Whelp, that's the end of cryptocurrency... probably should sell your HODLings now. If we're going to Patriot Act the crud out of ransomware, Bitcoin is gonna be illegal.
I mean, does Bitcoin give people the sort of high that they'd risk going to prison for? I'm not sure nearly-random numbers has the staying power compared to addictive substances.
You won't be seeing 30%+ gains when they're throwing people in prison for it.
Most drug users are never prosecuted. But the threat of prosecution does very little to affect the quality of their purchase, relative to what it would do to BTC market as a whole.
I think this dynamic will play out very differently with something the value of which is mostly determined by current and future-expected transaction velocity & volume (to the extent that it's not sheer speculation). Now, the cost for services involving Bitcoin, like converting it into dollars, would probably shoot way up.
Outlawing Bitcoin (or cryptocurrency generally) would cause a huge demand reduction. Some coins might adjust supply to compensate, but total crypto "market cap" would surely plummet.
If you can't exchange BTC for dollars other than in person, and if you can't use it to purchase goods online other than via TOR, that is not going to increase the price. It's going to crash it.
I thought I smelled authoritarianism! Here we see the ultimate purpose of this entire desultory exercise. Having problems online? No backups? Don't fix your pathetic shit; just be the excuse for the USA military-enforcement-imprisonment-industrial complex to oppress everyone on earth. Good grief.
Nations make laws against bad things. People who violate those laws go to jail. A ban on cryptocurrency (or rather, exchanging it for dollars) will be a hell of a lot easier than banning popular intoxicants.
We're done putting up with this particularly pernicious iteration of tulip mania. Time to pull the plug before it does any more damage.
Do you know how absurd that would be? Crypto like Bitcoin are just a database in essence. Throwing someone in prison for running a database on their computer would probably spell the end of general purpose computers. You will not be allowed to run databases anymore unless they are approved.
> Do you know how absurd that would be? Bitcoin is just a database in essence
It’s really bot unusual for the law to treat things differently based on the purpose for which they are used when they are “just a database, in essence”.
I know, in theory you can have a law for everything. For example, in the Soviet Union basic electronics such as radios were restricted and you were not allowed to tune your sets to western stations.
I don't think a database or a computer murdered or kidnapped anyone. I mean, a computer which runs the B-tree algorithm and talks with the rest of the internet according to a bunch of loops/if/then/else statements is not exactly an assault rifle.
But yes, everything can be banned eventually. We'll just go back to living in the cave.
I assume you'd have no issue taking down a database full of child pornography? You know there are some who argue that CP is just "bits on disk".
What if society determines that cryptocurrency also has negative externalities? You're free to disagree but I just stuck my finger in the air and it's pretty clear which way the wind is blowing.
The only societies who determine that cryptocurrencies have negative externalities are the ones that are controlled by criminals in the highest levels of their government. Just google a map to see where crypto has been banned. (Note that many these may not even appear as criminals and project a legitimate image to their public)
Here's a thought experiment: If you're a political party that had taken over the government through criminal means such as election fraud or more coercive methods such as a disinformation/propaganda campaign or a coup, the first thing you will do is to make sure that you have control of the money. Since cryptocurrencies are too transparent and undermine the absolute control of state-issued currency, these will be seen as a threat to the criminal government and will be the first thing to get banned.
We can quickly see that the world's worst criminals at the highest levels hate cryptocurrency, and prefer to use the existing paper-based technologies instead, that allow them to be more opaque and retain absolute power.
I mean, look.. cryptocurrency is a deeply political disruption to nation states that always had absolute controll over their national currencies. If a totalitarian government ever is to maintain power, banning cryptocurrency would be a necessity, and so far there's direct evidence of this as I've pointed out. (Another thought experiment: why crypto is banned in North Korea?)
It would be a necessity and extremely easy. It's not preventing authoritarian states from doing anything. Men with guns in riot gear just show up and seize all of your hardware, and whatever other property you own that they want. See China's current mining crackdown if you don't believe me. Many authoritarian states are currently tolerating crypto because it's an excellent way to avoid international sanctions and launder hacking ransoms.
By pointing out that crypto is banned for regular North Korean citizens, did you not just prove my point that it's a worthless tool for countering authoritarianism?
Bitcoin is just math. The US isn't going to be able make holding bitcoin illegal, and I very much doubt it will ever be able to make the buying and selling of it illegal -- there are even free speech issues here. But what it can do is tax the hell out of it, regulate the exchanges as investment platforms, but they will have a hard time trying to make it illegal to pay someone to sign a cryptographic hash.
So if I give 10$ cash to buy something, the US government is right above my right shoulder approving that transaction? You realize that doesn't make any sense right.
That is a blanket statement that doesn't bear up to scrutiny as you are confusing things like international transactions with national transactions, regulations by states versus by the federal government, and completely ignoring all the constitutional restrictions we have. It's like someone talking about freedom of contract and you counter with trade sanctions against North Korea. How does one respond to such high level dismissals so removed from the specific legal issues at play here?
Drugs are renowned as a special case when it comes to states' enforcement power. Currency control is not.
Outside failed states, capital controls and foreign currency restrictions have been historically well enforced and followed.
The U.S. banning cryptocurrencies, sanctioning connected individuals and firms and committing to leveling repeated 51% attacks would functionally destroy most cryptocurrencies. (There is zero indication this is being contemplated.)
We're not outlawing math. You can still run your little calculations on your machine. You just can't exchange them for dollars. That's what we're proposing here. Currency control.
Are you confusing this with the debate around encryption? That wouldn't surprise me coming from someone who uses the phrase "nocoiner".
Thanks for finally admitting your intentions. I don't see a similar suggestion anywhere ITT or TFA, but it all did seem a bit too coy. Physically, it would be possible to shut down e.g. Coinbase. Legally, that seems a stretch. Politically, with the particular investors they now have, you're trying to shut the barn door after the horse has joined the circus.
Shutting down Coinbase, however, will have no effect on bitcoin or the people who use it. That's the point of bitcoin, and it has been since the protocol was published.
> Shutting down Coinbase, however, will have no effect on bitcoin or the people who use it.
You all are more than free to continue to associate with each other. As long as you're not breaking any preexisting federal laws (let's be honest: most of you are). It's the normie and Wall Street market we are targeting. Good luck maintaining the bull run, sweetheart.
It would be precious for you to suggest you might have some effect on "Wall Street". It's called "capitalism" because capital is in control; "democracy" would imply something else. Most humans break USA federal laws every day. That's the point of USA federal laws: if they couldn't be used to destroy any person at any time then the billionaires would come up with something else. At the same time, if rope is being sold, why wouldn't they sell it? Cops are sometimes surprised the first time they realize who they work for, but if you stick around you'll learn.
The most precious thought is that one might think to reign in authoritarian capitalists by attacking the one thing created in the last century that has a chance of actually undermining authoritarian capitalism. You don't actually think that, because ITT we see plenty of evidence you're on the other side of this conflict.
You’re well aware I’m not talking about opening your neighbor’s mail, or any other "crimes" that are still on the books but never prosecuted. When I refer to the federal crimes that are committed daily by crypto enthusiasts, I’m talking about blatant tax evasion that makes the Panama Papers look like child’s play. In a sane world, none of it would be possible. Soon enough.
Do you propose that Bezos should pay his taxes at the same rates my neighbors and I pay? That sounds good, but I don't see what it has to do with bitcoin. Do you allege that he is hiding income by not reporting it? It has been my impression that he prefers instead to hire people to write the tax law in his interests.
You keep focusing on the enforcement itself rather than the goals we hope to accomplish via enforcement. I infer that you have a special fascination for enforcement, but please understand that many people do not share this special fascination with you.
Just a special distaste for the crypto crowd. Who somehow manage to moralize all day about "authoritarian capitalism" while skimming off everyone in society with their tax avoidance scam.
I'm inclined to say Jeff Bezos is no better. But then I remember he and his companies have actually produced some innovations that are legitimately beneficial.
I think if you’re a criminal with a lot of Bitcoins you can do it. One way is through exchange insiders taking a bunch of your balance and giving you a bag of cash (but you sell your coins to them at a discount of course.) See eg https://cybernews.com/security/how-we-applied-to-work-with-r...
LSD was and still is one of the cheapest black market drugs you’ll find. There is no shortage. Imo it’s easier to get and test for safety than ever before.
Difference is if corporations and funds can't hold bitcoin/crypto - you're back to $1/BTC. The whole value proposition of BTC hype bubble bursts if it's illegal in a major market like USA. Don't doubt some cyberpunk nuts will keep playing with it.
And presumably if nobody can easily convert large quantities of crypto to and from USD. Sure, you find an international exchange, willing to give you some other fiat, but American KYC laws are still going to be chasing you all over the globe.
I mean, it could still be used as an IOU of sorts for illegal activities. But if this is the sole remaining use case, I'd imagine there are better means for this than hosting on a public ledger.
We have plenty of historical and current examples of governments imposing capital controls to restrict access to foreign currency. Very rarely does it result in the market price of the foreign currency going down. Usually quite the opposite.
Heck, even in American history we once tried to ban private ownership of gold bullion. The black market price of gold rose substantially.
> We have plenty of historical and current examples of governments imposing capital controls to restrict access to foreign currency. Very rarely does it result in the market price of the foreign currency going down. Usually quite the opposite.
That's a nonsense comparison. When governments impose capital controls it means their currency is already sinking and it's a last ditch attempt to prevent this inevitable scenario.
BTC valuation is entirely based on narratives about how it's going to replace standard currency in whatever story is popular, and from what I can see right now it's being pumped up by funds who can't find other good investments in this markets and are willing to play with crypto. If it's illegal for US funds/citizens to hold it/be involved with it - the selloff alone would kill the market instantaneously.
The US only constitutes 15% of global GDP. There's no reason to think that US investors represent an outsized position in crypto holdings. American funds may have large positions, but that's largely because the American asset managers tend to attract substantial overseas positions.
There's no reason to think that, say a Japanese pension fund, that's invested in Grayscale is going to say, "oh shoot, guess there's no possible way to allocate to this asset class now". They'll just reinvest that same allocation in a UK or Caymans domiciled fund.
