Didn't a ransomware gang just renege on a deal and release the data anyway. Seems like they are killing their own business model. If company X cannot depend on the gang delivering why pay in the first place. Boeing will have to pay for any fallout form the data breach - why have the added expense of paying the criminals for the privilege?
They do that all the time. The first ransom is to get the decryption keys to the target's data, the second ransom is to prevent them from publishing the decrypted data.
Perspective as CEO of a backup and disaster recovery company...
A lot of folks now have ransomware protected backups for critical data so they aren't paying for decryption keys.
This has escalated to hack and release, the attackers are now exfiltrating data and threatening to make it public in addition to encrypting it on the host system.
>> If they're going to publish the data publivally, what do you need decryption keys for?
Because they will publish the bad stuff, the stuff you really don't want public, but likely withhold the boring stuff, the stuff the business really needs to function. And whatever they release might not be in the format that it was taken.
They only tell you about the second extortion attempt after the success of the first. As I understand it, each gang operates differently, but most are consistent in their approach (e.g. x will always double ransom, but y will never).
This opens up an interesting (albeit highly unethical and illegal) strategy to combat ransomware, which could be implemented by state actors:
1. hack targets and hold their data for ransom
2. get the ransom and release the data anyway
This would largely discredit the actual ransomware gangs. A way to make this more ethical would be to have the data be insignificant or encrypted. The media will still have their story, and public perception will be changed.
An even better way would be to secretly coordinate with the "targets" of the hacks, turning the whole thing into a harmless spectacle that nevertheless decreases the incentive to hold data for ransom.
Certainly different companies put a different effort into their IT security measures, but I doubt any of them would claim that their system is "unhackable". So, I am not sure that not letting your data leak is an option you can really choose. You might be able to influence the probability of a hack, though.
Out of curiosity what's the source on that? AFAICS there's no clear legislation restricting it (although a lot of talk about such a bill in the future). It is in standard contract terms?
I think ITAR covers exporting, which is necessarily intentional. At least I'm not aware of any espionage victim also being subject to ITAR prosecution.
It also covers reexporting. You're still responsible for ITAR and EAR articles after they've been exported and the recipient wants to transfer them somewhere else.
I really hope this is not the case. Paying randsome is unethical, in some cases it’s also illegal.
At best you’re funding a criminal organisation, at worst you’re in collaboration with a criminal organisation.
In the case of digital files there is absolutely no guarantee that they delete the file, it’s like paying someone to go back in time.
The act has been done, the data is stolen, your negligence and wrongdoing is in the past and the only ethical option is to not fund the bad actors who are actually primarily responsible.
The never ending cost of low quality outsourced digital transformation. Pathetic how many large corps have been hit. And tax payer has to foot the ever growing bill to investigate and defend these useless orgs.
Basically every large, traditional business is relying on some offshore gig for certain key technical responsibilities. They probably don't consider it the real key as they are cost centers, but hey ransomewares are reminding them.
It's not even just offshore. Some onshore consultancies are really of agasp quality.
Customers care if your business is in security, especially b2b. Though the biggest downstream effects are probably from security tightening making it more difficult to get anything done.
I don't think in the case of airlines we have the option to care. We are just kind of stuck with whatever the government-backed airline oligarchy chooses to do. The airlines would be the ones to have to care for it to matter. When the 737-MAX crashes occurred many frequent travelers, including myself, flat out refused to fly 737-MAX even after we were given assurances by the regulatory bodies. But after a while it just didn't matter. Life goes on, your company will book you on the plane that's the cheapest or part of their plan or whatnot, and you just get stuck being a cog in the wheel again.
"digital transformation" was such a hot buzzword too, and yet the biggest market players don't want to spend enough to ensure it goes well, apparently.
> And tax payer has to foot the ever growing bill…
You might be put at ease to read all that debt is a hallucination humanity has no obligation to pay.
Also after decades in IT hearing about one lapse in security after another (including entire iron mountain trucks being robbed back in the day) yet society seems capable of shrugging them off, it’s hard to take the anxiety seriously.
It’s possible the CEOs are not the only people in IT inflating the value of their contributions and ideas.
I struggle to see how this business model would work in the first place. They pay you and you pinky swear not to release it? All you are doing by negotiating is to buy the victim time to harden their systems.
This sounds liked a failed ransomware attack. They encrypted the systems - Boeing says "no thank you, we have backups". There were no valuable zero-days to sell to GRU, so give a last ditch offer to try to salvage something.
I wouldn't be surprised if some ransomeware gangs are frontends of national (in)security agencies. They don't care about profits. Sure it's good to have some.
- "According to a European Parliament report, published in 2001, America's National Security Agency (NSA) intercepted faxes and phone calls between Airbus, Saudi Arabian Airlines and the Saudi government in early 1994. The NSA found that Airbus agents were offering bribes to a Saudi official to secure a lion's share for Airbus in modernising Saudi Arabian Airlines' fleet. The planes were in a $6 billion deal that Edouard Balladur, France's then prime minister, had hoped to clinch on a visit to see King Fahd in January 1994. He went home empty-handed."
- "James Woolsey, then director of the Central Intelligence Agency, recounted in a newspaper article in 2000 how the American government typically reacted to intelligence of this sort. “When we have caught you [Europeans]...we go to the government you're bribing and tell its officials that we don't take kindly to such corruption,” he wrote. Apparently this (and a direct sales pitch from Bill Clinton to King Fahd) swung the aircraft part of the deal Boeing's and McDonnell Douglas's way."
I imagine at least some (probably many) of the engineers who work for Boeing have a basically lawful-good/lawful-neutral temperament and are just disgusted by things like bribery. Maybe one of the parties in the conversation leaked it, no intelligence agencies needed.
Why exactly would the CIA or NSA want to do that? Boeing works so closely with the security apparatus they're practically an unofficial member so I don't understand what the motivation would be.
It doesn't hurt to hack into any corporation. You never know what kind of intelligence you might get out. There are also considerations of different factions I guess.
But we're not talking about getting information and keeping it but actually making it public. One doesn't get much leverage that way so the only real aim would seem to be damaging the target.
It's an open secret that FSB et all work with ransomware gangs. As long as they don't target Russian companies they don't care what they do otherwise. So it's not so much they're a front as they're in a sort of quasi officially sanctioned middle ground.
Yeah. I'm also thinking about ways to "promote" malware without getting impacted.
Let's say some three digit agencies create sort of malware distribution forums in the darknet. They make sure to only broadcast to people who wants to play with malwares so the net catches the "bad guys" mostly, except for a few curious researchers or journalists maybe. Then they start to share recent generarion malwares they created. They don't need to distribute them by themselves because they already have the CCC servers. Some malware gangs would eventually be the frontend and start the distribution.
In this way you not only distribute the malwares without getting impacted, you also get to know the gangs so whenever you want to catch a few fishes you just pull the net.
Once the darknet forum dies out or they need to wipe the records, they would just leave and create a new one.
As an example, the DarkSide malware (the one used against the Colonial Pipeline) explicitly checks if it's running on a computer in the CIS (Russia+countries nostalgic of the Soviet Union / without a better choice) and exits.
Well, this doesn't mean they work for FSB but rather they want to stay away from them.
If I was based in a country I would not want to target those that can more easily get me into jail and/or kill me.
I have no idea if FSB work for them, this is more speculation than open secret, but they certainly do tolerate them and see them in a good eye as long as they target western companies and agencies. The enemy of my enemies is my friend.
This isn't really true in general: intelligence agencies often want access to funds with less/no oversight from (or to skirt controls enacted by) other parts of the government. As an example, that was the dynamic at the basis of the Iran-Contra affair in the US.
> They pay you and you pinky swear not to release it?
Yes. If any of this information does end up getting leaked, it kills the credibility of the ransomware group and they'll never get paid again. Sort of mutually assured destruction.
Now of course, most people don't really trust criminals anyway so the business has a pretty strong bargaining position and I believe many of the ransoms are negotiated way down.
SilkRoad was a dark web market, so the comparison from the parent is a bit strange for me, but regarding your comment on reviews, yes they're very important and for the sites I've used, the reviews have been very reliable and useful.
My understand is that since it's a much more limited market, access is very difficult even under normal circumstances (not because of security but just because dark web markets usually have awful performance for various reasons), so it's a far different review landscape than say shopping on Amazon, at least the ones I have used. The markets themselves were fantastic about refunds/conflict resolution, better than most normal online shops. Reputation is key for basically everything dark web, and the main actors in this space are notoriously petty and bold towards anyone that makes it harder to conduct business.
I imagine it's very similar with Ransomware as there has to be some reason for the targets of the attack to believe paying the ransom is worth it, and anyone who upsets that balance for the ransomware gangs unexpectedly becomes rapidly unpopular, and usually a target for the other gangs. It very much so is heavily relying on the honor system, but it seems the groups are committed to such a system.
all the darknet markets have eBay style ratings, but for the vendor and products purchased, not for reviews on negotiating with a randomware group that weaponized it
Silk Road was 10 years ago that would have been like the smallest one ever since then, just curious why it is referenced at all, and in such an odd way
“I heard eBay has bulletin board like reviews” you know you can just go look, in a web browser “woah thats crazy talk, I prefer 10 year old hearsay”
anyway, they often have a separate forum where one could ask more about a group
Most people are inexperienced with the dark web. I would hazard a guess that even most of the HN crowd, as far as having actually used the dark web. There is a lot of fear and misinformation, even when it comes to a tech-literate crowd. People fear government agencies infiltrating the servers that they might visit, and that server dropping malware/spyware that reveals their identity. Even just having your name associated with visiting a darknet market could be disastrous for your reputation, and I assume this is the line of thinking most people give to the idea of visiting these servers. Unfortunately, this line of thinking keeps people away, which actually reduces the ability to stay anonymous as compared to having lots of traffic moving through Tor.
its fascinating how media driven this is if people are still talking about the silk road based on its media coverage
Department of Justice and Europol have lots of press releases about other markets and busts and ways they failed to bust them, and how their size eclipsed Silk Road
I guess as long as the media doesnt parade it around or makes movies about it nobody knows
Amazing satire, but I shudder to think that's how companies actually treat ransomware.
All companies and governments should take the stance that any randomwared or compromised data is now public. And if they don't have the backups, then they should consider it permanently lost.
Write it off as a business loss and hire better ops people.
