> JBS’s five biggest beef plants in the U.S. -- which altogether handle 22,500 cattle a day -- have halted processing following a weekend attack on the company’s computer networks, according to JBS posts on Facebook, labor unions and employees.
It wasn't clear to me from the headlines that this is about meat plants.
Don't hacktivists/eco-terrorists usually claim responsibility? Shutting down beef/oil production for a few days isn't going to do much for the environment, if at all since demand basically stays the same, so claiming responsibility and/or getting awareness is the only reason for hacking.
This is being downvoted, but it seems like a reasonable theory to me. I know a decent number of brilliant engineers/hackers who are strong proponents of a vegetarian diet.
Or maybe it's just a general attack on US food production, and meat is the most vulnerable sector due to its complexity.
You could speculate that. Then you could ask yourself why a climate activist would create a situation where cattle starve at the plant and are put down and not used economically.
There are thousands of cattle in transit to just one of these facilities every hour of every day. Most are not equipped to feed incoming cattle - they arrive hungry and with minutes to hours to live. If you’re annoyed about the climate, forcing a manufacturer to throw out and waste hundreds of tons of perfectly fine beef does what, exactly? Send a message?
This isn’t spiking trees. You’re dealing with live animals. I have a hard time believing an activist environmentalist would be fine with exacerbating an animal welfare situation they already don’t like. Putting thousands of cattle through even worse experiences than usual. Yeah, no.
Source: One degree removed from a foreman at an impacted plant. What I’m describing is already happening - plant I’m aware of has 14k head on hand with about 24 hours to figure it out or kill and discard. The administration is already involved and aware of the details, too, and everyone should be vigilant regarding speculation as to who’s behind it (this is likely misdirection, given who it actually is).
>This isn’t spiking trees. You’re dealing with live animals. I have a hard time believing an activist environmentalist would be fine with exacerbating an animal welfare situation they already don’t like. Putting thousands of cattle through even worse experiences than usual. Yeah, no.
Animal rights activists aren't always known for thinking about the consequences of their actions.
Wait. So, you're saying that by virtue of being "one-degree removed from a foreman at an impacted plant", you know who the attackers actually are, and that it contradicts the White House's statement that it's "likely" Russia?
Although not a cyberattack it reminds me of the massive supply disruption and culling that occurred in the UK because of the mad cow disease.
There is still no clue as to why these disruptions happened but the educated guess mentioned in the article is ransomware. The one that is almost always forgotten is how they they escalated privileges through compromised passwords because most of these organizations don’t use multi factor authentication everywhere.
Although not a cyberattack it reminds me of the massive supply disruption and culling that occurred in the UK because of the mad cow disease
Still a form of information warfare attack, perpetuated by none other than Neil Ferguson, operating in plain sight. If he was a hacker he would be in prison but he does incalculable damage again and again and gets away Scot free every time!
Ransomware attacks were made more feasible (the ransom part) thanks to cryptocurrencies commoditizing low traceability for criminals. I'm pretty sure we're going to see more and more of them, especially with all "digital transformation" going on.
It could be, but that's something that only privileged elected officials e.g. members of the intelligence committee, US President, past presidents, etc, get to know. If you let yourself get into conspiratorial thinking you'll soon find yourself without any moorings whatsoever.
It could also be many other countries or even private entities that get excited about extracting money from big US companies. The list of possibilities is very long.
Cyber attacks between major powers targeting important infrastructure aren't conspiracy theories; we have plenty of confirmed cases of it at this point. Whether this situation in particular, or the recent oil disruption are targeted attacks is hard to say.
As with the "lab origin" situation, it's probably best to avoid whatever the mainstream media is saying and try to find the few rogue experts who aren't being paid to say the right thing (or nothing at all) and thus have no incentives other than the satisfaction of offering a frank assessment (with any luck, you can find them before they're banned from all social media platforms for "misinformation" (ie, disagreeing with the party line)). It took years for any official confirmation of Stuxnet being a state-sponsored attack. But if you were paying attention to the right people, you knew it had all the fingerprints of such an attack pretty early on.
As a layperson in basically all fields except the very narrow field of my professional career, I have basically a zero chance of finding the "right people" and about a 99% chance of finding someone who sounds like the "right people" and aren't.
It's because none of it is secured, and the US has a shit load of infrastructure that all has its own independent systems. Even a tiny percent being hacked per lifetime will be constant hacks in the news.
Theory: running the same system in pre-internet style would add overhead in salaries and delays that's more costly than being down for a few weeks after a hack.
Independent systems have their own problems but also benefits. The trendy word for this is ‘decentralized’. IMHO, I’d prefer we don’t have one big system. At least when the pipeline was shutdown it didn’t affect the entire country.
Posted this on the related thread on the front page: Klaus Schwab of the WEF “predicted” this a year ago [1]. Either the WEF and other NGOs are incredibly prescient on a number of unrelated issues, or we may be getting taken for a ride.
[1]https://m.youtube.com/watch?v=0DKRvS-C04o
I imagine it happens everywhere, but tends to make bigger news in the US. You can still find industrial control systems exposed to the internet with password free VNC...
Is there any other kind of "cyber attack" with respect to companies like this? This is a serious question, I can't imagine someone DDos'ing or trying to "steal passwords" or "private data" from a meat processor. But disrupting their business and holding them hostage? Seems to be a thing these days.
In terms of things that are not specifically targeted:
I still see things attacks on open SMTP ports to relay spam email, installing crypto mining software on PCs and servers, scanning for insecure VoIP phone systems and racking up long-distance phone bills..
The ransomware attacks makes a lot of headlines I think because it's somewhat easy to sensationalize without a lot of explanation of boring IT stuff, but there are still plenty of other things happening regularly to compromise insecure systems.
Sure, but those don't typically warrant telling anyone right? I mean "our email server just sent a zillion spam messages, we're working on it." would largely go under the radar I suspect.
The big difference is that ransomware is a strike directly against the people who got hacked, while turning servers into bot farms at worst costs them a little electricity. The victims of DDosSes, for example, aren't usually the ones whose compromised systems are running the DDoS.
1) Cyber warfare. Taking down critical capacity like food production weakens your enemy. I don't think hostilities are anywhere near bad enough with anyone for this to be an issue at this point; but it would not surprise me if the other major countries are already in our systems and could do this with the push of a button if they wanted to. (Similarly, it would not surprise me if we were in theirs as well).
Establishing the capacity to do this at the push of a button, could have the effect of accidentally shutting things down. Either because of a mistake from the attacker, or because the attack is discovered and production is shut down out of an abundance of caution while we figure out what happened.
2) Terrorism. Really, I consider this the same as warfare, just coming from "terrorists" instead of "countries". With this broader base of attackers, I think there are groups that would be willing to do so. The only question is if they have the technical know-how. Given how cheap these ransoms can be ($4.4 mill for the pipeline hack), and the fact that a payed randsom probably a good profit margin, in terms of raw funding, these hacks seem within the range of terrorist groups.
All valid if we were at war or there was an active anti-meat terrorist group (I don't consider PETA to be terrorists :-). Just using the process of elimination to guess what is up and "ransomware" is highest on my survey board at the moment. (weak hat tip to Family Feud)
Sure, you could have an attack whose goal is to cause damage like what happened in the Sony Pictures hack in 2014 [1]. Or follow through on a direct blackmail attempt of money for no disruption. Even if we limit ourselves to financially motivated actors there are plenty of ways to convert business disruption to money other than ransomware such as stock manipulation, competitive sabotage, etc.; they are just a little more sophisticated in the non-technical aspects. However, these tactics are quite rare currently because most hackers are extremely financially unsophisticated, being mostly young technically-minded people, so they focus more on the technical aspect of just doing more hacks rather than the business aspect of extracting the most value through solid financial engineering.
We can see this by the fact that just a few years ago they would take down the same types of companies they are hitting now and ask for a ridiculously low sum of like $10k, but now they are asking for a much more reasonable, but still low $1M. Nothing changed about who they were attacking, they just slowly realized that they underestimated how much companies would pay for their "services" by a factor of 100x. That is a classic mark of a business amateur who has no idea just how much money is involved in B2B deals.
But to your underlying question, yeah, it is probably ransomware.
The most obvious one to me, especially affecting a meat producer, is activism. Disrupting supply chains for meat production could very well drive demand for plant-based alternatives, and if it becomes a cost of doing business, perhaps it would balance out massive subsidies which keep meat prices competitive with prices for plant-based meats.
FWIW, I'm not saying it couldn't have some other motivation, I am saying that it is unlikely.
And now Bloomberg is reporting it was a ransomware attack -- "It’s unclear exactly how many plants globally have been affected by the ransomware attack as Sao Paulo-based JBS has yet to release those details."
> A CNN White House correspondent reported on Tuesday afternoon that JBS told the Biden administration it had received a ransom request from a criminal organization “likely based in Russia.”
And we computer scientists believe political vague statements with no evidence behind them why? It's not like there are dozens of cases of "intelligence" being wrong in the past 15 years...
Business-focused? How should that do anything about security? Do you want to charge an entry fee that evil people cannot afford? Or just label it "serious business only"? Have things audited somehow? I don't think any of that would do any good.
Honestly, "business-focused" decisions like cost-center accounting, and various schemes to save money, are really how we got into this mess. A lot of our appalling lack of computer security basically comes from the equivalent of a hospital administration refusing to allow surgeons the time to wash their hands.
As "reductio ad absurdum" of a metaphor as that seems, that was actually the huge culture battle that got fought when germ theory came out - tons of medical practices refused to waste time on such "silliness". Over time it became a cultural norm, and then became a protected practice through professional guilds, and through law, so that even if hospital administrators push for surgeons to hurry up and fit more patients into a day (and they do), their prerogative to take their time and do it right is institutionally protected.
Almost every concrete way to manifest "building a business focused internet" is something that the businesses can already do, today. They aren't doing it.
It doesn't do any good if your secretary needs access to the "business focused internet" and also has to get mail from the "normal" internet. The transitive nature of networks makes things very hard to isolate in practice. People and businesses are going to have to accept a lot more inconvenience to isolate things better, and that inconvenience is real money, too.
The problem is you end up with yet another manifestation of a common business problem; if you take the time and money to build a secure business, that carefully isolates everything correctly, that hires good security engineers, that accepts higher costs of doing business, you'll be in a position to handle a cyberpocalypse better than your competitors and you will reap the benefits when that day comes. The problem is, you'll never survive to see that day come because you'll have been utterly outcompeted by your competition that cut corners and carelessly, but effectively, integrated their systems, and over-optimized their internal systems to function more cheaply day-by-day. You may have taken the time to build on the rock while they threw shacks up on the sand but they end up killing you before the storm comes.
The first step is reliable backups. Preferably to write-once media. And both onsite and offsite. Hard backups aren't expensive.