If anything the 85% of crypto investors who aren't invested, will most likely hoard in anticipation of the policy being reversed. For better or worse the US government has extremely low credibility when it comes to long-term policy consistency. Almost any US policy can simply be waited out until Congress/White House flips parties.
> The US only constitutes 15% of global GDP. There's no reason to think that US investors represent an outsized position in crypto holdings.
Holdings would seem to be more reasonably assumed to be proportional to wealth [0], not GDP. The US has a significantly larger share of global wealth than it does of GDP.
[0] or maybe more-than-linearly related, since less-wealthy people will have more of their wealth in directly-used assets like tools, vehicles, and homes.
Bitcoin is easier than hard cash to track. There's no need to make it illegal. I suppose you could argue that government is heavy handed enough to simply ban the mechanism by which ransomware payments are so easily conducted by. My intuition is that government would prefer to regulate it rather than outright ban it.
The majority of the uses of cash are legal. The majority of uses of Bitcoin are criminal. And bear in mind, Bitcoin hasn't just been a boon to ransomware, it's been a strategy to evade financial sanctions by countries like Iran: https://www.reuters.com/technology/iran-uses-crypto-mining-l...
So there's a lot of reasons the US government just may find themselves happier without it.
Do you have a source for your claim that the majority of Bitcoin uses are criminal? Research by blockchain analysis companies show that only a small percentage of Bitcoin usage is illicit [1][2][3].
I thought being a solution in search of problem was perhaps too charitable. Every joule we waste on hashes is another gram of carbon in the air. And it is all waste — the only problem cryptocoins solve better than other solutions is illicit transactions. It’s not even close to as anonymous as cash.
Coinage used to be more portable in the days of precious metal coins. But honestly I’ve had very little barriers in converting cash. It’s a solved problem.
bitcoin and related systems are a solution to the double spending problem. Perhaps a flawed solution based on the information we know now, but it is a solution nonetheless. some related systems such as monero, zcash, and GNU taler make attempts at ensuring spender privacy, like cash.
but the computational power is nessisary for the network to function in a manner that is provable to new nodes. Because you can use a digital signature to confirm a transaction happened after some time, but not before some time.
I don't think cash is a solved problem within the context of computer networks. If I could transfer money using a program by using a digital signature, I would be satisfied, but anyone who can get access to my credit card numbers (and name, billing address and other open source info) can make purchases in my name. And you of course must rely on the fractional reserves of some central entity.
AML, SDN lists - yes, all that is in scope. But enforcement has been uneven: it’s so far been about making US exchanges comply with KYC laws. Nobody has really gone further.
What happens when a company is a victim of a ransomware attack and OFAC puts the extortion wallet on an exclusion list?
The risk isn’t just to the person holding the wallet: it’s the risk of OFAC sanctions hitting the exchanges that takes dirty BTC and pays USD.
So now, know your customer turns from “be sure I don’t send USD to a specially designated national” to “be sure I never accept crypto from a burnt wallet.”
> Try taking $10,001 in cash into the US and tell me that again
You have to declare it. You’ll probably get follow up questions on how you got it and why a wire doesn’t work. But otherwise, large quantities of cash transit the U.S. border all the time.
How much success, historically, has the US government had at regulating math? I can't think of any, but it's not really my specialty so I'm curious if anyone's encountered a successful example.
They don't have to regulate math, they just have to regulate where cryptocurrency touches the "real" financial system which they're actually really good at.
I would assume most diehard bitcoin holders are just fine with no financial system entity touching them. After all, that's what many of them are trying to route around. They want peer-to-peer transactions independent of state actors, and have very little desire to hold BTC in their Fidelity-managed 401K portfolio.
Rather it's been the banks that have been clamoring to get a piece of the bitcoin action, not the other way around.
Curious if this will result in extraterritorial enforcement. For example, it's clear Moscow is either unwilling or unable to prosecute cyber criminals within its border.
That's one possible reading. Another is that the US will start working on their own Great Firewall, such that your packets need to be cleared by a metaphorical digital TSA to enter the country.
Something like SCION may be in the "Western" Internet's future, is my guess. I don't expect protection-at-edge or pervasive atop-the-current-Internet surveillance to be the solution for the OECD.
1) All security has weaknesses or work-arounds. That doesn't mean that all security is worthless. Forcing adversaries to take more risks and expend more effort is kind of the whole point, and that's exactly what you're talking about.
2) Are you arguing that the actual Great Firewall, a real thing we see actually working on a massive scale, does not make it much harder for foreigners to cyber-attack China?
3) See my other post on this thread—there's work toward re-designing the Internet to make evading state- or bloc-level origin control, including communicating with existing compromised nodes inside a state, remotely, way harder than it is now. I'm talking at the node-to-node routing and backbone level. It's interesting/terrifying stuff.
4) Couple 3 with some other minor and fairly obvious tweaks to how Internet access works, and even getting a foreign device with its own infinite-range radio into the target state would be reduced to step one of several to gain access to a target state's network, and that access would likely not last long if you start doing anything weird with it.
it's just a metaphor. in reality, they're just going to use the old Patriot Act mass surveillance infrastructure, which sits inside ISPs and processes every packet.
How are we going to have enough turns to intercept all of these flying white TicTacs? No really, if we don't even have anything fast enough to keep-up with whatever the heck these are (if they're real).
(Just don't equip your army with only nuke missiles because they destroy all of the good stuff and psy attacks would cross the streams.)
I think that's what they're referring to. Elerium-115 seems to be the current name* for Element-115, which is said to have antigravity properties and so is how UFOs are able to do their impossible maneuvers.
*Back when I was obsessed with this in the early 2000s I'd never heard of Elerium-115, it was always Element-115. Looks like the origin of the name is actually a game in 1994, but may not have become common until around 2013/2014.
Looking back with 20/20: clothing styles back then, even for the rockstars, were damn basic: 99% long-haired, half-naked paler-than-I people in jeans, jean jackets, and wifebeaters. xD
Hackers in Russia extorting Americans is illegal under U.S. law; that's extraterritorial jurisdiction. The U.S. government going into Russia (or Pakistan or Ethiopia) to punish those hackers without the home country's permission is extraterritorial enforcement.
We have a lot of precedence with the former. The latter's use is more limited, for obvious reasons.
I'm sure the Russians are as interested in these crooks as the Americans, as it would be attractive to seize their assets. They will not extradite them, but they might wish they had been.
Why would they shut them down when they can just recruit them? Think of these ransomware groups as the minor leagues, the best get to move up to Russia's cyberwarfare teams.
LOL. A good portion of cyber security attacks are government military operations. You think China or Russia is sad that hackers closed down our gas pipelines?
What about the other side of this? Instead of seeking backdoors and using them to spy on Americans, the NSA should be stepping up their game and securing vital infrastructure and domestic businesses against these attacks.
Generally speaking, you'll find the federal government has a litany of agencies, on both the offensive and defensive side of... everything. There are absolutely government resources working on securing American infrastructure.
At this point though we need to have entire new branch of the military. Otherwise, I just don't see how we are taking this serious enough.
The way the Air Force specializes in the air.
It is just incredible how we are always fighting the last war. From 9/11, instead of learning we need to constantly stay on top of a shifting battlefield we learned to fight Islamic terrorism. Not good.
I'd rather not see taxpayers have to foot the bill for the profit of megacorps neglecting proper cybersecurity while sitting on mountains of tax-evaded offshore cash, thank you. The industry should be magnitudes larger than it is currently, and we shouldn't encourage corporate recklessness by socializing the costs.
Sure, but they are up against state-sponsored, highly trained actors, and that's not a fair fight. This requires the resources of the US Government as their bodyguard.
Not really, the US military in particular has a lot of slack that could easily be funded into cyber stuff. I would bet there's plenty of (digital) offensive capability in the US so maybe it should be used?
If other States sent proper Armies over to attack critical infrastructure the US government would surely foot the bill to aid in security. Why should cyberarmies be treated more leaniently?
Because proper cybersecurity should be treated as a cost of business, unlike the use of force which is an exclusive prerogative of the state. If large companies want the state to step in to absorb some of their costs, they should stop trying to avoid contributing to said state at every step of the way. If said public involvement came at the cost of partial ownership of companies requiring it, with complete disclosure of their financials including offshore, I would not mind at all. I am simply extremely tired of corporations running to daddy at every inconvenience - sometimes of their own doing - while actively trying to crash the whole system into the ground by starving it. You can't have your cake and eat it too.
That assumes all cyber threats can be averted by private corporations. It's difficult for a company to play effective defense against nation-state levels of cyber attack R&D. Yes, companies need better security than they have now, but they cant do it without help.
This is where the threat of retaliation comes in as a deterrent, and the country should be equipped to do so. But publicly subsidizing private cybersecurity is both impractical (how would that work exactly?) and would encourage underspending even further.
Why do you think China or Russia prefer to hack foreign private competitors rather than sending a bunch of missiles on their infrastructure?
We publicly subsidize every other kind of security to some degree already. A company might have security guards, but police are certainly going to be there to provide a baseline policing the neighborhood, respond to calls, etc.
And security via threat of retaliation does not sound like a practical or effective solution either: we already have plenty of capabilities in that area, and it didn't stop east coast oil & gas infrastructure from going down or a sizeable portion of the nation's meat processing from going the same way. These attacks are escalating rapidly, and relying in the free market to find a solution doesn't look like it's going to happen fast enough.
This needs to be a national, not (just) a private corporate issue because of the enormous national security implications involved in cyber attacks against infrastructure. When a single company's security failure can cause national chaos, there needs to be a nation-level approach to this.
Then how about nationalizing that infrastructure, if it is so crucial for national security and the private sector is unwilling to spend enough to protect itself against threats? Let's not kid ourselves: this is first and foremost a matter of incentives and consequences rather than a lack of capabilities.
I don't see what the public could do better than private entities, besides absorbing their costs.
The only way I can see it practically working is if the private sectors would allow government entities full access to their IT infrastructure, submit themselves to random controls, audits and checks, and bear sizeable fines if they're found to be negligent.
