55 comments

[ 3.5 ms ] story [ 28.5 ms ] thread
(comment deleted)
What exactly should we do with this information? It's clear there's a cyber war heating up. Between Stuxnet, the US gov's OPM getting hacked, kaspersky getting attacked, it's become pretty obvious. And since there's seemingly no need to declare such a war before doing it, it'll only get hotter.

So what do we do? Is it time to just start running open-bsd? Should I just assume my systems won't be a casualty because it won't get that hot? Air gap the important part?

It's the cyberwar equivalent of soliciting engineered microbes for which there is no vaccine or treatment. How long would anyone put up with that?
Don't you get it. The cyberwar isn't "heating up", what "cyberwar" exists has existed since the 90's. Yes technological pervasiveness is making vulnerabilities being taken advantage of hit larger swaths of devices, but that's not why you see the heating up of the arena.

The real reason is that we need a new boogieman to justify the level of surveillance. The public, as deluded and propagandised as they are, is starting to get tired of the same ol terrorism argument, so this is the new communism/terrorism, etc.

The point is that it's never about what they say it's about. It's about control. Inverted totalitarianism.

Not just surveillance, we also need a reason to keep the war machine going. And there'll be demands for more money for national security after this. Ad infinitum until there's a revolt or some kind of political evolution in the states.

That fiat cash will get tucked away by some established families and companies, revolving doors aplenty, and then a new threat will be invented/created when this one wears out. The Fed, or the people behind it, will sit back with their hands crossed on their fat, corrupt bellies and say, well, at least we'll enjoy the planet while we live. Screw the rest.

You're right, but what really gets me is that the internet was supposed to be the great equalizer, revealing that the emperor had no clothes, but it's almost as if as the corruption becomes more apparent, the more they have to push it to stay on top of the proletariat. It's worrisome where this trend will end up.
Ultimately I guess it depends on whether you're optimistic about human nature, over time.

I think we're seeing a gross abuse of it, esp. from the leaders of the US and the people pulling the strings. But, I'd like to think we improve over time, despite this kind of evil. And there is no doubt in my mind its an evil, perhaps not biblical, but a vast and greedy, sickening selfishness.

Pity we won't be around to see it if and when it turns right, but time is a great healer. I don't think the level of greed we're seeing now can be turned around in a generation.

Personally, I don't see much light at the end of the tunnel? This greed seems cool in some circles--which I can't comprehend. It is not cool in my world. I feel morality is lacking? I don't know how to install morality. I do know this "Just because it's legal, doesn't make it moral" said by a deceased friend of mine.
Idk, but longer term I'd think a co-operative approach would make more sense, and stop destroying the planet for elfish short-term gains.

Crazy idea though. Can't have anything compete with those beautiful oil, fracking, banking, warring people though - they mean well! I mean, its just short term, we'll just cut down all the forests, ruin all the topsoil, drill all the oil, frack all the rocks and lpg, and ... well, we don't care, go fuck yourselves, we made money, and we don't care about children or grandchildren. Cya.

I don't see any light either, that is what is very depressing.

We're ruled by very greedy, short-sighted people, that don't care what you think, or care what they are doing.

I guess Wolf of Wall St puts that behaviour on a bit of a pedestal. I personally don't know anyone that is that kind of a prick, but presumably they exist.

I think we all know what is selfish, and what is greedy. Some will choose to ignore it though, and/or justify it.

The problem is realism in foreign policy. Even the nicest kid entering Harvard for a polisci degree is going to have to reconcile information asymmetry / anarchy in international relations with democracy and civil society. It's harder than you think. I once asked a foreign policy friend of mine if ethics entered foreign policy decisions. He sat and thought for about 2 or 3 mins before saying "sometimes, sure, if the stakes aren't too high". On his own this guy wouldn't hurt a fly, and in general he accepts that liberalism and US soft power is sometimes effective, but at his core he's a realist, and realists tap the internet and throw revolutions in the Ukraine.
I'm thinking nonsense. We have to descend to the lowest common denominator to make things work? That seems lazy to me.

The system we have at the moment is geared towards a few, extremely wealthy individuals and companies, and they basically created the system and need to see it continue. And its from the US it came and gets enforced.

There is absolutely no need to have a system we have in the US where the corporations basically call the shots, via campaign funding and revolving door bribery, or for the warmongering. Its like someone holding a gun to your face complaining that the other person "just won't see sense, they refuse to put their gun down". Small wonder, when they're being threatened.