Not of everything. Just the important stuff. Maybe a snapshot of the whole business once a month in addition to transaction backups.
Any business doing financial transactions should be backing them up to something like Blu-Ray disks. Preferably the blanks with the 1000-year lifetime. US banks are already required to do something like that, by the FDIC.
For one thing backups are no use if you do not test them. How often are you going to bring your systems down to test restorinig from backup? If you do not how do you know they work?
Also, even provided you have known-good backups from the time before an attack occured: restore takes time, for a whole-company-restore in the order of several weeks to several months. Can your business survive that long without doing anything?
Okay, let's assume that you have a bunch of Blu-ray disks with backups of your databases - for a round number suitable for some enterprise, let's assume a hundred separate systems, but you want to restore just the important stuff, so a dozen of them. How do you do that if all your infrastructure is toast? Also, how do you restore a cluster of interconnected systems from different vendors? I mean, all of that is done, but it's far from easy or trivial, and if you're not properly prepared, backups alone aren't enough as it'll take a lot of time and work until you have the systems functional and properly interconnected so what you can restore the data to them.
Those systems aren't simply deployable overnight, and I would presume that for at least half of these systems the enterprise never ever had the capability to deploy them, the initial install was and configuration done by a combination of vendor engineers and outside consultants and took six or more months. Sure, you'll recover the data eventually, but you'd rather pay a ransom to avoid as much downtime.
All true, and I think the solution is even harder than that. That is, even the best-intentioned and well-resourced companies would face severe headwinds in trying to "build [or rebuild] on the rock".
A lot of these businesses have been around for decades and are working on mountains of technical debt. They built ad-hoc systems over the years (before security was "a thing"), employ tenuously-functioning integrations with acquired company systems and more. To make matters worse, much of the technical knowledge has walked out of the door over the years.
In my consulting days it wasn't unusual to find that no one in a company really understood how systems worked (or even why). And, in some cases, they actually didn't work. I've seen billing systems that were unpredictable and relied on customers to call to report billing errors. Not a single person in the company even understood how it was supposed to work.
And, these were sizable companies. Agile has only exacerbated these issues as more software is built more quickly and with scant documentation.
All of that to say that it's difficult enough for many companies to build functioning software, let alone to secure it. And, the number of people who truly understand what it takes to secure networks/software is tiny relative to demand for engineers.
Throw in OSS, zero-days, social engineering attacks, etc. and it starts to become clear that any realistic solution includes a regime of deterrence through aggressive responses at the nation-state level. Sure, we should require companies to do more to secure their networks/systems, educate on best practices, etc. But, it's easy to issue an off-handed "they should've been more secure" response. The reality is that many companies simply aren't. We need to appreciate the difficulty and the protracted timeline over which any hardening might happen (if at all), and deploy a multi-faceted approach that also treats the problem as the national security issue it represents.
A "business focused internet" is a security measure.
That sounds a lot like "do not connect one's valuable and vulnerabe machines to the open internet" which is something one should aready be doing in the first place and one can and should be doing it right now with the current internet we have.
It needs heavy funding or subsidizing, this sort of product needs to be scaled up fast, because the price per lb of the meat is so much more expensive than low quality chicken, beef, pork etc. purchased at costco type bulk prices.
Does BK separate its griddles and fryers between vegetarian and non-vegetarian items? Because if they don't, then meat products will leach animal fats and proteins while they cook and your vegetarian items will pick them up.
There’s no reason to believe that the plants that produce vegan products are any more secure; if veganism became the norm then the infrastructure required to process that food would be as valuable a target as meat processing is today.
I hope it's beginning to sink in to corporate America: you need to get serious about security. Go Linux. Hire many permanent security experts with continuous audit processes. Acknowledge the true cost of IT.
Absolutely. Plenty of America runs on EOL Windows XP legacy apps that have been too complicated to migrate. Sometimes they run airgapped until someone realizes that isn’t practical. CEOs must demand better and be willing to pay for it. Without leadership support these migrations almost always fail.
And (operating) system and programming language designers must make security a foundational property of their systems. Most modern languages will never be secure, because their semantics necessitate things like global names. Trying to graft security extensions onto an existing language that wasn't built with them in mind will be painstaking and will always lag behind and is thus often abandoned: https://en.wikipedia.org/wiki/Caja_project
Or perhaps the choice makes a difference, but neither is sufficiently secure. Both likely have dozens if not hundreds of undiscovered array-out-of-bounds errors, stack overruns, and race conditions, some of which may have security implications.
I don't think that "re-write everything in Rust" is the final solution in terms of security, but in terms of something like the Linux kernel one can at least see how such a (difficult and unlikely) project might at least address many of the low-hanging fruit so developers can shift their focus to fixing higher-level vulnerabilities.
The risk of kernel exploits isn't the main threat. The complete lack of meaningful sandboxing is a much bigger problem.
Most applications need to be able to read:
- files that the user drops into them or opens through a file picker (which could be OS-controlled, giving access to only the selected file)
- their own storage/config directories
- read-only system libraries
- temp files (again, isolated per app)
Just moving everything into this model would already go a long way.
We see kernel exploits on phones because you need them to bypass the sandboxing. We don't see them often on computers, because why would attackers bother?
I can agree with that; writing applications the same way we did on 1980's Unix systems is no longer a sensible way of doing things, and I really wish there was some momentum around fixing that too.
Targeting politically important industries rather than strategically important ones (no price increases get people quite as fumed and likely to take to the streets as gasoline and meat price increases) is an interesting development in quasi-state-sponsored cybercrime.
Interesting. My third thought was “Huh, perhaps we’ll be eating less beef until the inevitable price shock and hoarding passes.”
(First thought was for the poor IT folks stuck in this mess and the second was remembering a sensitive machine that was open to all of AWS because the vendor’s servers “needed access to push frequent updates.” and “nobody has ever pushed back on that requirement before.”)
Klaus Schwab of the WEF “predicted” this a year ago [1]. Either the WEF and other NGOs are incredibly prescient on a number of unrelated issues, or we may be getting taken for a ride.
In the case of the pipeline disruption, it was reported that the USG disrupted the CCC of the ransomer and their crypto accounts were drained.
I wonder if a similar sort of reaction will happen here or if the attackers will move more quickly?
From a technical standpoint, why was JBS' backup chain a workable solution for JBS and not for the pipeline operator? Was it incompetence on the part of the attacker or just a better defense, or luck?
Looks like I'll end up having to pull brisket off the menu again this summer (I own & operate a BBQ food truck).
Before this latest blow to the supply chain I have already seen a 66% increase in brisket prices in the past 4 weeks ($2.99/lb about a month ago, current price is $4.99). The restaurant industry is already running on low margins so it will be interesting to see how this is all going to shake out.
Raising prices is an option but that is very market dependant. BBQ customers in general are more price sensitive than lobster customers and I would lose sales at a higher price point.
There is a certain price (which I have generally found is $4.50 - $4.99/lb, that is when my food cost for a brisket sandwich hits 50%. Target food cost should be somewhere around 30%) where it just isn't worth it to sell brisket. BBQ is somewhat unique in that you have to estimate your demand ahead of time - you can't just throw on another brisket if you run out and I don't reheat/re-use leftovers. So even if I raise my prices $2/sandwich to cover the increased cost my risk is still higher because any unsold product is now a higher loss.
Is it possible to purchase the cuts in advance and store them frozen or does that noticeably effect the quality? Seems straightforward to through some cuts in a deep freezer to smooth out supply costs. I do that on the small scale at home though obviously the capital costs would be proportionally larger at scale.
That's exactly what I did starting about a month ago - I've got enough on hand to last about a month (most of that is committed to catering jobs that already have a set price - so my forecasting is much easier but if I didn't lock in the price I would have to eat the difference).
As long as they are safely handled I've found no quality difference at all when freezing stuff that is cryo-vaced. More often than not it has already been frozen at least once before it gets to me.
I don't ever sell anything that has been re-heated after cooking though. You can also do that with little to no quality loss but I try to position myself as a premium brand so everything is 'cooked to order'. There are also a lot more food safety concerns (cooing it fast enough, re-heating it fast enough, etc.) that I don't want to worry about. I vacuum seal cooked BBQ at home and it's just as good as fresh but you can't do that in a commercial setting without special permits that aren't available to food trucks (at least not in my area).
I'm sure you know your business and market, but I'd just through out an example from my back yard.
Matt's BBQ is the best Texas style bbq in Portland by a considerable margin. I've been a customer and friendly with him since he started out in a pawn shop parking lot with zero foot traffic and almost no road visibility. He charges $13.50 for a 1/2 lb of brisket, similar prices for other meats. Sides are typically around $3.50.
He's up to multiple locations and his own commissary kitchen that's like 2000 sq feet.
He sells out every single day.
It's been really fun to watch his business blow up. It's all been from the strength of his product, and his personal hustle to get the momentum. His customer base is loyal and willing to pay a premium.
He even has a side hustle selling smoker rigs, via a partnership.
I'm enjoying this discussion and I'm glad you brought up your example, but keep in mind the sort of folks ordering BBQ in Portland are a very specific class of customers :)
Do you have any awareness how obnoxious it is to assert you know my neighborhood better than me? When it's clear you've never been to any of these places, talked with fellow customers, etc?
It's a mixed race neighborhood. For the first couple years his neighbor in the pawn shop parking lot was a soul food cart. The clientele at both looked basically the same in terms of demographics.
While you won't find as much good BBQ in Portland as say central Texas, the Carolinas, etc, it's not some sort of exotic novelty.
I don't know why you are so determined to stereotype this stuff, but it is not helpful.
You living someplace, eating at a restaurant, and having a general gestalt of the local experience does not make you (or any of us) an expert on statements about population-level demographics or the economic implication. There's no reason to get upset that someone on the internet doesn't believe your analysis, or to call them names.
It is a statistical impossibility that any given group in Portland is the same as any given group in Texas on the metrics I mentioned, so your claim is really that these metrics don't influence price sensitivity.
It's statements like this that are revealing:
> People do value authenticity in my town. The big corporate chain restaurants are a lot more sparse here, exactly because the local places are just as cheap, far higher quality, locally owned, and using local ingrediants, etc.
There's no trade-off between chain restaurants and locally owned? The latter is just an unalloyed good and other regions of the country are just making mistakes for no reason? So no, I don't find your analysis convincing, but as I already said I appreciate your input in the discussion.
Dude, it's literally my neighborhood, which I've been in for over a decade. These people are mostly my neighbors. They're who I talk to at the corner store, at the cart pods, at the bar when we're watching the Blazers games.
Just. Stop.
I never made any claim about blanket superiority, just described factually what this place is like. You'll find plenty of people and even data supporting that characterization if you want.
Likewise I did not claim anything about equality with Texas, just that your utterly naive assertion that the customer base for the food cart I mentioned must be slanted a particular way, based on literally nothing. It is not.