The government could set & enforce standards for levels of security and disaster recovery, especially if critical systems. It could not just research but also pass on knowledge of vulnerabilities. I don't expect the government to actually run the security. I expect the government to provide the framework and tools so that everyone doesn't have to figure it out on their own.
Yes thank you for your responses. People wine but we're clearly pathetic as an industry, limping along with Unix etc. We know so much about how to build better systems, and yet it's more bandages on the status quo, all the while increasing complexity which makes things largely futile.
Unlike "real war", cyber defense also gets to design the battlefield, everytime time. There will always be social attacks, but the stupid C and Unix stuff that is the bread & butter today is completely preventable
The feds can’t even secure all their own systems. We had the OPM hack which resulted in the personal information of federal employees exfultrated who knows where. Also the federal government were still using passwords that were exposed in the breach 3 years after https://www.forbes.com/sites/leemathews/2018/11/15/office-of....
Tbh I trust the FAANG companies to run better security. Government is incompetent in this area.
Many times it's not the government securing their systems, they've outsourced it to places like SolarWinds. Maybe they would do a better job if political pressure didn't push for more and more privatization of critical operations.
Because that analogy doesn’t hold. These cyber attacks are all but literally one bored kid and a computer. If the Russians sent one bored kid over here to blow up Hoover Dam, and that actually worked, we’d blame the people who put up the dam.
The fact is that the correct and secure working of computer systems and networks has been severely neglected by companies in favor of their profit. If we are to have state response to such neglect, it should be funded by a huge tax on every copy of Windows.
> These cyber attacks are all but literally one bored kid and a computer.
Are you sure about that? A lot of this stuff is way more than just some bored kid. For the company I work for, there is almost certainly a group of well paid people who sit around every day trying to figure out new ways run scams using our site.
When there is financial motivation, people go through great efforts to get that $$$.
"Security" isn't some catch-all box you can check. It's a non stop game of whack-a-mole where your adversary spends each day getting around whatever you put into place.
Right, security is definitely not a box you can check but American business have decided that if they run Qualys to get that PCI-DSS everything is good. Nobody is out there seriously talking about the fact that the Linux kernel is written in fucking C. Well it's 2% faster than if we wrote it in an actual language with, I don't know, bounds checking, and we'd rather use the 2% for dividends, thanks very much. We need some economic and regulatory incentives here so the public endpoints of your critical oil pipeline are running applications written in safer languages on seL4 platforms with hardware roots of trust, instead of god-damned DOS.
The software industry should be ten times bigger than it is, but the economic incentive has been to make it cost less, rather than to make it safer.
How many exploits are because of the Linux kernel, and not userspace software? No kernel will protect you running public ElasticSearch with "username" and "password01" as the credentials.
These cyberattacks are all but literally boiler rooms full of bored Russian men wearing balaklavas and holding flashlights under their chins while they type.
The incentives are all misaligned and the solutions aren't obvious. How is the USG going to secure some random admin access password? Are they going to update the code in the repo?
I agree with hack-back. I agree with a number of proposed solutions, but at the very end of the day the problem with cybersecurity is that most orgs don't have the fiscal allocation that they need if they were to have any hope of stoping foreign states.
Rather than compare it to armies, I think we should compare it to spies. If this is truly at the army level we could send a couple dozen missiles and the attackers would get the message. But there are reasons we don't do that though. First, we're not always sure who did what. Second, it's a political quagmire. Armies don't come to your house and help secure it from air strikes. Armies understand attack asymmetry and they hit back.
But when it comes to dealing with foreign spies there is a different playbook. The government helps organizations that are critical to national security secure their entry points and resources. They help, but they don't do everything.
This only works if the parties involved are interested in working with the government. Long after Nortel was first told of the Chinese hacking / stealing of their IP they were still woefully insecure. They went from being a third of the Canadian stock index to bankruptcy in a couple of years.
I don't actually think cybersecurity is possible. I've tried very hard to get governments to change, and there is some progress on the most fragrant violations, but the space is growing too fast and the domain is too maneuverable. I don't think it is possible. All we can hope for is some combination of more defence and realignment of incentives of the actors involved limiting the eventual damage.
> The incentives are all misaligned and the solutions aren't obvious. How is the USG going to secure some random admin access password? Are they going to update the code in the repo?
They can publish best practices, research vulnerabilities, provide educational support, and generally do all the kinds of things governments do to encourage the right behaviors. We have some of this, but at some point, switched to the sexier "the best defense is a good offense". Likely because defense is hard.
I think if you had good attribution it's more like armies. We have been focused on locking our doors, on building better walls, etc. But there is a non-defensive side.
In meatspace we expect the government to use kinetic force to stop people from attacking us. Like if I leave my door unlocked and some person comes in to start stealing my stuff, the cops really will respond and come stop that person (I have had a home breakin they responded quickly to). They didn't blame me for having bad locks. I pay a lot of taxes so my walls and locks don't have to be perfect.
In cyber land, it's an anarchy. The government offers no defense. But there's no reason someone can't offer a deterrent. Like if you knew who broke into your servers, and there was a goon squad that went and broke down their door either kinetically or electronically I think a deterrent strategy could eventually work. Like it literally does for meat-space security.
(Not totally sure I want that, but I'm just saying it would probably work and we haven't really tried it yet.)
So you have group of 20 somethings in russia that you suspect are behind the hack.
What do you do ? Sending a single missile/drone wont work because Russia has air defense (probably - with them you never know how on top they are, but they will after the 1st one). Sending multiple might work, but Russia might fire back and start a war.
Sending special forces, or whatever would probably work better first few times, until Russia deliberately set's a trap for them.
How about if they are form China, or maybe France or India and you don't relay have prof that would stand in court ?
And then what, it's not like USA doesn't have its own hackers that do shady stuff internationally. Other countries have spacial forces as well.
I am not sure we want to go this way.
In practice that means US doing whatever they want in poor countries (where they already do whatever they want), and not doing much in powerful enough countries where most of those criminals actually are.
Most of the time we don't even know definitively who is behind the hacks, so it's kind of a moot point.
Yea, I'm not saying I want a kinetic or offensive solution either. More like, it might be possible. Like if someone kills a bunch of people in France and flees to Germany, then Germany is going to hand them back over to France. Clearly not everywhere has extraditions, but you can imagine a world where hacking isn't so much tolerated and defended against as punished and thus uncommon (like breaking into a house; you can but you're not supposed to and there's consequences).
oh this happens regularly inside EU. And even cooperating with US. A few years ago, someone from town I live was involved in making/selling one of those exploit toolkits on dark web. FBI contacted our police, he got arrested, and convicted. He didn't get extradited to US, but is in prison here.
When you can drop a bomb into a pickle barrel from 30000 ft, the question is not “how do I make my pickle barrel stronger?” it is “how do I decrease my reliance on this single pickle barrel?”
Spy-craft is notoriously laughable in its effectiveness. InfoOps, on the other hand...
I guess I’m saying comparisons to both Air based warfare and to the propaganda machine are both the most useful analogs, imho.
Except you can't do that, which is why the army metaphor doesn't work.
(If you want to argue that this is a realistic response, please explain how doing so would not be acts of war, inviting both retaliation and much worse acts then justified by ours.)
I mean, it can be argued that trying to damage our infrastructure by hacking our computers is just as much of an act of war as firing a missile at our infrastructure. In some cases, the effect of the damage is the same. (I admit the 'cleanup' of the Colonial Pipeline problem is much less than it would be if someone blew up the pipeline, but the impact it had on our country was similar.)
I don't expect the US to start handling this that way any time soon, but I'm not sure it'd be irrational for a nation to decide a cyberattack is, in fact, an act of war.
It really depends how that attack is being organized and backed though - in most cases we'll be left with only a strong suspicion of who actually launched the attack and, due to the nature of technology, it's much more likely with a cyber attack for the real perpetrators to frame someone else.
Even once that's all decided, we'd need to figure out if war would be a reasonable response. I'd propose that one of the main reasons the US hasn't ever escalated the situation with North Korea, even if we ignore China's likely response, is that actually subduing the populace and occupying the country would likely be extremely difficult. It's unlikely that a thoroughly bombed North Korea would be any more stable and friendly than the current North Korea.
War is extremely inefficient at bettering the lives in any of the countries involved - there are times when it is necessary, but it should be avoided whenever possible.
China is literally the only reason the US tolerates North Korea. And China solely tolerates North Korea because it causes all sorts of irritation for the US. Arguably, it would be better off for everyone living in North Korea if one of those two powers annexed it outright, but geopolitics loves backwater proxy wars.
> China is literally the only reason the US tolerates North Korea.
Closer to the active phase of the Korean War, the USSR was also a factor. Today, the US distaste for instability, and naiton-building, and North Korea not having a hoard of oil or something similar to overcome that distaste is also a reason, today.
> Today, the US distaste for instability, and nation-building
This is an unpopular opinion, but I feel like we should generally accept nation-building doesn't work well, countries we leave tend to go back to being horrible in a number of years after we set up a new nation there. And accepting that, and accepting sometimes that countries are completely failed, harmful to world security, and larger countries need to intervene: Annexation isn't actually a bad concept. It's absolutely frowned upon today, but I'm not sure is worse than what we've done to half a dozen countries in the past couple decades alone.
The barrier to war should be high, but at the point you obliterate a nation's governing structure, defenses, and likely civic infrastructure, you should accept you have a permanent responsibility for the civilians there. And maybe the best way to be democratic about it is to establish a process that states one annexes can petition and vote for secession after they've reached a more stable position.
> North Korea not having a hoard of oil or something
There's that. North Korea is a property that literally only Kim Jong Un wants. And major powers seem perfectly fine to let him have it as long as he mostlyish behaves.
This is strained reasoning. The threat of war with China and the literal guns pointed at millions of heads in South Korea are what prevents the US from picking off DPRK infrastructure and personnel. Compare to Iran if you doubt.
If US government authorizes the NSA/CIA to infiltrate/attack all bitcoin exchanges that accept payments from wallet ID with ransomware, the problem likely be solved very quickly.
And the threat of a Topol-M nuclear missile with a yield of 800 KT detonating over New York is a pretty good incentive not to launch tomahawk missiles at office buildings located in nuclear-armed countries. If you ever wonder why unfriendly countries have nuclear ambitions, rhetoric like this is part of it.