That probably wouldn't have a good outcome. If a company gets hit very hard, their options are either to pay or die. If you make it illegal to pay, their options are either to commit a crime (which will not kill the company even if they get caught) or die. All this will do is push companies into hiding when they get hit and not reaching out to the government and security companies for help, which makes catching these groups way harder. So, at best you kill some domestic businesses and at worst you kill domestic businesses AND help the attackers hit more companies.
To the contrary: the first company to die (or so) would set a fire under any companies who were not prepared. It's complacency and ignorance that creates problems.
The attackers attack for money, not to kill their prey, that's not profitable.
> All companies and governments should take the stance that any randomwared or compromised data is now public.
That's a somewhat reasonable stance. You definitely have no guaranteed assurance that it won't be leaked. However... depending on what you do have set up, you may have some reasons to believe that 45GB of encrypted data has not left your internal network (i.e. was only encrypted-in-place)
> And if they don't have the backups, then they should consider it permanently lost.
That's easy to say but way harder in practice. If the data in question is the design artifacts from a billion dollar project... it'd be a pretty hard sell to convince everyone "woops, we fucked up, billion dollars gone, time to close the doors and go home, we definitely shouldn't consider paying $500k or $1M or whatever they want to get all this data back".
Depends on what their SOP is. Attribution is hard but there are a lot of really, really smart people trying really hard to identify orgs by their TTPs.
You can rebrand as CaTBUTT, or Indrik Spider 2.0, or whatever, but if you're using some custom version of Mirai they'll eventually tag your M.O. and the threat intelligence briefings will reflect that.
Mirai is malware that was written by a college student but their code was released to the public, and a lot of other malware uses it as a base.
It (and other malware) tend to behave in specific ways and follow specific patterns, and those patterns can be analyzed. Ditto for the servers they use, targets they hit, etc.
These approaches are known as TTPs, and documenting them is how you attribute an attack to a specific group or actor. Even if you change your org and start using servers in a different country eventually your MO will give you away.
These approaches are cataloged by IT security types, and many cybersecurity orgs release publications about Group X using approach Y.
So when you get hacked by Group Z, but they sound like X and Y, you guess it was them. And if Group X has a history of burning ransom payers then you don't pay -- they'd fuck you anyway, so save the money and start rebuilding.
Very interesting.. so what makes Mirai so important as a base that they can't just rewrite it of sorts? Is it just a lot of work/boilerplate? Or would it be too time consuming to rewrite some base code so the fingerprint is different?
"states of mind" are all externally influenced. If you have a fundamentally "honorable" mindset, it's because your history has reinforced that acting honorable nets you an overall positive outcome.
Which just reinforces the "honor = iterative prisoner's dilemma" argument.
I’m not doubting this - but can you provide anything to substantiate that reputable ransomeware negotiators are a thing? [edit - nm I googled it, it’s a thing]
My brother did this with lawn care and HVAC companies. The first business lesson he learned was never name your business after yourself. He was about 16 when he learned this and ever since it’s been like AAA Lawn Care or Aces HVAC until he gets so many negative reviews he can’t get more business.
This was a plot point in The Accountant starring Ben Affleck.
He’s a criminal who launders money through small businesses he owns and the accounting firm he runs. He names it ZZZ Accounting so it doesn’t get a lot of calls through people looking up accountants in phone book.
When he was a teenager and had a business under his own name he’d get in trouble sometimes because he’d close all the deals himself then hire other kids to go out and do the work.
Some homeowners thought it was going to be him cutting their lawns and would get upset because the contract said he’d do it. So he’d just rip up the contract in front of them and refuse to cut their lawn ever again.
In Florida there were so many houses with lawns in so many subdivisions he was always busy anyway. Plus he liked getting into fights with adults. Win win, I guess.
It would, but publishing the data of someone who paid gives the ransomware gang almost nothing, and the downside would be to start as a no-name.
On the other hand, holding their side of the promise allows them to build a reputation, which makes it easier to get future victims to pay. Why would they leak the data if someone paid?
Are these rational actors who would even care about the collective long term effects? Eg the same could be said for drug dealers ripping off their customers, but that still happens daily because they often prioritize short term self interest over long term/collective concerns.
Many ransomware groups have learned that acting more like a business results in higher payouts. They're not all going to do it, but they have payment portals, negotiators using professional language, attempts to maintain reputation, etc.
Obviously this behavior doesn't apply to all of them, but it's a clear effort by some of them to immediately appear more palatable to random IT worker, the execs, and the lawyers who are watching the who process play out.
And it also lines up with the fact that ransomware groups have freaking HR departments to handle their employees.
It's not consistent across the broad category of criminal for sure but they're probably not the most long term oriented people as a rule now. Initial groups were more, for a lack of a better word, professional about the process with some groups even having a kind of tech support for helping victims to make sure people would believe they'd get their files back if they paid. Better preparation on the corporate side and a democratization of the tools to perform it has lead to some changes it looks like where ransomware groups didn't exfiltrate often before because it wasn't their main playbook.
Yes, mostly because the other actors are notoriously vengeful and petty; ransomware gangs, dark markets, etc, they don't just register complaints with each other, they typically look to ensure the bad actors are removed from the space entirely.
regarding drug dealers, I wouldn't consider it a good comparison. the actions of one dealer typically doesn't affect others, they're just not that connected beyond professional recognition/courtesy. If dealer A is shorting their customers, dealer B absolutely wouldn't care as why would they? they have no relationship, and it'd probably mean the customers go to dealer B instead. business will continue as usual even if one bad actor is doing shitty stuff to their customers.
with ransomware that is not the case -- if public opinion overwhelmingly tells there's no sense in paying because the ransomware gangs never follow their word, that affects all the gangs, not just the bad actor. the gangs already have a hard enough argument to make as to why the targets should pay so anything that frustrates that further is frowned upon.
By that logic, illicit food and drugs wouldn’t have a problem of being cut with fillers. A tragedy of the commons doesn’t really reign in the behavior of criminal organizations.
Data ransoms have existed for a long time before "ransomware" was even really a thing - there's just never been a market for ransoms for the "stolen" data. Once it's out you can't put that genie back in the bottle.
The reason ransomware worked was you didn't have to trust the group long-term - just enough to give you a copy of your data back.
It's the difference between you making a copy of my car keys and stealing them. Yes, I will pay for "a" key back - I only have to trust you enough to hand it over.
But you don't only want your data back, you want the data disappear from circulation. While ransomware ensures the former transaction, it still in no way ensures the latter, making it still a dubious transaction.
It's your naive comment that I find hilarious. it's a business like any other that puts food on peoples plates. in fact, a mature business with a deep and sophisticated industry. it benefits all participants when everyone behaves reliably and predictably. These aren't amateurs.
>it's a business like any other that puts food on peoples plates.
So is murder for hire. However, both being firmly within the "crime" category of business, all allusions to legitimate business concepts such as "reputation", "contract" and "predictability" are illusory, rhetorical and rarely survive first contact with some felonious scumbag who wants to screw you over. Particularly when one side of the interaction is not an experienced and dangerous criminal.
Not sure about review sites, but there are companies specializing in ransomware negotiations on behalf of the victims and they can advise not to pay a group that is known to release the data anyway
I am sure there are discreet nation state buyers, like Russia and China, who are happily to use the information without causing an incident. Russia does not even need to ask, as most ransomware gangs operate under the blessing of Putin.
> A portion of actors involved with Conti ransomware are based in Russia and some criminals operating from there already have documented ties with Russian intelligence apparatus
So a part of one gang made some claims and some other not-gang claims they have ties with FSB or SVR => all gangs are operating under personal Putin blessing. Even North Korean and Ukrainian, right?
> it kills the credibility of the ransomware group and they'll never get paid again
I don't buy it. There's nothing to stop the group from rebranding themselves. The company has no proof nobody else got a copy of the data. And the group could simply hang onto the data, extort a bunch of money from other companies, then start back at the beginning and demand even more (knowing that the data is worth _at least_ what was already paid for it).
New groups can't demand as much as the next. Also most of the big groups are RaaS (Ransomware as a Service), meaning their affiliates get approval to operate using LockBit's name, infrastructure, and software.
If LockBit does something to taint their image in the media and among security organizations, then rebrands to avoid their negative history, forensics will still eventually tie their new name back to their old org, and victim's will have to decide whether they should trust that their data will be handled correctly after payment.
As for re-victimizing old organizations, there's almost zero chance of that working. Most data is only sensitive for a certain time frame, long enough that they can make the proper notifications, change credentials, etc.
Lastly, there still needs to be someone to download and abuse the data they leak. I've monitored ransomware torrents a few times and not observed any downloads completed over the course of a couple weeks following a data leak.
Meh. They don't knowingly release it. But they could certainly continue to try to sell the data on the black market to competitors, etc, which the competitor would never disclose.
> I believe many of the ransoms are negotiated way down.
LockBit just did a sort of collective bargaining with affiliate groups that resulted in guidance for setting initial ransom amounts and rules restricting discounts about 50%.
You'd think that, but in practice these ransomware groups are pretty reliable, and actually many rasomees have remarked on how good the customer service is! Their ability to make money is dependent on them maintaining a reputation for being in the business for money, not lulz, and tmk the pinky swears are typically upheld.
That’s why you secret share the data across six Intel SGX instances using software that only reveals the plaintext if it doesn’t receive a blockchain-based payment after 30 days. (No, nobody does this. But they could!)
Because you write your ransomware to encrypt to a hardcoded set of public keys that include an SGX attestation from those instances. This can be verified forensically and the unencrypted plaintext never leaves the victim organization.
Intel could presumably help the ransomware authors bypass SGX protections but that’d be dumb. They might have some capability to trace attestations to a specific motherboard but I doubt any sophisticated ransomware group will be foiled by this.
Attestations are quite certainly traceable to the EPID, which is a fuse array -- it's on the die, not the motherboard. In order to attest, the key that encrypts the victim's data would have to be SGX-generated. What kind of RNG do you think it uses? Maybe Dual_EC_DRDBG?
Help the victims how? If the CPUs have been captured, there's no need for altered firmware. If the CPUs have not been captured, then how is the altered firmware going to get installed?
I suppose it helps them in the former case, if they also had no backups. But the hackers are already in a very bad place if the CPUs get captured, so I don't think they care about SGX at that point. The hackers don't need to trust SGX. They only need the victims to trust it.
