69 comments

[ 2.9 ms ] story [ 129 ms ] thread
The main link support the "Russia" cyber-attack gives me a 404. Who is upvoting this stuff?
> Who is upvoting this stuff?

HN is starved for conversation about this. There's a massively futuristic cyberwar happening between the US and Russia. Hackers galore, wild spy stories, technological innovation, clever ideas, things happening at scale, etc - all the kinds of topics HN would love to have a conversation about!

But every story about it gets flagged and removed. So HN never, ever talks about the most interesting topic of our day (IMO). I think that is why this is getting upvotes. It'll probably disappear soon, as the rest of posts do on this topic. I don't have any info about this source btw, it could be a useless site. Just trying to add some insight.

The topic isn't political btw. Saying the President is compromised by Russia, along with much of the Republican party is just a fact. But HN sees that as political I guess, and things are removed. It's really unfortunate.

Where is this being discussed by knowledgeable people and not getting deleted? I'm asking because I'd really like to know more of the details.
> The topic isn't political btw. Saying the President is compromised by Russia, along with much of the Republican party is just a fact. But HN sees that as political I guess, and things are removed. It's really unfortunate.

How could you realistically believe that is not a political comment?

Years of accepting an unquestionable narrative on either end of the spectrum tricks many people into thinking it is a fact as the perceived majority in their own social network bubbles push it as an undeniable truth as part of a multi-year long black/white narrative. Because it is a fact, it cannot be political :)
They seem to be using 'political' to mean false, propaganda, 'biased' or something. So then 'fact' and 'political' are non-overlapping categories. Like non-biased vs biased, opinion vs fact, lies vs reality. Not so surprising someone thinks the word means that - maybe that's how it's used in some circles...
I understand how they used it. It’s just ironic saying that something isn’t political and then immediately saying that is hyper-political right after.
Well the media also reported that by the Mayan calendar doom was imminent. What did they report? do they have informants from the inside? Otherwise this is hardly substantiating.
So... The Constitution? We just attack other countries whenever we feel like now?
The case can be made that we were attacked first in 2016, both by hacking (and releasing) the DNC emails and a coordinated propaganda campaign via social media, and this was an offensive move to prevent it from happening again in the 2018 elections. I don't see how this is just an "attack whenever we feel like it."
The DNC is not an institution of the US government.
Neither is social media. Your point?
My point is that the government shouldn't be itching to get itself in the business of retaliating against foreign attacks on non-government entities. Eventually the attackers and the attacked will sort themselves out. There's no need for taxpayer money to be spent on such things.
> retaliating against foreign attacks on non-government entities

So if they will blow up "non-government entity" it will be perfectly ok and will not require any retaliation? Where's the line?

How do you feel about attacks on cargo ships by a foreign Navy?

Protecting citizens and companies from foreign governments is one of the explicit purposes of the military.

Cargo ships get attacked & hijacked all the time. There exist some shipping lanes where such risks are well known. In fact, US Navy ships regularly patrol such shipping lanes in an effort to curtail or stop piracy. At the very least, many pirates are turned off by the prospect of facing off against a heavily armed Navy ship.

This isn't the same thing as retaliation. This is the US government deploying its considerable resources to mitigate an obvious vulnerability. Under international law, crews of merchant ships aren't allowed to carry weapons, leaving them defenseless against even the shabbiest of pirates. The navies - US and allied alike - are out there protecting ships that cannot legally defend themselves. Retaliation in this case would involve the American Navy sending landing parties ashore to Somalia, or attacking Somalian cargo ships in a tit-for-tat fashion.

Compare this with infosec vulnerabilities in the private sector. Are companies legally bound to stay vulnerable? No. Most choose to do so - consciously or not - because to date they've gotten away with a weak security posture. This is just the nature of business. An appropriate mitigation would be for Congress to pass legislation requiring companies to safeguard their systems. I would even go as far as commend the government for subsidizing infosec consultants for companies that are considered important for the continued functioning of society.

None of the above jives with retaliating in kind.

> Under international law, crews of merchant ships aren't allowed to carry weapons

That isn't true. It's perfectly legal for an American ship in international waters to carry weapons aboard. Shipping companies hire armed security to protect their ships even though it's not common.

Depending on the country, a very heavily armed ship may have a problem in certain ports, but small arms kept aboard aren't a problem in most places. If you want larger weapons, companies could hire escort boats.

>Are companies legally bound to stay vulnerable? No. Most choose to do so - consciously or not - because to date they've gotten away with a weak security posture. This is just the nature of business. An appropriate mitigation would be for Congress to pass legislation requiring companies to safeguard their systems.