How many people are you ready to kill over ransomware?
And weren't we just splitting hairs the other day over whether or not Belarus forcing an airplane flying over Belarus to land is excessive use of force? Apparently, ballistic missiles targeted at office buildings aren't?
At this point, with repeated attacks against our infrastructure, we need to get said countries to either help us route said cyber attacks (state sponsored or not).
If this continues to happen we are looking at a really bleak future. There is an -insane- amount of money at stake here. How many meat/farm futures got affected by just taking out the meat industry this time? How much money can these people get not just by the ransomware attack, but by also knowing how fucked an industry is about to be and cashing out.
When they can do this shit with impunity it's a problem. And there's potentially a lot of money available.
This is all just ignoring the fact that some of this might be state sponsored.
I think it's time to start getting some sort of cooperation from said nation states and allowing us to help take out some of their trash.
Because the other option is to treat this like state sponsored attacks on our infrastructure and no one is going to like that.
How do you get countries to cooperate that have no incentive to cooperate?
Cyber warfare, whether ransomware or espionage, is largely asymmetric. Why would these other countries want to play ball when they have everything to gain?
The answer tends to be that you make them cooperate by attaching additional costs to the actions, in order to make them less attractive. These costs come in two major forms, which we might want to categorize as passive and aggressive.
Aggressive costs might include:
- Offensive hacks
- Military response
The issue here seems to be that the passive responses aren't likely to be strong enough to dissuade the other actors, while the aggressive responses are too costly. Aggressive counter hacks might just normalize cyber hacking and espionage, and the US is on the wrong side of that asymmetric gamble. Normalizing the behavior would be likely to make it worse than it already is!
Military responses go too far. You can't reaaalllly militarily respond to another nuclear power. Not directly. The potential outcomes there are almost uniformly bad. If you want to play the longer game maybe you do some poking and prodding by supporting third party combatants (IE: Soviet support of Vietnam against the Americans) or political opponents. But there aren't really that many great options on that front today for Russia or China.
So that leaves trying to increase the cost of the passive responses. This is kind of troublesome with China, since they'll just throw identical costs right back at you. It's a bit more possible with Russia, but Europe's entanglement with their power sector screws everything up. And it's not like we're lacking on Russian sanctions as it is.
You can try to play a strong defense, but that's kind of like putting a bandaid on a gunshot wound at this point.
Yadda yadda yaddad, I don't know what to do but I think it's an interesting problem!
Edit: Maybe I shouldn't say European entanglement with Russian power sector. I suppose it's more appropriate to say gas sector?
I think the argument is more that if we taxpayers are footing the bill for the corporations then we should also have some say on how much of the profits the corporations get to run away with. The same ought to apply to traditional war too: the government should pay, but the supplier shouldn’t get to charge literally whatever they want.
Physical security is a public good, while computer security is a private good. (Websearch the definitions if you don’t know them already.) The economics just don’t match up.
This is well within the scope of what the government should be doing--just as a country's navy protects merchant ships from pirates and the police protect shopkeepers from burglary. If a foreign military were launching physical attacks on your business we'd expect any government in the world to intervene.
Realistically even with government support, effective cybersecurity is going to require significant private effort and investment as well.
Should our society collectively pay for walls, doors and locks for every company in the country? How about paying for private security on every site? How about paying for personal bodyguards for every CEO? How about we all chip in to buy a password manager subscription for every private employee in the country?
We should regulate and punish, not subsidize. The same way we have dealth with corporate recklessness for decades.
I'm not sure what specifically is being proposed here. I gave some specific examples of government actions to protect its citizens engaging in commerce going back hundreds if not thousands of years. I'm not aware of any government which has paid for doors, locks, or walls for every company in their country, I suspect any action taken by the NSA would be guided by similar restraint.
As the parent comment said, I'd like to see the NSA working to get zero day vulnerabilities fixed as opposed to hoarding them for future exploitation. At least this is my perception, to be honest aside from a few examples I've heard of I don't actually know whether I've correctly characterized their activities, they may already be doing this.
I agree to a point, but to continue the physical-security analogy: while private businesses should not be negligent in securing their property, a patrolling police force should also exist to discourage theft and vandalism at large.
I think the private and public sector have both been negligent when it comes to cybersecurity. Both need to improve. (Like you, I'm willing to bet the private sector is hoping to sit back and let the taxpayer foot the bill for everything. This is a problem too.)
The costs are already socialized - it's our data that gets stolen in hacks. The problem is, the megacorps who lose it must only pay a negligible reputational penalty.
If you could claim compensation for data lost, if businesses had to foot the bill for everybody who's security and privacy is impacted by data breaches, then it would quickly become something they would have to insure against, then the insurers would demand they take reasonable precautions. A system of fines would work well, for instance - an aggressive enforcement of the GDPR or similar, for instance, could create this kind of virtuous circle.
Or, alternatively, the NSA could be tasked with constantly pen testing US companies' computer security. If they find a problem then they would mandate fixes and assess a hefty fine. The fine would be used to cover the NSA's costs and to pay a bounty to the individual who discovered the weakness.
Corporations pay tax too, if I was an American shareholder of a company that went to the wall due to a 0 day vulnerability that was known by the NSA I would not be happy. Imagine if you found out that the NSA knew about COVID but didn't develop or release a vaccine because they wanted to use it themselves, why is it really and different if corporations are people too?
Modern Corporations don't pay reasonable tax though. For NSA to know about covid, and for that vaccine to be developed requires that there are thousands of people educated, mainly from public schools to which they aren't paying anything towards nurturing by avoiding tax in the first place.
Police forces are paid for with taxes and respond to private businesses. What if publicly funded cybersecurity ends up costing everyone less money over the long term?
Tax laws are a different issue, even though I agree some megacorps aren't paying their fair share of "private security" right now.
Let's say you're a CEO at Big Pipeline Co. One day your phone rings. It's the NSA.
They say your systems are vulnerable as hell. That you're very likely going to be breached in a quite expensive way very soon. It could shut down all the pipes on which Big Pipeline Co depends!
They offer to patch your systems for you. Do you accept, knowing that your staff will have to hand over hundreds to thousands of credentials? Knowing that the employees of the NSA care more about patching than if your systems work afterwards, and you have no real recourse if they screw up?
If you don't accept, what would you prefer the NSA do to secure your company's systems?
The NSA’s mission-statement in domestic civic cybersecurity is to ensure the flow of commerce, i.e. to protect GDP. They aren’t going to patch things in a way that makes them not do their jobs any more. That’d be an “attack on commerce” just as much as exploiting the vuln would be.
That's true in broad strokes, but I'm trying to portray things from the position of an executive. Having a bunch of outsiders that you have no real influence over in charge of your systems is terrifying.
The alternatives are a regulatory system for information security or offering advice and hoping companies implement it. There's a lot of advice on offer.
The law should require certain minimums of security for infrastructure deemed vital, like oil pipelines. If entertainment companies and HIPPA can ensure those they work with practice good cybersecurity, why can't the government do the same?
There's already branches of cabinet-level departments that try to do this. In my opinion they're having about the same level of efficacy as one might expect in any other set of large-scale changes in very large old companies with a wide variety of internal systems and needs. If you look you'll find a plethora of government-led attempts to secure various critical industries.
You'll also note that entertainment companies and hospitals are routinely breached. There's perhaps room to question if they are indeed practicing good cybersecurity.
I’d prefer the NSA put in the hard effort to shed their reputation as spies and start by offering plain security advice in the open that can be verified by independent experts. The best way forward is for the NSA to focus on providing high quality security advice, best practices, and guidance to critical infrastructure. This doesn’t involve handing over the “keys to the kingdom”.
The NSA seems to agree with you. So do the Departments of Energy, Commerce, and Defense, all of which have various efforts to provide independently verifiable high quality security advice, best practices, and guidance. In some cases, they've been doing so for years.
But let's skip the NSA bit. Let's say you, CEO of Big Pipeline Co, have been called up by someone at The Office of Cybersecurity, Energy Security, and Emergency Response within the Department of Energy. They offer you all the advice and guidance you could wish for. Now it's up to you to budget resources. What do you do?
Realistically, you probably hand that advice off to your IT or software staff and hope for the best. Though I realize that reasonable people may differ on this point.
Surely the NSA can tell companies about their vulnerabilities without having to actually log in and fix them? "You have a server on 23.117.25.208:3999 which is vulnerable to CVE-2021-1120, fix it."
Realistically, I find it not credible to believe that nobody in big infrastructure companies with IT departments is aware that they have vulnerable systems. I find it far more likely that people are aware and people in positions of leadership making decisions about risk have decided that these risks are acceptable.
Do you think getting an email from the NSA telling IT what they already know is going to change those calculations? My experience with bug bounty programs is that leaders who make risk decisions are more likely to shrug and say "I know, we're OK with that risk".
I realize that this is a personal judgment, and other people may have had wildly different experiences.
> an email from the NSA telling IT what they already know
No, that's not what the email from NSA would say. It would not say "there is a risk of your systems being compromised by cyberattack" in general terms, which is what IT already knows. It would say "your systems are vulnerable to these specific attacks", which IT does not know. So yes, getting this new information should change the risk-benefit calculation dramatically.
I've been on the receiving end of various emails like that. They have details on specific systems and specific attacks. They're occasionally useful, but often not. Knowing that a particular app is vulnerable to XSS might be useful, if I have staff that can fix it and they have the spare cycles.
For example, a hospital IT department might get an email telling them that their MRI is exposing remote desktop to the internet with default credentials. They know that. They don't change it because if they do, their vendor will drop support. This is a real thing that real medical hardware has to deal with, and it's only slowly getting better.
A big industrial company might easily have it worse than a hospital. Fixing the specific CVE on a specific port on a specific machine might mean having to retire a whole series of obscure, niche bits of SCADA hardware that don't support anything modern. It's like all those IoT gadgets that don't support 5GHz, writ large.
Somewhere between those two, you have your well-run Windows network. It's probably a month to several months of patching behind. IT has a whole process to test any new patches for stability and compatibility with line-of-business software to ensure that nothing breaks. Knowing that their systems are vulnerable to the CVE that's fixed by a patch they're testing - or tested and found broke something important - might not always help them very much.