Malware encryptors can be left on the system for forensic investigation to discover. You’re correct that there’s no perfect guarantee the ransomware group didn’t also exfiltrate data using another method, but that would be kind of stupid; the idea of this would be to reduce a hard problem (trust a criminal to secure your data and eventually safely delete it) to a simpler problem (trust a criminal group not to do something economically irrational that also requires extra work and stealth at infection time.) You don’t need network access to verify a PoW blockchain transcript is correct, provided the cost of forging that blockchain segment is high enough (plus you can script payment redemption so it requires a signature from the enclave attesting that the information was destroyed.) I’m pretty sure a resourceful ransomware group can source a few motherboards and CPUs that can’t be traced back to them.
What benefit is it to the ransomware group to release the data? They may be sloppy or careless with their data (like their victims) but I don't see a for-profit/non-ideological ransom group reneging and intentionally leaking the data. And plenty of reasons eg repeat actors to do their best not to.
Actually I'm often surprised that many ransomers/hostage-takers go through with their threats when they don't get their demands. The only reason I can see them doing it is if reputation matters to them for future negotiations. more than the risks from the greater liabilities they incur by going through with the threats.
You mean "yeah we were lying yesterday about this same thing, but we're telling the truth right now" type of negotiation? Has that ever worked for ransoms (of any kind) anywhere?
It's a business model that has certainly been working. If your business has been crippled due to your systems having been encrypted then you do often consider paying the ransom.
However if you have adequate backup and recovery mechanisms in place then you're not the best to prey on.
It's a business model that works until the majority of targets have appropriate backup and recovery processes.
Paying ransomware is not in any way illegal in the United States. Making payments to sanctioned entities (ransomware or otherwise) is. If companies go to their insurer, etc, they will probably get help to do the compliance to check to see if the payment requested would go to an OFAC sanctioned entity or not.
There isn't necessarily a way to know who you are actually dealing with. Maybe in some cases there might be some information to figure this out to some degree. But normally the only information that is certain is where the payment is going. Which is just a bitcoin wallet address.
If you aren’t a hospital, you are helping the ransomware gangs amortize the cost of their R&D. Thus directly helping those who hit hospitals, and, as a result, contributing to those deaths.
— If you don’t give me 10k$, I will tell the authorities that you have paid a ransom of 100k$.
— Ok, here’s the money.
— Thanks. If you don’t give me 10k$ more, I will tell the authorities about our previous deal.
No I did not pay a ransom, I paid a 7 figure consulting fee to a cyber security company not based in the US, who somehow magically resolved the issue for us...
There are instances where that doesn't make sense. For example, there was that plastic surgery office that got hacked a couple weeks ago. I get why they think it's better to at least try to prevent such private information from getting out. making it illegal to pay the ransom means that every patients' medical history and pre/post op photos would be leaked. That's a nightmare.
To rephrase: As McDonnell Douglas was crumpling under the ineptitude of its management, Boeing merged with McDonnell Douglas, keeping Boeing's name and McDonnell Douglas's management.
Welcome to McBoeing, would you like fries with that?
I really wish I could find the McBoeing stickers I was given when I worked as an outside contractor during the time of the merger. The stickers weren't standard issue swag but rather made by a frustrated employee, that said they were a common sight on toolboxes at various plants.
I worked installing, qualifying, training on the use, and maintaining CNC machine tools in many shops spread across multiple plants. The folks in the shops where I worked were seriously displeased about the merger. Many of the people I had the pleasure working with had decades of service under their belts and were worried what would come of the combined company. It turns out their fears were entirely valid, though, I suppose most of them retired years ago and are enjoying their pensions.
I wouldn’t place much faith in what you were told. McDonald Douglas and Boeing were fierce competitors for decades, and they were really the last major commercial competitor in the US. is it really all that surprising the boeing employees would be negative on the merger?
the things you’re relating here, this is one of the favorite myths of seattle boeing employees. you hear it everywhere, even today, and the people today, I mean, these are like stories of their parents, passed down from generation to generation about the boogey man. The only people left from that timeframe were almost all kids then. Very, very few of these people have any first hand experience with any of this. In seattle, generations of employees are a thing, and kids continuing that tradition aren’t going to question stories like this from their parents.
The merger myth gets lots of play in seattle because the commercial employees use it to shield themselves from the reality that BA would have gone bankrupt, twice, if the defense business wasn’t there to bail them out. They complain that those mcdonald douglas people were all overly focused on financials and not, I don’t know, i guess the spirit of flying? Well, the opinion of the mcdonald douglas folks was that boeing wasted incredible amounts of money on nothing because they had no concept (broadly speaking) of the financial restrictions that come with government contracts. A typical conversation would look like “No, sorry man, you can’t use taxpayer dollars to buy a new TV for the lobby. It’s literally illegal. It’s taxpayer money, you can’t just use it for whatever you want.” All of the baggage that comes with government contracts and foreign military sales was so alien to these people that they confused basic accounting and following the law with some sort of machiavellian plot to destroy the spirit of Old Mr Boeing. Some of them aren’t even aware you can’t just sell military aircraft overseas just because you want to make more money.
I would imagine that, if you asked those who like to bitch about the merger, they would consistently underestimate the percentage of revenue that the defense business brings in. There are a shocking amount of people in seattle that feel like they can give a detailed analysis of the corporate history, but they don’t even know where the money comes from. Like, even in general. Many of them seem to be under the impression that the defense business is about 15% of revenue, not the 30-60% it has been for the past 25 years.
I mean, literally the only reason some of those people still have jobs (after MAX and COVID wiped out all cash at the company practically overnight) is because BA owning the (countercyclical) defense business is the only reason there weren’t 10,000 or 20,000 additional layoffs. You have to be remarkably thick to have a career in aerospace and not know these things.
The money part of the myth is particularly funny, since it was the massive cash flow from the C17 that Boeing was most desperate for at the time. Mcdonald Douglas was fine at the time, but there was no great long term prospect because they had just lost two massive contracts (F22 and F35), so a sale before things got rough was a reasonable idea. In return Boeing picked up a ton of cash and a countercyclical business.
The “lost their way to MBAs” myth of course also covers up the fact that most of the layoffs from the merger were McDonald Douglas employees, as well as the fact that Boeing’s financial focus began well before the merger.
Ask one of these people to explain how it is that MD was a doomed company overly focused on cost cutting, yet had fantastic labor relations due in large part because of the willingness to compensate those same employees. I doubt they even knew relations were that good.
There’s two additional reasons this myth persists in seattle.
Lots of manufacturing employees in the 90s, the boomers, and early aughts were outsourced. The middle class shrunk. For many of these people, it wasn’t obvious this was caus...
Useful to whom? Email dumps and other data could be useful for further breaches and attacks against personnel. I'm sure their infosec will be going through everything but they could miss stuff and personal information is exploitable for fraud even with awareness.
Govs like China and aircraft/defense competitors to Boeing probably got a goldmine if they didn't already have their own access. Boeing does plenty of NATSEC and space stuff.
Like how can one download so many files from a company network and no alarm is set off ? What do the useless IT departments set up? Just employee spyware ?
Let's say you have 6TB a day going through your perimeter firewall. It's kind of hard to pick out a 40GB stream(s) on HTTPS going to some US cloud provider.
The 747 has around 6 million individual parts, 15 sheets of paper per part doesn't seem unreasonable.
Just detailed schematics of a given plastic knob in the cockpit should take at least a few pages, nevermind something more complex or critical like turbine blades.
The 6 million figure includes fasteners. Half of the parts of fasteners and there are only 75k engineering drawings. Engineering drawings rarely run more than a few pages per part.
Construction drawings are not done on A4. Typical drafted drawing is uses handful of ft by ft range, say 3x4. So that should give ~2 orders of mag less sheets. Does 10,000 sheets of drafting paper sound more reasonable?
Internet says 747 has 6,000,000 parts, half of which are fasteners. So 3m individual components. “171 miles” of wiring. Blah blah. I can easily see 10k drawings to cover that beast, soup to nuts.
3x4 is about right, but the original 747 drawings were not drawn on paper, they were inked on thick thermal and humidity stable mylar. Some detail parts may have been defined multiple (up to a half dozen) E sized (36”x48”) mylars. Then there were separate drawings for each assembly of detail parts. Then there was all the manufacturing planning and detailed work instructions to fabricate each level of assembly. Then there is all the documentation associated with lab qualification testing prior to flight. I have personally authorized qual test reports in excess of 3000 pages, where ~100 pages was my content and the rest was all backup data.
If the FileShare server itself was compromised one could mount it in a way that wouldn't show leakage, or just image the thing and bork the original.
Otherwise you could have a crawler that just traverses the FileShare and makes duplicates at a rate slower than what would look like BAU traffic. Given that most enterprise network shares host a TON of legitimate batch dump/upload file traffic it might be easy to skate by.
So many of the security monitoring tools that purport to detect things like that only work if the attacker is brainless. Modern networks are complex enough where a clever attacker (like a professional ransomware gang) can make malicious traffic look like any other traffic.
Unless this was just a public S3 bucket, there was probably some lateral movement involved, and I'd say time/money would be better spent reducing that particular risk in the future.
I just had to download a 69 GB database to my laptop of CAD design files (mostly libraries). I'm glad I have 1 Gbit download speeds, but peers aren't so lucky. Granted, if IT saw remote employees downloading TBs of data it should really raise red flags.
Sadly, this is pretty routine for us (not Boeing). Every goddamn day we have somebody plugging in a USB stick and copying 1-20 GB of data to it. We see similar volumes "accidentally" uploaded to iCloud whenever someone syncs their work laptop to their personal iCloud account.
We watch it happen. We have the tools to stop it. But we're not empowered to use them, for the exact same reasons that led to Equifax's fuckup-- we're not allowed to do anything that might impact production/pursuit of new revenue.
Lately, I'm not convinced this is even the "wrong" approach. Espionage was not invented alongside the Internet. If we build a Thing and it's the only Thing we sell, data concerning it will inevitably be stolen by someone in some way. But if we iterate on it fast enough, the value of older versions leaked diminishes. We're in the market of building and selling a moving target.
It also creates an inflated volume of data. You can't just break in, grab "the_flag.zip" and run like hell-- you have to exfiltrate a fuckton of data, make sense of it, and carve something usable from it. Like, checking binaries into a git repo makes the size bloom, but it doesn't add a proportionate amount of "value" to stealing that repo. It's padded with drafts and garbage.
> Like how can one download so many files from a company network and no alarm is set off ?
Slowly, hidden among legitimate traffic, and indirectly. For example, most companies don't notice 100 kb/sec increases in DNS traffic, slight increases in web server image sizes, or changes to server MOTDs.
