74 comments

[ 3.5 ms ] story [ 141 ms ] thread
Cyberattack day!

This one happened over a month ago, its obvious this is a trending headline likely not organically, so make sure to separate the dates before thinking we are under a coordinated attack all at once right now

The media needs something to scream about after corona is over. It looks like Russian and Chinese hackers are on the menu.
Corona isn't over and we should still be screaming at the top of our lungs at the Chinese for answers. Instead of going out to the shops and buying brooms to sweep the topic under the carpet (which are also recent buys).
> Instead of going out to the shops and buying Chinese made brooms to sweep the topic under the carpet (which are also recent buys).

FTFY

I think on HN this has always been a trend. a headline sparks more headlines of similar stories regardless of date. I've seen it happen quite frequently.
I've also noticed. I think once interest is sparked in a topic, any topic, people are thirsty for more. I don't think it's the most useful way to orderly accumulate knowledge of a subject but there it is, i'm as guilty as the next guy.
We can only talk about breaches on the day they happened otherwise it's propaganda?
Perhaps a pentester or security person can help answer this. Could a list of minimum network safety standards be made that:

a) would help the ransomware & hacking crisis, and, b) is practically enforcable at scale?

there are standards and operating procedures that can be used. it’s not that hard.

it comes down to training and cost cutting. If the penalty for failing miserably is 0 you won’t see any change. I would hold the companies responsible for things like this liable to the point they would be put out of business after an event like this. If the cost of being sloppy is that you no longer have a business people will start paying attention really quickly.

> there are standards and operating procedures that can be used

99% of these standards are completely useless and exist only to reduce legal liability. The other 1% are only incidentally slightly useful.

You will never ever create a secure company by following some stupid checklist, unless the checklist is so extreme as to be useless to most orgs. “Step 1: only run OpenBSD…”

a checklist is not where it begins, but it is where it starts. if you don’t have it you probably don’t know what you’re doing
This is almost the exact opposite of the truth. People who know what they’re doing don’t blindly follow some checklist. Doing this properly requires deliberation, or an implausibly large decision tree.
i disagree. having a set of rules and a domain expert that defines those rules is key. automation around enforcement and designing the system to make it as less painful as possible are also key.

you cannot just say: oh this is so complicated that we cannot possibly have a system for it and we have to rely on the people to do the “right thing”

> Perhaps a pentester or security person can help answer this

Not one of those but since they are [apparently] inadequate anyway...

I read an analogy that pinning this on "cyber security" is like accusing a mugging victim of having a lack of personal security guards. That's just not how civil society works.

Minimum safety standards: laws and ability to enforce them.

This is a short-term win for the bad actors. Just wait until the next "great firewall." Well gain safety, but we'll lose access to those low cost eastern European dev talent. That's more likely than every single US business being forced to hire private security just to operate.

I think of it more like someone's house getting robbed because of them having bad or no locks¯\_(ツ)_/¯
I don't think the analogy fits because there are so many ways for an attacker to compromise a system besides the "front door". If we want to stretch things, a member of your own family can unwittingly let a guest perform an action that enables the robbery weeks later.
> That's just not how civil society works.

This is a cope and also irrelevant.

Civil society works a certain way because of its social interaction dynamics. The internet works much differently (namely, retribution is much harder, which rules out most tit-for-tat transgression management strategies, and the scale is much larger than is possible with human interaction).

> I read an analogy that pinning this on "cyber security" is like accusing a mugging victim of having a lack of personal security guards. That's just not how civil society works

Civil society does punish businesses when bad things happen due to negligence. Especially when the result of the negligence negatively effects someone else.

A better analogy would be an armored truck full of cash parking overnight in a bad neighborhood with the doors unlocked, then crying to the media about how they were robbed by criminals. There has to be some level of personal responsibility; it's foolish to expect people to not do bad things just because the law says they shouldn't.
> it's foolish to expect people to not do bad things just because the law says they shouldn't

The parent comment:

> Minimum safety standards: laws and ability to enforce them.