If the message comes with, "You have X time to fix this or you will have Y penalty" it definitely changes the risk/reward equation. Severe enough penalties moves it from "if we have spare cycles" to "how do we get this done."
That is certainly not how it works. See the links others posted for context. NSA is more likely to inform you of the vulnerabilities and associated mitigations.
I understand that's not how it works. I'm constructing a deliberately absurd example to show both how the NSA could help and why companies wouldn't accept it.
Let's say you're the Chairman of the Board of Directors at Big Pipeline Co. One day your phone rings. It's the NSA.
They say your systems are vulnerable as hell, and they told the CEO about it, but he did nothing. He didn't allow the NSA to come in and fix anything; he also didn't take any action on his own to have people internal to the corporation fix it.
What's your obvious response? Fire the CEO and install a new one who will direct the appropriate resources to fixing the problem.
What CEOs have ever been fired for security breaches? If the "free market" doesn't care, why would any "I told you so" from the gov't make any difference. He'll have already taken his golden parachute and some poor CSO will take the fall.
> What CEOs have ever been fired for security breaches?
None. That's part of my point: the root problem is not actually security by itself, it's bad corporate governance. CEOs should be fired for such things, but they're not.
> If the "free market" doesn't care
Corporate governance is not a free market nowadays. It was more of one in the past (although an argument can be made that there were important non-free market forces even then), when most stock ownership was in the hands of individuals who at least had some incentive to hold boards of directors accountable for long-term stewardship, since they were investing with a long time horizon for their own retirement.
But now most stock ownership is in the hands of large mutual funds (since that's where most people's retirement funds are now), which don't care about long-term stewardship; they only care about short-term earnings. So corporations have a positive incentive to overlook things that, to be fixed, will require sacrificing short-term earnings for long-term stewardship. Individual investors never even see this; all they see is the overall rate of return of their mutual funds. So they don't realize the long-term consequences of what is going on and aren't able to apply free market incentives to correct things.
To play devil's advocate, how much money did this breach actually cost the pipeline? A few million bucks?
That's probably a rounding error on their quarterly report. Heck, it might have cost them more money to hire more people to provide adequate security to prevent such attacks than to just suck it up and get attacked.
It may actually be economically favorable to stay insecure!
If that were the case, the market would actually encourage CEO's to spend less money on security, not more.
Let's say that you're a CEO at Big Pipeline Co. One day your phone rings. It's the NSA.
They have a report with a list of vulnerabilities. If you don't fix them to your satisfaction, you will be fined in 2 months, 2 months after that you get fined and publicly reported as negligent, and 2 months after that you get fined again and your outstanding vulnerabilities will be published for everyone to take advantage of.
How much effort are you going to put in to securing your infrastructure?
What exactly do you expect the NSA to do? This is entirely preventable. Something as simple as an offsite tape backup completely thwarts the attack.
Do you want the NSA to send agents out to every Fortune 500 with a blank check so taxpayers can pay for a sane backup strategy to stop a problem we solved 30 years ago?
Wasn't NSA involved in finding Osama or Suleimani? Find them, then send In Tom Cruise, drone strike what have you. Israel isnt targeted cuz thats what their response woule be to this type of stuff.
Are Russia or China going to react any different from Iran or Pakistan? They currently think they are untouchable. That needs to change.
"Something as simple as an offsite tape backup completely thwarts the attack."
Not true when they are also blackmailing companies to not release their internal data.
Even something as simple as a companies customer base and contracts with them can do a huge amount of damage to the company if it's publicly released. So paying a 2 million dollar ransom is the more profitable choice for the company.
Even if the company isn't doing anything illegal or that it's ashamed of.
The DHS in conjunction with the FBI is supposed to be protecting our critical systems from foreign attackers -- and they are failing spectacularly. New laws and new approaches will be required to even begin to make headway, especially where private companies' operations intersect with national security issues. When should the feds be allowed to access my network to verify my assets are secure.
The NSA's charter is foreign signals intelligence (including computer networks), not law enforcement -- They can't spy on Americans in America except under extraordinary circumstances (Must have a FISA warrant and that person must be talking to one of a few thousand foreign bad actors). And even then, the collected data is not court admissible. Only the FBI and other law enforcement agencies can spy on Americans in America in legally admissible ways using court orders.
The real issue here is when exploits should be weaponized or shared with industry. Should we prioritize the protection of our networks or should we penetrate the networks of our adversaries? This is a tricky political question that needs to be seriously addressed, the status quo is broken.
Ransomware is actually a legitimate threat to the well-being and health of all people. They lock down government and health records. It a huge risk to the American people
That doesn't mean you avoid making laws for the legitimate threats, it means you also keep tabs on how they're used. A system of laws, and a system of oversight for the use of those laws.
Yes, keep tabs on how it's used. But also, when it's being written, try to think about how it's likely to be misused, and write it in a way that it can't be misused like that. (Amusingly, I made a typo, and misused came out mis-sued.) Legislators try to write laws broad enough that they cover everything and can't be weaseled out of, but that leads to them covering more than intended.
If the USG treats this even close to the way they treat terrorism in regards to policy and funding, I’m curious what that will look like and how nation-states harboring those people will react.
They absolutely should. We are in the midst of a cyberwar against criminal gangs sheltered by a kleptocracy that already attempted political sabotage against this country. All options must be on the table including physical retaliation - the threat isn’t going away.
I think a lot of people don't realize this, because I never see it mentioned, but when the Soviet Union dissolved we (U.S.) convinced the Ukrainians to give up their loose nuclear weapons with the promise that we would protect them going forward. I may be time to ratchet up on that promise and help the Ukrainians drive the Russians back across their border. Crimea will stay gone because it belonged to Russia to begin with (https://en.wikipedia.org/wiki/1954_transfer_of_Crimea) There are a lot of things we could do with Ukraine to punish Russia.
Everyone points at Moscow as if they are behind the attacks, when, in fact, all we know is that the hackers are probably based in Russia (if treating Cyrillic keyboards specially isn't a silly false flag). They say Russia is unwilling to do anything etc. But did the FBI actually reach to their Russian counterparts for assistance? Or are they waiting for Moscow to come forward and fix all their security problems on its own? 10 years ago when mail bride order scams were popular (targeted at US/Canada/Australia), Russian police actually did catch and imprison a lot of scammers after American/Canadian requests; some of them in my own town
Bruce Schneier, our country needs you! If you—or someone with your mindset—isn’t in authority and we get the technical equivalent of the TSA, we’re in for a world of hurt and trouble.
Of course you get the technical equivalent of the TSA. Even if you had Bruce Schneier setting it up, he won't run it in perpetuity; government in the long run descends to maximum power exercised with minimum intelligence unless prevented by the people governed.
For me "Terrorism is, in the broadest sense, the use of intentional violence to achieve political aims", there is no political aims here, their goal is to extort as much money as they can from their victims. This is a criminal activity and any small or big companies that pay for it are feeding the monster and should be persecuted. But the US has been ignoring it for years and now it comes right back to them.
They haven’t said ransomeware is terrorism, only that they’re going to prioritize it like terrorism. As in, it will follow a similar centralized reporting process. I don’t think the goal is to start sending hackers to Guantanamo or categorize ransomware as WDMs. Not yet, at least.
The willful ignorance and non-action by states that provide a safe haven for launching these attacks seems to be potentially political to me. If the attackers are state backed, then its definitely political. If the attackers are not state backed, it seems plausible that the state has made a decision to allow the attacks to take place because sowing chaos and discord in the united states is an aim of their government.
It's the international "finger in front of the face, I'm not touching you" game. But by any reasonable interpretation, yeah, it looks the lack of prosecution of ransomware groups is lacking for one reason or another.
Finally we going to get security research paid properly and companies punished for not fixing their zero-day-sponges. Oh, its just another monstrous deterrence Three letter agency.
But yeah, in a game-theory sense, its the cheapest option, to have a nuclear counter strike, instead of building all cities like underground bunkers. Security, by strike team. That would actually work, if all countries agreed on that.
Or the internet is expected to break into allegiance-sized parts. The server only connects to country, who will extradite cyber-criminals and adhere to this connection contract.
Before the yacht was launched, before it was first put in the water, there was a big problem with rats entering through the large holes in the bottom of the hull. To remedy the situation, the yacht builders began feeding a large number of cats around the base of the yacht while they finished the furnishings and painted the gold trims. The rat problem was solved and the happy day of launch is near.
They'll just hire a million little Dutch boys with SCUBA to put their fingers where less wholy materials up to ship-building codes belongs. Problem solved!
wholy -> holey? Definitely not wholy. That's partly wholly. Wholly is derived from whole (all/everything/complete) and not relating to a hole.
This is an adjective derived from a noun, so hole -> holey. It could be hole + ly -> holely but it isn't.
Now, we have the word pinned down. How on earth do you pronounce the bloody thing? For me (en_GB): hole-ee. The dash "-" is not a pause, I would run the word hole straight into the ee sound. The ee phoneme is quite short.
So we are going to launch a trillion dollar war on ransomware which inevitably leads to more ransomware before patting ourselves on the back and saying "mission accomplished"? Are we also going to make ordinary citizens take off their shoes and get probed before using their computer?
US Constitution empowers Congress to issue "Letters of Marque and Reprisal" - to wit grant permission for private entities (people, companies) to wage war on other private entities. Enacted to help shipping companies deal with pirates, applies today for the likes of ransomware perpetrators.
They fucked up by targeting infrastructure. If they stuck with small companies they could keep doing it till the cows came home. But now they have governments against them so now they will be hunted down.
These groups aren't really "targeting" anyone. These ransomware attacks are as sophisticated as nigerian prince emails. Send out a lot of spam, wait for someone who clicks on it and is running outdated software and boom. Sooner or later you will encrypt something important enough to pay for.
Ehh, you can have reasonable security and still be a terrorism victim, you can have reasonable security and still be a crypto-ransomware victim.
This is like tut-tutting arson victims for using wood in the construction of their buildings.
I'm okay with encouraging reasonable levels of security while also making life horrifically miserable for people engaged in criminal enterprises that attack those victims.