I think it would be a problem if people started digging, but I suspect most people just don't have the time, inclination, or willingness to take the legal risk.
Competition will love to have a look at this data but obviously they won't announce it to the whole world that they are digging through the files. One day Airbus will build a new plane before Boeing or just win a lucrative contract and we will never know whether this happened naturally or because of the knowledge they got from this data.
Airbus is not a person but a company. Of course some of the employees will look at this data. They will all pretend that they dont but companies pay for industry secrets why would they stay away from free ones.
For what you don't want your direct employees to do, you can always hire a contractor who will do the dirty job and give you the (in this case literal) TL;DR.
that doesn't matter. if an employee were to read it and perhaps glimpse some trade secret and include that, even inadvertently into a future product, that could open them up for litigation.
Rumor has it airbus used to have a secure cabinet of Boeing analysis data that people would go reference once in a while in the 90s but I doubt that happens anymore
That will be the guidance from the legal department for sure.
and I would hope most bigwigs would know this without being told.
If however, a completely separate company, perhaps in a different country,
that has no business associations with Airbus in any manner, and there
will never exists payments between Boeing and this company went through
all of it would be no problem.
If a specific bigwig later on received among photos and videos, a steganographic encrypted document whilst visiting an anonymous sex site then read it and deleted it,
nobody would ever know. (lest someone talks, always the human factor)
I made up all of the second paragraph.
Companies specializing in what i described over to exist.
They are not of course limited to ransomware leaks.
If you are under defense industry rules, viewing data is generally on a Need-To-Know basis. For any data that is classified, or CUI (Controlled Unclassified Information), EVEN IF that data becomes publicly available, it is illegal to view it.
Now, I'm sure if a headline came up in a Google search you wouldn't get busted, but if you go ahead and download it, that is at least putting your ability to continue working with classified/CUI at risk.
So yes, it's a hot potato which no one (smart) in the civilized democratic world will touch.
I bet the internal emails would be infinitely more valuable than design docs. let's see what the last link on the chain (of responsibility) actually said when they were told MCAS wasn't working. Let's hear how they worded the spin on the first batch of ~150 deaths to do damage control, and then how they reacted to the next. I'd fire up my popcorn maker for that!
When Sony was hacked by North Korea, the leaked payroll revealed women were paid less than men for the same job. I'm not sure what the ramifications of that leak were though.
What that article says is that one woman with the same job title as a man makes 1 million dollars less than the man. I doubt that's just a fixed salary, so it's hard to say how damning it is.
It also says that a spreadsheet from 2004 states that 85% of the top earners were men. This is unrelated to the pay gap argument.
The rest of the article is fluff completely unrelated to the leak. I'm no surprised there were no ramifications from this. If this is all that was found, it pretty much says there's no or practically no pay gap at Sony.
I mean, it's hard to say whether two different actors really perform the same job; speaking for myself the only name I recognize in that article is Christian Bale's. Plus presumably they all have representatives that negotiate their cuts, so if they agreed to work for that amount, I don't think there's much room to complain. Finally, I can't really tell if there's a trend here. The article talks about the cases of three men and three women, where all three women are paid smaller cuts than the men, but is this the case for everyone else as well?
The moment a company pays good money, that legitimizes the hacking group and emboldens them to keep going. You can’t trust that they’ll not leak even after they get paid.
45GB of data could be like a dozen employees' or less Outlook PST files. For this to be astounding we would need to know the quality of the data. Otherwise it is a bunch of hype and hoopla.
I'm not sure about the legality and ethics of training models on stolen data, but for reference, but so far as I can tell the Enron email data set is about 1.5GB (much lower than I expected to be honest!).
And I believe some of the more interesting things found in that data set (outside of the fraud) were people cheating on their partners.
I do believe that 1.5GB is tarred and gzipped though, so it is a fair bit bigger. That's also supposedly half a million emails, so 45gb is quite a bit.
The Enron dataset was not leaked - it was made public by the US government as evidence from an investigation by the Federal Energy Regulatory Commission.
Yes my understanding is that this is why it's such a common training set - it's interesting, large(ish) and free and legal with no licence requirements. I think it's public domain? But I'm not from the US, so don't quote me.
It depends upon the size of the individual email. In the early 2000's email attachments were less common and on average smaller in size. Today, 20 years later, it is common in my line of work to see email attachments in the 5-10MB range. Pass them back and forth a couple of dozen times for changes and approvals and it doesn't take long for it to balloon. Yesterday, I worked on an outlook email issue on a PST file that contained 40,000 emails and was over 10 GB in size. His PST was new less than two years ago.
It really depends upon how it is used, misused or abused.
You're absolutely right. That's one thing that I didn't follow up on, I only briefly looked at the csv in the kaggle page and didn't see anything that looked like images.
we should be careful making the assumption that this is all the data they exfiltrated. this could easily just be the first tranche to prove that they’re serious
Can we stop using disk size as a measure of leaked data?
There are bluray movies larger than this leak and there are files smaller than 10kb a lot more critical in most businesses.
It'd be nice if there was some sort of scale for data leaks like (just spitballing here):
1. Leak destroys all core company functions (crypto-exchange leaks all wallet keys, CA leaks all root keys and becomes banned from all trust stores, etc.)
2. Leak causes regulatory issues criminal enough to shut down company
3. Leak severely hinders core company functions (deploy keys for a cloud computing SaaS are deleted which stops all new deployments until all infra is reconfigured)
4. Leak severely looses company competitive advantages (new products leak that are replicable by competitors)
5. Leak causes severe PR disaster
6. Leak shows embarrassing internal company communication without any of the above
Sure, but instead of saying "Boeing leaked 45GB" it would say "Boeing leaked files of undetermined severity".
The disk size does not matter, and when the severity was actually determined it would show up in the headlines as "Boeing leak determined to be a level 3 leak" instead of just being "That boeing leak 5 months ago was kinda bad".
These are journalists publishing breaking news. They are not autistic IT professionals.
Relevant quote from the article: "I haven’t gone over the whole data set but Boeing emails and a few others stand out as useful for those with malicious intent"
Journalists are almost never deep experts of the fields they report on (although I hope well versed), but given the tools to report the news in a way that is more understandable to the public I think they will use them.
Both journalists and the public need a better way to understand how different breaches affect them.
As someone wrote earlier, they won't know the severity until it is analyzed. That could take a long time. Days or weeks. This is just the breaking news. Also what incentive does anyone have to waste their free time analyzing the data and issuing a report to you after this headline that the general public will not give a shit about a few days later?
I'm not saying to delay the report. I'm saying to not headline the size of the leak unless it has some sort of significance. If the severity is later known report that as news.
If anything this would create two stories where there now is one, so journalists would not have less or later to report.
At this point, I think there's quite a lot of "breach fatigue" now where the general public doesn't care about these stories. It's just "oh, I guess I get another year of free identity theft services".
Well, first, I'd expect Boeing already had some idea of the scope of what was compromised simply by investigating their own systems. After all, they knew enough to declare there was no impact on flight safety.
And second, even if a company has no idea of the scope, the hackers would somehow want to prove at least privately what the scope was, else their threat is not as manipulative as it could be. On the other hand, the hackers can't credibly bluff and inflate the scope too far beyond reality because the company can just say "prove it or I don't believe you and I won't pay." And the hackers want to get paid.
It's a business deal after all. A really crappy one involving criminals. But at the end of the day, the company must have already assessed the value of the leak in order to reach a decision.
Because half the time companies can’t be trusted to even admit there’s a leak, let alone the severity of it.
Groups that leak are likely to want to inflate the severity of the leak to ensure they get paid.
The larger a leak, the higher the probability there’s sensitive information in there, and the better opportunities/more time attackers had to exfiltrate it.
Agreed, but journalists need a better way to communicate. Saying 45GB sounds like a lot of emails to a technical person and nothing to someone who bought a bargain-bin 64GB USB memory stick the other day and filled it with a single HD movie.
The info says nothing, it conveys nothing. Even skipping the size and saying it leaked "emails" says more in the headline than the size.
A single video recording of an all-hands meeting could fill that size but it could also be emails containing the keys for accessing a large part of DOD.
Or at least say what the 45GB (for this example) of data compromises. As you say, if it were video files, that would add up pretty quick, but if it were 45GB of emails, then that's a hellalotuvdata. That would be the equivalent of a hostile law firm dumping a truck load of banker boxes on a smaller law firm to bury the lede.
Kind of like saying I have 10. 10 what? As my math/science teachers always said, don't forget to include your units.
I was working (very recently, during the 5000+ companies that were hacked via some what I presume were zero day hacks) for an MSP. 600 GB of data were exfiltrated from a law firm with several terabytes of storage of customer data kept due to data retention laws.
They asked for almost a million USD. FBI got involved, everything was restored from backups (thankfully, a month loss of digitalized work, and absolutely nothing was given to the ransomware group.
To your point, there are severe regulatory issues that have to be addressed due to the exfiltration. I no longer work for them, so I don't know the extent of their cost in 1. notifying affected clients and 2. providing credit protection coverage due to leaking of personal data.
For me the disk size is interesting because it tells me how long I'd have to wait if I wanted to download the leak myself, which I do from time to time. (not downloading this one though)
They leak this stuff on their Tor leak site. Downloading 45GB from LockBit's site takes something like a week. Then you have to review the contents to determine its value.
I'm at an en-passe here, on the one hand I think Boeing sucks as it's primary business is now hyper focused for defense purposes. On the other, ransomware generally hurts companies and municipalities that generally don't deserve it.
Boeing, Lockheed Martin, Facebook, etc...deserve it
> Boeing sucks as it's primary business is now hyper focused for defense purposes
This is a childish 2000s take. The world is rougher, Pax Americana is over, we need effective defense contractors because the world is full of assholes. Grow up.
its rougher because of america, not in spite of it. its a self-reinforcing feedback loop. implying you are the grown up in the room because you are 'realist' about this or whatever is a classic dimwit take.
No this is a very 2023 take, everything has to be looked at from the lens of the Oppressor vs oppressed narrative, and since America, the great satan, is always the "oppressor", America is always bad and must be opposed
Any company that helps support America is also bad and most be opposed
Any person that that does not view America as bad is a bigot alt-right extremist and must be opposed
That is the state of politics for 2023, and anyone born after the year 1990 or so
On the contrary, it's less violent than previous decades. The difference is you get to hear about EVERYTHING due to nearly ever human on earth has a smart phone and access to the web.
