such organizations control the reins of political power brazenly and shamelessly.
Since the war began, a number of supposedly independent ransomware groups have publicly announced their allegiance to the Kremlin and the war effort, and their intention to carry out strikes. So the idea of the January arrests was probably part of a larger pattern of arresting criminals and telling them they get out of jail free if they come work for the state. Whether these particular ones have already been turned into assets useful against Ukraine is not clear. At minimum they’re not working against Putin.
The idea of “ransomware diplomacy” was probably just a side benefit.
Interesting that they're targeting media publications - those users (journalists) are probably less technical / security hardened than operators of critical infrastructure, but have a great deal of influence over the country's wellbeing nonetheless.
I wonder what other similar professions are? Doctors and lawyers?
This combined with the announcement that software piracy is legal in Russia now perhaps suggests a new front is opening up again in cyber.
>All you need to do is convince one of their customers that you are speaking on behalf of the lawyer and get them to send the money to you instead. I know this because I've been a victim of this attack.
IIRC, there was a guy who was sending letters to the finance department of big tech companies and was claiming to be the CEO and that they had to make various payments to his accounts, and they were paying him without anyone at the company questioning this. He got away with millions before getting caught and he wasn't part of some crime group but some random guy sending letters from home, lol.
Maybe people should be trained in snail mail phishing detection too.
> Maybe people should be trained in snail mail phishing detection too.
This attack might be even more effective as snail mail actually, because in my case that's where the official notification of the recipient account was supposed to be delivered (and was, a couple of days later). If you can sleuth the email comms to find an address, you'd probably send the fake info to both.
To protect yourself from this attack, always, always, always speak with a person to get the account details to which you're sending a large amount of money. Preferably face to face.
If the BBC World Service hasn't taught people a thing or two (winning hearts and minds through propaganda), what will?
It's interesting that some tech firms are jumping on this. There isn't that much data sharing going on between tech firms; I know of email domains which will not work on some webforms or websites, but I think Europe's higher levels of privacy and anti-surveillance will be a disadvantage at this time.
Or diplomatic negotiations where people just talk past each other, delivering pre-written speeches repeatedly like someone is going to hear something new the 3rd time you read the speech.
It's not one person; these are groups of people who likely have a single strength in a particular area. The guy who is good at hacking isn't the guy sending phishing emails, and he isn't the guy setting up the bank accounts.
My novice POV is that you would expect Russians to have a higher ratio of hackers to script kiddies, as opposed to a country like Ghana, which scams just as many but is mostly just script kiddies trading techniques on underground markets.
From what I've seen on OSINT Twitter, I think what you're missing is that Russia is not actually all that good at cyberwarfare in terms of hacking high security systems, or even securing their own systems. There was a story today about a high ranking general who was killed and it was picked up by the OSINT community due to Russians using unencrypted phones to communicate on the battlefield. Extremely rookie mistake. Russia's cyberwarfare strengths seem to end with simple DDoS attacks and propaganda bot nets on social networks.
At the same time, there's a difference between cyberwarfare strengths and operational security being practiced (or not) by the soldiers in the field. It only takes one person to break protocol and pull out an insecure device. Or it could be done on purpose as a bit of plausible deniability of sabotage.
There are a bunch of reasons I can think of other than just Russia being weak at secure comms.
It's an insecure protocol rather than a device. If they'd used an encrypted VOIP app it would literally be secure, but they banned those out of paranoia and weren't able to provide their own replacements.
I think the actual intercept was real intelligence tapping the cell phone network and OSINT accounts just repeated it, but not sure.
Since Google doesn't really own much infrastructure outside of the US, I don't think Google can do much, and maybe doesn't even have that much insight on what is going through the pipes elsewhere.
There are a lot more things happening than just phishing attacks though, from both sides. While Russia is attacking Ukrainian IT infrastructure, Russian IT infrastructure is getting hit by every other country at the moment.
> Since Google doesn't really own much infrastructure outside of the US
What is that claim based on? I think they have a lot of presence here in Europe. I doubt it would be economical to transfer too much data over the Atlantic. Think of every YouTube video that is being watched. However, for services requiring longer central storage, like e.g. email, I have no idea. I am not sure whether mailboxes have a home region.
Disclaimer: No insider knowledge here. Just what I remember from tracerouting years ago and trying to apply some common sense.
Is it not worrying that this kind of response is left to Google? They are not a benevolent actor but a business who ultimately only does things to improve their own bottom line and their reach over the internet. [edit: I'd appreciate a response if you are going to downvote as is being done to me]
> Is it not worrying that this kind of response is left to Google?
What do you mean "left to" (or "response" for that matter)? Google chooses to report this information (which is a mix of info gathered from other sources and its own work to protect its own critical infrastructure); no one leaves it to them.
The government does its own publication of extensive cybersecurity information of this type, too; see, generally:
Thanks for the response (and to others too). In retrospect my point wasn't clearly made. I think some have understood but not others.
To spell it out further: my concern is Google effectively becoming essential internet infrastructure here. The only reason I see for them to support such a process is a view that they can charge for a for-profit service for the same in the future (though it may still remain free to some). In the past the internet has been a free, open, equitable and low-cost platform. Google's interest as a commercial company is not to stop DDoS altogether but to commoditise and profit from it. Is that the internet we are heading towards? Are there better alternatives?
The question you ask is valid. If I were to guess (I didn't downvote you), it's because of your second sentence. It hints that you're thinking about it in a zero-sum kind of way. Google benefits from a healthy and secure web. This means they are going to engage in projects that aren't directly tied to what they do, like letsencrypt, Project Zero and TAG.
There is absolutely no way that Google will derive direct financial benefits from defending some Ukrainian journalism project from DDOS attacks. So it should be obvious that your assumptions about their motivation are wrong.
Yes, maybe their actions will garner some sympathy among the public. But that mechanism is so generic, it just leads to the same conclusion, i.e. that companies are capable, interested, and legally free to act in the public interest.
Look at this from a purely selfish Google perspective. With its large market penetration, Google earns some share of the total ad revenue of the Internet. Hence, it is in Google's selfish best interest to see the Internet grow and stay healthy.
> They are not a benevolent actor but a business who ultimately only does things to improve their own bottom line and their reach over the internet.
Google has interests, just like you and I. Neither you, me or Google are “benevolent actors”.
I don’t at all mind when less-than-perfect entities help people — regardless of what else they do that is right or wrong.
Google, as a group of human beings, does both good and bad. To claim that it’s problematic to accept help from people who are members of a group of people who also do bad things means we would also have to deny help from e.g. well-meaning Russian citizens.
> Neither you, me or Google are “benevolent actors”.
This is nihilism. Google is definitely not a benevolent actor, as we can determine by examining the actions of the company over the past many years.
I assume you also are malevolent, by your own admission.
But your insinuation, that no-one is a benevolent actor, is so far off the mark I struggle to imagine how you hold that opinion. Have you considered therapy?
You have a point, but I recall that when WW2 started many car companies started making tanks, etc, and mostly for the same reason: a specialized skill set that the government simply didn't have the capacity to meet at that time. The unmet need for IT security related work in government is vast.
No company is benevolent. Every company ultimately seeks to maximize its bottom line. The whole premise of capitalism is that in a healthy market there will be some agents whose selfish interests happen to align with your own. For example, while Apple finds it advantageous to play up the privacy angle when competing with Google in the US, its PR statements shouldn't be confused with benevolence. In this case, Google burnishes its image from flexing its internet muscles to "help the little guy".
> as well as services like Liveuamap that are designed to help people find information. We expanded eligibility for Project Shield, our free protection against DDoS attacks
Really nice that they're doing that. I had noticed Liveuamap giving lots of 5* error codes earlier in the invasion, for obvious reasons, but now it looks like it works pretty well. Again, good job from the people of Google (I usually am very critical of them).
HN has been awkwardly silent on the ongoing conflict. I'll be curious to see where the discussion leads when the conflict starts escalating in the info/itsec areas. I read Nicole Perlroth's book this year, and I'm not excited about this at all.
Look at https://news.ycombinator.com/active. It’s been practically overflowing with Ukraine and Russia stories for days now, to the point it’s almost a bit of a chore to pick through them all and find discussion of anything else.
> HN has been awkwardly silent on the ongoing conflict
I hate to be the “you’re holding it wrong” guy, but...
Like most major, general-interest news, it doesn't make the front page or, if it does, it doesn't stay very long.
But if you check /newcomments, it's been a continuously active discussion. And an absolute majority of current stories on /new relate to the conflict in one way or another.
HN isn't “awkwardly silent” on the ongoing conflict.
It's not my only news source given I work in politics/civics, but HN is what I use for understanding the way the conflict is impacting the Internet on a technical level and the discussions of tech politics. For example, the request to ICANN, discussions on whether or not to cut off Russians' ability to use foreign infrastructure, etc.
It's invaluable for helping me follow this one specific area.
Edit: Also, I would like to say that the idea that 'every place on the Internet has to address every major event' is not really great for anybody who works in a related area. Think of political issues taking over hobby subreddits: I'm literally a civics educator, it's not super fun for me to log in to talk about video games and get greeted with 'if you don't agree with VERY REDUCTIVE BASIC 101 POSITION/don't want to see discussion in these spaces, you're terrible.' I put in almost 40 hours a week and do more than you do, random (likely 16-20 year old) Reddit mod. I don't need your lectures, I need to see crazy ways to break video games.
Like no. It's just that it's like being a math teacher and logging in to see people sharing (often wrong) math test answers in your beer group. You need a break for your own mental health.
I'm starting to get really concerned for the overall mental health of the journalist class + political staffers. The ability to step away from the pressure cooker is integral to maintaining your stability.
Totally agree with this. My work and study involves a fair amount of statistics. Yesterday I got accidentally nerd sniped by some bad date based numerology which I promptly spent 20 minutes angrily demolishing. It would have been nice to not see numerology on my fb feed because I could have put that effort towards something more constructive.
I work in communications for a non-partisan civic/political non-evil organization (Think like the Congressional Research Service or parts of NARA, nothing sexy or cool) and my graduate focus was on filter bubbles/social media algorithms/information policy (back in 2015). I also do front-end/UI/UX work.
There have been multiple times when I've logged into my social media (or my regular media feeds) and felt nauseated. I can just see all the fingerprints everywhere, pushing us this way and that, and I have also seen the effect that it has had on my loved ones over the past 7 years. It's like everything now is covered with this disgusting, vampiric slime that prevents you from making genuine connections with others.
"Off-Topic: Most stories about politics, or crime, or sports, unless they're evidence of some interesting new phenomenon. Videos of pratfalls or disasters, or cute animal pictures. If they'd cover it on TV news, it's probably off-topic."
It's not unusual for top breaking stories to get flagged off the HN front page, simply because they're top stories that are broadly covered in the mainstream media.
Now, niche responses to ongoing current events (like the InfoSec, supply chain, or technical aspects of the Ukraine invasion) are another matter, and I've seen several of them on the HN front page recently.
This is probably a good thing. HN discussions about geopolitics are usually poor.
But I share your curiosity on the seeming lack of discussion, or on another level, organisation. I feel disturbed by Russia indiscriminately murdering people, and threatening the end of civilisation, all conducted with gleeful mendacity. They have also shut off a large proportion of global food supply which developing nations rely on. I feel I should be doing something about it, but I don’t know what to do.
But in the end, HN is just a bunch of people on the internet.
They often get flagged into oblivion after they become infested with flamebait. Guidelines preclude speculating as to the authenticity of the often-new accounts engaging in this, but authenticity is not the same as intentionality and polluting the comments is a well established way to get a story off the front page.
Wow, I actually hadn't noticed I could flag stories and even comments, I assumed it had the same points threshold as down voting (I say this as a relatively new account).
There were many posts which reached the front page about the war in Ukraine. Although I devoured them with interest, they are off-topic, therefore it’s good that HN doesn’t dwell on it. Other social media became single-topic about the war for a week, HN offers a reprieve by keeping IT and startups at the center.
This. There's just not that much to say. There's nothing to debate; we're pretty much unanimously for peace and against aggression. There's nothing that we techies and entrepreneurs are going to do to make any difference, unless you're up at Elon Musk's scale. The only arguing is going to be politics (NATO response, appease Russia, etc) and that's exactly what HN tries to avoid.
At most we're involved in tangential economic affairs, like cutting off the payment infrastructure. Topics like that do seem to be getting about the right amount of attention here, a thread or two per day.
Multiple times I noticed a technique being used to push undesirable articles off the first page - you flag an article and then quickly unflag it (1-2 minutes). It will be bumped off the first page, but very few will notice the fleeting flagging.
It has already escalated a lot in terms of "cyberwar" or whatever people call it nowadays. Ukrainian infrastructure is under heavy attack from Russia, and Russia is under heavy attack from volunteers from literally every single country in the world, so heavy that Russia is now cutting off the rest of the internet because they can't handle the attacks.
That sounds a bit fanciful because how do you "actively fight cyberattacks"? It's all attack and no defense - even the passive defense is attack (via red teaming).
Speaking for myself working in cybersecurity, I suspect a lot of corporate and government IT/InfoSec folks are too busy rolling out recommended mitigations and observability improvements to have too much to say. Mainstream media does a good job covering where our (InfoSec/IT) industry fails. A job done well you will likely never hear about.
The occasional disconnect there isn't surprising at all. Whichever group at Google works on anti-phishing attacks probably has rules like "does it say it's coming from Google, does it look like a Google email, is there a picture of a Google logo, does it talk about your account, did a whole bunch of emails that look just like this one just get sent to a bunch of gmail users," etc. Legitimate emails from Google trip pretty much all of those alarms, and it makes a lot of sense to lean on the side of "phishing warning" if you're not sure. Plus, those teams are probably pretty far from each other on a big corporate organizational tree. Seems like a very reasonable sort of mistake to make.
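A small worked illustration of the false-positive mechanism described in the comment above, added here as an example and not Google's own classifier: the look-alike rules it lists fire equally on a constructed legitimate Google notification and a constructed phish, and only a check that the claimed sender is actually authenticated for a google.com domain (assumed here as a boolean stand-in for SPF/DKIM alignment) separates the two.

```python
"""Rule-based phishing heuristics of the kind the comment above describes,
run over two constructed messages. This is an added illustration, not Google's
actual classifier, and the `auth_pass` field is an assumed stand-in for a
real SPF/DKIM alignment result."""
from dataclasses import dataclass
from typing import List


@dataclass
class Message:
    from_header: str   # display name and address as shown to the user
    from_domain: str   # domain the message was actually authenticated for
    auth_pass: bool    # constructed stand-in for SPF/DKIM alignment passing
    subject: str
    body: str
    has_logo: bool     # an image that looks like the Google logo
    bulk_count: int    # how many near-identical copies were seen


# Constructed sample messages, not real mail.
LEGIT_GOOGLE = Message(
    from_header="Google <no-reply@accounts.google.com>",
    from_domain="accounts.google.com",
    auth_pass=True,
    subject="Security alert",
    body="A new sign-in to your Google Account was detected. "
         "Review your account activity.",
    has_logo=True,
    bulk_count=250_000,
)

PHISH = Message(
    from_header="Google <security@g00gle-accounts.com>",
    from_domain="g00gle-accounts.com",
    auth_pass=False,   # an attacker cannot produce a passing result for google.com
    subject="Security alert",
    body="Your Google Account will be suspended. Verify your account now.",
    has_logo=True,
    bulk_count=300_000,
)


def heuristic_flags(msg: Message) -> List[str]:
    """The look-alike rules the comment lists. Each is cheap to evaluate,
    and each one fires on the legitimate notification as well."""
    flags = []
    if "google" in msg.from_header.lower():
        flags.append("claims_google_sender")
    if msg.subject.lower() in {"security alert", "verify your account"}:
        flags.append("google_like_template")
    if msg.has_logo:
        flags.append("google_logo")
    body = msg.body.lower()
    if "your" in body and "account" in body:
        flags.append("talks_about_account")
    if msg.bulk_count > 10_000:
        flags.append("bulk_sent")
    return flags


def verdict_lookalike_only(msg: Message) -> str:
    """Decision from the look-alike rules alone, leaning towards 'warn' when
    unsure: this is the boy-who-cried-wolf false positive."""
    return "phishing_warning" if len(heuristic_flags(msg)) >= 3 else "ok"


def verdict_with_auth(msg: Message) -> str:
    """Same rules, but a message that claims to be from Google and is
    authenticated for a google.com domain is treated as what it claims to be.
    The authentication check is an assumed addition for this example."""
    flags = heuristic_flags(msg)
    claims_google = "claims_google_sender" in flags
    authenticated_google = msg.auth_pass and (
        msg.from_domain == "google.com" or msg.from_domain.endswith(".google.com")
    )
    if claims_google and authenticated_google:
        return "ok"
    if claims_google and not authenticated_google:
        # A brand claim without proof is the strongest single signal.
        return "phishing_warning"
    return "phishing_warning" if len(flags) >= 3 else "ok"


if __name__ == "__main__":
    for name, m in (("legit", LEGIT_GOOGLE), ("phish", PHISH)):
        print(name, heuristic_flags(m), verdict_lookalike_only(m), verdict_with_auth(m))
```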
Or maybe parts of google are sending emails that look too much like phishing. It wouldn’t be the first time my personal phishing meter triggered on some corporate emails.
They have been sending them for around 20 years. It's not like these are new emails. The phishing team has been flagging them for a few years now, not sure how long.
Whether it’s reasonable for them to make the mistake or not (see my other replies) the possible detrimental effect of this is summed up by the well-known “boy who cried wolf” story. So it’s a mistake they should fix.
https://krebsonsecurity.com/2022/01/at-request-of-u-s-russia...
Those people must now be back in business; national heroes and the era of ransomware diplomacy ended as fast as it started.