So let's look at the chain of events: companies start to become monopolies, make billions of dollars that way. They become "too big too fail", important "infrastructure" for the US. Then, start to expose their user's data on public networks, and don't follow proper security procedures. Now, the public has to pay for the government to secure the magacorp networks! It's a non-stop scam, where they fail their (already small) responsibilities and use public funds to increase their monopolies!
It is good, but it still does not beat JIT. First MBAs various JIT acolytes did everything to make sure there is nothing on hand or manufactured in US just in case it ate into the profits and then when the 'everything shortage' happened, they had the balls to run to the government asking for bailou.. sorry.. incentives to move manufacturing to US. It is fascinating to watch, because it is done with a very straight face and expensive lawyers.
The Colonial Pipeline is a monopoly? It appears to be a joint venture between at least 5 energy companies. Or to what monopoly are you referring? There is not mention of any other companies in this article.
When hackers start to interfere with American food and energy supply chains, it rises to the level of national security, IMHO.
With all due respect, it seems like you might be jamming this story into a pre-chosen narrative.
I too dislike megacorps, but you could say the same thing about a business being robbed - they most likely could have done something to prevent it but police will still respond and not charge them for it.
Well it's one thing getting robbed when you took precautions like securing your back entrances, putting security cameras in your store, putting the cash in some kind of safe and it's a different if you take no precautions whatsoever and everything is out in the open.
Many of these companies that get hacked haven't even done the bare minimum, so it's not even remotely comparable to a robbery imo.
590 comments
[ 0.79 ms ] story [ 303 ms ] threadMost drug users are never prosecuted. But the threat of prosecution does very little to affect the quality of their purchase, relative to what it would do to BTC market as a whole.
Outlawing Bitcoin (or cryptocurrency generally) would cause a huge demand reduction. Some coins might adjust supply to compensate, but total crypto "market cap" would surely plummet.
I thought I smelled authoritarianism! Here we see the ultimate purpose of this entire desultory exercise. Having problems online? No backups? Don't fix your pathetic shit; just be the excuse for the USA military-enforcement-imprisonment-industrial complex to oppress everyone on earth. Good grief.
Nations make laws against bad things. People who violate those laws go to jail. A ban on cryptocurrency (or rather, exchanging it for dollars) will be a hell of a lot easier than banning popular intoxicants.
We're done putting up with this particularly pernicious iteration of tulip mania. Time to pull the plug before it does any more damage.
It’s really bot unusual for the law to treat things differently based on the purpose for which they are used when they are “just a database, in essence”.
See? I can do it too.
But yes, everything can be banned eventually. We'll just go back to living in the cave.
What if society determines that cryptocurrency also has negative externalities? You're free to disagree but I just stuck my finger in the air and it's pretty clear which way the wind is blowing.
Here's a thought experiment: If you're a political party that had taken over the government through criminal means such as election fraud or more coercive methods such as a disinformation/propaganda campaign or a coup, the first thing you will do is to make sure that you have control of the money. Since cryptocurrencies are too transparent and undermine the absolute control of state-issued currency, these will be seen as a threat to the criminal government and will be the first thing to get banned.
We can quickly see that the world's worst criminals at the highest levels hate cryptocurrency, and prefer to use the existing paper-based technologies instead, that allow them to be more opaque and retain absolute power.
Good luck pushing that line anywhere other than technolibertarian friendly HN or the various ancap subreddits.
By pointing out that crypto is banned for regular North Korean citizens, did you not just prove my point that it's a worthless tool for countering authoritarianism?
If you don't see how this mean the price will crash, I don't know what to tell you.
Drugs are renowned as a special case when it comes to states' enforcement power. Currency control is not.
Outside failed states, capital controls and foreign currency restrictions have been historically well enforced and followed.
The U.S. banning cryptocurrencies, sanctioning connected individuals and firms and committing to leveling repeated 51% attacks would functionally destroy most cryptocurrencies. (There is zero indication this is being contemplated.)
Are you confusing this with the debate around encryption? That wouldn't surprise me coming from someone who uses the phrase "nocoiner".
Shutting down Coinbase, however, will have no effect on bitcoin or the people who use it. That's the point of bitcoin, and it has been since the protocol was published.
You all are more than free to continue to associate with each other. As long as you're not breaking any preexisting federal laws (let's be honest: most of you are). It's the normie and Wall Street market we are targeting. Good luck maintaining the bull run, sweetheart.
The most precious thought is that one might think to reign in authoritarian capitalists by attacking the one thing created in the last century that has a chance of actually undermining authoritarian capitalism. You don't actually think that, because ITT we see plenty of evidence you're on the other side of this conflict.
You keep focusing on the enforcement itself rather than the goals we hope to accomplish via enforcement. I infer that you have a special fascination for enforcement, but please understand that many people do not share this special fascination with you.
I'm inclined to say Jeff Bezos is no better. But then I remember he and his companies have actually produced some innovations that are legitimately beneficial.
https://en.m.wikipedia.org/wiki/William_Leonard_Pickard
Heck, even in American history we once tried to ban private ownership of gold bullion. The black market price of gold rose substantially.
That's a nonsense comparison. When governments impose capital controls it means their currency is already sinking and it's a last ditch attempt to prevent this inevitable scenario.
BTC valuation is entirely based on narratives about how it's going to replace standard currency in whatever story is popular, and from what I can see right now it's being pumped up by funds who can't find other good investments in this markets and are willing to play with crypto. If it's illegal for US funds/citizens to hold it/be involved with it - the selloff alone would kill the market instantaneously.
There's no reason to think that, say a Japanese pension fund, that's invested in Grayscale is going to say, "oh shoot, guess there's no possible way to allocate to this asset class now". They'll just reinvest that same allocation in a UK or Caymans domiciled fund.
If anything the 85% of crypto investors who aren't invested, will most likely hoard in anticipation of the policy being reversed. For better or worse the US government has extremely low credibility when it comes to long-term policy consistency. Almost any US policy can simply be waited out until Congress/White House flips parties.
Holdings would seem to be more reasonably assumed to be proportional to wealth [0], not GDP. The US has a significantly larger share of global wealth than it does of GDP.
[0] or maybe more-than-linearly related, since less-wealthy people will have more of their wealth in directly-used assets like tools, vehicles, and homes.
Bitcoin market swings on Elon Musks tweets, a full scale ban in the US would obliterate it.
While BTC may burst, it wouldn't go to $1/BTC. it would go to a small percentage of what it is now, but still retain some value.
I haven't bought any Monero, but I saw this website the other day: https://localmonero.co/
If that's legitimate, it seems pretty easy.
I buy Monero by buying Litecoin at any exchange and then swap it for Monero using blocktrades.
Notably, Binance allows buying Monero directly.
Bitcoin is easier than hard cash to track. There's no need to make it illegal. I suppose you could argue that government is heavy handed enough to simply ban the mechanism by which ransomware payments are so easily conducted by. My intuition is that government would prefer to regulate it rather than outright ban it.
Terrorist financing is illegal. Cash is not.
So there's a lot of reasons the US government just may find themselves happier without it.
[1] https://www.elliptic.co/resources/typologies-concise-guide-c...
[2] https://ciphertrace.com/2020-year-end-cryptocurrency-crime-a...
[3] https://blog.chainalysis.com/reports/2021-crypto-crime-repor...
There's a ridiculous amount of volume on Bitcoin and it's mostly moving to and from exchanges. There's no way a majority of those are illegal.
Barely. The portability usually ends at country borders.
> Bitcoin is a problem in search of a solution.
Don't you mean "a solution in search of a problem?" Nice Freudian slip, though :)
Coinage used to be more portable in the days of precious metal coins. But honestly I’ve had very little barriers in converting cash. It’s a solved problem.
but the computational power is nessisary for the network to function in a manner that is provable to new nodes. Because you can use a digital signature to confirm a transaction happened after some time, but not before some time.
I don't think cash is a solved problem within the context of computer networks. If I could transfer money using a program by using a digital signature, I would be satisfied, but anyone who can get access to my credit card numbers (and name, billing address and other open source info) can make purchases in my name. And you of course must rely on the fractional reserves of some central entity.
If ransomware gangs are directly or indirectly targeted by OFAC, that would have massive ramifications.
Doesn't existing anti-terrorist financing (ATF) law cover this?
What happens when a company is a victim of a ransomware attack and OFAC puts the extortion wallet on an exclusion list?
That wallets gets tainted? Its coins become less valuable? Marked wallets have been an obvious thing coming down the pipes.
So now, know your customer turns from “be sure I don’t send USD to a specially designated national” to “be sure I never accept crypto from a burnt wallet.”
You have to declare it. You’ll probably get follow up questions on how you got it and why a wire doesn’t work. But otherwise, large quantities of cash transit the U.S. border all the time.
Rather it's been the banks that have been clamoring to get a piece of the bitcoin action, not the other way around.
https://en.wikipedia.org/wiki/SCION_(Internet_architecture)
2) Are you arguing that the actual Great Firewall, a real thing we see actually working on a massive scale, does not make it much harder for foreigners to cyber-attack China?
3) See my other post on this thread—there's work toward re-designing the Internet to make evading state- or bloc-level origin control, including communicating with existing compromised nodes inside a state, remotely, way harder than it is now. I'm talking at the node-to-node routing and backbone level. It's interesting/terrifying stuff.
4) Couple 3 with some other minor and fairly obvious tweaks to how Internet access works, and even getting a foreign device with its own infinite-range radio into the target state would be reduced to step one of several to gain access to a target state's network, and that access would likely not last long if you start doing anything weird with it.
(Just don't equip your army with only nuke missiles because they destroy all of the good stuff and psy attacks would cross the streams.)
*Back when I was obsessed with this in the early 2000s I'd never heard of Elerium-115, it was always Element-115. Looks like the origin of the name is actually a game in 1994, but may not have become common until around 2013/2014.
Ominous music plays
:big hair band emoji:
:hairbear (too much hairspray) emoji:
:big feline pants emoji:
:leather pants emoji:
:excessive silver jewelry emoji:
:loud motorcycles emoji:
:mosh-pit emoji:
\m/
Looking back with 20/20: clothing styles back then, even for the rockstars, were damn basic: 99% long-haired, half-naked paler-than-I people in jeans, jean jackets, and wifebeaters. xD
https://en.wikipedia.org/wiki/Extraterritorial_jurisdiction#...