This is a blessing and a curse. Given your handle, I'm surprised you haven't figured that out.
Thank you for making this comment. I completely agree that Boeing and Lockheed suck. They are some of the most immoral companies in the world and I'm happy for any damage done to them, but I didn't see anyone else comment their dislike of these companies in this thread which concerned me.
A writer contacted me about my thoughts (unrelated and separate from this event) about how the disclosure of vulnerabilities and methods of hacking (of all types and in almost all situations) aids bad actors vs. helps companies protect their systems (by knowing vulnerabilities that are often so obscure they would reasonably never be exploited).
Point is what is the upside of disclosure (I think) vs. the downside. Nobody is suggesting no disclosure but the writer seemed to think that the security industrial complex has lawmakers believing that everything should be open and there should be constant white hat hacking which seems to feed and benefit the security industry.
I am curious if anyone has a thought on this topic.
For an external party, having access to the 45 GB is the easy part. Now, you will need to create a company and supplier base the size of Boeing to make any use of this :-)
2. Imagine the sheer pain of duplicating every single process and spec to the minutest detail, nobody is flying an airplane that only 'works' 99.99% of the time. Probably easier to start from scratch and learn it. BTW, this was tried by Russia in the all through the '80s, they tried to steal all advanced tech. but by the time they duplicated the stolen technology, the next generation appeared. A losing battle.
From inception to the second crash, numbers were abysmal. The 737 Max was crashing at a rate of about one per hundred thousand flights, two order of magnitude worse that the 737 NG (one fatal crash per 10 million flights).
Said differently, the Max 8 was working safely 99.999% of the time, while the 737 NG was working safely 99.99999% of the time. An order of magnitude better than 99.99%, but two orders of magnitude worse than expected...
It is certainly a lot safer now. Hopefully even better than the 737 NG.
Yes, there is a better, more accurate method than my napkin math, which was only to provide a baseline most could understand to see we are well beyond the two nines
though that one was so defective that even the Soviets didn't want to risk flying it. it could barely get into the air, and that'd be with several major faults and alarms blaring.
I disagree that it's possible to estimate how dangerous an aircraft is based on its incidents/flight ratio. There's lots of other factors: Russian weather, inadequate training, inadequate maintenance, and far more landings on poorly maintained and even totally unpaved runways:
> Capable of operating from unpaved and gravel airfields with only basic facilities, it was widely used in the extreme Arctic conditions of Russia's northern/eastern regions, where other airliners were unable to operate.
1. It was USSR, not Russia. For many who were USSR citizen till 1991, but neither ethnically or geographically Russians, this rubs very wrong way.
2. Aviation in the USSR was developing completely independent, and you can accuse USSR in stealing technology in many areas but certainly not in aviation.
That wouldn't even help. It'd have to be part of the original supply chain and certification chain for anything to be allowed out of the country that cloned any parts.
I remember taking a procurement class in graduate school(MBA).
One of the more interesting points of discussion was that when big companies negotiate purchase agreements for parts, the actual cost of the parts can be very transparent. The negotiation is generally about the actual markup e.g. "I think we should pay X% over cost.
Someone, logically, brought up: "What if the company is not willing to share the cost upfront?".
The professor responded: "Well, if it's a public company you can generally deduce a rough cost/part and use that as your starting point in the negotiation"
Student: "Well what if the company says we're wrong?"
Professor: "No problem: ask them what the correct number is. If they don't want to give it to you, ask them how you expect to have a long term partnership if you are not willing to talk openly and honestly about things like parts costs."
That's kind of a softball, can easily be counted with "part costs vary a lot based on the market" or something like, regardless of cost we guarantee you this price point
No business wants to share it's internal costs, it's their prime competitive advantage
If the deal is big enough, it’s absolutely on the table. These are “cost plus” contracts. See Walmart and the federal government for examples of consumers that require these terms.
Now, the federal government, particularly with drugs pricing, turns a blind eye towards the suppliers just jacking up the purported cost. E.g. Pharma:“we want to make $100 per pill, it costs us $5 to produce”. Fed: “we demand cost + 10%, because the people”. Pharma:”Fine, let’s say it costs $90 to produce.” Fed:”Where do I sign?”
Whereas Walmart would say to somebody like Nabisco, “GFY; if you want your product on our shelves, you’ll open your books and give us audited cost + 10%”.
Their prime competitive advantage is their product and quality:cost ratio. For a product company, at least.
If your business' primary competitive advantage is that it gets ICs for 1c less/per thousand, your business is built on shaky foundations. One that you would still want to disclose during negotiations ("yeah, our product is the exact same quality as Widget Co; but we've found a supply for some internal parts at slightly below market value").
The idea that someone could hide parts/manufacturing costs is ridiculous on its face. You, as a consumer, can get a general BOM for most any device. It's how we know that the original Beats headphones were "worth" 7-8usd.
Just as we as consumers know we pay extra to the company (even if the numbers aren't oblique), businesses know the same. It's about how much you're willing to spend, not how much they spent to build it.
> You, as a consumer, can get a general BOM for most any device.
I wish this dumb naïve argument would just die quietly in a corner.
A the value of a device is not its BOM. It has never been and it will never be.
There are so many other additional costs to factor in. Costs related to the manufacturing plant, its people, its tooling and its processes. Logistics costs related to bringing in parts. QA costs. R&D costs. Software maintenance costs. Marketing costs. Certain parts and software may have royalty fees associated with them. The list goes on, and on, and on.
So please, enough of the dumb "$device is only $2USD because its only a bunch of 2c resistors and capacitors on a PCB".
> So please, enough of the dumb "$device is only $2USD because its only a bunch of 2c resistors and capacitors on a PCB".
The thread was about literal parts costs and how knowing those means nothing to the value of a produced item. In which case, a BOM is directly and literally applicable.
No one is saying what you're so annoyed and frustrated about. Literally the entire thread is about how the value of a product is far greater than it's actual parts cost and why knowing that is useless for negotiation.
Learn to listen/read before you get yourself into a tissy about a made up sleight.
R&D definitely forms a huge part of many product costs, and not for many products where you just churn them out by the millions
For a plane, it's going to be the former
That and the reason it's easy to get a BOM of cheap products is because you can buy them and tear them down. I can't see Airbus managing to buy a boeing and tear the entire thing down without Boeing noticing
In aviation it does not work like that usually.
Supplier provides a full BOM including all labour and invoices for materials.
Company pays x% over the top of the costs
I'm not sure you could really add some kind of protection to somewhat unprotected cables, hoses or pipes which must run behind the passenger compartment walls.
Economic and industrial espionage has a long history. Father Francois Xavier d'Entrecolles, who visited Jingdezhen, China in 1712 and later used this visit to reveal the manufacturing methods of Chinese porcelain to Europe, is sometimes considered to have conducted an early case of industrial espionage.[16]
Historical accounts have been written of industrial espionage between Britain and France.[17] Attributed to Britain's emergence as an "industrial creditor", the second decade of the 18th century saw the emergence of a large-scale state-sponsored effort to surreptitiously take British industrial technology to France.[17] Witnesses confirmed both the inveigling of tradespersons abroad and the placing of apprentices in England.[18] Protests by those such as ironworkers in Sheffield and steelworkers in Newcastle,[clarification needed] about skilled industrial workers being enticed abroad, led to the first English legislation aimed at preventing this method of economic and industrial espionage.[19][18] This did not prevent Samuel Slater from bringing British textile technology to the United States in 1789. In order to catch up with technological advances of European powers, the US government in the eighteenth and nineteenth centuries actively encouraged intellectual piracy.
It's a very fair point but it's a then and now thing lmao.
I can't justify slavery in x country because "well the west did it before and so now it's their turn" (to use an extreme example and yes I know that slavery has already occurred in almost every country/is still occurring in some).
Well, if you've managed to create an airliner, starting from not having made one at all before, then the sound isolation would be the most trivial thing to improve in an update.
Because it takes time, not just data. To set up infrastrcuture, to do tests, to train, etc. Hell, it takes Boeing itself several decades to design a new aircraft model, even though they have done it several times before.
The US for example trying to get back some of its domestic manufacturing prowess, after decades which has outsourced it to China which has gotten really good at it, has a 10-20 year barrier to overcome before it can even start to get to the same level, and that's if all goes well and no stupid decisions are made. Which is not very likely.
The best way to mitigate attacks like this is simple: don't hold the data in the first place. Beyond that, encrypting and limiting who has access to what, and
logging who opens what when makes it much harder for attacks like these to go under the radar. Obviously, not every company is Google and having super sophisticated security practices is both hard to do from an engineering standpoint (requires lots of infra) _and_ requires staff to have a security focused mindset. This is not something a lot of places have, not even tech companies by trade. The cost benefit analysis isn't high, so you end up with orgs that do things akin to dumping all corporate code into one Github account and then wonder how things went wrong when something bad happens.
Boeing Co, as a government contractor being hacked is obviously more concerning than a breach at $x company. It's a shame. I'd say this is a learning opportunity, but it likely won't be. Onto the next round of "cybersecurity" speak...
413 comments
[ 3.4 ms ] story [ 307 ms ] threadA lot of folks now have ransomware protected backups for critical data so they aren't paying for decryption keys.
This has escalated to hack and release, the attackers are now exfiltrating data and threatening to make it public in addition to encrypting it on the host system.
Because they will publish the bad stuff, the stuff you really don't want public, but likely withhold the boring stuff, the stuff the business really needs to function. And whatever they release might not be in the format that it was taken.
1. hack targets and hold their data for ransom
2. get the ransom and release the data anyway
This would largely discredit the actual ransomware gangs. A way to make this more ethical would be to have the data be insignificant or encrypted. The media will still have their story, and public perception will be changed.
An even better way would be to secretly coordinate with the "targets" of the hacks, turning the whole thing into a harmless spectacle that nevertheless decreases the incentive to hold data for ransom.
It always felt funny how these criminal groups in this case have to project an image of trustworthiness and honesty.
They service several large commonwealth departments and were instructed by them not to pay.
The Australian orgs I have deal with in large compromises have universally opted to pay to prevent release, where it was financially feasible.
In the case of digital files there is absolutely no guarantee that they delete the file, it’s like paying someone to go back in time.
The act has been done, the data is stolen, your negligence and wrongdoing is in the past and the only ethical option is to not fund the bad actors who are actually primarily responsible.