What would make sense for me is for a few people in powerful positions to grow a backbone and start to demand changes; but I think the apparatus is so strong now, that those that do, meet an untimely fate, and the remaining few have courage in the face of certain death/social destruction.

I think we've been had, basically, in a really large way, and I don't see a way out of it. Its a successful, long game play that has won out. Nice if you're part of it, sucks if you're not.

And the Arab Spring was supposed to result in a great liberalization of MENA countries.

I don't know whether it's optimism or naiveté–or likely some mixture of the two–but the western public tends to ignore how large changes in technology and society can (and usually does) tilt the balance of power towards the establishment.

Control for what purpose?
for its own sake. for the thrill of being the top-dog, for the giggle of a nation of minions scared shitless into begging you to take more power so you can scare them more.
Suppression of dissent primarily, which is why the internet is and will increasingly be under legislative attack. It has served as one of the last bastions of anarchistic freedom of thought, which threatens the powers that be.

Said suppression only happens when you can reliably tie identities online to identities offline. Hence parallel construction, etc.

So many different purposes. Sometimes control is necessary for everyone's benefit - government has a legitimate claim to power. Sometimes control is self-interested - it does one party more good than it can do the other. Sometimes control is about a brace for an uncertain future - the American Empire right now is being seriously challenged for its global primacy. Sometimes control is about self-benefit - it consolidates power specifically to disadvantage the other power. Etc. Etc.

Power consolidation right now is a mixed bag. Those who want power for their own purposes find a good partner with those who consolidate power for noble purposes find a good partner with those who brace for the future, etc.

You can only pick voices from the cacophony if you train your ear in one direction. They are all there and it takes every singer in the chorus to work.

If by "has existed" you mean to say that there were people who attacked computers in the 90s, yes, that's technically correct. However - I think the parent post was trying to say rather than 100s of millions being spent worldwide on this, 100s of billions are now being spent.
By cyberwar he means that nation states were investing in state-of-the-art capabilities to use Computer Network Exploitation for the purposes of espionage and sabotage.

This has been happening since the 90s.

It is true that it has gotten consistently warmer on the internet. There is a term called "hybrid warfare" now that is being traded in the US defense sector.

Hybrid warfare means assymetric capabilities in tandem with ground forces: IO (intelligence operations) with kinetic operations.

IO itself is a broad category consisting of Military Deception (MILDEC), PSYOPS or Strategic Communication (propaganda operations), Electronic Warfare (to disrupt communication, coordination and execution), and Signals Collection for espionage (SIGINT).

The US now considers hybrid warfare the norm and deploys IO operations with every kinetic force. In Syria this meant hacking their air force and grounding their planes - in Ukraine it means winning the 'idea war' in neutral territories and providing morale and information support to civilians and the military alike.

Cyberwar continues to change, as does all war, with the advancement of technology, the capabilities of the parties, the state of the art, and the scale of conflicts. But we've had it now for a couple decades in one stage of evolution or another.

The control is not always in the hue of totalitarianism or evil or malice.

Some control is necessary of any government.

Some control is perceived to be, but is not actually, necessary.

Some control is self-interested and self-concerned.

Some control is conspired by those who seek to wield it for their own benefit.

When it comes to the US government, there's a big mix of the above and its never enough to establish one grand motive behind everything.

This of course doesn't take away your point - it is about power. It's just that the angle on this power has to be negotiated circumstantially and available alternatives. (If there's an simple, cheap and effective way to solve a problem but a power consolidating method is chosen instead the mask has slipped).

Can someone "ELI5" this to me? How is it possible that in the Western world there is a collective 'they' that are doing this? It seems more reasonable that the behavior we dislike is emergent. Anyone working in even a medium-sized company knows that it couldn't possibly collude to get out of its own way. How is it that the US government can do it? Who is this magical 'they' we keep blaming and criticizing? Sorry if I'm being dense - sincerely trying to understand.
I dunno, AT&T had room 641a running for an awful long time. And when someone finally DID speak up, they were dismissed as a kook.

I think you're greatly, GREATLY underestimating the amount of collusion that can and does occur.

Thank you for your response.

I don't disagree that there is collusion - I disagree that it is as effective as we give it credit for. Namely, that there is a systematic 'them' which is against 'us'. That the NSA can tap communication is to me an example of very small collusion. It's the level alluded to here that confuses me:

>... a new boogieman to justify the level of surveillance... the point is that it's never about what they say it's about. It's about control. Inverted totalitarianism.