So it's not just the law but also the potential for repercussions, of which there are currently zero.

There are definitely strategies that significantly reduce the cost of such an attack - one being append-only backups of a sufficient frequency and with a fast enough restore time. We have the tech to do this cheaply (mount user shares via ZFS-backed NFS, for example) but I’m not sure many places have the organizational competence to implement something so simple and effective. They need to spend 100x more money on something 10% as useful.

It’s also possible to eliminate these attacks entirely, but it probably requires corporate tech infra that looks totally different from what most orgs now. If it were my job to set up some sort of hardened corporate setup, my first step would probably be to restrict most employees to iPads. There’s not really any reason a shift manager at a meat packing plant or whatever needs or benefits from a Windows box.

The primary thing to help randsomemware would be to have tested backups, where you can reimage the computers and restore from backups reasonably quickly.
And offline backups
And to add to that, offline backups that go back 90+ days. Ransomware gangs frequently use time bombs to deploy their encryption after sitting within a system for a month or two. If you get hit by one of those gangs and only keep backups for 45 days, you're screwed, because your backup is still infected.
I think the perpetrators are now taking data "hostage", and threatening to release it publically unless the ransom is paid - in this case backups don't help, though it depends on how sensitive your data is.
In any case, that type of attack wont disrupt the business (in the short term)
But first you have to figure out how you got owned the first time and fix the issue. Otherwise you'll just get owned the next day again...
Backups are absolutely essential but I think you understate the amount of hours needed to restore an entire corporate network if it's compromised and encrypted at once. (As Colonial apparently found out)
> To gain access to the M.T.A. and other systems, the hackers took advantage of vulnerabilities in Pulse Connect Secure, a widely used connectivity tool that offers workers remote access to their employers’ networks. [...] The hackers took advantage of a so-called “zero day,” or a previously unknown coding flaw in software for which a patch does not exist.

The Pulse VPN has a history of security issues (see e.g. https://arstechnica.com/information-technology/2020/01/unpat...) - so much so that the second and third Google autocomplete results are "pulse vpn vulnerability" and "pulse vpn hack". One practically enforceable at scale rule is to pay attention to whether your vendors have a bad security track record and also be meaningfully prepared to switch (switching VPNs is no fun, but it's doable).

Another one is to ask your vendors what they're doing about their security track record and whether they are taking systematic measures to make zero days less frequent and not just fixing individual bugs. "Stop using memory-unsafe languages" is one of my favorite answers to that, but there are a lot of others: "use sanitizers," "test your code with fuzzers," "use open-source components for the privileged portions," "get frequent third-party audits," etc. are all potential answers too. Some work better than others; any of them is better than not having an answer.

> “The M.T.A.’s existing multilayered security systems worked as designed, preventing spread of the attack,” said Rafail Portnoy, the M.T.A.’s chief technology officer. [...] there was “no employee or customer information breached, no data loss and no changes to our vital systems.”

The other really good answer here is to not have an all-or-nothing architecture for your network, and it sounds like the MTA is doing that already. Don't wire the train-switching network to the email-checking network just because you can. This is much harder to practically enforce at scale in an environment that wasn't designed for it, but it's a great rule to enforce in new systems. Any time you build something that would be worse to get taken over by hackers/ransomware/whatever than the rest of your company's computerized systems, build it separately and make limited interfaces for people to interact with it.

The move to put everything in the cloud really ought to make this easier: you can make a new cloud account for new systems and use bastion hosts etc. for developer access to them, instead of throwing it in your existing account.

You need a "mature" security organization that can stick it's tentacles into everything and still be effective or embed security people directly on teams to gate changes like a CI tool does. A security team that operates at a distance is totally ineffective.

I've worked a bunch of places that have passed various audits and certifications, you know, PCI, SOC, and unfortunately the audits of infrastructure isn't as deep as the average Joe would expect. They place heavier weight on processes over technical safeguards. It's like what they say about the CISSP exam, a mile wide and an inch deep.