It's not even just offshore. Some onshore consultancies are really of agasp quality.
My current impression is: consumers don't care, regulators don't care... so why should CEOs care?
Source: my company was hit a couple months ago
You might be put at ease to read all that debt is a hallucination humanity has no obligation to pay.
Also after decades in IT hearing about one lapse in security after another (including entire iron mountain trucks being robbed back in the day) yet society seems capable of shrugging them off, it’s hard to take the anxiety seriously.
It’s possible the CEOs are not the only people in IT inflating the value of their contributions and ideas.
This sounds liked a failed ransomware attack. They encrypted the systems - Boeing says "no thank you, we have backups". There were no valuable zero-days to sell to GRU, so give a last ditch offer to try to salvage something.
Usually we blame the Chinese, but in this case I think its a toss between CIA and NSA.
(I think I'm on some kind of list now)
Edit: I am an idiot. I was thinking of Airbus, see @perihelions comment below
https://www.economist.com/special-report/2003/06/12/airbuss-...
- "According to a European Parliament report, published in 2001, America's National Security Agency (NSA) intercepted faxes and phone calls between Airbus, Saudi Arabian Airlines and the Saudi government in early 1994. The NSA found that Airbus agents were offering bribes to a Saudi official to secure a lion's share for Airbus in modernising Saudi Arabian Airlines' fleet. The planes were in a $6 billion deal that Edouard Balladur, France's then prime minister, had hoped to clinch on a visit to see King Fahd in January 1994. He went home empty-handed."
- "James Woolsey, then director of the Central Intelligence Agency, recounted in a newspaper article in 2000 how the American government typically reacted to intelligence of this sort. “When we have caught you [Europeans]...we go to the government you're bribing and tell its officials that we don't take kindly to such corruption,” he wrote. Apparently this (and a direct sales pitch from Bill Clinton to King Fahd) swung the aircraft part of the deal Boeing's and McDonnell Douglas's way."
Let's say some three digit agencies create sort of malware distribution forums in the darknet. They make sure to only broadcast to people who wants to play with malwares so the net catches the "bad guys" mostly, except for a few curious researchers or journalists maybe. Then they start to share recent generarion malwares they created. They don't need to distribute them by themselves because they already have the CCC servers. Some malware gangs would eventually be the frontend and start the distribution.
In this way you not only distribute the malwares without getting impacted, you also get to know the gangs so whenever you want to catch a few fishes you just pull the net.
Once the darknet forum dies out or they need to wipe the records, they would just leave and create a new one.
Just my wild thought.
If I was based in a country I would not want to target those that can more easily get me into jail and/or kill me.
I have no idea if FSB work for them, this is more speculation than open secret, but they certainly do tolerate them and see them in a good eye as long as they target western companies and agencies. The enemy of my enemies is my friend.
https://www.wsj.com/articles/how-north-koreas-hacker-army-st...
This isn't really true in general: intelligence agencies often want access to funds with less/no oversight from (or to skirt controls enacted by) other parts of the government. As an example, that was the dynamic at the basis of the Iran-Contra affair in the US.
Yes. If any of this information does end up getting leaked, it kills the credibility of the ransomware group and they'll never get paid again. Sort of mutually assured destruction.
Now of course, most people don't really trust criminals anyway so the business has a pretty strong bargaining position and I believe many of the ransoms are negotiated way down.
(or do we need eBay-like "seller ratings" and customer reviews for ransomware groups?)
Didn't Silk Road have eBay-style ratings/reviews?
My understand is that since it's a much more limited market, access is very difficult even under normal circumstances (not because of security but just because dark web markets usually have awful performance for various reasons), so it's a far different review landscape than say shopping on Amazon, at least the ones I have used. The markets themselves were fantastic about refunds/conflict resolution, better than most normal online shops. Reputation is key for basically everything dark web, and the main actors in this space are notoriously petty and bold towards anyone that makes it harder to conduct business.
I imagine it's very similar with Ransomware as there has to be some reason for the targets of the attack to believe paying the ransom is worth it, and anyone who upsets that balance for the ransomware gangs unexpectedly becomes rapidly unpopular, and usually a target for the other gangs. It very much so is heavily relying on the honor system, but it seems the groups are committed to such a system.
Silk Road was 10 years ago that would have been like the smallest one ever since then, just curious why it is referenced at all, and in such an odd way
“I heard eBay has bulletin board like reviews” you know you can just go look, in a web browser “woah thats crazy talk, I prefer 10 year old hearsay”
anyway, they often have a separate forum where one could ask more about a group
Department of Justice and Europol have lots of press releases about other markets and busts and ways they failed to bust them, and how their size eclipsed Silk Road
I guess as long as the media doesnt parade it around or makes movies about it nobody knows
Superhost for my datas
All companies and governments should take the stance that any randomwared or compromised data is now public. And if they don't have the backups, then they should consider it permanently lost.
Write it off as a business loss and hire better ops people.
The attackers attack for money, not to kill their prey, that's not profitable.
https://ofac.treasury.gov/recent-actions/20210921
That's a somewhat reasonable stance. You definitely have no guaranteed assurance that it won't be leaked. However... depending on what you do have set up, you may have some reasons to believe that 45GB of encrypted data has not left your internal network (i.e. was only encrypted-in-place)
> And if they don't have the backups, then they should consider it permanently lost.
That's easy to say but way harder in practice. If the data in question is the design artifacts from a billion dollar project... it'd be a pretty hard sell to convince everyone "woops, we fucked up, billion dollars gone, time to close the doors and go home, we definitely shouldn't consider paying $500k or $1M or whatever they want to get all this data back".
You can rebrand as CaTBUTT, or Indrik Spider 2.0, or whatever, but if you're using some custom version of Mirai they'll eventually tag your M.O. and the threat intelligence briefings will reflect that.
And then no ransom.
It (and other malware) tend to behave in specific ways and follow specific patterns, and those patterns can be analyzed. Ditto for the servers they use, targets they hit, etc.
These approaches are known as TTPs, and documenting them is how you attribute an attack to a specific group or actor. Even if you change your org and start using servers in a different country eventually your MO will give you away.
These approaches are cataloged by IT security types, and many cybersecurity orgs release publications about Group X using approach Y.
So when you get hacked by Group Z, but they sound like X and Y, you guess it was them. And if Group X has a history of burning ransom payers then you don't pay -- they'd fuck you anyway, so save the money and start rebuilding.
Understand: For the ransomer's point of view this is another monday, albeit one where a big fish walked away.
Which just reinforces the "honor = iterative prisoner's dilemma" argument.
He’s a criminal who launders money through small businesses he owns and the accounting firm he runs. He names it ZZZ Accounting so it doesn’t get a lot of calls through people looking up accountants in phone book.
Look to Amazon for new ideas on DGA-derived names for your fly-by-night business.
Some homeowners thought it was going to be him cutting their lawns and would get upset because the contract said he’d do it. So he’d just rip up the contract in front of them and refuse to cut their lawn ever again.
In Florida there were so many houses with lawns in so many subdivisions he was always busy anyway. Plus he liked getting into fights with adults. Win win, I guess.
On the other hand, holding their side of the promise allows them to build a reputation, which makes it easier to get future victims to pay. Why would they leak the data if someone paid?
Obviously this behavior doesn't apply to all of them, but it's a clear effort by some of them to immediately appear more palatable to random IT worker, the execs, and the lawyers who are watching the who process play out.
And it also lines up with the fact that ransomware groups have freaking HR departments to handle their employees.
regarding drug dealers, I wouldn't consider it a good comparison. the actions of one dealer typically doesn't affect others, they're just not that connected beyond professional recognition/courtesy. If dealer A is shorting their customers, dealer B absolutely wouldn't care as why would they? they have no relationship, and it'd probably mean the customers go to dealer B instead. business will continue as usual even if one bad actor is doing shitty stuff to their customers.
with ransomware that is not the case -- if public opinion overwhelmingly tells there's no sense in paying because the ransomware gangs never follow their word, that affects all the gangs, not just the bad actor. the gangs already have a hard enough argument to make as to why the targets should pay so anything that frustrates that further is frowned upon.
The reason ransomware worked was you didn't have to trust the group long-term - just enough to give you a copy of your data back.
It's the difference between you making a copy of my car keys and stealing them. Yes, I will pay for "a" key back - I only have to trust you enough to hand it over.
Hilarious.
So is murder for hire. However, both being firmly within the "crime" category of business, all allusions to legitimate business concepts such as "reputation", "contract" and "predictability" are illusory, rhetorical and rarely survive first contact with some felonious scumbag who wants to screw you over. Particularly when one side of the interaction is not an experienced and dangerous criminal.
There are people who consider these groups credible?? The world really has gone insane.
There are review sites for ransomware groups?
"honored promise not to disclose, didn't gloat or taunt, would pay again, 10/10"
At least for 'most'.
So a part of one gang made some claims and some other not-gang claims they have ties with FSB or SVR => all gangs are operating under personal Putin blessing. Even North Korean and Ukrainian, right?
I don't buy it. There's nothing to stop the group from rebranding themselves. The company has no proof nobody else got a copy of the data. And the group could simply hang onto the data, extort a bunch of money from other companies, then start back at the beginning and demand even more (knowing that the data is worth _at least_ what was already paid for it).
Apart from the fact that nobody would pay them if they have no reputation.
If LockBit does something to taint their image in the media and among security organizations, then rebrands to avoid their negative history, forensics will still eventually tie their new name back to their old org, and victim's will have to decide whether they should trust that their data will be handled correctly after payment.
As for re-victimizing old organizations, there's almost zero chance of that working. Most data is only sensitive for a certain time frame, long enough that they can make the proper notifications, change credentials, etc.
Lastly, there still needs to be someone to download and abuse the data they leak. I've monitored ransomware torrents a few times and not observed any downloads completed over the course of a couple weeks following a data leak.
LockBit just did a sort of collective bargaining with affiliate groups that resulted in guidance for setting initial ransom amounts and rules restricting discounts about 50%.
Hard to say...
You're effectively trusting the liar they wont lie again
Its possible they leak it to high profile customers without publicly announcing it
Business should make decision assuming the data will be leaked eventually regardless of random paid or not
Perhaps only thing business can assume is the data wont be publicly released in short amount of time
Trust isn't all-or-nothing. When I ride a bus I'm trusting the driver with my life, but I wouldn't trust them to babysit my kids.
Mutability is deniability. I don't trust hardware companies with that. And I don't have to, either.