Is there really this kind of 'collusion' going on? Is there a backroom where people say this with a straight face? I'm completely prepared to hear this is the case but I'm trying to find a reasonable explanation. It seems to me these people go home to their wives and kids at the end of the day just like the rest of us.

To build this a little further. I toy with the idea that we ourselves are creating these mythical boogymen and THAT is what hurts our ability to change anything. I don't know :\",

I hesitated to respond because honestly, it's a dangerous question you are asking, and a truthful answer in the wrong place or time can be social and political suicide.

I understand your view, and generally agree with your primary point that it's not a single overarching group in total control. The world of Machiavellian Realpolitik is much more nuanced and complex than that, and I mostly chalk it up to our tendency as humans seek to simplify things.

First, I would like to point out that I consider Hanlon's razor a logical fallacy that should be relegated to the dustbin of debate. It is far too often used in the discussion of this matter.

Now to your original question of who "they" is. In short, my conclusion is that it is primarily but not restricted to the supranational aristocratic elite, in particular the ones who desire global governance (at least on the surface). The most obvious example of this is the kinds of people who are C-level or board level who have positions across the world. A good primary jumping point for this would be the analysis of control networks in this very good paper: http://arxiv.org/pdf/1107.5728.pdf

All that paper does though is show the level of interconnectedness, but what it doesn't show is intent. That wasn't your question though and is best left for another discussion.

The bottom line to me is that "they" is the uber-wealthy, and that class-warfare and return of a type of neo-feudalism is right around the corner if not already here.

If you want to know where the collusion happens, look to the round table groups; eg. the council on foreign relations, the bilderberg group, the trilateral commision, and various think-tanks, superpacs, and tax-exempt foundations, and yes, even secret societies. The main mistake though is to think they are all in on it or even understand it. That's not how control at a high level works.

Imagine how control of a secretive org such as the CIA/NSA works. It's so wrapped up in compartmentalization that it's easy to take people who mean well and task them with something they don't understand the bigger picture implications of, and combine many of them to accomplish a big thing that none of them understand but a few key people at the top.

I propose that the majority of "the key people at the top" are comprimised in some form or fashion, so even they are pawns in a game they don't fully understand... many simply want to make money or protect their reputations, though some are most definitely being blackmailed or threatened with much, much worse.

Thank you arca_vorago!

First - I am saddened that a line of questioning could be deemed dangerous. So much for our 'progress'.

> The main mistake though is to think they are all in on it or even understand it.

I hope I have not misunderstood but what you've said really confirms to me that what we see is roughly emergent from individual actors (consider a group an actor as well) seeking out their own interests. Of course it makes obvious sense that people of like status/wealth know closely other people of similar status/wealth. This can only lead to collusion the same way my close friends and I could be seen to collude in relation to our, admittedly, far smaller sphere of influence.

In general I agree with what you've said about Hanlon's razor but I also feel it is a useful approach simply as an exercise. Brute force remains a useful way to find the truth.

Thanks again for your response! I truly appreciate being able to discuss a topic like this without it devolving ala. most reddit boards etc.

"what we see is roughly emergent from individual actors (consider a group an actor as well) seeking out their own interests."

I would slightly adjust this and say that the emergent actors are guided and coaxed from a distance, but yes, I agree, at base it is the self-interests that drive it among individual actors. That being said, there were supposed to be mechanisms in place to help prevent such power to accumulate, and it is the deliberate undermining of these separations, and balances and checks, that indicates to me intent beyond simple local non-state actor self-interest.

I also greatly appreciate the fact that HN is one of the few places I feel comfortable enough conversations will maintain a certain level. Honest and open discussion is too far and few between these days, especially on such subjects as this.

Sorry to break it to you, but air gapping is not really an impediment for a determined adversary.
Neither is paper only storage. But it's still going to make it harder for the adversary than being connected to the internet.

Security is all about striking a balance between how hard you make it for the adversary vs how hard you make it for yourself.

Even committing only to memory and never writing it down is not going to stop a committed enough adversary kidnapping and torture do exist after all. The only question is where do you want to draw the line.

It occurs to me that zero days are kind of like lethal force. We would really rather the government have none, but it must to deal with defense. It could be levied at us, but we usually believe it won't.

Does that mean we need a Second Amendment for encryption?

