Hacker News: citizenpaul's comments

Is Backblaze single-handedly driving QC on hard drive manufacturers with their yearly report?

Might be.


Based on a completely out-of-my-behind number, I'd say something like 99.9999% of successful hacks I read about use one level of abstraction or less. Heavy emphasis on the less.

So I think one layer of abstraction will get you pretty far with most targets.


> F5 disclosed that nation-state hackers

Something about this statement screams that companies are setting themselves up for free money from big old gov'ment welfare titties. I keep seeing it pop up again and again and it only makes sense in that context.

It's the bogeyman, like terrorism. We need infinite money to fight the bad guys.


> I keep seeing it pop up again and again and it only makes sense in that context.

Not saying that these companies would turn down corporate welfare given the chance, but I’ll offer an alternative explanation: it shifts accountability away from the company by positing a highly resourced attacker the company could not reasonably be expected to protect against.

If you have a physical security program that you’ve spent millions of dollars on, and a random drug addict breaks in and steals your deepest corporate secrets people are going to ask questions.

If a foreign spy does the same, you have a bit more room to claim there’s nothing you could have done to prevent the theft.

I’ve seen a bunch of incident response reports over the years. It is extremely common for IR vendors to claim that an attack has some hallmark or another of a nation-state actor. While these reports get used to fund the security program, I always read those statements as a “get out of jail free” card for the CISOs who got popped.


>it shifts accountability away

I agree. I think what we are split on is purpose/intent.

>could not reasonably be expected to protect against.

Why not? If I'm hiring a cybersec, that's probably in my top 3 reasons to hire them; if not them, then who? Number one is probably compliance/regulation.

> “get out of jail free”

This is one of my red flags I also keep seeing. Whoops, we can't do the thing we say we do. The entire sec industry seems shady AF, which is why I think they are a huge future rent-seeking lobby, once the insurance industry catches on.

> these reports get used to fund the security program

So we agree?


> I agree. I think what we are split on is purpose/intent.

I… don’t think so? Your original comment was that companies claim nation state attack as a way to get government funding. That has nothing to do with assessing blame for an attack.

> Why not? If I'm hiring a cybersec thats probably in my top 3 reasons to hire them, if not them then who?

If you think you as a private entity can defend against a tier 1 nation state group like the NSA or Unit 8200, you are gravely mistaken. For one thing, these groups have zero day procurement budgets bigger than most company market caps.

That’s why companies reflexively blame nation state actors. It isn’t to get government funding. It is to avoid blame for an attack by framing it as something they could not have prevented.

> So we agree?

No, I don’t believe we do.


When I went through a tech school cyber security program (10+ years ago now) we were told that the situation was "If Canada wants to hack you, it is improbable you can stop them. If the US wants to hack you, they will. Therefore we will not be focussing on strategies to counter nation state actors." It was a foregone conclusion that you would lose against them. I imagine the situation hasn't improved much in the last ten years.

Maybe not feasible now, but maybe it could be feasible at some point in the future if things are built on top of seL4, with similar techniques used to demonstrate that the programs in question also have some desired security properties, building on the security properties the kernel has been proven to have?

Of course, one might still be concerned that the hardware that the software is running on, could be compromised. (A mathematical proof that a program behaves in a particular way, only works under the assumption that the thing that executes the program works as specified.) Maybe one could have some sort of cryptographic verification of correct execution in a way where the verifier could be a lot less computationally powerful while still providing high assurance that the computations were done correctly. And then, if the verifier can be a lot less powerful while still checking with high assurance that the computation was done correctly, then perhaps the verifier machine could be a lot simpler and easier to inspect, to confirm that it is honest?
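
The "weak verifier, strong prover" idea in the comment above has a classic concrete instance: Freivalds' check for matrix multiplication, where the verifier does O(n^2) work per round to check an O(n^3) result and the chance of accepting a wrong answer halves every round. The block below is an added example, not code from the thread; the matrices are constructed and the "prover" is just a local function standing in for the untrusted fast machine.

```python
"""Freivalds' check: a weak verifier confirming a strong prover's matrix product.

Added example, not code from the original thread. The matrices below are
constructed, and the "prover" is just a local function; in the setting the
comment describes it would be the untrusted, more powerful machine.
"""
import random


def matmul(a, b):
    """The expensive step the prover does: naive O(n^3) product."""
    n = len(a)
    return [[sum(a[i][k] * b[k][j] for k in range(n)) for j in range(n)]
            for i in range(n)]


def mat_vec(m, v):
    """O(n^2) matrix-vector product, the verifier's only heavy operation."""
    return [sum(row[j] * v[j] for j in range(len(v))) for row in m]


def freivalds(a, b, c, rounds=40, rng=random.SystemRandom()):
    """Accept C as A*B with false-accept probability at most 2**-rounds.

    Each round draws a random 0/1 vector r and checks A(Br) == Cr using three
    matrix-vector products (O(n^2)) instead of recomputing the O(n^3) product.
    If C != A*B, a random r exposes the difference with probability >= 1/2,
    so `rounds` independent draws shrink the miss probability exponentially.
    The randomness must be unpredictable to the prover, hence SystemRandom.
    """
    n = len(a)
    for _ in range(rounds):
        r = [rng.randrange(2) for _ in range(n)]
        if mat_vec(a, mat_vec(b, r)) != mat_vec(c, r):
            return False  # a single mismatch is conclusive
    return True


def demo(n=40, seed=1):
    """Constructed scenario: an honest result and one with a single flipped cell."""
    gen = random.Random(seed)
    a = [[gen.randrange(-9, 10) for _ in range(n)] for _ in range(n)]
    b = [[gen.randrange(-9, 10) for _ in range(n)] for _ in range(n)]
    c = matmul(a, b)
    tampered = [row[:] for row in c]
    tampered[n // 2][n // 3] += 1  # one wrong cell out of n*n
    return freivalds(a, b, c), freivalds(a, b, tampered)


if __name__ == "__main__":
    print(demo())  # honest result accepted, tampered result rejected
```

The saving only matters for large n (three O(n^2) passes per round versus one O(n^3) product), and the check is probabilistic, not a proof; it also says nothing about the prover's hardware being honest beyond this one computation, which is exactly the gap the comment raises.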


Sure, every little bit helps. But, keep in mind formal verification isn’t going to prevent configuration errors, and it remains to be seen if, for example, automated verifiers can do anything like the seL4 proof at scale. seL4 is tiny compared to most other software systems. There will still be technical avenues to attack, and if those get closed off nation state actors will just go back to spying the old fashioned way.

> zero day procurement budgets bigger than most company market caps

Do you mean they pay companies to put backdoors into products? Or do you mean they just go hunting for vulnerabilities? Maybe both?


Mostly I mean they research vulns and buy exploits on the open market, but yes they are also getting backdoors placed in commercial products.

> Something about this statement screams that companies are setting themselves up for free money from big old gov'ment welfare titties.

From the published CISA mitigation[0]:

  A nation-state affiliated cyber threat actor has 
  compromised F5’s systems and exfiltrated files, which 
  included a portion of its BIG-IP source code and 
  vulnerability information. The threat actor’s access to 
  F5’s proprietary source code could provide that threat 
  actor with a technical advantage to exploit F5 devices and 
  software. 
> Its the boogyman [sic] like terrorism.

Or maybe it is a responsible vulnerability disclosure whose impact is described thusly[0]:

  This cyber threat actor presents an imminent threat to 
  federal networks using F5 devices and software. Successful 
  exploitation of the impacted F5 products could enable a 
  threat actor to access embedded credentials and Application 
  Programming Interface (API) keys, move laterally within an 
  organization’s network, exfiltrate data, and establish 
  persistent system access. This could potentially lead to a 
  full compromise of target information systems.
0 - https://www.cisa.gov/news-events/directives/ed-26-01-mitigat...

If it was a “nation-state” actor, f5 should have named it and provided irrefutable evidence to this effect.

Until this happens, it's just CYA at its best to hide flaws in their systems and procedures.


This is a mean-spirited interpretation of what happens when you claim nation state.

Generally the government (as of now) is not paying private companies (but maybe some Critical Infrastructure companies) to secure things. We are in the very early stages of figuring out how to hold companies accountable for security breaches, and part of that is figuring out if they should have stopped it.

A lot of that comes down to a few principles:

* How resourced is the defender versus the attacker?

* Who was the attacker? (Attribution matters - shoutout @ImposeCost on Twitter/X.)

* Was the victim of the attack performing all reasonable steps to show the cause wasn't some form of gross negligence?

Nation state attacker jobs aren't particularly different from many software shops.

* You have teams of engineers/analysts whose job it is to analyze nearly every piece of software under the sun and find vulnerabilities.

* You have teams whose job it is to build the infrastructure and tooling necessary to run operations

* You have teams whose job it is to turn vulnerabilities into exploits and payloads to be deployed along that infrastructure

* You have teams of people whose job it is to be hands on keyboard running the operation(s)

Depending on the victim organization, if a top-tier country wants what you have, they are going to get it and you'll probably never know.

F5 is, at least by Q2 revenue[0], a very profitable, well-resourced company that has seen some things and been the victim of some high profile attacks and vulns over the years. It's likely that they were still outmatched because there's been a team of people who found a weakness and exploited it.

When they use verbiage like nation-state, it's to give a signal that they were doing most/all the right things and they got popped. The relevant government officials already know what happened; this is a signal to the market that they did what they were supposed to and aren't negligent.

[0] - https://www.f5.com/company/news/press-releases/earnings-q2-f...


HN can be unnecessarily vicious when it comes to these situations. They have a very narrow slit in which they see companies because they extrapolate their understanding into the large corporation.

The attacker needs to find 1 fault in a system to start attacking a system, the company needs to plug ALL of them to be successful, continually for all updates, for all staff, for all time.

Having been on both sides of that fence, I don't envy the defenders; it is a losing battle.


> Having been on both sides of that fence, I don't envy the defenders, it is a losing battle.

Being on the defenders side, I would say it is not a losing battle.

It is a matter of convenience versus security: not using up to date libraries because it requires some code rewrites and “ain't nobody got time for that”, adding too much logic to functions and scope creep instead of segregating services, not microsegmenting workloads, using service accounts with full privileges because figuring out what you actually need takes too much time; and the list could go on.

I am not blaming all developers and engineering managers for this because they might not know about all the intricacies of building secure services - part of the blame is on the ops and security people who don’t understand them either and think they’re secure when they are not. And those folks should know better.

And third, hubris: we have all the security solutions that are trendy now, we’re safe. Do they actually work? No one knows.
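
One of the items above, "service accounts with full privileges because figuring out what you actually need takes too much time", is the part that is easiest to automate. The block below is an added example, not code from the thread: it flags wildcard grants in an IAM-style policy and derives a resource-scoped policy from records of what the workload was actually observed doing. The policy and the event records are constructed; the field names (eventSource, eventName, resources[].ARN) follow CloudTrail's layout, but the records themselves are invented.

```python
"""From "full privileges" to a policy scoped to what the workload actually does.

Added example, not code from the original thread. The policy and the
CloudTrail-style event records are constructed; the field names follow
CloudTrail's layout but the records are invented.
"""
import json

OVERPRIVILEGED_POLICY = {  # constructed: the "service account with full privileges"
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

OBSERVED_EVENTS = [  # constructed: what the workload was actually seen doing
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "resources": [{"ARN": "arn:aws:s3:::app-assets/*"}]},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "resources": [{"ARN": "arn:aws:s3:::app-assets/*"}]},
    {"eventSource": "sqs.amazonaws.com", "eventName": "ReceiveMessage",
     "resources": [{"ARN": "arn:aws:sqs:us-east-1:123456789012:orders"}]},
    {"eventSource": "sqs.amazonaws.com", "eventName": "DeleteMessage",
     "resources": [{"ARN": "arn:aws:sqs:us-east-1:123456789012:orders"}]},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "resources": []},  # not resource-scoped: this one legitimately needs Resource "*"
]


def _as_list(value):
    """IAM allows a bare string or a list in Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def find_wildcards(policy):
    """Flag Allow statements that grant every action ('*' or 'svc:*') or every resource."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        if any(a == "*" or a.endswith(":*") for a in _as_list(st.get("Action"))):
            findings.append((i, "wildcard action"))
        if "*" in _as_list(st.get("Resource")):
            findings.append((i, "wildcard resource"))
    return findings


def iam_action(event):
    """'s3.amazonaws.com' + 'GetObject' -> 's3:GetObject'."""
    return f"{event['eventSource'].split('.')[0]}:{event['eventName']}"


def derive_least_privilege(events):
    """One Allow statement per resource, listing only the actions observed on it."""
    by_resource = {}
    for ev in events:
        arns = [r["ARN"] for r in ev.get("resources", [])] or ["*"]
        for arn in arns:
            by_resource.setdefault(arn, set()).add(iam_action(ev))
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": sorted(acts), "Resource": arn}
                      for arn, acts in sorted(by_resource.items())],
    }


if __name__ == "__main__":
    print(find_wildcards(OVERPRIVILEGED_POLICY))
    print(json.dumps(derive_least_privilege(OBSERVED_EVENTS), indent=2))
```

Two caveats a practitioner would add: the derived policy only covers code paths that ran during the observation window, so a short sample will break the workload on the first rare path (collect long enough, then test in a non-production account), and the one remaining "wildcard resource" finding is expected, because some APIs such as sts:GetCallerIdentity are not resource-scoped and have to be granted on "*".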


So, why I say it is a losing battle is because when I look for a weakness it's not a known CVE and it's not known to be exploited.

Many of these companies can keep up to date assuming their vendors report correctly; the exploits that are not publicly documented are rarely fixed.


It’s also just a fact. We don’t need a bogeyman when other nations are actually executing these attacks every day.

There's huge incentive for nation-state level actors to recruit, train and spend oodles on extremely sophisticated hacking programs with little legal oversight and basically endless resources. I have no idea why you're incredulous about this.

If I were running a country practically my highest priority would be cyberattacks and defense. The ability to arbitrarily penetrate even any corporate network, let alone military network, is basically infinite free IP.


It doesn't matter who hacks me. If my job is on the line I'm going to claim it's someone impossible to defend against like a state actor.

There's a thousand things to point at that would make it plausible. I might even convince myself of it out of sheer embarrassment.


I don't lie generally but most of all about things that could precipitate FBI involvement in what you're doing.

This is a fantasy.


> I have no idea why you're incredulous about this.

I understand human nature.


You can get a lot of fat kids on a computer in a bedroom for the cost of building and maintaining a 6th Gen fighter.

If there was some government program I was previously unaware of that pays organizations that were compromised by nation state hackers then I’m going to be upgrading all my networking infrastructure to F5 products and start reading up on BIG-IP migrations.

That is to say, sometimes nation state hackers _were_ behind the compromise. F5 is a very believable and logical target for such groups.


Is there an example of a company getting money from the government in response to a statement like this?

I don't believe Equifax received money, just a long list of demands to be allowed to continue as a viable business.

That it was a nation-state actor may have allowed them some grace, as it didn't result in individuals' details being wholesale sold on the dark web, and the fallout was most-likely a national security issue.

It would definitely have helped the CCP target individuals who were vulnerable to recruitment due to their financial status. Especially when combined with the Office of Personnel Management data hack.


Nation-state sponsored hackers make up a huge amount of known targeted intrusion groups. This is not some random company tilting at windmills; these are real threats that hit American and American-aligned companies daily.

GitHub is now overwhelmingly the top source of spam in my entire online existence. It's nonstop spam/scams to the disposable email I list on there.

I've gotten less spam from literally spam testing services than github.


I once reported this kind of interview scam repository with the full backstory and explanation of why I was reporting it, and GitHub's support asked for proof that it was a scam. As if I was supposed to do the detective's work. I just wrote back to them that they can do whatever they want with it as I've done my part.

A "legitimate" blockchain company wants me to run their mystery code on my PC for a job. Yeah. Full stop right there. Klaxon alarm sounding incoming attack.

I've noticed that I'm commenting a lot lately on the naivety of the average HN poster/reader.


> Seasoned accounts are a positive heuristic

I've found for the most part account age/usage is not considered at all in major online service providers.

I've straight up been told by Google, eBay and Amazon that they do not care about account age/legitimacy/seasoning/usage at all and it is not even considered in various cases I've had with these companies.

They simply don't care about customers at all. They are only looking at various legal repercussions balanced against what makes them the most money and that is their real metric.

eBay: Had a <30-day-old account make a dispute against me that I did not deliver a product that was over $200, when my account was in good standing for many years with zero disputes. eBay told me to f-off; the eBay rep said my account standing was not a consideration for judgement in the case.

Google: Corporate account in good standing for 8+ years, mid five figure monthly spending. One day locked the account for 32 days with no explanation or contact. At day 30 or so a CS rep in India told me they don't consider spending or account age in their mystery account lockout process.

Amazon: Do I even need to...


Eventually, some of these companies will realize that a well-managed customer service org is a profit center and they will get an enormous amount of business. Unfortunately, they'll all keep fucking over customers until they realize that accepting life in the crab bucket is a negative-sum game.

I'm considering going back to school to write a "Google Fi 2016-2023: A Case Study in Enshittification" thesis but I'm not sure what academic discipline it fits under.

(I'll say it again for those in the back, if you're looking for ideas, there's arbitrage in service.)


Unfortunately ebay has a lock on large parts of the market and only a small number of people have been called frauds by them. I personally can't buy from you because they have decided my account is compromised, but I'm just one person and so that is a tiny number of potential customers.

Try philosophy, you would need good logic to get the necessary peer reviewed publications ;-)

The problem with onsite or colo is always the same. You have to keep fighting the same battle again and again and again. In 5 years, when the servers need to be replaced, even though you have already proven it saves orders of magnitude in costs.

I've never once been rewarded for saving 100k+ a month even though I have done exactly that. I have been punished by having to constantly re-justify the decision though. I just don't care anymore. I let the "BIG BRAIN MBAs" go ahead and set money on fire in the cloud. It's easier for me. Now I get to hire a team of "cloud architects" to do the infra, at eye-bleeding cost increases for a system that will never ever see more than a few thousand users.


Not just vulns. It is possible to simply purchase access or become a provider in the SS7 system (<$20-50k USD). SMS is basically a completely open system at this point. Cybersecurity companies do it all the time for pentesting. So do "Cybersecurity companies".

Horrifying that nearly all banks still require you to use SMS as a 2FA and do not offer any other alternative.

Did you really think the US Gov was OK with Facebook running the biggest "encrypted" SMS system on earth? LOL, of course they already had access to all the messages.


Hijacking WhatsApp SMS authentication codes can be prevented by just adding a PIN to your account. Doing this attack also doesn't grant you access to someone's old WhatsApp messages, and contacts with "security notices" enabled will see that your device has changed. It's quite different than big gov just having access to all your WhatsApp messages. (But there might be other ways they can do this, but just SMS sniffing doesn't get you there)

> Horrifying that nearly all banks still require you to use sms as a 2fa and do not offer any other alternative.

In my country banking applications are tied to your phone via IMEI, SIM and other hardware dependent information available.

Forget getting banking details and using another device without the user knowing, either.

If someone clones your SIM or gets a replacement on your behalf, all your banking access is blocked until you enable them one by one with your ID card or other means.

One of the banks can use FaceID as a secondary factor, too.

So, other methods are possible. It's an "implementation detail" at this point.


I think HN skews towards a somewhat naive but good natured crowd. Every time ethics or morality comes up on here there is no shortage of defenders that simply don't want to accept the fact. Yes there are bad people out there that are not only ok with the bad things they do but even some that actively enjoy it and pursue more of it.

Well, I'll admit that I hadn't even really thought of the option where they know it's evil but they just enjoy it until these responses. I figured they'd either hate their job or have convinced themselves that they're actually doing good. To be fair I think a lot of outwardly-evil people have convinced themselves internally that they're good people.

The question isn't whether there are bad people who enjoy what they do but whether they recognize that what they are doing is bad rather than deluding themselves in some way.

The whole point of ethics is to have an independent roadmap of what is right/good/moral other than just your subjective feelings that may change even from day to day.

Again you are reinforcing my point. I've directly met people that have said things like this real-life exec quote:

"I love bopping them, just like turtles when they pop their head up for air, bop" *gestures fist hammer motion*

In regard to treating people like disposable slaves in order to get what they want.


While it's a cool experiment, is there some purpose I'm missing? Go can already do this natively, and compilation speed is already its selling point, so I'm not sure how Rust could help there.

Seems like effort would be better spent improving Rust compilation speed. Unless you just wanted to create a compiler for learning or HN points, in which case, here ya go.