Stop hawking this SGX snakeoil. Except maybe to ransomware authors, who deserve what they'll get.
Attestations are quite certainly traceable to the EPID, which is a fuse array -- it's on the die, not the motherboard. In order to attest, the key that encrypts the victim's data would have to be SGX-generated. What kind of RNG do you think it uses? Maybe Dual_EC_DRDBG?
I suppose it helps them in the former case, if they also had no backups. But the hackers are already in a very bad place if the CPUs get captured, so I don't think they care about SGX at that point. The hackers don't need to trust SGX. They only need the victims to trust it.
You mean:
1. generate a public/private key in enclave
2. generate attestation from SGX enclave with public key hash.
3. seal the public/private key somewhere so it can be reused later, otherwise pc restart or app failures / no data.
4. publish source code that generates mrenclave somewhere that can be audited.
5. encrypt in place and assume remote trusts you when you say data was only exfiltrated encrypted or not at all.
Now, 5 is the problem i mentioned. Why would anyone trust that data was not exfiltrated unencrypted and copied a few times.
> and the unencrypted plaintext never leaves the victim organization.
You also mentioned this to be fair. Why would this be trusted?
6. Release data if no payment on bitcoin.
SGX enclaves do not have magic trusted access to network to get bitcoin payments data.
It can be man in the middled or fooled by omission by who controls machibe.
So key can be releases by feeding it bad data (payment was not done and time expired - release to the world).
There's also the problem that attestation might lead to the originating group if cpu is identifiable.
Actually I'm often surprised that many ransomers/hostage-takers go through with their threats when they don't get their demands. The only reason I can see them doing it is if reputation matters to them for future negotiations. more than the risks from the greater liabilities they incur by going through with the threats.
It doesn't have to be the whole group; perhaps one guy decides to branch out on his own, and grabs the data on his way out the door.
However if you have adequate backup and recovery mechanisms in place then you're not the best to prey on.
It's a business model that works until the majority of targets have appropriate backup and recovery processes.
The purpose of the law is that now ransomware gangs will be less likely to target US companies because companies are unlikely to risk paying them.
That doesn't stop companies from paying for it. If you're a hospital, you're weighing breaking the letter of the law with killing a bunch of people.
[1] https://www.gma-cpa.com/technology-blog/paying-ransom-on-a-r...
[2] https://cbs12.com/news/cbs12-news-i-team/hospital-ransomware...
Given the sources of many of these attacks, one should reasonably assume they are likely to be doing business with a sanctioned entity, right?
I really wish I could find the McBoeing stickers I was given when I worked as an outside contractor during the time of the merger. The stickers weren't standard issue swag but rather made by a frustrated employee, that said they were a common sight on toolboxes at various plants.
I worked installing, qualifying, training on the use, and maintaining CNC machine tools in many shops spread across multiple plants. The folks in the shops where I worked were seriously displeased about the merger. Many of the people I had the pleasure working with had decades of service under their belts and were worried what would come of the combined company. It turns out their fears were entirely valid, though, I suppose most of them retired years ago and are enjoying their pensions.
the things you’re relating here, this is one of the favorite myths of seattle boeing employees. you hear it everywhere, even today, and the people today, I mean, these are like stories of their parents, passed down from generation to generation about the boogey man. The only people left from that timeframe were almost all kids then. Very, very few of these people have any first hand experience with any of this. In seattle, generations of employees are a thing, and kids continuing that tradition aren’t going to question stories like this from their parents.
The merger myth gets lots of play in seattle because the commercial employees use it to shield themselves from the reality that BA would have gone bankrupt, twice, if the defense business wasn’t there to bail them out. They complain that those mcdonald douglas people were all overly focused on financials and not, I don’t know, i guess the spirit of flying? Well, the opinion of the mcdonald douglas folks was that boeing wasted incredible amounts of money on nothing because they had no concept (broadly speaking) of the financial restrictions that come with government contracts. A typical conversation would look like “No, sorry man, you can’t use taxpayer dollars to buy a new TV for the lobby. It’s literally illegal. It’s taxpayer money, you can’t just use it for whatever you want.” All of the baggage that comes with government contracts and foreign military sales was so alien to these people that they confused basic accounting and following the law with some sort of machiavellian plot to destroy the spirit of Old Mr Boeing. Some of them aren’t even aware you can’t just sell military aircraft overseas just because you want to make more money.
I would imagine that, if you asked those who like to bitch about the merger, they would consistently underestimate the percentage of revenue that the defense business brings in. There are a shocking amount of people in seattle that feel like they can give a detailed analysis of the corporate history, but they don’t even know where the money comes from. Like, even in general. Many of them seem to be under the impression that the defense business is about 15% of revenue, not the 30-60% it has been for the past 25 years.
I mean, literally the only reason some of those people still have jobs (after MAX and COVID wiped out all cash at the company practically overnight) is because BA owning the (countercyclical) defense business is the only reason there weren’t 10,000 or 20,000 additional layoffs. You have to be remarkably thick to have a career in aerospace and not know these things.
The money part of the myth is particularly funny, since it was the massive cash flow from the C17 that Boeing was most desperate for at the time. Mcdonald Douglas was fine at the time, but there was no great long term prospect because they had just lost two massive contracts (F22 and F35), so a sale before things got rough was a reasonable idea. In return Boeing picked up a ton of cash and a countercyclical business.
The “lost their way to MBAs” myth of course also covers up the fact that most of the layoffs from the merger were McDonald Douglas employees, as well as the fact that Boeing’s financial focus began well before the merger.
Ask one of these people to explain how it is that MD was a doomed company overly focused on cost cutting, yet had fantastic labor relations due in large part because of the willingness to compensate those same employees. I doubt they even knew relations were that good.
There’s two additional reasons this myth persists in seattle.
Lots of manufacturing employees in the 90s, the boomers, and early aughts were outsourced. The middle class shrunk. For many of these people, it wasn’t obvious this was caus...
The article mentions citrix and emails, but that could be anything
Govs like China and aircraft/defense competitors to Boeing probably got a goldmine if they didn't already have their own access. Boeing does plenty of NATSEC and space stuff.
Now, if it is 2,000,000 text files totaling 25gb, then that is harder to explain away.
(I just read the article and saw that it deals with a vendor we use daily... so... great news.)
Just detailed schematics of a given plastic knob in the cockpit should take at least a few pages, nevermind something more complex or critical like turbine blades.
https://www.boeing-747.com/fun_facts_from_boeing.php
Internet says 747 has 6,000,000 parts, half of which are fasteners. So 3m individual components. “171 miles” of wiring. Blah blah. I can easily see 10k drawings to cover that beast, soup to nuts.
Otherwise you could have a crawler that just traverses the FileShare and makes duplicates at a rate slower than what would look like BAU traffic. Given that most enterprise network shares host a TON of legitimate batch dump/upload file traffic it might be easy to skate by.
Unless this was just a public S3 bucket, there was probably some lateral movement involved, and I'd say time/money would be better spent reducing that particular risk in the future.
We watch it happen. We have the tools to stop it. But we're not empowered to use them, for the exact same reasons that led to Equifax's fuckup-- we're not allowed to do anything that might impact production/pursuit of new revenue.
Lately, I'm not convinced this is even the "wrong" approach. Espionage was not invented alongside the Internet. If we build a Thing and it's the only Thing we sell, data concerning it will inevitably be stolen by someone in some way. But if we iterate on it fast enough, the value of older versions leaked diminishes. We're in the market of building and selling a moving target.
It also creates an inflated volume of data. You can't just break in, grab "the_flag.zip" and run like hell-- you have to exfiltrate a fuckton of data, make sense of it, and carve something usable from it. Like, checking binaries into a git repo makes the size bloom, but it doesn't add a proportionate amount of "value" to stealing that repo. It's padded with drafts and garbage.
Slowly, hidden among legitimate traffic, and indirectly. For example, most companies don't notice 100 kb/sec increases in DNS traffic, slight increases in web server image sizes, or changes to server MOTDs.
Have there ever been massive problems from one of these leaks for the targeted company?
I seem to remember quite a lof of similar leaks over the past two years where the market and public shrug it off.
Clearly 45gig is a lot. I would think if there was a major horrible thing to find that Boeing would have paid the ransom (and told no one).
Will it have any real negative consequences for Boeing?
It is a black mark against them that they were vulnerable. I guess it is favorable point for many that they didn't pay.
The ones looking at this will be China, Russia and their associates that don't care about (Western) law.
Let's not even bring project Echelon into this..
For higher-level people it really just isn't worth the risk, unless there's some incredibly valuable secret.
Actually, the French government intelligence agency is famous for IP theft. This one is placed at their feet.
If however, a completely separate company, perhaps in a different country, that has no business associations with Airbus in any manner, and there will never exists payments between Boeing and this company went through all of it would be no problem.
If a specific bigwig later on received among photos and videos, a steganographic encrypted document whilst visiting an anonymous sex site then read it and deleted it, nobody would ever know. (lest someone talks, always the human factor)
I made up all of the second paragraph. Companies specializing in what i described over to exist. They are not of course limited to ransomware leaks.
If you are under defense industry rules, viewing data is generally on a Need-To-Know basis. For any data that is classified, or CUI (Controlled Unclassified Information), EVEN IF that data becomes publicly available, it is illegal to view it.
Now, I'm sure if a headline came up in a Google search you wouldn't get busted, but if you go ahead and download it, that is at least putting your ability to continue working with classified/CUI at risk.
So yes, it's a hot potato which no one (smart) in the civilized democratic world will touch.
How to shoot yourself in the foot with bad management?
(On the other hand maybe some other company's board went through the docs, hmm)
https://slate.com/human-interest/2014/12/sony-pictures-hack-...
It also says that a spreadsheet from 2004 states that 85% of the top earners were men. This is unrelated to the pay gap argument.
The rest of the article is fluff completely unrelated to the leak. I'm no surprised there were no ramifications from this. If this is all that was found, it pretty much says there's no or practically no pay gap at Sony.
https://www.theguardian.com/film/2014/dec/12/sony-email-hack...
https://www.theguardian.com/film/2015/may/28/george-clooney-...
45GB can be a lot, or it can be a couple of people's worth of marketing presentations.
And I believe some of the more interesting things found in that data set (outside of the fraud) were people cheating on their partners.
https://www.kaggle.com/datasets/wcukierski/enron-email-datas...
https://www.ferc.gov/electric/industry-activities/addressing...
It really depends upon how it is used, misused or abused.