$27.5m fixed bid for a 24 month contract. That's extremely good work if you can get it.
It doesn't say that. the number $27.5 million is the cut off for a business to be considered a "small business" which would receive special considerations under the law.
Does anyone have a link to the original solicitation?
Why not 0 seconds, instead of 0 days? I didn't think you can buy time anywhere, but why the gratuitous use of the “days” unit when the quantity is zero anyway?

Still, a gov't agency would surely pay plenty, even for nothing at all, so what's the going rate for “no time at all” these days?

Days convey immediacy and scale. "Today" and "same day" balance precision. If time between an exploit becoming known and fixed consistently happened in 100 seconds or less, 0-sec might sound ok. Come to think of it, 0-sec is a fitting pun.
"0-sec" isn't too bad, but the plural can make for awkward conversation.
0-sec is a terrible name if you're working in sec...
This is why the mission of securing America's networks needs to be removed from the NSA.

“What’s more noteworthy is how little regard the government seems to have for the process of deciding to exploit vulnerabilities,” wrote Nate Cardozo and Andrew Crocker of the Electronic Frontier Foundation. “As we’ve explained before, the decision to use a vulnerability for ‘offensive’ purposes rather than disclosing it to the developer is one that prioritizes surveillance over the security of millions of users.”

To be fair, they don't monitor whether the 0Day exploits are widely used so they have no idea when they should make them public for general security purposes. (yes, that's sarcasm)

But the way the entities operate that are actually seeking these, is by thinking of themselves as outside of the regular set of rules and even reality. They are seeking 0Day exploits with an assumption that the individual or individuals that provide them will not sell them to someone else or even use them for themselves.

I can guarantee that these "cyber wars" are going to result in some sort of cluster-fuck-up at some point because humans have a tendency to entrust the least responsible people with the most devastating technologies even remotely before we fully understand the ramifications.

On a side note; please take note of the fact that many of the current issues regarding anonymity and security on the internet and in technology in general is a direct fractal result of prior decisions by researchers and developers to not focus on anonymity and security as a primary requirement. The internet is a security nightmare, precisely because some researchers decided to ignore security requirements early on.

> This is why the mission of securing America's networks needs to be removed from the NSA.

And who should be responsible for this mission? Are you saying that the offensive and defensive cyber capabilities should be split between different agencies?

> “What’s more noteworthy is how little regard the government seems to have for the process of deciding to exploit vulnerabilities,”

The article mentions that the government itself acknowledges that there is a delicate balance between disclosure and maintaining the ability to accomplish other missions [1]. That dilemma never going away, no matter how the responsibilities are organized.

> “As we’ve explained before, the decision to use a vulnerability for ‘offensive’ purposes rather than disclosing it to the developer is one that prioritizes surveillance over the security of millions of users.”

Haven't read the EFF paper yet (and I hold the EFF in high regard), but in the context of zero-days, that quote is a bit of a strawman. You don't burn zero-days by indiscriminately propagating exploits (eg, for mass surveillance), it would be found out pretty quickly. You tap cables and get NSLs for mass surveillance. Payloads attached to a zero-day would be used for more specific purposes, rather than slurping up data en masse.

[1] https://www.whitehouse.gov/blog/2014/04/28/heartbleed-unders...

> And who should be responsible for this mission? Are you saying that the offensive and defensive cyber capabilities should be split between different agencies?

In theory, they already are. The Navy, Air Force, Army, and NSA all maintain somewhat separate cyber capabilities.

US Navy terrorists of the World and Defenders of the New World Order.
Didn't foresee all this nonsense when I started to enjoy IT back in the younger days.

Wish I didn't see it now either. What a mess. Long live the petrodollar and killing other humans for a fiat currency.

Just to be clear, this is not really the Navy as most of you think of it that is seeking this.
Give it some more time, all dissenting posts will be greyed out hehe.
I find it really strange the Navy is doing this. Does it actually have an intelligence wing capable of taking advantage of this? And if you thought the NSA was the cyber intelligence wing of the DoD, so did I.
Considering the Navy (Naval Research Laboratory) built TOR...
The ONI (Office of Naval Intelligence) is the US's OLDEST Intelligence agency, so yes.. :)
What you are seeing is the so called "black budget" at work. Money is allocated for say, the NSA, to get 10 new exploits but the actual funds go to the Navy or Air Force who handle the procurement process. Sometimes the supplier doesn't even know who is receiving the final product.