If the world had a small fraction of the will necessary to counterattack, seize assets, and capture perps, we could shut many of these clowns down quickly. The DarkSide group is an example of a swift law enforcement action, only days after the Colonial hack. Maybe that only happens if you threaten oil profits but we could pretend.

https://threatpost.com/darksides-servers-shutdown/166187/

There are none. Compliance is bargaining with a universe that doesn't care.

Hold product managers and non-tech execs accountable for security breaches. Stop treating IT/ops like the suckers. Since that's never going to happen, buy some Monero to increase your bargaining leverage on the ransom price.

The bar is not very high, it's bike theft economics. Your stuff only needs to be less vulnerable than the next guys, unless you are a political target. If you are a political target, please forget my name.

CEO of a pentesting company here, I've participated in or supervised close to ~2k tests of applications and networks.

Sadly I have to report what you state is possible, but not plausible in today's modern heterogenous enterprise.

If I had a static environment with no new software or business processes, then NO PROBLEM. I can lock it down in every kinda way and it stays locked down to a known baseline.

Add to that new biz processes and now I have interconnection internally and externally which make detection and prevention difficult. Things are much more difficult now.

Add to that new software, ever changing dev env, OS updates, firmware updates, software version updates, dev env dependency updates, now you're talking near impossible to keep up.

And that's the state we're in today. There are some generic mostly effective controls that if implemented correctly can stop most advanced attackers (the so called "20 security controls") https://www.yumpu.com/en/document/read/6582321/20-critical-s...

But even in spite of that, any major nation state had an arsenal of "capabilities" that allow them to dominate most cyber warfare area of operations in the civilian sector. US can do it, UK, Israel, China, Russia, probably even India and others!

Against nation states, there is no stopping nation states in the civ sector, despite what every F500 company's CSO wants you to believe.....sad but true.

Those are all reasons why a network/company cannot be 100% invulnerable to hacks, but it doesn't answer the question of if a company can be be significantly more resistant to ransomware. My answer to that question is "absolutely".

These ransomware attacks are so devastating in no small part due to decisions Microsoft made many years ago. Combining authentication, remote administration, file sharing, printing, event monitoring, security policy updates, and the kitchen sink into Windows Networking. An attacker compromises a single Windows machine and has leeway to attack critical servers across the network. If real segmentation of services were reasonably possible in a Windows environment a single credential couldn't be used to hop between systems and encrypt file services everywhere. Not to say some segmentation isn't possible in these environments but the skills and hours needed to accomplish it are far beyond what most companies have available.

And that doesn't even begin to cover the Exchange/Outlook dominance and poor security choices that lead to the higher rate of success for phishing attacks.

>These ransomware attacks are so devastating in no small part due to decisions Microsoft made many years ago.

This is true for almost all types of malware these days, especially when it comes to privilege separation/escalation attacks. All of your observations about segmentation/AD are true here.

As for ransomware specifically, a lot can be done to stop most ransomware, especially small-time stuff. Unlike most malware ransomware is intentionally loud, and performs the same generic actions of enumerating and encrypting files, which makes detecting and stopping most samples with heuristics much more effective than a lot of people would admit: https://www.youtube.com/watch?v=3pH13DxClag

A lot has happened with ransomware in the past five years, but a lot really hasn't - this stuff still works, and would have an effect against the big RaaS strains that people are talking about today.

No. The reality is that nobody cares about security unless it's their job to, so you have a handful of security people trying to get things fixed, meanwhile the rest of the organization just sees you as a speedbump in the way of implementing new features or buying some new SaaS product. Devs where I work even went to my manager and asked if I could only be allowed to report security findings during specific timeframes because they get behind schedule when they have to fix things. We even have a document that lists a bunch of security controls to cover almost every situation imaginable, and most of the time the devs just say it's impossible to fix the vulnerability without breaking the feature, so they go to management and get a waiver for the security issue.

Realistically, the only way for an organization to actually be secure is if it's part of the culture from the start.

Although password routine expiry is not a recommended strategy now, it'a really good indication of how this can look.