You don't understand what I've already written if you think that any of this hinges on how many years you've lived in the neighborhood, or high integrated into the community you are.
I do I simply disagree strongly, just as strongly as you would had I tried to bulldoze you with a naive stereotyped view about something you personally are highly familiar with.
In any case, it's clear continuing this line of discussion is pointless.
No doubt, but the reason people do or don't get it vary widely be region. In Portland I expect it's more likely to be a novelty or cultural experience, and therefore the clientele to be less price sensitive than Texas.
> He charges $13.50 for a 1/2 lb of brisket, similar prices for other meats. Sides are typically around $3.50.
People in Portland and other liberal cities will paradoxically pay a premium for "poor people" food. When you are wealthy enough to consume whatever you want, the rarest commodity is something that feels like an authentic, meaningful experience. Cuisines that come from poor areas carry that sense of authenticity with them and can charge appropriately.
I don't think you can assume that pricing model will work well outside of a few places like Portland, SF, NYC, Seattle, LA. People that aren't wealthy enough such that they do care about food prices aren't going to pay extra because a brisket is served on a just-so-cute-and-"real" metal tray.
Food carts in Portland are extremely informal and very much a thing for everyday people, including people with low incomes by local standards. In fact it's one of the main drivers of their popularity here.
It's not a matter of wealthy people adopting "poor people's food" as a novelty. It's just good food no matter your situation in life. Matt is charging on the higher end, and a complete meal is still under $20. The best burger in my area is a double bacon cheese for $4.50 that uses really quality ingredients.
I've talked with customers at Matt's that live out in the country and make an hour plus drive to come by every once in a while.
People do value authenticity in my town. The big corporate chain restaurants are a lot more sparse here, exactly because the local places are just as cheap, far higher quality, locally owned, and using local ingrediants, etc.
The genesis of the food cart scene here was the city has some smart policies about making it affordable to start these businesses. Many people who dream of someday having a restaurant start out this way. You can make a serious shot at it with just $50k or so, which is tiny even by small business capital standards. They price their food accordingly.
It's true this place is getting more expensive, but I assure you, if you go out to any of the pods, you'll see a roughly even mix of people who are middle class, and young people that probably make barely enough to cover rent at a service industry job. Everyone will be hanging out, friendly and chatting.
Please don't project your own assumptions onto this scene if you've not been there. This town is pretty grossly misrepresented by a wide swath of media.
That price point is not outlandish. That foodtruck would probably be just as successful setting up outside of bars in Cleveland even. What I've noticed as an adult now visiting friends in various places, high cost of living low cost of living, is food and drink are basically the same exact price. Pints of beer from $6-9 or so. Entrees $12-16 or so. Everywhere in the country has settled at this median pricepoint, no matter what the cuisine.
> I don't reheat/re-use leftovers. ... any unsold product is now a higher loss.
Perfect yesterday BBQ meat! Coming from USSR/Russia with its food shortages in 198x-first half of 199x i still kind of mentally shudder reading such things even after 21 years of living here.
It’s not waste in that it goes into the trash - it’s just a sink cost that I’ll never recoup. Anything left over I keep for myself, give to friends/family, or donate (which is actually more difficult than you would expect since it is perishable)
I’m only open once or twice a week so secondary uses (beans, chili, etc) unfortunately don’t work for me.
That's because lobster roll customers are rich yuppies. BBQ is for poor people who cannot afford good cuts of meat so they resort to pulverizing bad cuts of meat with smoke heat and sauce.
You're exactly right that BBQ is popular and that's why BBQ is getting worse. I know I sound like a salty hipster but bear with me for a moment. There's some "show me the incentives I'll show you the outcome" reasoning behind my opinion.
When a thing becomes trendy among moneyed demographics there is now stupid money to be made selling a caricature of that thing to people with too much money. BBQ is one of those thigns becoming just another experience for yuppies to talk about in the break room on Mondays. When you're running a BBQ joint you're not selling meat cooked in a particular style, you're selling an experience. People don't care about whether your BBQ is a career long refinement of what grandma made. They care about whether it's something they can brag about. They're looking for an experience and if you want to stay in business you're gonna sell it to them. It's not about doing your thing well, it's about presentation and show. Many of the people running these restaurants hate bastardizing their craft and leaning into an image/stereotype like this but it's what pays the bills.
Maybe I'm just jaded from growing up in a tourism economy but money uncritically thrown at something tends to ruin it.
When I go looking for a restaurant I go for <censored>, <censored> and <censored>, because those three genres aren't trendy right now and any business specializing in them has to succeed on its own merits, it can't just print money by looking the part.
Fortunately, BBQ in particular is one of those cuisines that with close attention to detail and some hours spent researching on the Net, you as an individual can turn out a brisket that, if not as good as say Snow's or Franklin, is more than Good Enough for an extremely satisfying experience when done with some friends and family as a group effort. One of the glories of our current age is this outcome can be reproduced with many if not all other cuisines and dishes.
No less a pit master than Aaron Franklin will tell anyone who cares to listen that they individually can absolutely turn out a brisket that is equal to or better than what he serves up at his eponymous restaurant. He takes pains to point out it only takes caring attention to detail to that single brisket, which is why I think I run into a greater proportion of BBQ enthusiasts in hacker circles compared to my other communities when categorized by interests. He freely admits his and other pit masters' "secret sauce" lays in how they scale it up and keeps it close to what they produce when they are making only one brisket at home for family and friends.
I generally consider BBQ competitions overblown affairs that are arguing how many angels can dance on the head of a pin. To me, after a certain point it is quite good enough, and any further optimization for "better" doesn't pass my personal cost-benefit filter, and I'd rather spend the cognitive effort on my dining companions.
It is either that, or I possess a philistine palate. The latter is quite possible because I hold a similar opinion of many of the fine dining establishments I've eaten at, from quite fine kaiseki, omakase, Chinese, Michelin-starred French, various fusions, steak, and other restaurants, some with pretty eye-popping per-diner prices. That's mostly because I believe that we're at the nascent, fragile stages of achieving post-scarcity (by no means assured, and still many generations away), and part of that journey involves the elevation of increasingly finer experiences (perhaps some requiring ever-greater cognitive effort to appreciate that I'm not aware of) to a mass market.
Yup, there is craft everything now. For example, macaroni and cheese. To me, that will always be the poor folk food of my youth, even though my friends rave about eating it at fine dining establishments. I'm sure soon we'll have artisinal sloppy joes as well -- why not, with high quality ingredients and a creative chef, you can make any dish interesting.
Brisket prices have been going up for quite a while now, not least since the pandemic started. This event is likely going to be a blip. That said, typically one of the ways to hedge against volatile prices is through forward contracts. If you have a float, have you thought about pre-paying for brisket to get a discount? I only mention this because I remember reading a story told by Nick Kokonas, who co-owns Alinea, a famous 3 Michelin starred restaurant in Chicago. When he discovered he had a float, he decided to pre-pay his vendors instead of taking net 120 and in the process got a 50% discount on beef. (because pre-paying improved his vendor's cashflow and reduced their risk, they passed it back to him in the form of savings)
"Food costs money. But the way that everyone (in the F&B industry) looks at food costs, and paying for food is very weird. When COVID started, every famous chef that went on TV said, “This is the kind of business where this week’s revenues pay for bills from a month ago.” So when we started to bring in money from deposits and prepaid reservations, I suddenly looked and we had a bank account that had a couple million dollars in it — of forward money
"I started calling up some of our big vendors for the big, expensive items — like proteins: meat, fish; luxury items: like caviar, foie gras, wine and liquor, and I said, “I don’t want net-120 anymore, I want to prepay you for the next three months.” And they had never had that kind of a phone call from a restaurant before.
So how much should they discount it? So let’s say we’re going to buy steaks. We’re going to pay $34 a pound wholesale for dry aged rib-eye, we get net-120 (normally). So I call the guy and say “I’m going to use 400 pounds of your beef a week for the next 4 months, for our menu, which is about about $300,000 of beef, what (would) we get, if we prepay you?” And he was like “what do you mean?” I’m like “I want to write you a check tomorrow for all of it, for four months.” And he was like, “Well, no one has ever said that.” So he called me the next day, he said “$18 a pound” … so … half. Half price.
I went, “I’ll pay you $20 if you tell me why.” And he said, “Well, it’s very simple. I have to slaughter the cows, then I put the beef to dry. For the first 35 days I can sell it. After 35 days there’s only a handful of places that would buy it, after 60 days, I sell it $1 a pound for dog food.” So his waste on the slaughter, and these animals’s lives, and the ethics of all of that, are because of net-120! Seems like someone should have figured this out! As soon as he said that, everything clicked, and I went “We need to call every one of our vendors, every time, and say that we will prepay them.”
I think you have a well-reasoned, thoughtful post here, but perhaps the person who operates a BBQ food truck might not be the best positioned to take futures contracts out on brisket?
Also, aren't forward contracts by definition unsecured as compared to a futures market?? If the supplier genuinely doesn't have supply or goes out of business, you've lost your money, right?
You can contract around anything, including penalty clauses. But yes if there isn't any X to be had, your agreement to take delivery isn't really helpful today.
Quite right, it's just the seed of an idea. As for scale, that can be achieved through pooling (i.e. group buys), though it wouldn't work right now due to supply constraints.
Prices had come back down to pre-pandemic levels up until about a month ago. Nationwide easing of restrictions has increased demand faster than the supply chain has been able to keep up.
That is an excellent idea (having more than just a transactional relationship with you food vendor is a good idea in general) but my volume is way too low to have that type of leverage. The best I can do (and fortunately what I did when I saw the prices increasing) is pre-buy and freeze as much as I can to lock in the then-current pricing. Right now food supplies aren't even able to fill many wholesale orders because they don't have enough supply so I'm not sure pre-paying would help if they can't even get the product. For example one major vendor has changed their order cutoff time from 11PM to 5PM so they can spend that extra time allocating their available stock across all the orders because they don't have enough for everyone.
BBQ is my side hustle so I'll be ok either way - but if I was paying my mortgage via food service I would be alot more concerned.
Yes, a supply crunch does make it difficult to execute on these types of strategies. And you're certainly right that having a relationship with your suppliers is often advantageous -- very often, including upstream parties in one's system boundaries increases one's surface area for cost optimization.
Also, just thinking aloud, during normal times, if you happen to know other hobbyist BBQ folks, I'm wondering if there might be opportunities to enter into an informal group-buying situation where you pool your collective brisket demand and bulk buy at a discount. That wouldn't work right now but perhaps it might during normal times. There are websites based around this idea. Best of luck.
It would be very interesting to see a followup report from Nick on what happened with COVID. Did they refund those customers who pre-paid for dinners that couldn't happen? Were they left holding the bag for the dry-aged ribeye that they then couldn't sell? I would love to hear the story.