Sure companies need better security, but no security policy will stop a sufficiently motivated attacker. Expecting private citizens to be solely responsible for protecting themselves from foreign militaries is absurd.

>Retaliation in this case would involve the American Navy sending landing parties ashore to Somalia, or attacking Somalian cargo ships in a tit-for-tat fashion.

Retaliation in this case would be the US launching cyber attacks and stealing trade secrets from private foreign companies. Instead they are directly attacking cyber combatants.

the government shouldn't be itching to get itself in the business of retaliating against foreign attacks on non-government entities.

At the end of the day, the reason the government exists is to protect the people and their property.

I agree that it's alarming that the US is doing this. But my alarm is because there's no Constitutional declaration of war, or even any apparent invocation of the War Powers Act.

I always thought that the reason the government exists is to collect taxes and spend them in the most inefficient way. Governments go to war to protect their cash flow, i.e. taxes.
Well we just had a presidential election if not decided, certainly influenced by this same group, I can't think of a better thing to spend taxpayer money on than ensuring that elections are free from interference.
I fail to see how what amounts to a whistleblowing action revealing horrendous actions done by one of the two viable political parties is "interference."

The information revealed was information I was happy to learn. It was true, factual information taken directly from the bad actors committing crimes, violating federal law, and committing election fraud.

The other point is that we don't even know who leaked the information. The emails were completely unsecured and they were likely hacked by everyone and their dog. If the leak came from a US whistleblower, would it still be "interference?"

Why on earth would you not want to know this information? Because of political bias?

Do you know the size of the Russian economy? https://en.wikipedia.org/wiki/Economy_of_Russia

How many individual US states have an economy larger than Russia? https://en.wikipedia.org/wiki/Comparison_between_U.S._states...

And the size of the PR industry? https://www.statista.com/topics/3521/public-relations/

We invented the modern PR industry, AI, and social media. That's our bailiwick.

You think Russia outclassed us at our own game, at home on our own platforms, on the biggest stage, in the highest stakes game of all?

That would be like the Russian basketball team [0] beating the US Dream Team [1] in all of our major sports at once. Not gonna happen.

[0] Russian Basketball https://en.wikipedia.org/wiki/Russia_national_basketball_tea...

[1] US Dream Team https://en.wikipedia.org/wiki/1992_United_States_men%27s_Oly...

I wonder if you know how silly your comment reads?
Tell me JohnJamesRambo. How so?
Would you feel differently if power plants (also mostly not government owned) were attacked?

I know my analogy is a bit of a stretch, but at least at present it seems like the political parties are at the very core of american civilization (or lack thereof, depending on perspective)

Protecting privately owned power plants at all costs is just another manifestation of the "too big to fail" mentality. If the comparison doesn't seem immediately relevant to you, see if you can find similarities between financial firms that failed to stay solvent and power plants that failed to adopt a security posture commensurate with the function they perform in modern society.

I'd much rather see the country face its problems and fix them, than hope Uncle Sam can paper over security vulnerabilities or the casino mentality on Wall St.

(comment deleted)
If 'first' only occurred in 2016, then I would be shocked. Foreign countries being active in attempting to affect the outcome of elections is just accepted. Dropping leaflets from the air to rain down on the population, funneling money in support of favored candidates, etc is all stuff well documented that the CIA has done. Social Media has just made this so much easier for the attacker. Leaflets raining down from the sky is pretty obvious. A social media post is so not obvious. I kind of feel like it's our own damn fault. It seems like the social is all about influencers. Russia used that desire of people to be influence in the most effective way.. It's kind of brilliant at how cunning, cheap, effective it was/is.
Everything you say could be true, but it doesn't address the comment you responded to. The Constitution requires a declaration of war by Congress. The War Powers Act gives the president the authority to respond to a military emergency for 90 days, giving the Congress time to make such a declaration. Neither of those things have triggered in this case.
Declaring war on Russia. Not a smart idea. I prefer a violation of the Constitution and everyone looks away than a war declaration on a nuclear power.
Everybody in Congress is too chicken shit to declare war because they don't want it on their voting record when things go bad.
Talking about exploiting poor information security as a "cyberattack" is the most dangerous thing here, as it paves the path for escalation into actual fighting. The appropriate context is two armies each residing on their side of the border, yelling insults back and forth.

"Prevent it from happening again" is utterly fallacious - there isn't one unique group that is capable of performing such actions, whereby vanquishing them will make everything "safe". Rather, the hacks are entirely in line what we should expect an anti-fragile society to tolerate. Rather than looking to shoot the messenger, we should even thank them when their proceeds align with the self-policing of our own institutions!