In fact, I would be surprised if we *didn't* have extraterritorial enforcement of any ransomware laws.
Hackers in Russia extorting Americans is illegal under U.S. law; that's extraterritorial jurisdiction. The U.S. government going into Russia (or Pakistan or Ethiopia) to punish those hackers without the home country's permission is extraterritorial enforcement.
We have a lot of precedence with the former. The latter's use is more limited, for obvious reasons.
https://www.goodreads.com/book/show/41436213-sandworm
And here's an interview with the author
https://www.theverge.com/21344961/andy-greenberg-interview-b...
And shifting from one to the other appears to be happening, to some degree: https://breakingdefense.com/2021/06/dod-budget-appears-to-cu...
The way the Air Force specializes in the air.
It is just incredible how we are always fighting the last war. From 9/11, instead of learning we need to constantly stay on top of a shifting battlefield we learned to fight Islamic terrorism. Not good.
Which is it?
This discussion is more policing, which is out of scope.
Why do you think China or Russia prefer to hack foreign private competitors rather than sending a bunch of missiles on their infrastructure?
And security via threat of retaliation does not sound like a practical or effective solution either: we already have plenty of capabilities in that area, and it didn't stop east coast oil & gas infrastructure from going down or a sizeable portion of the nation's meat processing from going the same way. These attacks are escalating rapidly, and relying in the free market to find a solution doesn't look like it's going to happen fast enough.
This needs to be a national, not (just) a private corporate issue because of the enormous national security implications involved in cyber attacks against infrastructure. When a single company's security failure can cause national chaos, there needs to be a nation-level approach to this.
I don't see what the public could do better than private entities, besides absorbing their costs. The only way I can see it practically working is if the private sectors would allow government entities full access to their IT infrastructure, submit themselves to random controls, audits and checks, and bear sizeable fines if they're found to be negligent.
Unlike "real war", cyber defense also gets to design the battlefield, everytime time. There will always be social attacks, but the stupid C and Unix stuff that is the bread & butter today is completely preventable
Tbh I trust the FAANG companies to run better security. Government is incompetent in this area.
The fact is that the correct and secure working of computer systems and networks has been severely neglected by companies in favor of their profit. If we are to have state response to such neglect, it should be funded by a huge tax on every copy of Windows.
Are you sure about that? A lot of this stuff is way more than just some bored kid. For the company I work for, there is almost certainly a group of well paid people who sit around every day trying to figure out new ways run scams using our site.
When there is financial motivation, people go through great efforts to get that $$$.
"Security" isn't some catch-all box you can check. It's a non stop game of whack-a-mole where your adversary spends each day getting around whatever you put into place.
The software industry should be ten times bigger than it is, but the economic incentive has been to make it cost less, rather than to make it safer.
I feel this deeply within my soul.
I think it's actually harmful, because people that don't know any better thinks a Qualys scan means something.
https://www.google.com/search?q=holland+russian+hackers
I agree with hack-back. I agree with a number of proposed solutions, but at the very end of the day the problem with cybersecurity is that most orgs don't have the fiscal allocation that they need if they were to have any hope of stoping foreign states.
Rather than compare it to armies, I think we should compare it to spies. If this is truly at the army level we could send a couple dozen missiles and the attackers would get the message. But there are reasons we don't do that though. First, we're not always sure who did what. Second, it's a political quagmire. Armies don't come to your house and help secure it from air strikes. Armies understand attack asymmetry and they hit back.
But when it comes to dealing with foreign spies there is a different playbook. The government helps organizations that are critical to national security secure their entry points and resources. They help, but they don't do everything.
This only works if the parties involved are interested in working with the government. Long after Nortel was first told of the Chinese hacking / stealing of their IP they were still woefully insecure. They went from being a third of the Canadian stock index to bankruptcy in a couple of years.
I don't actually think cybersecurity is possible. I've tried very hard to get governments to change, and there is some progress on the most fragrant violations, but the space is growing too fast and the domain is too maneuverable. I don't think it is possible. All we can hope for is some combination of more defence and realignment of incentives of the actors involved limiting the eventual damage.
They can publish best practices, research vulnerabilities, provide educational support, and generally do all the kinds of things governments do to encourage the right behaviors. We have some of this, but at some point, switched to the sexier "the best defense is a good offense". Likely because defense is hard.
How are we going to handle the calls from very angry officials in Ukraine, Belarus, Poland, Hungary, Slovakia, the Czech Republic and Germany?
In meatspace we expect the government to use kinetic force to stop people from attacking us. Like if I leave my door unlocked and some person comes in to start stealing my stuff, the cops really will respond and come stop that person (I have had a home breakin they responded quickly to). They didn't blame me for having bad locks. I pay a lot of taxes so my walls and locks don't have to be perfect.
In cyber land, it's an anarchy. The government offers no defense. But there's no reason someone can't offer a deterrent. Like if you knew who broke into your servers, and there was a goon squad that went and broke down their door either kinetically or electronically I think a deterrent strategy could eventually work. Like it literally does for meat-space security.
(Not totally sure I want that, but I'm just saying it would probably work and we haven't really tried it yet.)
What do you do ? Sending a single missile/drone wont work because Russia has air defense (probably - with them you never know how on top they are, but they will after the 1st one). Sending multiple might work, but Russia might fire back and start a war.
Sending special forces, or whatever would probably work better first few times, until Russia deliberately set's a trap for them.
How about if they are form China, or maybe France or India and you don't relay have prof that would stand in court ?
And then what, it's not like USA doesn't have its own hackers that do shady stuff internationally. Other countries have spacial forces as well.
I am not sure we want to go this way.
In practice that means US doing whatever they want in poor countries (where they already do whatever they want), and not doing much in powerful enough countries where most of those criminals actually are.
Most of the time we don't even know definitively who is behind the hacks, so it's kind of a moot point.
It's not that uncommon.
Spy-craft is notoriously laughable in its effectiveness. InfoOps, on the other hand...
I guess I’m saying comparisons to both Air based warfare and to the propaganda machine are both the most useful analogs, imho.
I love the smell of marginally improved security practices in the morning.
(If you want to argue that this is a realistic response, please explain how doing so would not be acts of war, inviting both retaliation and much worse acts then justified by ours.)
I don't expect the US to start handling this that way any time soon, but I'm not sure it'd be irrational for a nation to decide a cyberattack is, in fact, an act of war.
Even once that's all decided, we'd need to figure out if war would be a reasonable response. I'd propose that one of the main reasons the US hasn't ever escalated the situation with North Korea, even if we ignore China's likely response, is that actually subduing the populace and occupying the country would likely be extremely difficult. It's unlikely that a thoroughly bombed North Korea would be any more stable and friendly than the current North Korea.
War is extremely inefficient at bettering the lives in any of the countries involved - there are times when it is necessary, but it should be avoided whenever possible.
China is literally the only reason the US tolerates North Korea. And China solely tolerates North Korea because it causes all sorts of irritation for the US. Arguably, it would be better off for everyone living in North Korea if one of those two powers annexed it outright, but geopolitics loves backwater proxy wars.
Closer to the active phase of the Korean War, the USSR was also a factor. Today, the US distaste for instability, and naiton-building, and North Korea not having a hoard of oil or something similar to overcome that distaste is also a reason, today.
This is an unpopular opinion, but I feel like we should generally accept nation-building doesn't work well, countries we leave tend to go back to being horrible in a number of years after we set up a new nation there. And accepting that, and accepting sometimes that countries are completely failed, harmful to world security, and larger countries need to intervene: Annexation isn't actually a bad concept. It's absolutely frowned upon today, but I'm not sure is worse than what we've done to half a dozen countries in the past couple decades alone.
The barrier to war should be high, but at the point you obliterate a nation's governing structure, defenses, and likely civic infrastructure, you should accept you have a permanent responsibility for the civilians there. And maybe the best way to be democratic about it is to establish a process that states one annexes can petition and vote for secession after they've reached a more stable position.
> North Korea not having a hoard of oil or something
There's that. North Korea is a property that literally only Kim Jong Un wants. And major powers seem perfectly fine to let him have it as long as he mostlyish behaves.
If US government authorizes the NSA/CIA to infiltrate/attack all bitcoin exchanges that accept payments from wallet ID with ransomware, the problem likely be solved very quickly.
How many people are you ready to kill over ransomware?
And weren't we just splitting hairs the other day over whether or not Belarus forcing an airplane flying over Belarus to land is excessive use of force? Apparently, ballistic missiles targeted at office buildings aren't?
If this continues to happen we are looking at a really bleak future. There is an -insane- amount of money at stake here. How many meat/farm futures got affected by just taking out the meat industry this time? How much money can these people get not just by the ransomware attack, but by also knowing how fucked an industry is about to be and cashing out.
When they can do this shit with impunity it's a problem. And there's potentially a lot of money available.
This is all just ignoring the fact that some of this might be state sponsored.
I think it's time to start getting some sort of cooperation from said nation states and allowing us to help take out some of their trash.
Because the other option is to treat this like state sponsored attacks on our infrastructure and no one is going to like that.
Cyber warfare, whether ransomware or espionage, is largely asymmetric. Why would these other countries want to play ball when they have everything to gain?
The answer tends to be that you make them cooperate by attaching additional costs to the actions, in order to make them less attractive. These costs come in two major forms, which we might want to categorize as passive and aggressive.
Passive costs might include: - Sanctions - Investigation/Arrests
Aggressive costs might include: - Offensive hacks - Military response
The issue here seems to be that the passive responses aren't likely to be strong enough to dissuade the other actors, while the aggressive responses are too costly. Aggressive counter hacks might just normalize cyber hacking and espionage, and the US is on the wrong side of that asymmetric gamble. Normalizing the behavior would be likely to make it worse than it already is!
Military responses go too far. You can't reaaalllly militarily respond to another nuclear power. Not directly. The potential outcomes there are almost uniformly bad. If you want to play the longer game maybe you do some poking and prodding by supporting third party combatants (IE: Soviet support of Vietnam against the Americans) or political opponents. But there aren't really that many great options on that front today for Russia or China.