I don't have the full story on what happened to the tickets and the dry aged beef, but on several podcasts, Kokonas talked about how they pivoted hard to takeout and actually did some of their best sales during COVID than at any other time.
A lot of folks work like mad in tech to build up a small nestegg and then go pursue a passion. Starting with a food truck is a great way to suss out and ease into eventually owning and running restaurants. It's like the MVP of a cuisine/restaurant idea.
I still have my tech job and don’t plan on going full BBQ anytime soon. I do it enough that it keeps me busy but I can always say no to a catering job or event so it’s still enjoyable and not a chore.
The right opportunity would have to come along for me to jump onto the restaurant world. It’s definitely something I’ve looked into but one thing I have learned is that the BBQ is the easy part of running a BBQ business - it’s everything else that is tricky. Right now I don’t have to worry about employees, rent, etc. so someone with those strengths would have to make a pretty good pitch to get me to open a restaurant.
The short answer is BBQ is “hobbies gone wild” for me.
My “9-5” is in IT and that’s what pays the bills by BBQ is my passion.
I’ve being doing BBQ professionally for 10+ years. It started out just done some small catering jobs and has grown from there. Through BBQ I’ve been able to do lots of cool stuff that I would have never imagined when I started. I was heavily involved in competition BBQ for several years and through that I’ve worked with several big brands . Currently I’m focused on my food truck and rub and sauce products. I’ve also done several BBQ classes and hope that as we turn the corner on COVID I can start that up again soon.
Growing a passion into one that makes money isn't rare. One of the optical engineers I work with is a master brewer at a local brewpub, working on recipes evenings and weekends, after decades of home-brewing. He does his side gig because he wanted to go bigger, meet more experienced people and try new things.
Losses due to underinvestment will motivate investment. Some companies will invest more wisely than others. Eventually every company will be wisely investing in security, by copying companies that got it right or by being replaced by them.
* Non-tech industry belatedly starts prioritising cyber security; security gradually gets better while costs increase and infosec consultants enjoy a Y2K-style boom.
* Tech-competent startups outcompete non-tech industries through avoiding ransom costs.
* The international internet degrades into mostly-closed national networks with end-to-end government control and monitoring.
* The US government starts treating these attacks as national security threats and goes all War on Terror, probably triggered by a hit on critical infrastructure that costs lives. Heinous collateral damage.
Data security will get better as the risk calculus changes. A lot of companies are mentally doing math:
(Probability of cyber attack per year) * (cost of ransom + costs of downtime) = X,
(Overhead of additional cybersecurity personnel)= Y
If X < Y, it's basically just a no brainier to just eat the costs and pay the X million if it happens. If Y > X, they hire security personnel and it "gets better".
If the government makes paying the ransom less attractive (via basically labeling it as a financial transaction with a sanctioned entity making it illegal) OR the probability of the cyber attack goes up (as this becomes more lucrative), risk calculus changes, security is improved, and it "gets better".
Most small and medium enterprises will eventually have to outsource their technology infrastructure to a few huge cloud vendors that have sufficient scale and technical expertise to build secure systems.
I seriously think one solution to this problem is for the US gov to start designating some of these gangs as something similar to enemies of the state and start taking military action against them. If there were serious repercussions for these actions, like serious jail time or even something more grave... then that changes the calculus for people running these gangs. At minimum, this shows the gov is taking this threat seriously.
EDIT: ok bad idea, lets take it easy on my poor account :)
Why not? $40 trillion dollars in weapons spending would easily save $10 billion dollars it would cost to hire security professionals on an annual salary to patch software and ensure that intrusion was more difficult.
This is exactly what they're doing now, they're just doing it with law enforcement agencies and not military. Military is honestly going to be worse at all of this, as they don't have the investigative capacity. This also ducks the very thorny political problems where Ukraine (never mind Russia!)are NOT going to allow US military involvement in domestic affairs, but do have agreements with Interpol that make this possible. Nobody wants extrajudicial military extraction squads acting on their turf.
I'm sure the various 3 letter agencies (NSA, CIA, etc) are already involved to a degree that's not publicly known.
There's a continuum of responses existing between "do nothing" and "drop missiles". For example, it'd probably be relatively easy for special forces to assassinate key personnel, even deep within enemy territory.
Do you really see nothing wrong with the US military carrying out assassinations of foreign nationals, in foreign territory, on behalf of private companies who can't be bothered to just invest in a decent security team?
The vast majority of participants on this forum work in an environment where the shelf of footguns and gotchas and stupid legacy cruft that is modern software development inherently makes sense. Anyone fucking that house of cards up gets attention not because of the state of modern software development that led them here, but because clearly something is wrong with the external world and that should be handled with cops or whatever the next step after that is. It is in no way an indictment of modern software as practiced, from toolchain on up.
Reminder: Memorial Day was yesterday and this thread is discussing killing human beings in yet another war because of holes in some stupid software that SV won’t lift a finger to fix. If you offer such a suggestion to fix the woes of vulnerable infrastructure, I’m assuming you’re volunteering to go pull the trigger, right? Or were you expecting someone else to do that for you?
Put down the assault keyboard and Clancy novel and get some perspective, subthread. Sheesh. Diddling around in the network of a company you didn’t know existed until five minutes ago is suddenly a capital offense because...Whoppers might run out?
You are absolutely right about the footguns, legacy cruft, and the joke-not-a-joke-it's-so-stupid that is modern web software development. That all needs to be fixed, and here at home
However, it is also not merely about the Whoppers running out - this is just this morning's example.
When even major "security" vendors can be turned into serious NatSec attack vectors, and much more critical infrastructure can also be attacked with ease, and they are doing it, it becomes a bona-fide NatSec issue.
Like any other NatSec issue, this requires both serious hardening actions at home, and serious threats against bad actors abroad. Whether that involves, some kind of diplomacy, economic sanctions, targeted software attacks, targeted covert actions, or overt drone strikes, is up to the experts in those domains, but we do need to treat this as a serious NatSec issue that it is.
On a planet with seven and a half billion people becoming more connected and tech-savy everyday, security by intimidation simply isn't a viable solution, or a meaningful component of a larger solution.
>On a planet with seven and a half billion people becoming more connected and tech-savy everyday, security by intimidation simply isn't a viable solution, or a meaningful component of a larger solution.
It absolutely is and must be a viable component. Those increasingly connected people are also increasingly vulnerable in real-world ways that go well beyond tech. And, it is near impossible to completely secure networks/systems with their near limitless attack surfaces.
Treating it as a game of cat and mouse in which you know the mouse will invariably lose with some regularity, then consigning yourself to ever playing the mouse is disastrous policy.
It is both. How many hackers from Russian & fmr Soviet countries attack within those countries?
Very few. So few that they literally encode checks for RUS language / keyboard installs and skip that machine, and doing such install is at least for now a legit security measure [1]. This isn't just from RUS legal structure and no extradition treaties, but their very intimidating response to anyone acting up internally (I've read of at least one instance where a hacker was found dead at his keyboard with missing hands). RUS security doesn't eff around, and we shouldn't either.
Many people will not play at the pointy end of the NatSec game because you are risking your life, and some do because of that. It is definitely a useful measure, among others, to make it known that trespassing with such intent on western computer systems is also getting you into that risk category.
>is suddenly a capital offense because...Whoppers might run out?
We know the stakes are much higher. We all know there have been attacks on hospitals, law enforcement systems, government agencies, infrastructure companies, etc. And, we know that none of us have a clue where the next attack will be.
>and stupid legacy cruft that is modern software development
Yes, modern software development is stupid, crufty and all of those things. But, these are actual attacks by actual actors, not some self-imploding poor designs. In many cases, these attacks are state-sanctioned, if not outright state-sponsored. So, of course they should be treated just as we treat other attacks. And, under what other scenario do we respond to an attack by declaring "Oh, you got us. We should have better protected that".
These are clear national security threats and should, accordingly, be subject to the full range of responses as any other threats. That includes deterrence. It doesn't necessarily mean dropping bombs. But, it does mean more than blaming ourselves.
>Diddling around in the network of a company you didn’t know existed until five minutes ago
I'd wager there are many companies that the average person has never heard of that, if knocked offline, would result in considerable disruption, economic costs, and even physical danger to a significant portion of the population.
The United States invaded a country under false pretenses and killed almost 300,000 of their civilians... is using a B2 with a laser guided bomb to blow up a team of hackers really all that bad?
The entire computing apparatus of humanity ostensibly can’t figure out secure systems by default without fifty vigilant FAANGineers on hand to rewrite everything quarterly, and then spends the day after Memorial Day arguing for drone strikes and targeted assassinations against two-bit racketeering operations calling them on it to avoid fixing the actual problem. Video at 11.
At least companies that are paying for a ransomware should be condemned for financing criminal groups. Because you can be certain that part of the ransom is used to grow their activities. If nobody was paying the ransom, their would be no interest in developing ransomware.
The cyberattack and the fact that one company had 20% of the country's beef processing capacity. A more distributed economy with smaller operators means fewer, less valuable targets for piracy, as well as more supply chain resilience when one company is taken offline.
A few years, back, Maersk went down for almost a week due to encryption-type malware.[1] Things happen slowly enough in sea shipping that the impacts were mostly to Maersk itself. It cost them about US$330 million.
But the lack of backups is just a symptom. From the article:
In 2016, one group of IT executives had pushed for a preemptive security redesign of Maersk’s entire global network. They called attention to Maersk’s less-than-perfect software patching, outdated operating systems, and above all insufficient network segmentation. That last vulnerability in particular, they warned, could allow malware with access to one part of the network to spread wildly beyond its initial foothold, exactly as NotPetya would the next year.
The security revamp was green-lit and budgeted. But its success was never made a so-called key performance indicator for Maersk’s most senior IT overseers, so implementing it wouldn’t contribute to their bonuses. They never carried the security makeover forward.
And higher prices. I'm all for the smaller distributed suppliers, but let's remember that scale makes things cheaper/easier and there's a reason companies join up. Your local delivery organised between a few farms will be beaten on price by JBS.
That can be true, but it's also massively oversimplified. Efficiency is usually overrated - lower prices come from cutting labor costs and product/service quality. In some cases, combination doesn't wind up lowering prices for the customer in the long run. Once market power is sufficiently concentrated, pricing power gets shifted to the suppliers and distributors, so prices can be raised back up to increase margins.
The local delivery may lose on end price, but they also provide a ton of structural benefits. Usually the cost savings the customer is pretty marginal compared to what has been given up.
This is one of the intractable problems of human society. There is no optimal solution:
Consolidation gives you consistency, network effects, and economies of scale. But it also gives you monocultures, stagnation, and overfitting.
Heterogeneity and competition gives you incentives to optimize, innovation, and robustness. But it also gives you redundancy, knowledge loss, and inefficiency.