Ultimately what we're seeing here is the same old "tell them they're being attacked" technique applied to the information realm. Categorizing the involuntary-opening of societal institutions as an "attack" has only one possible ending, and it is the direct opposite of a democratic society!

Do you think they're not attacking us? Cyber attacks are more easily deniable than missiles or troops on the ground (although Russia did that last one anyway), but that doesn't mean it's not happening.
This does not, in any way, provide an answer to the concern you're replying to.

Allowing electronic warfare to exist outside of US law and doctrine is not a good idea. That's how things escalate suddenly and unpredictably. Maybe you feel that, because we're being attacked, we must respond offensively. Fine. We should still have rules for how those operations are targeted, conducted and limited.

Electronic warfare exists within the law:

10 U.S. Code § 394. Authorities concerning military cyber operations

https://www.law.cornell.edu/uscode/text/10/subtitle-A/part-I...

As a "sensitive military cyber operation" this was likely reported to Congress within the required timeframe unless it was defined as a "covert action" which has its own set of laws.

Sensitive military cyber operation: https://www.law.cornell.edu/uscode/text/10/395

Covert actions: https://www.law.cornell.edu/uscode/text/50/3093

Doctrinally, offensive cyber operations have been extensively studied and debated for a number of years and the official joint military doctrine document is publicly available:

Joint Publication 3-12, Cyberspace Operations, 8 June 2018

https://www.jcs.mil/Portals/36/Documents/Doctrine/pubs/jp3_1...

We have been for decades. Often with actual bombs and bullets.
The Constitution has yet to be amended to reflect significant modern shifts: mutually-assured-destruction via nuclear warfare, stateless militants, etc.

US Congress often does authorize a US military offensive (Afghanistan, Iraq) though without a formal Declaration of War.

But who are we kidding? This is a covert offensive "skirmish", probably not too different from many that took place in the cold war or in Latin America. While I suppose I'd prefer if Congress authorized actions like these, I certainly don't want to declare war on a nuclear superpower foe.

> The Constitution has yet to be amended to reflect significant modern shifts

That doesn't excuse ignoring it, though the CIA generally did. Doesn't make that an acceptable policy, I can't imagine anyone proposing so for other aspects of the Constitution.

> I certainly don't want to declare war on a nuclear superpower foe.

But the current actions are the worst of both Worlds; not officially declaring war, yet waging war. Like throwing rocks at the hornets' nest whilst ducking behind a wall. When the hornets find you they'll sting just as hard.

If something is worth risking war for, then declare war. If it's not worth nuclear annhiliation then ... get on with boring old spying.

I'm mildly amused by comments about the "militarization" of the Internet given its origins.
Perhaps re-militarisation would be more accurate?
https://www.internetsociety.org/internet/history-internet/br...

Just to keep in mind:

> It was from the RAND study that the false rumor started claiming that the ARPANET was somehow related to building a network resistant to nuclear war. This was never true of the ARPANET, only the unrelated RAND study on secure voice considered nuclear war. However, the later work on Internetting did emphasize robustness and survivability, including the capability to withstand losses of large portions of the underlying networks.

The internet has always been militarized, it is just that some actors have picked up the pace (tech know-how, capabilities, etc) and that we are now seeing more emphasis in looking at the issue.
Two hard drives destroyed? I believe the enemy is in panic right now.

Either do a serious attack to destroy that Troll Factory once and forever or don't be clowns.

like, with a Tomahawk?
(comment deleted)
(comment deleted)
Same as when I read reports of Russia "attacking" the US, I'm having a hard time believing there was the actual evidence to support the origin of the attack in this case as well. Any even modestly sophisticated hacker, let alone US Cyber Command, would have no problem hiding the origin of the attack in order to have plausible deniability. Truth of the matter is, you don't know if it was USCC or some teenager in her parents' basement.

Don't get me wrong, I'm not saying the two countries don't ever attack each other's computer systems. I think they do it all the time. I'm just saying that when someone says "this particular attack was definitely from country X" they're usually full of shit.

Disclosure: I'm Russian-American.

As with most things, it's hard to prove what actually happened definitively, but there are clues you can piece together to make a claim within a reasonable degree of probability. Things like what type of binaries were installed, what servers were reached out to, even what commands were run...if you collect enough data, it is possible to see patterns in how certain attackers (like USCC) operate, and if we assume a teenager in her parents' basement doesn't have access to the same tools and procedures as USCC does, then it becomes pretty obvious it wasn't her.