So that leaves trying to increase the cost of the passive responses. This is kind of troublesome with China, since they'll just throw identical costs right back at you. It's a bit more possible with Russia, but Europe's entanglement with their power sector screws everything up. And it's not like we're lacking on Russian sanctions as it is.
You can try to play a strong defense, but that's kind of like putting a bandaid on a gunshot wound at this point.
Yadda yadda yaddad, I don't know what to do but I think it's an interesting problem!
Edit: Maybe I shouldn't say European entanglement with Russian power sector. I suppose it's more appropriate to say gas sector?
Realistically even with government support, effective cybersecurity is going to require significant private effort and investment as well.
We should regulate and punish, not subsidize. The same way we have dealth with corporate recklessness for decades.
As the parent comment said, I'd like to see the NSA working to get zero day vulnerabilities fixed as opposed to hoarding them for future exploitation. At least this is my perception, to be honest aside from a few examples I've heard of I don't actually know whether I've correctly characterized their activities, they may already be doing this.
I agree to a point, but to continue the physical-security analogy: while private businesses should not be negligent in securing their property, a patrolling police force should also exist to discourage theft and vandalism at large.
I think the private and public sector have both been negligent when it comes to cybersecurity. Both need to improve. (Like you, I'm willing to bet the private sector is hoping to sit back and let the taxpayer foot the bill for everything. This is a problem too.)
If you could claim compensation for data lost, if businesses had to foot the bill for everybody who's security and privacy is impacted by data breaches, then it would quickly become something they would have to insure against, then the insurers would demand they take reasonable precautions. A system of fines would work well, for instance - an aggressive enforcement of the GDPR or similar, for instance, could create this kind of virtuous circle.
Tax laws are a different issue, even though I agree some megacorps aren't paying their fair share of "private security" right now.
They say your systems are vulnerable as hell. That you're very likely going to be breached in a quite expensive way very soon. It could shut down all the pipes on which Big Pipeline Co depends!
They offer to patch your systems for you. Do you accept, knowing that your staff will have to hand over hundreds to thousands of credentials? Knowing that the employees of the NSA care more about patching than if your systems work afterwards, and you have no real recourse if they screw up?
If you don't accept, what would you prefer the NSA do to secure your company's systems?
The alternatives are a regulatory system for information security or offering advice and hoping companies implement it. There's a lot of advice on offer.
There's already branches of cabinet-level departments that try to do this. In my opinion they're having about the same level of efficacy as one might expect in any other set of large-scale changes in very large old companies with a wide variety of internal systems and needs. If you look you'll find a plethora of government-led attempts to secure various critical industries.
You'll also note that entertainment companies and hospitals are routinely breached. There's perhaps room to question if they are indeed practicing good cybersecurity.
The NSA seems to agree with you. So do the Departments of Energy, Commerce, and Defense, all of which have various efforts to provide independently verifiable high quality security advice, best practices, and guidance. In some cases, they've been doing so for years.
But let's skip the NSA bit. Let's say you, CEO of Big Pipeline Co, have been called up by someone at The Office of Cybersecurity, Energy Security, and Emergency Response within the Department of Energy. They offer you all the advice and guidance you could wish for. Now it's up to you to budget resources. What do you do?
Realistically, you probably hand that advice off to your IT or software staff and hope for the best. Though I realize that reasonable people may differ on this point.
Realistically, I find it not credible to believe that nobody in big infrastructure companies with IT departments is aware that they have vulnerable systems. I find it far more likely that people are aware and people in positions of leadership making decisions about risk have decided that these risks are acceptable.
Do you think getting an email from the NSA telling IT what they already know is going to change those calculations? My experience with bug bounty programs is that leaders who make risk decisions are more likely to shrug and say "I know, we're OK with that risk".
I realize that this is a personal judgment, and other people may have had wildly different experiences.
No, that's not what the email from NSA would say. It would not say "there is a risk of your systems being compromised by cyberattack" in general terms, which is what IT already knows. It would say "your systems are vulnerable to these specific attacks", which IT does not know. So yes, getting this new information should change the risk-benefit calculation dramatically.
For example, a hospital IT department might get an email telling them that their MRI is exposing remote desktop to the internet with default credentials. They know that. They don't change it because if they do, their vendor will drop support. This is a real thing that real medical hardware has to deal with, and it's only slowly getting better.
A big industrial company might easily have it worse than a hospital. Fixing the specific CVE on a specific port on a specific machine might mean having to retire a whole series of obscure, niche bits of SCADA hardware that don't support anything modern. It's like all those IoT gadgets that don't support 5GHz, writ large.
https://en.wikipedia.org/wiki/SCADA#Security_issues
Somewhere between those two, you have your well-run Windows network. It's probably a month to several months of patching behind. IT has a whole process to test any new patches for stability and compatibility with line-of-business software to ensure that nothing breaks. Knowing that their systems are vulnerable to the CVE that's fixed by a patch they're testing - or tested and found broke something important - might not always help them very much.
That is certainly not how it works. See the links others posted for context. NSA is more likely to inform you of the vulnerabilities and associated mitigations.
They say your systems are vulnerable as hell, and they told the CEO about it, but he did nothing. He didn't allow the NSA to come in and fix anything; he also didn't take any action on his own to have people internal to the corporation fix it.
What's your obvious response? Fire the CEO and install a new one who will direct the appropriate resources to fixing the problem.
None. That's part of my point: the root problem is not actually security by itself, it's bad corporate governance. CEOs should be fired for such things, but they're not.
> If the "free market" doesn't care
Corporate governance is not a free market nowadays. It was more of one in the past (although an argument can be made that there were important non-free market forces even then), when most stock ownership was in the hands of individuals who at least had some incentive to hold boards of directors accountable for long-term stewardship, since they were investing with a long time horizon for their own retirement.
But now most stock ownership is in the hands of large mutual funds (since that's where most people's retirement funds are now), which don't care about long-term stewardship; they only care about short-term earnings. So corporations have a positive incentive to overlook things that, to be fixed, will require sacrificing short-term earnings for long-term stewardship. Individual investors never even see this; all they see is the overall rate of return of their mutual funds. So they don't realize the long-term consequences of what is going on and aren't able to apply free market incentives to correct things.
That's probably a rounding error on their quarterly report. Heck, it might have cost them more money to hire more people to provide adequate security to prevent such attacks than to just suck it up and get attacked.
It may actually be economically favorable to stay insecure!
If that were the case, the market would actually encourage CEO's to spend less money on security, not more.
They have a report with a list of vulnerabilities. If you don't fix them to your satisfaction, you will be fined in 2 months, 2 months after that you get fined and publicly reported as negligent, and 2 months after that you get fined again and your outstanding vulnerabilities will be published for everyone to take advantage of.
How much effort are you going to put in to securing your infrastructure?
Do you want the NSA to send agents out to every Fortune 500 with a blank check so taxpayers can pay for a sane backup strategy to stop a problem we solved 30 years ago?
Are Russia or China going to react any different from Iran or Pakistan? They currently think they are untouchable. That needs to change.
Not true when they are also blackmailing companies to not release their internal data.
Even something as simple as a companies customer base and contracts with them can do a huge amount of damage to the company if it's publicly released. So paying a 2 million dollar ransom is the more profitable choice for the company.
Even if the company isn't doing anything illegal or that it's ashamed of.
The NSA's charter is foreign signals intelligence (including computer networks), not law enforcement -- They can't spy on Americans in America except under extraordinary circumstances (Must have a FISA warrant and that person must be talking to one of a few thousand foreign bad actors). And even then, the collected data is not court admissible. Only the FBI and other law enforcement agencies can spy on Americans in America in legally admissible ways using court orders.
The real issue here is when exploits should be weaponized or shared with industry. Should we prioritize the protection of our networks or should we penetrate the networks of our adversaries? This is a tricky political question that needs to be seriously addressed, the status quo is broken.
we had water, power, etc before computers so the computer part is not essential to operation.
[1] - https://upload.wikimedia.org/wikipedia/commons/thumb/1/10/Hs...
https://en.wikipedia.org/wiki/Government_negotiation_with_te...
https://foreignpolicy.com/2014/06/03/the-u-s-does-negotiate-...
But yeah, in a game-theory sense, its the cheapest option, to have a nuclear counter strike, instead of building all cities like underground bunkers. Security, by strike team. That would actually work, if all countries agreed on that.
Or the internet is expected to break into allegiance-sized parts. The server only connects to country, who will extradite cyber-criminals and adhere to this connection contract.
It was a nice dream, while it lasted.
This is an adjective derived from a noun, so hole -> holey. It could be hole + ly -> holely but it isn't.
Now, we have the word pinned down. How on earth do you pronounce the bloody thing? For me (en_GB): hole-ee. The dash "-" is not a pause, I would run the word hole straight into the ee sound. The ee phoneme is quite short.
Edit: I blame running out of coffee and almost falling-asleep at the keybbbbbbbbbbbbbbbbbbndfjhkngbc
[0] https://ourworldindata.org/grapher/fatalities-from-terrorism...
I get it, this is serious stuff.
What's the current official policy, is this still on the table (probably only for massive attacks)?
Over the past few years, threat actors have shifted to much more targeted attacks that net higher Bitcoin payment returns for their efforts.
https://blog.cloudflare.com/targeted-ransomware-attack/
Edit: Commonly mentioned in the same breath:
- the move from just demanding a ransom for the key, to threatening publication of sensitive info
- trawling through the data to look for anything especially sensitive, as well as clues to what number to ask for in financial records
outdated Windows software
That's not the case for terrorism.
This is like tut-tutting arson victims for using wood in the construction of their buildings.
I'm okay with encouraging reasonable levels of security while also making life horrifically miserable for people engaged in criminal enterprises that attack those victims.
When hackers start to interfere with American food and energy supply chains, it rises to the level of national security, IMHO.
With all due respect, it seems like you might be jamming this story into a pre-chosen narrative.
Many of these companies that get hacked haven't even done the bare minimum, so it's not even remotely comparable to a robbery imo.