For a long time, people like insurance companies had an "enforceable standard" for 60/90 day password rotation. And in every single business I looked at, they "had a password rotation policy", but then three key executives didn't like it so "do not expire password" got ticked on their accounts as some "accepted exemption". This sort of thing always passed audits, and marketing always wrote information about how the business had a strict password expiry policy. And those executives were the most likely to be compromised.

I think if you go too far down a "minimum standard" path, that's the sort of thing you're going to see.

Most people will say no, but I think if you add some constraints it gets a lot easier. Things like MFA and a zero trust approach are extremely effective against attackers. If you have the ability to start early and get that sort of approach in place you're going to be one of the harder targets out there.

There's obviously way more to it than that, but a huge problem today is that once an attacker gets into a network they can hop around as they please due to implicit trust. Removing that implicit trust and checkpointing access via u2f are huge barriers.

It's also not super hard imo to gradually move to.

Is there any group at all lobbying our limpwrist Congress to do something about these?
> limpwrist Congress

That's quite the choice of adjective given the month.

That doesn't necessarily have to be a gay slur. Could refer to somewhere sitting around all day doing...that.
National Defense is the realm of the Executive.
The executive branch using a crises to seize power is dubious. In the US the legislative branch has the authority to declare war, make laws, create, and direct agencies. Power is delegated to the President by congress (a progressively more common occurrence)
Just curious if "ties to China" means "an IP address that may or may not be allocated to Chinese geography, and may or may not simply be a Tor exit node or a VPN service."

People are far too trusting of these claims of where these attacks originated. Very few people in the world, including journalists, know how IP networks work.

To give them the benefit of the doubt, they said "a hacking group believed to have links to the Chinese government", which makes me think they probably used tools and techniques associated with a known group.
That kind of statement is designed to make you think they have good reasons to make the claim, but if they did they would just share the reasons. One past example of a "hacking group believed to have links to the Chinese government" was someone they suspected as a hacker taking an rideshare to a large office building that rented space to a government organization.
The new york times target audience is not likely to understand a reference to metasploit, let alone digital forensic techniques. They wouldn't go into chemistry when writing a mass market article on batteries either, they'd just say "new breakthrough in battery technology".
So they would know which techniques to change? The reason not to share is obvious.
As a person who works in cyber security, no, no we probably wouldn't share those details. It gives an edge to attackers about how we track them. Those details are only made public when the malicious activity is aggressive or widespread enough, at which point it's for the greater good to go public and bare it all. There is so much that goes into that blurb that you cannot even comprehend unless you work at a security agency/company, and many times on the specific incident in question.
>There is so much that goes into that blurb that you cannot even comprehend unless you work at a security agency/company, and many times on the specific incident in question.

Sure, but as a result that statement could also be full or complete bullshit and anyone not related would be unable to distinguish the difference. The times you've made that statement may have had substantial evidence behind them, but (presumably) you know just as much as me about what's being used to make this statement.

Well, it's also fair to say your comment is designed to cast doubt on the article's claim, despite the fact that you have no proof whatsoever to the contrary.

> One past example of a "hacking group believed to have links to the Chinese government" was someone they suspected as a hacker taking an rideshare to a large office building that rented space to a government organization.

Did they say it was the only evidence they had to tie the incident to China linked hackers, or was that one thing they were willing to share?

>Well, it's also fair to say your comment is designed to cast doubt on the article's claim, despite the fact that you have no proof whatsoever to the contrary.

I have proof that they have not printed any evidence for their statement in this article. It's your decision whether you believe they should be trusted without evidence, I personally don't think so.

>Did they say it was the only evidence they had to tie the incident to China linked hackers, or was that one thing they were willing to share?

They also found a supposed job listing with tenuous links as well, I linked it elsewhere. I have no clue if they have better evidence.

>That kind of statement is designed to make you think they have good reasons to make the claim, but if they did they would just share the reasons.

Well, no, because obviously the Chinese government's teams don't want to get tracked and attributed, and obviously the people trying to catch them don't want to reveal the techniques they use to track and attribute their alleged activity.