There are bluray movies larger than this leak and there are files smaller than 10kb a lot more critical in most businesses.
It'd be nice if there was some sort of scale for data leaks like (just spitballing here):
1. Leak destroys all core company functions (crypto-exchange leaks all wallet keys, CA leaks all root keys and becomes banned from all trust stores, etc.)
2. Leak causes regulatory issues criminal enough to shut down company
3. Leak severely hinders core company functions (deploy keys for a cloud computing SaaS are deleted which stops all new deployments until all infra is reconfigured)
4. Leak severely looses company competitive advantages (new products leak that are replicable by competitors)
5. Leak causes severe PR disaster
6. Leak shows embarrassing internal company communication without any of the above
The disk size does not matter, and when the severity was actually determined it would show up in the headlines as "Boeing leak determined to be a level 3 leak" instead of just being "That boeing leak 5 months ago was kinda bad".
Either way, listing the size says very little.
Relevant quote from the article: "I haven’t gone over the whole data set but Boeing emails and a few others stand out as useful for those with malicious intent"
Both journalists and the public need a better way to understand how different breaches affect them.
If anything this would create two stories where there now is one, so journalists would not have less or later to report.
What does autism have to do with having the professional integrity to understand what it is you're writing about before publishing sensational claims?
And second, even if a company has no idea of the scope, the hackers would somehow want to prove at least privately what the scope was, else their threat is not as manipulative as it could be. On the other hand, the hackers can't credibly bluff and inflate the scope too far beyond reality because the company can just say "prove it or I don't believe you and I won't pay." And the hackers want to get paid.
It's a business deal after all. A really crappy one involving criminals. But at the end of the day, the company must have already assessed the value of the leak in order to reach a decision.
I've seen companies say this sort of thing with high confidence. But that seems hard to me, assuming some level of administrative access was breached.
I think that is a good way of measuring it.
Maybe the world needs a standardized place to catalog and rank all the data breaches that have been disclosed.
Groups that leak are likely to want to inflate the severity of the leak to ensure they get paid.
The larger a leak, the higher the probability there’s sensitive information in there, and the better opportunities/more time attackers had to exfiltrate it.
The info says nothing, it conveys nothing. Even skipping the size and saying it leaked "emails" says more in the headline than the size.
A single video recording of an all-hands meeting could fill that size but it could also be emails containing the keys for accessing a large part of DOD.
Kind of like saying I have 10. 10 what? As my math/science teachers always said, don't forget to include your units.
Could be the alternative headline.
They asked for almost a million USD. FBI got involved, everything was restored from backups (thankfully, a month loss of digitalized work, and absolutely nothing was given to the ransomware group.
To your point, there are severe regulatory issues that have to be addressed due to the exfiltration. I no longer work for them, so I don't know the extent of their cost in 1. notifying affected clients and 2. providing credit protection coverage due to leaking of personal data.
No news org is going to go through that effort.
Boeing, Lockheed Martin, Facebook, etc...deserve it
This is a childish 2000s take. The world is rougher, Pax Americana is over, we need effective defense contractors because the world is full of assholes. Grow up.
I know you're better than that.
Pray tell how do you counter an all or nothing assertion?
Such idiotic comments don't deserve nuance.
Also, pro-tip: Just shouting "fallacy", doesn't mean it is.
Simple, you don't engage in it, because you're able to recognize the fallacy. Not every conversation needs to dissolve into a debate-fest.
Any company that helps support America is also bad and most be opposed
Any person that that does not view America as bad is a bigot alt-right extremist and must be opposed
That is the state of politics for 2023, and anyone born after the year 1990 or so
On the contrary, it's less violent than previous decades. The difference is you get to hear about EVERYTHING due to nearly ever human on earth has a smart phone and access to the web.
This is a blessing and a curse. Given your handle, I'm surprised you haven't figured that out.
Point is what is the upside of disclosure (I think) vs. the downside. Nobody is suggesting no disclosure but the writer seemed to think that the security industrial complex has lawmakers believing that everything should be open and there should be constant white hat hacking which seems to feed and benefit the security industry.
I am curious if anyone has a thought on this topic.
2. Imagine the sheer pain of duplicating every single process and spec to the minutest detail, nobody is flying an airplane that only 'works' 99.99% of the time. Probably easier to start from scratch and learn it. BTW, this was tried by Russia in the all through the '80s, they tried to steal all advanced tech. but by the time they duplicated the stolen technology, the next generation appeared. A losing battle.
Not the ones that were forked due to abandonment, but the forks due to “irreconcilable differences”.
Might I introduce you to the Tupolev Tu-134?
https://en.m.wikipedia.org/wiki/List_of_accidents_and_incide...
Also perhaps the 737-MAX. :)
* https://en.wikipedia.org/wiki/Maneuvering_Characteristics_Au...
Some searching says...
1. >1000 flights per day for the family
2. 2 US carriers accounting for more than 200 Max 8 per day
So one would have to get to 20,000 flights after two crashes to get 2 nines. We're well past that threshold
Said differently, the Max 8 was working safely 99.999% of the time, while the 737 NG was working safely 99.99999% of the time. An order of magnitude better than 99.99%, but two orders of magnitude worse than expected...
It is certainly a lot safer now. Hopefully even better than the 737 NG.
Air safety seems the quintessential "discounting the horror of extremely rare accidents from the actual total safety rate" mental trap.
When it's years between incidents, and that widely used? Yeah, I'd still fly on one if I needed to.
But I swim in the pool during thunderstorms too, so not really a zero risk type person.
https://en.wikipedia.org/wiki/Tupolev_Tu-144
though that one was so defective that even the Soviets didn't want to risk flying it. it could barely get into the air, and that'd be with several major faults and alarms blaring.
> Capable of operating from unpaved and gravel airfields with only basic facilities, it was widely used in the extreme Arctic conditions of Russia's northern/eastern regions, where other airliners were unable to operate.
The 737 Max 8.
https://news.ycombinator.com/item?id=38358542
2. Aviation in the USSR was developing completely independent, and you can accuse USSR in stealing technology in many areas but certainly not in aviation.
One of the more interesting points of discussion was that when big companies negotiate purchase agreements for parts, the actual cost of the parts can be very transparent. The negotiation is generally about the actual markup e.g. "I think we should pay X% over cost.
Someone, logically, brought up: "What if the company is not willing to share the cost upfront?".
The professor responded: "Well, if it's a public company you can generally deduce a rough cost/part and use that as your starting point in the negotiation"
Student: "Well what if the company says we're wrong?"
Professor: "No problem: ask them what the correct number is. If they don't want to give it to you, ask them how you expect to have a long term partnership if you are not willing to talk openly and honestly about things like parts costs."
No business wants to share it's internal costs, it's their prime competitive advantage
Now, the federal government, particularly with drugs pricing, turns a blind eye towards the suppliers just jacking up the purported cost. E.g. Pharma:“we want to make $100 per pill, it costs us $5 to produce”. Fed: “we demand cost + 10%, because the people”. Pharma:”Fine, let’s say it costs $90 to produce.” Fed:”Where do I sign?”
Whereas Walmart would say to somebody like Nabisco, “GFY; if you want your product on our shelves, you’ll open your books and give us audited cost + 10%”.
If your business' primary competitive advantage is that it gets ICs for 1c less/per thousand, your business is built on shaky foundations. One that you would still want to disclose during negotiations ("yeah, our product is the exact same quality as Widget Co; but we've found a supply for some internal parts at slightly below market value").
Just as we as consumers know we pay extra to the company (even if the numbers aren't oblique), businesses know the same. It's about how much you're willing to spend, not how much they spent to build it.
I wish this dumb naïve argument would just die quietly in a corner.
A the value of a device is not its BOM. It has never been and it will never be.
There are so many other additional costs to factor in. Costs related to the manufacturing plant, its people, its tooling and its processes. Logistics costs related to bringing in parts. QA costs. R&D costs. Software maintenance costs. Marketing costs. Certain parts and software may have royalty fees associated with them. The list goes on, and on, and on.
So please, enough of the dumb "$device is only $2USD because its only a bunch of 2c resistors and capacitors on a PCB".
The thread was about literal parts costs and how knowing those means nothing to the value of a produced item. In which case, a BOM is directly and literally applicable.
No one is saying what you're so annoyed and frustrated about. Literally the entire thread is about how the value of a product is far greater than it's actual parts cost and why knowing that is useless for negotiation.
Learn to listen/read before you get yourself into a tissy about a made up sleight.
For a plane, it's going to be the former
That and the reason it's easy to get a BOM of cheap products is because you can buy them and tear them down. I can't see Airbus managing to buy a boeing and tear the entire thing down without Boeing noticing
China: hold my baijiu
Economic and industrial espionage has a long history. Father Francois Xavier d'Entrecolles, who visited Jingdezhen, China in 1712 and later used this visit to reveal the manufacturing methods of Chinese porcelain to Europe, is sometimes considered to have conducted an early case of industrial espionage.[16]
Historical accounts have been written of industrial espionage between Britain and France.[17] Attributed to Britain's emergence as an "industrial creditor", the second decade of the 18th century saw the emergence of a large-scale state-sponsored effort to surreptitiously take British industrial technology to France.[17] Witnesses confirmed both the inveigling of tradespersons abroad and the placing of apprentices in England.[18] Protests by those such as ironworkers in Sheffield and steelworkers in Newcastle,[clarification needed] about skilled industrial workers being enticed abroad, led to the first English legislation aimed at preventing this method of economic and industrial espionage.[19][18] This did not prevent Samuel Slater from bringing British textile technology to the United States in 1789. In order to catch up with technological advances of European powers, the US government in the eighteenth and nineteenth centuries actively encouraged intellectual piracy.
I can't justify slavery in x country because "well the west did it before and so now it's their turn" (to use an extreme example and yes I know that slavery has already occurred in almost every country/is still occurring in some).
[0] https://en.wikipedia.org/wiki/Comac_C919
You sure? C919 didn't start commercial flights until this year (2023)
The US for example trying to get back some of its domestic manufacturing prowess, after decades which has outsourced it to China which has gotten really good at it, has a 10-20 year barrier to overcome before it can even start to get to the same level, and that's if all goes well and no stupid decisions are made. Which is not very likely.
Boeing Co, as a government contractor being hacked is obviously more concerning than a breach at $x company. It's a shame. I'd say this is a learning opportunity, but it likely won't be. Onto the next round of "cybersecurity" speak...