Technically there probably is an optimal solution, if you decide on a system for valuing each of those positives/negatives. Once you manage that, there's almost certainly a point on the curve that gives you the highest total value. And yes, it is probably impossible to be objective here, but a subjective optimal solution can be helpful too.
And I'd argue that we have chosen such an optimal solution, where robustness is given a low weighting, and now we are experiencing a predicted downtime event. The cost of this event is spread across the whole economy, and the executives (in industry and govt) who made the decisions which led to this will experience no downside personally. Executives at rivals who have just as bad an IT problem will receive bonuses.
Essentially, we have a very weak correction incentive. Until capable hackers are endemic and ransomware hits everyone, there is little likelihood of change. Next week it could be RJR Nabisco, or Synnex/TurboTax/DuPont, or just 10,000 variants of {tiny $20m company that makes software for auditing sewerage pipe and is used by 370 of the 3000 counties in the US, and every client gets the DB corrupted}.
I think we are constantly tweaking things over time.
For much of human history, consolidation was natural but the relative simplicity of technology kept barriers of entry low which enabled competition and new entrants. Also, poorer logistics and transportation meant you have many smaller semi-independent markets instead of fewer monolithic ones.
Industrialization and powered transportation upended that and gave a lot of power to consolidation. That led to the era of robber barons.
That power concentration was so bad for society that eventually the labor and antitrust movements came around to somewhat correct it.
I think now we're seeing another oscillation. Software creates huge network effects and economies of scale. If a business writes a single program once, they can run it on as many servers or sell it to as many users as possible. Services that let users interact benefit exponentially from network effects. AI generates a lot of value, but requires extremely large datasets that only the largest corporations have access to.
We are essentially in the era of digital robber barons right now. Six of the top ten richest people in the world according to Forbes got there through software. (Arguably seven if you consider Musk's wealth to be software-driven.)
We are clearly nowhere near the optimal point on the consolidation continuum. With luck, we'll get something like an "information labor movement" and more teeth in our antitrust regulation to correct that.
Sure, there is an optimal meta-solution if you're able to define which set of trade-offs represent a "winning" solution.
But that's different from other problems where you can simply try to optimize the result itself directly. For example, we probably don't need to have hard discussions of trade-offs when it comes to, I don't know, infant mortality. There's almost no upside to babies dying (assuming you aren't heartless enough to consider less overpopulation to be an "upside").
But with business size, there are many desirable factors and improving any of them reduces another directly opposed but also desireable factor.
Competition is good. Cooperation is also good. Increasing one by definition lowers the other.
I disagree. I prefer the variety of different stores. I prefer the unique floor plans, esthetics, and in house products. I don’t like having Walmart, target, Dunkin, and Starbucks in every city I go to. I may be near poor but I go out of my way to avoid big box stores whenever and wherever I can. I like stores that have been run by the same owner or manager for decades. I’ve seen multiple local shops balloon into chains and in every single case their service, product quality, and in store experience got markedly worse. If I’m going to support Big Box Store then I’m going to nickel and dime every transaction I make with them because that’s how they treat me, their customer. Take the personality out of the experience and all that’s left is the transaction, no loyalty, no good feelings, just the exchange of cash for product. No amount of Twitter wokeisms, virtue signaling, or advertising will replace their dehumanization.
Today, I was finally able to incorporate the "Where's the beef!?!" catch-phrase into daily conversation! But, it just didn't land as funny as I was expecting in my mind.
Hackers are laughing at the idea of concentrating large amounts of the economy at a single company. The whole internet will be coming to a halt once this can replicated on at least one of the big web companies.
So this random article [0] I googled says it's ransomware.
Can that really be called an "attack" ?
JBS said:
not aware of any evidence that any customer,
supplier, or employee data has been compromised
So the "attackers" didn't steal anything. Give them the finger then, restore from backup, get upset about losing 25 minutes of data and keep going.
How are ransomware "attacks" still a thing ? Why is any of the software that controlls meat-cutting/oil pipeline hardware not air-gapped under normal operations? How is there no plan on how to continue operating when losing power, so that stuff still works?
One of these "attacks" pops up every three days and I get that if data is exfiltrated then the problem is not the same.
BUT
"someone encrypted all my data" and "oh shit, my harddrive crashed" have almost the exact same recovery plan and we have dedicated a complete international holiday called World Backup Day[1] over ten years ago to remind people of the principles of how that works that were known since at least when harddrives where invented.
It's not an attack, it's pure negligence.
It's not special IT SuperHighTechnologyKnowledge either. It's a simple principle:
Things need to exist in at least three places in case one of them breaks and the other explodes/tornadoes/earthquakes.
The slightly advanced corollary is:
Make sure that the thing in the three places is actually the thing that it should be.
... It's not like I do not understand how organizations fail at this that or the other and that maybe the tradeoffs here were made correctly, but it still boggles the mind.
It is cheaper to build a shoddy system out of the pre-made parts that software companies sell. A shiny very capable system can be built quickly, and cheaply.
To build a robust system, segmented, properly backed up, maintained professionally... costs a lot more.
To have staff on your payroll who understand your systems, who can maintain your systems and recover your systems in a disaster means having expensive professionals on the payroll who look like they are doing nothing.
When your whole business goes into a paralysis because of the costs you saved, there will be some one to blame. Some clerk in a office that "clicked on a attachment" - it is their fault....
Yes, it is cheaper in the long run to build robust maintained systems. But in the long run we are all dead, and our bonuses will be paid before the catastrophe, and anyway it is "some body else's fault".
I think a lot of the "cost savings" and "efficiency" of sticking everything on computers and putting them online would evaporate if it all had to be secured properly, even for fairly generous values of "properly".
It's always a weird phase. A proper one would be "we have no records of data exfiltration, so we hope it didn't happen". Attackers had the access, otherwise the data wouldn't be encrypted.
> restore from backup, get upset about losing 25 minutes of data and keep going.
Unless you want to be owned again in 30min, you need to first analyse how did it happen the first time and how to mitigate it, before getting everything back online. That takes time.
> Why is any of the software that controlls meat-cutting/oil pipeline hardware not air-gapped
None of those were affected. The pipeline hack took their billing system down, not the operations. I haven't seen the details here, but it's not like the meat saws and trucks just stopped - more likely the stock/communication/billing system was stopped as well.
They're probably using some insane piece of crap corporate management system written by a Fujitsu subsidiary or something. "Restore from backup" might not be something that's possible for them.
It is interesting how many companies end up paying $30M for pre-packaged garbage when they could get something a lot better by hiring a competent IT/developer for a few years at 10% of the cost. I think the biggest impediment is finding the small fraction of people who could actually pull it off; there's a huge opportunity there for anyone who can figure out how to connect top-tier devs to companies who just need to hire one person and don't have the domain expertise to know who/how to hire.
One of these "attacks" pops up every three days and I get that if data is exfiltrated then the problem is not the same.
Even exfiltration seems less dire in these recent cases than it would in other industries. If anything, beef carcasses seem less likely to require HIPAA or PCI compliance than gasoline deliveries...
Core count seems a less-than-useful restriction on its own. Clock rate, cache sizes, and instructions per cycle need to be limited for this to be effective. Then bandwidth has to be constrained to avoid people building Beowulf clusters of RISC-V systems (which we won't be able to buy in the US thanks to "munitions" import restrictions from overseas producers).
RAM and disk capacities will also have to be limited for similar reasons. As will their speeds.
CPU enthusiasts, builders, and overclockers would get put on a government list, then shadowbanned from social video platforms for encouraging domestic cyber terrorism.
If those countries take away the legal system route of extradition for attacks on critical infrastructure, then in my mind its justifiable to go the batman style of extradition with a special forces team.
Fixing infrastructure won't get done because the people in charge are too stupid, lazy and greedy to fix it. Most of them are so wealthy they're completely insulated from the consequences of their actions (or inaction, as the case may be). Folks need to wake up and realize they're living in a global public-private idiocracy.
More like, don’t harbor or foster attacks on critical infrastructure or we will take action to bring those that do to justice. At what point do those actions by other countries become acts of war?
It's interesting to compare this to the physical-world analog. What if somebody shows up at the US-Canada border, start shooting rockets at Canada, and the US refuses to acknowledge this as a crime or extradite? What if the rockets are aimed at a critical piece of infrastructure near the border and can cause billions in damage? One could argue that if the US condones these attacks, they have effectively already declared war on Canada.
Well that's the main issue, currently the states do not consider such cyberattacks the equivalent of sending troops or rockets across the border that justify a "kinetic" response but rather the equivalent of earlier espionage activities which usually justifies only a diplomatic response. Of course, that might change in the future.
It's generally not illegal to pay ransom, though with ransomware you have the issue that the recipients may be subject to US sanctions and it could be illegal to send them money on those grounds.
Or identify certain certain specific "hacks" and setup a bounty program. If you can gain root access by guessing the CEOs password, he should be punished not you.
Edit: doubly so if the company is question is part of important infrastructure (including food supply).
"The U.S. needs to make it illegal to pay ransom."
Ugh. So you get attacked through some old wordpress install, freak out to get your company online, pay, now you also go to jail for paying a ransom. Not a fan of this plan.
Even with backups we've seen companies are more than willing to pay a modest ransom, like the pipeline last month. It takes a long time to fully restore big infrastructure from backup--especially if it's something like old tapes.
But yeah, companies should stop viewing security and IT as a cost center and start paying up for good penetration testing every few years.
Ransom is actually quite efficient (in a utilitarian sense) in scenarios like this. The net long-term result is an efficient allocation of resources towards computer security.
See Matt Levine's 10 laws of insider trading. In particular, "5. Don’t do it by planting bombs at a company and shorting its stock." Somebody nicely put a non-paywall link here: https://github.com/0xNF/lawsofinsidertrading.com
Buying puts in this fashion will generally be a remarkable, traceable event. There's a reason ransoms typically go through cryptocurrency.
> Then respond with force, arresting people, targeting however you can.
Yeah that's a nice fantasy. "Hands up, Russky bastards, the Navy Seal Bin Laden crew is here to take you out." Shoots up a row of laptops while bearded Russian hackers cower in fear.
Except for that to happen the Seals would have to have reliable intel from inside an uncooperative foreign state, and the ability to move freely, carrying guns, in that foreign state; and if they raided in it without permission, that would be an act of war.
Oh, so it's Russia the root of all evil again. Without a single piece of evidence. How convenient!
Thanks god we have nuclear weapons, otherwise we'd definitely experience another incursion like Iraq or Afghanistan, that were made under absurd pretexts and only led to great numbers of civilian casualties and some economical gain for the US and/or US government officials tied to the military complex.
The US needs to make it illegal to have private data left in a database without a password (hello equifax), or on a old machine with obsolete OS with known vulnerabilities.
Or to sell routers, wifi printers, cameras and smart TVs with known security flaws, and to leave it without updates.
Then respond with force, arresting people, targeting however you can.