To a certain degree, if your server has malware X, and you can identify malware X (or something very similar) as belonging to actor A, and you know actors B, C, and D don't have X in their arsenal, then you can guess with high probability that you were attacked by A.

Intelligence is probably the most high stakes guessing game in history, and there are definitely smart people at the top who know that simple IP correlation is not enough to make this claim - but they likely have access to sensitive (confidential) data that further justifies that claim.

>> doesn't have access to the same tools and procedures as USCC does

If she's well connected, she does have access to almost everything that's available, short of something that offers no plausible deniablity because it's custom made for a particular system, like Stuxnet, or something that's full of zero days nobody else knows about yet. And the only thing you can conclude in these two cases is that you're _probably_ dealing with a state-level attacker, but you can't say which state unless there's something to further narrow things down, such as unfettered access to controlled nuclear technology in the case of Stuxnet.

Notice also how we are always expected to accept these reports on faith, and no _verifiable_ evidence is ever presented.

No verifiable evidence is presented because it shows your hand. If you show the enemy what you don't know, they could figure out what you weren't able to find out, and use that to their advantage. If they can trace the evidence back to a particular source, they can crack down on it and prevent future evidence from being collected through that pipeline. At best this means they change their security procedures, at worst it means they murder your spies.
>> because it shows your hand

Then why talk about it at all? I'll tell you why. It's propaganda. Someone is trying to shit into someone else's head.

It is, indeed, propaganda. But propaganda does not always have to be blatantly wrong - even a broken clock is right twice a day, etc.
> Intelligence is probably the most high stakes guessing game in history

Nope. Propaganda has higher stakes.

What's the guessing in propaganda? It's the complete opposite of sophisticated targeted attacks, basically propaganda is an iterative brute force.
Case and point. Most have no idea how sophisticated propaganda can be. At the highest levels, it washes over you without a trace. The PR industry has been perfecting it for 100 years. You'll never see it.
> I'm just saying that when someone says "this particular attack was definitely from country X" they're usually full of shit.

Coming from your average sysadmin that may be true but that's because they have little intel to work with. Some ssh logs implicating China in a brute-force attack, some malware with Cyrillic characters and linguistics, CNC in Iran, operational hours coinciding with a Brazilian workday...attribution is more an art than a science, hence the number of false positives.

That said, the government agencies have more metadata and packet tampering capabilities than they let on. When they need to make a point, they don't tip their hand-- evidence is fabricated through parallel reconstruction or we get just vague assertions with no evidence at all.

So who knows. At this level the question is less about technical ability and more about how much we trust our respective governments. Ours has certainly lied to us as the pretense for a military campaign before.

FYI, almost nobody in Russia uses Cyrillic in the programs/scripts. Most people write comments, variable names, even error messages in English. So when I read that some malware was attributed to us because of Cyrillic, for me it's a sure sign of bullshit.
Huh? So a perfect way for a Russian party to hide its tracks is to actually use Cyrillic.

No matter which option you pick, you set up yourself to be deceived.

In other words, better to just consider character set doesn't convey much information at all.

I think it's close to impossible to really tell where malware originated. It's a opening another way for US to blame any country arbitrarily.

You want to bomb Iran: just say that there were Farsi letters in the malware. Or the first infection happened in Iran. Or some Iranian was in the country where malware was spotted for the first time. It's not possible to prove or deny.

And nobody will ever be able to confirm anyway. US can say: "We have experts on Russian malware that said new virus contains a string "Сделано в СССР в помощь Трампу. С 23 февраля!", so Trump is definitely a Russian agent". There's zero logic or proof in this, but with strong propaganda almost everybody will believe it anyway.

This is a weakness of the United States. People here have never had to "read between the lines". Even now, when the whole propaganda apparatus was revealed in the aftermath of the 2016 election cycle most people refuse to admit they are being routinely manipulated and lied to.

In contrast, I'd say people who believe mass media in Russia 100% are in the minority. It's not even a question there in the minds of most Russians that they're being lied to.

Here in the US if it's in one of the main news outlets (all of which are controlled by like 5 people, who in turn are controlled mostly by the political establishment) easily 90% will take it at face value and won't see the narrative behind it.

Unless they have reproducible builds, information of the locale of the compiler gets added into metadata and other bits and pieces of the malware and that is how it gets tracked.

Yes this information can be faked, which is why they try to confirm with other intelligence

I suspect the US intelligence agencies have enough taps at enough points in the network that they can tell exactly where things are coming from. They aren't just looking at things from the destination system.
"hacked iPhone 7" how about that Apple fanboys?