Of course, their saying "just take my word for it" doesn't mean you should trust them or their findings, but it doesn't mean you should necessarily distrust them just because they don't reveal their methods.

>One past example of a "hacking group believed to have links to the Chinese government" was someone they suspected as a hacker taking an rideshare to a large office building that rented space to a government organization.

What's the source on this one? Sounds like an interesting story.

> and obviously the people trying to catch them don't want to reveal the techniques they use to track and attribute their alleged activity.

Most of these methods are already public knowledge, usually advanced versions of "don't reuse email addresses."

>Of course, their saying "just take my word for it" doesn't mean you should trust them or their findings, but it doesn't mean you should necessarily distrust them just because they don't reveal their methods.

I should assume their statement is false until evidence is provided. That's a fairly universal concept.

>What's the source on this one? Sounds like an interesting story.

https://www.crowdstrike.com/blog/two-birds-one-stone-panda/

>Most of these methods are already public knowledge, usually advanced versions of "don't reuse email addresses."

Yes, a decent chunk of it comes down to that general idea, but in practice you're dealing with a ton of permutations of that idea. You don't want the adversary to know the specific data types or values you were pivoting off of and correlating against.

So it's not about the general methodology but the specific applications and indicators. Plus there are many other attribution methods beyond just that.

>I should assume their statement is false until evidence is provided. That's a fairly universal concept.

I don't think that's how that works. You just have no evidence or reason to believe their statement is true. That's different from assuming their statement is false. "Failing to reject the null hypothesis" isn't the same thing as "confirming the null hypothesis".

>https://www.crowdstrike.com/blog/two-birds-one-stone-panda/

>One past example of a "hacking group believed to have links to the Chinese government" was someone they suspected as a hacker taking an rideshare to a large office building that rented space to a government organization.

That seems like a major misrepresentation. Here're the two posts that that CrowdStrike post is based on:

https://intrusiontruth.wordpress.com/2018/08/02/who-is-mr-ga...

https://intrusiontruth.wordpress.com/2018/08/15/apt10-was-ma...

I'm not going to summarize everything IntrusionTruth and CrowdStrike reported, but it definitely wasn't just "someone they suspected as a hacker taking a rideshare to a large office building that rented space to a government organization". It was someone whose name and other personal information they already had likely associated with APT10 - through several different means - allegedly also appearing on multiple Uber ride receipts with a destination of the regional headquarters of the Ministry of State Security, which is in the city he appears to work and live in. (Among several other indicators pointing to his likely involvement, including potential associations between local companies he was affiliated with and the Ministry of State Security Tianjin Bureau + APT campaigns.)

What are you basing this "rented space to a government organization" on? Could you imagine the NSA putting a regional headquarters in some rented office space, for example?

In my opinion, the totality of the combined analyses makes a pretty good case that Gao was part of APT10, and a moderate case that he may have worked for or with the Ministry of State Security Tianjin Bureau. Combined with other reports published by both parties, the case for associations between APT10 and MSS Tianjin Bureau is additionally strengthened.

Then a few months later, the Justice Department announced this indictment: https://www.justice.gov/opa/pr/two-chinese-hackers-associate...

>Two Chinese Hackers Associated With the Ministry of State Security Charged with Global Computer Intrusion Campaigns Targeting Intellectual Property and Confidential Business Information

>Defendants Were Members of the APT 10 Hacking Group Who Acted in Association with the Tianjin State Security Bureau and Engaged in Global Computer Intrusions f...

>I don't think that's how that works. You just have no evidence or reason to believe their statement is true. That's different from assuming their statement is false. "

I have no evidence to believe the statement "meowface is a Chinese hacker" is true, but I shouldn't assume it is false? Accusations need evidence. This isn't science, it's criminal justice.

As for the rest, all of the evidence they provided was pretty unsubstantiated in my opinion, but I had combined "an uber receipt they can't verify saying an alleged hacker went to an MSS building" and "a supposed recruiting message gave the same address as CNITSEC." I had not read the details in several years, that was my mistake. That was the grand total of the evidence provided though, and the indictment does not provide anymore.