436 comments
[ 902 ms ] story [ 625 ms ] threadIt wasn't clear to me from the headlines that this is about meat plants.
One could speculate that those are climate activist attacks.
Or maybe it's just a general attack on US food production, and meat is the most vulnerable sector due to its complexity.
Otherwise..
There are thousands of cattle in transit to just one of these facilities every hour of every day. Most are not equipped to feed incoming cattle - they arrive hungry and with minutes to hours to live. If you’re annoyed about the climate, forcing a manufacturer to throw out and waste hundreds of tons of perfectly fine beef does what, exactly? Send a message?
This isn’t spiking trees. You’re dealing with live animals. I have a hard time believing an activist environmentalist would be fine with exacerbating an animal welfare situation they already don’t like. Putting thousands of cattle through even worse experiences than usual. Yeah, no.
Source: One degree removed from a foreman at an impacted plant. What I’m describing is already happening - plant I’m aware of has 14k head on hand with about 24 hours to figure it out or kill and discard. The administration is already involved and aware of the details, too, and everyone should be vigilant regarding speculation as to who’s behind it (this is likely misdirection, given who it actually is).
Animal rights activists aren't always known for thinking about the consequences of their actions.
https://www.independent.co.uk/news/freed-mink-bring-death-to...
https://slate.com/technology/2017/07/thousands-of-minks-die-...
There is still no clue as to why these disruptions happened but the educated guess mentioned in the article is ransomware. The one that is almost always forgotten is how they they escalated privileges through compromised passwords because most of these organizations don’t use multi factor authentication everywhere.
https://en.wikipedia.org/wiki/Bovine_spongiform_encephalopat...
Still a form of information warfare attack, perpetuated by none other than Neil Ferguson, operating in plain sight. If he was a hacker he would be in prison but he does incalculable damage again and again and gets away Scot free every time!
It could also be many other countries or even private entities that get excited about extracting money from big US companies. The list of possibilities is very long.
As with the "lab origin" situation, it's probably best to avoid whatever the mainstream media is saying and try to find the few rogue experts who aren't being paid to say the right thing (or nothing at all) and thus have no incentives other than the satisfaction of offering a frank assessment (with any luck, you can find them before they're banned from all social media platforms for "misinformation" (ie, disagreeing with the party line)). It took years for any official confirmation of Stuxnet being a state-sponsored attack. But if you were paying attention to the right people, you knew it had all the fingerprints of such an attack pretty early on.
I hope this is because of a self hardening mechanism and not what it looks like, continued assault by adversaries.
I still see things attacks on open SMTP ports to relay spam email, installing crypto mining software on PCs and servers, scanning for insecure VoIP phone systems and racking up long-distance phone bills..
The ransomware attacks makes a lot of headlines I think because it's somewhat easy to sensationalize without a lot of explanation of boring IT stuff, but there are still plenty of other things happening regularly to compromise insecure systems.
2) Terrorism. Really, I consider this the same as warfare, just coming from "terrorists" instead of "countries". With this broader base of attackers, I think there are groups that would be willing to do so. The only question is if they have the technical know-how. Given how cheap these ransoms can be ($4.4 mill for the pipeline hack), and the fact that a payed randsom probably a good profit margin, in terms of raw funding, these hacks seem within the range of terrorist groups.
We can see this by the fact that just a few years ago they would take down the same types of companies they are hitting now and ask for a ridiculously low sum of like $10k, but now they are asking for a much more reasonable, but still low $1M. Nothing changed about who they were attacking, they just slowly realized that they underestimated how much companies would pay for their "services" by a factor of 100x. That is a classic mark of a business amateur who has no idea just how much money is involved in B2B deals.
But to your underlying question, yeah, it is probably ransomware.
[1] https://en.wikipedia.org/wiki/Sony_Pictures_hack
And now Bloomberg is reporting it was a ransomware attack -- "It’s unclear exactly how many plants globally have been affected by the ransomware attack as Sao Paulo-based JBS has yet to release those details."
> A CNN White House correspondent reported on Tuesday afternoon that JBS told the Biden administration it had received a ransom request from a criminal organization “likely based in Russia.”
I'm now starting to think that it's necessary.
I know a lot of people will just say that these companies just need to pay attention to security, but the problem is asymmetrical.
Focusing on security is like being a pacifist when dealing with a hostile bully. You get your butt kicked a lot.
Honestly, "business-focused" decisions like cost-center accounting, and various schemes to save money, are really how we got into this mess. A lot of our appalling lack of computer security basically comes from the equivalent of a hospital administration refusing to allow surgeons the time to wash their hands.
As "reductio ad absurdum" of a metaphor as that seems, that was actually the huge culture battle that got fought when germ theory came out - tons of medical practices refused to waste time on such "silliness". Over time it became a cultural norm, and then became a protected practice through professional guilds, and through law, so that even if hospital administrators push for surgeons to hurry up and fit more patients into a day (and they do), their prerogative to take their time and do it right is institutionally protected.
We don't have anything like that in programming.
1. Has enterprise-grade auditing and report generation. For what? Doesn't matter, nobody reads them.
2. Has an account manager for every open port.
3. Has IBM/Oracle style exponential cost increases for locked-in customers.
They exist. Radianz, BPIPE and several more.
It doesn't do any good if your secretary needs access to the "business focused internet" and also has to get mail from the "normal" internet. The transitive nature of networks makes things very hard to isolate in practice. People and businesses are going to have to accept a lot more inconvenience to isolate things better, and that inconvenience is real money, too.
The problem is you end up with yet another manifestation of a common business problem; if you take the time and money to build a secure business, that carefully isolates everything correctly, that hires good security engineers, that accepts higher costs of doing business, you'll be in a position to handle a cyberpocalypse better than your competitors and you will reap the benefits when that day comes. The problem is, you'll never survive to see that day come because you'll have been utterly outcompeted by your competition that cut corners and carelessly, but effectively, integrated their systems, and over-optimized their internal systems to function more cheaply day-by-day. You may have taken the time to build on the rock while they threw shacks up on the sand but they end up killing you before the storm comes.
Not of everything. Just the important stuff. Maybe a snapshot of the whole business once a month in addition to transaction backups.
Any business doing financial transactions should be backing them up to something like Blu-Ray disks. Preferably the blanks with the 1000-year lifetime. US banks are already required to do something like that, by the FDIC.
For one thing backups are no use if you do not test them. How often are you going to bring your systems down to test restorinig from backup? If you do not how do you know they work?
Those systems aren't simply deployable overnight, and I would presume that for at least half of these systems the enterprise never ever had the capability to deploy them, the initial install was and configuration done by a combination of vendor engineers and outside consultants and took six or more months. Sure, you'll recover the data eventually, but you'd rather pay a ransom to avoid as much downtime.
A lot of these businesses have been around for decades and are working on mountains of technical debt. They built ad-hoc systems over the years (before security was "a thing"), employ tenuously-functioning integrations with acquired company systems and more. To make matters worse, much of the technical knowledge has walked out of the door over the years.
In my consulting days it wasn't unusual to find that no one in a company really understood how systems worked (or even why). And, in some cases, they actually didn't work. I've seen billing systems that were unpredictable and relied on customers to call to report billing errors. Not a single person in the company even understood how it was supposed to work.
And, these were sizable companies. Agile has only exacerbated these issues as more software is built more quickly and with scant documentation.
All of that to say that it's difficult enough for many companies to build functioning software, let alone to secure it. And, the number of people who truly understand what it takes to secure networks/software is tiny relative to demand for engineers.
Throw in OSS, zero-days, social engineering attacks, etc. and it starts to become clear that any realistic solution includes a regime of deterrence through aggressive responses at the nation-state level. Sure, we should require companies to do more to secure their networks/systems, educate on best practices, etc. But, it's easy to issue an off-handed "they should've been more secure" response. The reality is that many companies simply aren't. We need to appreciate the difficulty and the protracted timeline over which any hardening might happen (if at all), and deploy a multi-faceted approach that also treats the problem as the national security issue it represents.
That sounds a lot like "do not connect one's valuable and vulnerabe machines to the open internet" which is something one should aready be doing in the first place and one can and should be doing it right now with the current internet we have.
Permissions should be able to be set in a fine grained way, capability security needs to become much more well known: https://github.com/void4/notes/issues/41
I don't think that "re-write everything in Rust" is the final solution in terms of security, but in terms of something like the Linux kernel one can at least see how such a (difficult and unlikely) project might at least address many of the low-hanging fruit so developers can shift their focus to fixing higher-level vulnerabilities.
Most applications need to be able to read:
- files that the user drops into them or opens through a file picker (which could be OS-controlled, giving access to only the selected file)
- their own storage/config directories
- read-only system libraries
- temp files (again, isolated per app)
Just moving everything into this model would already go a long way.
We see kernel exploits on phones because you need them to bypass the sandboxing. We don't see them often on computers, because why would attackers bother?
USE OF MCAFFE INTENSIFIES
(First thought was for the poor IT folks stuck in this mess and the second was remembering a sensitive machine that was open to all of AWS because the vendor’s servers “needed access to push frequent updates.” and “nobody has ever pushed back on that requirement before.”)
[1]https://m.youtube.com/watch?v=0DKRvS-C04o
These hackers sure are progressive. I wonder what they'll target next: plastics, flights, or ammo?
I wonder if a similar sort of reaction will happen here or if the attackers will move more quickly?
From a technical standpoint, why was JBS' backup chain a workable solution for JBS and not for the pipeline operator? Was it incompetence on the part of the attacker or just a better defense, or luck?
Before this latest blow to the supply chain I have already seen a 66% increase in brisket prices in the past 4 weeks ($2.99/lb about a month ago, current price is $4.99). The restaurant industry is already running on low margins so it will be interesting to see how this is all going to shake out.
There is a certain price (which I have generally found is $4.50 - $4.99/lb, that is when my food cost for a brisket sandwich hits 50%. Target food cost should be somewhere around 30%) where it just isn't worth it to sell brisket. BBQ is somewhat unique in that you have to estimate your demand ahead of time - you can't just throw on another brisket if you run out and I don't reheat/re-use leftovers. So even if I raise my prices $2/sandwich to cover the increased cost my risk is still higher because any unsold product is now a higher loss.
As long as they are safely handled I've found no quality difference at all when freezing stuff that is cryo-vaced. More often than not it has already been frozen at least once before it gets to me.
I don't ever sell anything that has been re-heated after cooking though. You can also do that with little to no quality loss but I try to position myself as a premium brand so everything is 'cooked to order'. There are also a lot more food safety concerns (cooing it fast enough, re-heating it fast enough, etc.) that I don't want to worry about. I vacuum seal cooked BBQ at home and it's just as good as fresh but you can't do that in a commercial setting without special permits that aren't available to food trucks (at least not in my area).