>I have no evidence to believe the statement "meowface is a Chinese hacker" is true, but I shouldn't assume it is false? Accusations need evidence. This isn't science, it's criminal justice.

Yes, you shouldn't assume it's false. People should simultaneously assume I'm not guilty of any accusation until conclusive evidence is produced, and also not prima facie assume any such claim is false. Purely as a standalone statement, you can't assume it's either true or false. You shouldn't assume it to be true, but that doesn't mean you should assume it to be false.

To use an extreme example, let's say someone you know tells you they were assaulted by some individual, and at that moment you have no other information besides that. Should your immediate reaction be to assume the statement is false?

This is why one should simultaneously give both accusers and accused the benefit of the doubt. You should simultaneously grant victims the presumption of not lying and grant the alleged perpetrators the presumption of non-guilt. A victim makes an accusation, and the accused says they didn't do it, and you have no other information besides that. Do you simultaneously assume both statements from both people are false? No. You assume both are indeterminate at the present time, given you have no other information.

The burden of proof is always on the accuser, but there's still a difference between "not assuming something to be true" and "assuming something to be false". This is also why courts never find someone innocent; they just find you to be guilty or not guilty. Not guilty means the prosecutor/plaintiff failed to conclusively demonstrate guilt. Innocence would be a positive claim rather than a mere failure to accept a claim.

There's an exception if a claim is particularly extraordinary. If you have an extremely low prior, it's fine to assume the claim is false. "This person talking about security stuff online is a Chinese hacker" is a big claim, but not an extraordinary claim like "telekinesis is real".

Also, in this case with the MTA, it's not (yet) criminal justice. It's some private firms saying they believe they have evidence that indicates the perpetrators are likely affiliated with the Chinese government. If they were standing trial instead of just having some company making some claims about them, of course the standard of evidence would be much, much higher.

>Should your immediate reaction be to assume the statement is false?

No, they have provided evidence, their statement they were assaulted by x. Whether that evidence is reliable is a different matter. Not making your mind up but proceeding as if they are telling the truth is a logical action.

A comparable event would be a stranger coming to you, saying person y was assaulted, and there is evidence x was responsible. You have no way of knowing how strong the evidence is, or if it even exists. And their motive for telling you this is unclear. The burden is on them to provide some kind of evidence before that statement should even be considered undetermined.

In this case, I don't doubt the ransomware attack happened, and I assume they have some idea of who is responsible as ransomware requires communication with the hackers. The claim that they have links to the Chinese government is extraordinary enough that evidence is required.

>The claim that they have links to the Chinese government is extraordinary enough that evidence is required.

I agree. I just think this is a language debate. "Assuming [X] is false" is just different from "not assuming [X]" / "not assuming [X] is true" / "not believing [X]". It's fine to not believe it without evidence (I wouldn't, either), but to assume it's false is to make a positive statement rather than a rejection of another positive statement.

Crowdstrike attributed the 2015/2016 DNC "Hacks" to Russia based solely on a file creation timestamp in the same timezone as Moscow and the presence of Cyrillic in a Word document's metadata, and the western world ran with it for years. Don't expect much.
Is there a source for this? If true, this is a new low for all these "cybersecurity" firms even though I already took their claims as a pinch of salt.
The "Russian" Twitter propagandists were identified based on a similarly specious methodology, and I only ever encountered one article (Wired) they even bothered to mention it. And in many, many internet conversations I've had, I've not once met a believer who had the ability to consider whether authenticity was important, even while they mocked their outgroup for believing whatever story pleases them.

People are funny.

Why would you think this? They found shared infrastructure and TTPS related to other attacks for the actors.

edit: And what's with the "hacks" scare quotes? We know exactly how the attack happened, step by step... in what way was it not a very straightforward hack?

This was still straw grasping. Tactics and techniques get imitated all the time. Covering your tracks and laying down false trails is standard opsec.

This hack wasnt special in this respect though. Hack attribution is usually based on pathetically thin evidence.