Matt's BBQ is the best Texas style bbq in Portland by a considerable margin. I've been a customer and friendly with him since he started out in a pawn shop parking lot with zero foot traffic and almost no road visibility. He charges $13.50 for a 1/2 lb of brisket, similar prices for other meats. Sides are typically around $3.50.
He's up to multiple locations and his own commissary kitchen that's like 2000 sq feet.
He sells out every single day.
It's been really fun to watch his business blow up. It's all been from the strength of his product, and his personal hustle to get the momentum. His customer base is loyal and willing to pay a premium.
He even has a side hustle selling smoker rigs, via a partnership.
It's a mixed race neighborhood. For the first couple years his neighbor in the pawn shop parking lot was a soul food cart. The clientele at both looked basically the same in terms of demographics.
While you won't find as much good BBQ in Portland as say central Texas, the Carolinas, etc, it's not some sort of exotic novelty.
I don't know why you are so determined to stereotype this stuff, but it is not helpful.
It is a statistical impossibility that any given group in Portland is the same as any given group in Texas on the metrics I mentioned, so your claim is really that these metrics don't influence price sensitivity.
It's statements like this that are revealing:
> People do value authenticity in my town. The big corporate chain restaurants are a lot more sparse here, exactly because the local places are just as cheap, far higher quality, locally owned, and using local ingrediants, etc.
There's no trade-off between chain restaurants and locally owned? The latter is just an unalloyed good and other regions of the country are just making mistakes for no reason? So no, I don't find your analysis convincing, but as I already said I appreciate your input in the discussion.
Just. Stop.
I never made any claim about blanket superiority, just described factually what this place is like. You'll find plenty of people and even data supporting that characterization if you want.
Likewise I did not claim anything about equality with Texas, just that your utterly naive assertion that the customer base for the food cart I mentioned must be slanted a particular way, based on literally nothing. It is not.
In any case, it's clear continuing this line of discussion is pointless.
People in Portland and other liberal cities will paradoxically pay a premium for "poor people" food. When you are wealthy enough to consume whatever you want, the rarest commodity is something that feels like an authentic, meaningful experience. Cuisines that come from poor areas carry that sense of authenticity with them and can charge appropriately.
I don't think you can assume that pricing model will work well outside of a few places like Portland, SF, NYC, Seattle, LA. People that aren't wealthy enough such that they do care about food prices aren't going to pay extra because a brisket is served on a just-so-cute-and-"real" metal tray.
Food carts in Portland are extremely informal and very much a thing for everyday people, including people with low incomes by local standards. In fact it's one of the main drivers of their popularity here.
It's not a matter of wealthy people adopting "poor people's food" as a novelty. It's just good food no matter your situation in life. Matt is charging on the higher end, and a complete meal is still under $20. The best burger in my area is a double bacon cheese for $4.50 that uses really quality ingredients.
I've talked with customers at Matt's that live out in the country and make an hour plus drive to come by every once in a while.
People do value authenticity in my town. The big corporate chain restaurants are a lot more sparse here, exactly because the local places are just as cheap, far higher quality, locally owned, and using local ingrediants, etc.
The genesis of the food cart scene here was the city has some smart policies about making it affordable to start these businesses. Many people who dream of someday having a restaurant start out this way. You can make a serious shot at it with just $50k or so, which is tiny even by small business capital standards. They price their food accordingly.
It's true this place is getting more expensive, but I assure you, if you go out to any of the pods, you'll see a roughly even mix of people who are middle class, and young people that probably make barely enough to cover rent at a service industry job. Everyone will be hanging out, friendly and chatting.
Please don't project your own assumptions onto this scene if you've not been there. This town is pretty grossly misrepresented by a wide swath of media.
I don’t have any plans to go full time with BBQ anytime soon but that’s exactly the model I’ve looked into.
Perfect yesterday BBQ meat! Coming from USSR/Russia with its food shortages in 198x-first half of 199x i still kind of mentally shudder reading such things even after 21 years of living here.
I’m only open once or twice a week so secondary uses (beans, chili, etc) unfortunately don’t work for me.
This is really not true anymore. BBQ has become a high-ticket item thanks to “Craft BBQ” and growing demand
https://www.khou.com/mobile/article/news/brisket-prices-are-...
When a thing becomes trendy among moneyed demographics there is now stupid money to be made selling a caricature of that thing to people with too much money. BBQ is one of those thigns becoming just another experience for yuppies to talk about in the break room on Mondays. When you're running a BBQ joint you're not selling meat cooked in a particular style, you're selling an experience. People don't care about whether your BBQ is a career long refinement of what grandma made. They care about whether it's something they can brag about. They're looking for an experience and if you want to stay in business you're gonna sell it to them. It's not about doing your thing well, it's about presentation and show. Many of the people running these restaurants hate bastardizing their craft and leaning into an image/stereotype like this but it's what pays the bills.
Maybe I'm just jaded from growing up in a tourism economy but money uncritically thrown at something tends to ruin it.
When I go looking for a restaurant I go for <censored>, <censored> and <censored>, because those three genres aren't trendy right now and any business specializing in them has to succeed on its own merits, it can't just print money by looking the part.
I generally consider BBQ competitions overblown affairs that are arguing how many angels can dance on the head of a pin. To me, after a certain point it is quite good enough, and any further optimization for "better" doesn't pass my personal cost-benefit filter, and I'd rather spend the cognitive effort on my dining companions.
It is either that, or I possess a philistine palate. The latter is quite possible because I hold a similar opinion of many of the fine dining establishments I've eaten at, from quite fine kaiseki, omakase, Chinese, Michelin-starred French, various fusions, steak, and other restaurants, some with pretty eye-popping per-diner prices. That's mostly because I believe that we're at the nascent, fragile stages of achieving post-scarcity (by no means assured, and still many generations away), and part of that journey involves the elevation of increasingly finer experiences (perhaps some requiring ever-greater cognitive effort to appreciate that I'm not aware of) to a mass market.
Was this just a joke or are you genuinely censoring your own opinions on what food you like because you're scared of them becoming more popular?
Huh? The cuts are tough, yes, but they're also the most flavorful. There's nothing bad about them.
Go try and use a ribeye to make a cheeseburger sometime. It's incredibly bland compared to the flavor you're used to getting from chuck.
From: https://commoncog.com/blog/cash-flow-games/
"Food costs money. But the way that everyone (in the F&B industry) looks at food costs, and paying for food is very weird. When COVID started, every famous chef that went on TV said, “This is the kind of business where this week’s revenues pay for bills from a month ago.” So when we started to bring in money from deposits and prepaid reservations, I suddenly looked and we had a bank account that had a couple million dollars in it — of forward money
"I started calling up some of our big vendors for the big, expensive items — like proteins: meat, fish; luxury items: like caviar, foie gras, wine and liquor, and I said, “I don’t want net-120 anymore, I want to prepay you for the next three months.” And they had never had that kind of a phone call from a restaurant before.
So how much should they discount it? So let’s say we’re going to buy steaks. We’re going to pay $34 a pound wholesale for dry aged rib-eye, we get net-120 (normally). So I call the guy and say “I’m going to use 400 pounds of your beef a week for the next 4 months, for our menu, which is about about $300,000 of beef, what (would) we get, if we prepay you?” And he was like “what do you mean?” I’m like “I want to write you a check tomorrow for all of it, for four months.” And he was like, “Well, no one has ever said that.” So he called me the next day, he said “$18 a pound” … so … half. Half price.
I went, “I’ll pay you $20 if you tell me why.” And he said, “Well, it’s very simple. I have to slaughter the cows, then I put the beef to dry. For the first 35 days I can sell it. After 35 days there’s only a handful of places that would buy it, after 60 days, I sell it $1 a pound for dog food.” So his waste on the slaughter, and these animals’s lives, and the ethics of all of that, are because of net-120! Seems like someone should have figured this out! As soon as he said that, everything clicked, and I went “We need to call every one of our vendors, every time, and say that we will prepay them.”
Scale matters.
That is an excellent idea (having more than just a transactional relationship with you food vendor is a good idea in general) but my volume is way too low to have that type of leverage. The best I can do (and fortunately what I did when I saw the prices increasing) is pre-buy and freeze as much as I can to lock in the then-current pricing. Right now food supplies aren't even able to fill many wholesale orders because they don't have enough supply so I'm not sure pre-paying would help if they can't even get the product. For example one major vendor has changed their order cutoff time from 11PM to 5PM so they can spend that extra time allocating their available stock across all the orders because they don't have enough for everyone.
BBQ is my side hustle so I'll be ok either way - but if I was paying my mortgage via food service I would be alot more concerned.
Also, just thinking aloud, during normal times, if you happen to know other hobbyist BBQ folks, I'm wondering if there might be opportunities to enter into an informal group-buying situation where you pool your collective brisket demand and bulk buy at a discount. That wouldn't work right now but perhaps it might during normal times. There are websites based around this idea. Best of luck.
https://news.yahoo.com/nick-kokonas-pivoted-hard-onset-19010...
COVID is weird in that it doesn't have a uniform effect on everyone.
I still have my tech job and don’t plan on going full BBQ anytime soon. I do it enough that it keeps me busy but I can always say no to a catering job or event so it’s still enjoyable and not a chore.
The right opportunity would have to come along for me to jump onto the restaurant world. It’s definitely something I’ve looked into but one thing I have learned is that the BBQ is the easy part of running a BBQ business - it’s everything else that is tricky. Right now I don’t have to worry about employees, rent, etc. so someone with those strengths would have to make a pretty good pitch to get me to open a restaurant.
I’ve being doing BBQ professionally for 10+ years. It started out just done some small catering jobs and has grown from there. Through BBQ I’ve been able to do lots of cool stuff that I would have never imagined when I started. I was heavily involved in competition BBQ for several years and through that I’ve worked with several big brands . Currently I’m focused on my food truck and rub and sauce products. I’ve also done several BBQ classes and hope that as we turn the corner on COVID I can start that up again soon.
* Non-tech industry belatedly starts prioritising cyber security; security gradually gets better while costs increase and infosec consultants enjoy a Y2K-style boom.
* Tech-competent startups outcompete non-tech industries through avoiding ransom costs.
* The international internet degrades into mostly-closed national networks with end-to-end government control and monitoring.
* The US government starts treating these attacks as national security threats and goes all War on Terror, probably triggered by a hit on critical infrastructure that costs lives. Heinous collateral damage.
(Probability of cyber attack per year) * (cost of ransom + costs of downtime) = X, (Overhead of additional cybersecurity personnel)= Y
If X < Y, it's basically just a no brainier to just eat the costs and pay the X million if it happens. If Y > X, they hire security personnel and it "gets better".
If the government makes paying the ransom less attractive (via basically labeling it as a financial transaction with a sanctioned entity making it illegal) OR the probability of the cyber attack goes up (as this becomes more lucrative), risk calculus changes, security is improved, and it "gets better".
EDIT: ok bad idea, lets take it easy on my poor account :)
I'm sure the various 3 letter agencies (NSA, CIA, etc) are already involved to a degree that's not publicly known.
How would you feel if they decided to declare some enemies on US soil and start hunting them on your patch?
Unless your assumption is that Russia/China would agree to the hunting of course, but that does seem unlikely.
Anything has risk of course, any hunting need be covert and expertly done.
>How would you feel if they decided to declare some enemies on US soil and start hunting them on your patch?
I would assume they already did that.
Reminder: Memorial Day was yesterday and this thread is discussing killing human beings in yet another war because of holes in some stupid software that SV won’t lift a finger to fix. If you offer such a suggestion to fix the woes of vulnerable infrastructure, I’m assuming you’re volunteering to go pull the trigger, right? Or were you expecting someone else to do that for you?
Put down the assault keyboard and Clancy novel and get some perspective, subthread. Sheesh. Diddling around in the network of a company you didn’t know existed until five minutes ago is suddenly a capital offense because...Whoppers might run out?
However, it is also not merely about the Whoppers running out - this is just this morning's example.
When even major "security" vendors can be turned into serious NatSec attack vectors, and much more critical infrastructure can also be attacked with ease, and they are doing it, it becomes a bona-fide NatSec issue.
Like any other NatSec issue, this requires both serious hardening actions at home, and serious threats against bad actors abroad. Whether that involves, some kind of diplomacy, economic sanctions, targeted software attacks, targeted covert actions, or overt drone strikes, is up to the experts in those domains, but we do need to treat this as a serious NatSec issue that it is.
It absolutely is and must be a viable component. Those increasingly connected people are also increasingly vulnerable in real-world ways that go well beyond tech. And, it is near impossible to completely secure networks/systems with their near limitless attack surfaces.
Treating it as a game of cat and mouse in which you know the mouse will invariably lose with some regularity, then consigning yourself to ever playing the mouse is disastrous policy.
Very few. So few that they literally encode checks for RUS language / keyboard installs and skip that machine, and doing such install is at least for now a legit security measure [1]. This isn't just from RUS legal structure and no extradition treaties, but their very intimidating response to anyone acting up internally (I've read of at least one instance where a hacker was found dead at his keyboard with missing hands). RUS security doesn't eff around, and we shouldn't either.
Many people will not play at the pointy end of the NatSec game because you are risking your life, and some do because of that. It is definitely a useful measure, among others, to make it known that trespassing with such intent on western computer systems is also getting you into that risk category.
[1] https://krebsonsecurity.com/2021/05/try-this-one-weird-trick...
We know the stakes are much higher. We all know there have been attacks on hospitals, law enforcement systems, government agencies, infrastructure companies, etc. And, we know that none of us have a clue where the next attack will be.
>and stupid legacy cruft that is modern software development
Yes, modern software development is stupid, crufty and all of those things. But, these are actual attacks by actual actors, not some self-imploding poor designs. In many cases, these attacks are state-sanctioned, if not outright state-sponsored. So, of course they should be treated just as we treat other attacks. And, under what other scenario do we respond to an attack by declaring "Oh, you got us. We should have better protected that".
These are clear national security threats and should, accordingly, be subject to the full range of responses as any other threats. That includes deterrence. It doesn't necessarily mean dropping bombs. But, it does mean more than blaming ourselves.
>Diddling around in the network of a company you didn’t know existed until five minutes ago
I'd wager there are many companies that the average person has never heard of that, if knocked offline, would result in considerable disruption, economic costs, and even physical danger to a significant portion of the population.
https://www.statista.com/statistics/198206/share-of-leading-...
https://shippingwatch.com/carriers/Container/article12930338...
[1] https://www.reuters.com/article/us-cyber-attack-maersk-idUSK...
https://www.wired.com/story/notpetya-cyberattack-ukraine-rus...
But the lack of backups is just a symptom. From the article:
The local delivery may lose on end price, but they also provide a ton of structural benefits. Usually the cost savings the customer is pretty marginal compared to what has been given up.
Centralization leads to systemic risk, as we see in this case.
Oh wait
Consolidation gives you consistency, network effects, and economies of scale. But it also gives you monocultures, stagnation, and overfitting.
Heterogeneity and competition gives you incentives to optimize, innovation, and robustness. But it also gives you redundancy, knowledge loss, and inefficiency.
Essentially, we have a very weak correction incentive. Until capable hackers are endemic and ransomware hits everyone, there is little likelihood of change. Next week it could be RJR Nabisco, or Synnex/TurboTax/DuPont, or just 10,000 variants of {tiny $20m company that makes software for auditing sewerage pipe and is used by 370 of the 3000 counties in the US, and every client gets the DB corrupted}.
For much of human history, consolidation was natural but the relative simplicity of technology kept barriers of entry low which enabled competition and new entrants. Also, poorer logistics and transportation meant you have many smaller semi-independent markets instead of fewer monolithic ones.
Industrialization and powered transportation upended that and gave a lot of power to consolidation. That led to the era of robber barons.
That power concentration was so bad for society that eventually the labor and antitrust movements came around to somewhat correct it.
I think now we're seeing another oscillation. Software creates huge network effects and economies of scale. If a business writes a single program once, they can run it on as many servers or sell it to as many users as possible. Services that let users interact benefit exponentially from network effects. AI generates a lot of value, but requires extremely large datasets that only the largest corporations have access to.
We are essentially in the era of digital robber barons right now. Six of the top ten richest people in the world according to Forbes got there through software. (Arguably seven if you consider Musk's wealth to be software-driven.)
We are clearly nowhere near the optimal point on the consolidation continuum. With luck, we'll get something like an "information labor movement" and more teeth in our antitrust regulation to correct that.
But that's different from other problems where you can simply try to optimize the result itself directly. For example, we probably don't need to have hard discussions of trade-offs when it comes to, I don't know, infant mortality. There's almost no upside to babies dying (assuming you aren't heartless enough to consider less overpopulation to be an "upside").
But with business size, there are many desirable factors and improving any of them reduces another directly opposed but also desireable factor.
Competition is good. Cooperation is also good. Increasing one by definition lowers the other.
I very much enjoy the fact that I can go to nearly any city in America and they'll have a few dozen well-known stores with recognizable product.
There are certainly bad forms of consolidation, but it's easy to overlook the good forms.
Today, I was finally able to incorporate the "Where's the beef!?!" catch-phrase into daily conversation! But, it just didn't land as funny as I was expecting in my mind.
Can that really be called an "attack" ?
JBS said:
So the "attackers" didn't steal anything. Give them the finger then, restore from backup, get upset about losing 25 minutes of data and keep going.How are ransomware "attacks" still a thing ? Why is any of the software that controlls meat-cutting/oil pipeline hardware not air-gapped under normal operations? How is there no plan on how to continue operating when losing power, so that stuff still works?
One of these "attacks" pops up every three days and I get that if data is exfiltrated then the problem is not the same.
BUT
"someone encrypted all my data" and "oh shit, my harddrive crashed" have almost the exact same recovery plan and we have dedicated a complete international holiday called World Backup Day[1] over ten years ago to remind people of the principles of how that works that were known since at least when harddrives where invented.
It's not an attack, it's pure negligence.
It's not special IT SuperHighTechnologyKnowledge either. It's a simple principle:
The slightly advanced corollary is: ... It's not like I do not understand how organizations fail at this that or the other and that maybe the tradeoffs here were made correctly, but it still boggles the mind.[0] https://townhall.com/tipsheet/leahbarkoukis/2021/06/01/cyber...
[1] http://www.worldbackupday.com/en/
It is cheaper to build a shoddy system out of the pre-made parts that software companies sell. A shiny very capable system can be built quickly, and cheaply.
To build a robust system, segmented, properly backed up, maintained professionally... costs a lot more.
To have staff on your payroll who understand your systems, who can maintain your systems and recover your systems in a disaster means having expensive professionals on the payroll who look like they are doing nothing.
When your whole business goes into a paralysis because of the costs you saved, there will be some one to blame. Some clerk in a office that "clicked on a attachment" - it is their fault....
Yes, it is cheaper in the long run to build robust maintained systems. But in the long run we are all dead, and our bonuses will be paid before the catastrophe, and anyway it is "some body else's fault".
It's always a weird phase. A proper one would be "we have no records of data exfiltration, so we hope it didn't happen". Attackers had the access, otherwise the data wouldn't be encrypted.
> restore from backup, get upset about losing 25 minutes of data and keep going.
Unless you want to be owned again in 30min, you need to first analyse how did it happen the first time and how to mitigate it, before getting everything back online. That takes time.
> Why is any of the software that controlls meat-cutting/oil pipeline hardware not air-gapped
None of those were affected. The pipeline hack took their billing system down, not the operations. I haven't seen the details here, but it's not like the meat saws and trucks just stopped - more likely the stock/communication/billing system was stopped as well.
It is interesting how many companies end up paying $30M for pre-packaged garbage when they could get something a lot better by hiring a competent IT/developer for a few years at 10% of the cost. I think the biggest impediment is finding the small fraction of people who could actually pull it off; there's a huge opportunity there for anyone who can figure out how to connect top-tier devs to companies who just need to hire one person and don't have the domain expertise to know who/how to hire.
Even exfiltration seems less dire in these recent cases than it would in other industries. If anything, beef carcasses seem less likely to require HIPAA or PCI compliance than gasoline deliveries...
Does this fall under violating the First Amendment, or the Second?
RAM and disk capacities will also have to be limited for similar reasons. As will their speeds.
Further, this should be a wake up call. If you're a business harden your network and make backups.
There’s a reason people hire these intermediary “consultants” to pay the ransoms.
Edit: doubly so if the company is question is part of important infrastructure (including food supply).
Ugh. So you get attacked through some old wordpress install, freak out to get your company online, pay, now you also go to jail for paying a ransom. Not a fan of this plan.
But yeah, companies should stop viewing security and IT as a cost center and start paying up for good penetration testing every few years.
They don't need ransom if they can buy put options.
Buying puts in this fashion will generally be a remarkable, traceable event. There's a reason ransoms typically go through cryptocurrency.
Yeah that's a nice fantasy. "Hands up, Russky bastards, the Navy Seal Bin Laden crew is here to take you out." Shoots up a row of laptops while bearded Russian hackers cower in fear.
Except for that to happen the Seals would have to have reliable intel from inside an uncooperative foreign state, and the ability to move freely, carrying guns, in that foreign state; and if they raided in it without permission, that would be an act of war.
Thanks god we have nuclear weapons, otherwise we'd definitely experience another incursion like Iraq or Afghanistan, that were made under absurd pretexts and only led to great numbers of civilian casualties and some economical gain for the US and/or US government officials tied to the military complex.
Or to sell routers, wifi printers, cameras and smart TVs with known security flaws, and to leave it without updates.
Then respond with force, arresting people, targeting however you can.