For a high profile hack attack it really isn't feasible politically to say that you aren't sure who the attacker is, though. It makes you look weak and powerless.

Not being sure who the enemy is or being utterly sure and wrong for long periods of time is a weird feature of cyberwarfare that I'm not sure any country is capable of adapting to yet.

So there's lots of evidence to support attribution, but your flimsy hand waving about uncertainty is supposed to carry weight?

Once again, we have:

* Shared infrastructure

* Shared TTPs

* Clues like language

* No evidence to the contrary

And that's just what's public. I assure you that quite a lot stays between people. I know many people in the field who can't share public details about breaches due to pending legal issues - Dropboxers couldn't talk about aspects of the 2012 breach until just this last year.

What specific evidence did you find most compelling? Please, share it, if it's more convincing than Cyrillic in a document header or a Russian IP address.

Or, you could just hit us with the oft repeated 2003 weapons of mass destruction talking point of "the evidence is there it's probably just classified" if you want to make me reminiscent for the good old days.

Yeah, unrelated things decades ago were wrong or something therefor... uh, something.

I'm not really interested in doing research for you.

I researched it a while back. That's how I reached this conclusion - in particular, the idea that one hacker used broadly similar techniques to another ("shared TTPs" as you so obliquely put it) being used as evidence stood out precisely because of how flimsy it was. Likewise when IP addresses from specific countries are cited it's like waving a red flag saying "we actually don't know" to anybody with a rudimentary understanding of networking.

I asked in case I missed or misinterpreted some specific piece of evidence that was particularly compelling.

I don’t think regular person/organisation can host Tor node or VPN server in China.
This seems rather suspicious all these reports of a sudden - are they plotting to bring back the Clipper chip V2 ???.
Just like Klauss Schwab from the World Economic Forum says the "cyber pandemic" is coming.

First they test the idea at Cyber Polygon (similar to event 201 which simulated a virus pandemic just before the fake "cov1d" outbreak)

https://cyberpolygon.com/

And then they will just do it. Problem is, just like cov1d - IT'S ALL FAKE

Bring your own equipment. It works for rock stars and counter terror teams because there's no excuses. It increases demand and education. There's a breach, or a hack, next man up. You messed up? Liability is yours. Best to hit the road. Worst though, you're not it. You're just not good.

Smart contracts on existing exploits would make a great state backed cryptocurrency. Stopped pipelines make great labs for chemical electricity generation. Attack on the food supplies can be used as tallow. Go ahead world. Wake the sleeping giant.

Stand up for yourself. The USA, you're better. Stop the relativism. The law applies to everyone, or there is no law. Limit the violence, don't add to it. Lessen enemies, don't create them. Don't tell everyone what to do when you're not willing to do it yourself. Walk away. Doing the minimum is a lot easier than ruling the world.

The dead fight with weapons, they dying, tricks and traps and deceipt. Soon they fall into a trap of their own making. Or what they are fighting against wises up and defeats it. We're strong enough to live among bad people, where other people have to outright kill them. They only know barbarism.

I'm John Williams from the United State of America, i was scammed by two hacker's while trying to look for a recovering agent and Mobile spy access to my girlfriend's iPhone 12 pro Max. I lost a lot of money online to fake broker's and as well fake hacker's who I came across in the first place when I searched on google engine. I was on trust pilot trying to see some review when i came across (wizardharry@programmer.net) i quickly contact him but was nervous because i have had a lot of bad experience over the internet, it was hard to believe him but i put it to try anyway, then i discover he is a legend and honest hacker, both my lost funds where recovered and i got more than i lose, right now i have mobile spy remote access to my girlfriend phone without her knowledge. All thanks to wizard Harry. You can also WhatsApp him (+1-807-808-6168)
"The hackers did not gain access to systems that control train cars and rider safety was not at risk, transit officials said, adding that the intrusion appeared to have done little, if any, damage."

Isn't this because the systems that control train cars & rider safety on the MTA are all manual/electromechanical, with some dating back to the LaGuardia administration? Hard to hack those without being local to the tracks, and handy with a soldering gun....