The FBI investigating hacking of Covid research by “PRC-affiliated cyber actors”(fbi.gov)
fbi.gov
The FBI investigating hacking of Covid research by “PRC-affiliated cyber actors”
https://www.fbi.gov/news/pressrel/press-releases/peoples-republic-of-china-prc-targeting-of-covid-19-research-organizations
232 comments
If you’re doing research of any significance in today’s world and don’t have an active security program looking for harmful actions by foreign intelligence your organization opens itself up for all sorts of nasty liabilities. You don’t even have to have an electronic intrusion. The PRC’s government also pays people off as the case of this former Cleveland Clinic researcher shows: https://www.cleveland.com/crime/2020/05/former-cleveland-cli...
I'm not sure I agree that it's the responsibility of the people doing research to protect against foreign nation state attacks (whether cyber or legacy intelligence).
1st: most people outside of government don't know how much they are expected/"required" to do to protect their work against foreign nation states. Except for heavily regulated sectors (government, military, heavy industry, banking, core telecom, and more recently elections) very few companies will actually get help from 3-letter-agencies to actively protect against foreign nation state attacks.
2nd: many people expect that the {NSA, Cyber Command, et al} are actively defending all US organizations. I don't see evidence of this (although if there was evidence, I probably wouldn't see it anyway).
3rd: In a national emergency (which the COVID response was declared), there are limits to the liabilities which would otherwise be enforceable in court. There are frequently/always legal escape clauses like force majeure and act of god which would likely alleviate liabilities due to fallout from acts of war or a severe pandemic, so it's not clear that those "nasty liabilities" could be enforced. There are currently 2 important cyberinsurance cases[1] which are winding their way through courts right now which may effectively decide if cyberinsurance is a viable product (depending on whether). Violations of HIPAA are possible, but similarly may not amount to much in terms of prosecution because of the pandemic.
In reality, it's damn near impossible to protect against a motivated+targeted nation state attack (especially with the resources of PRC). If the liabilities incentives require all projects (large and small) be able to withstand nation-state attacks, then all of the project resources go to cybersecurity and none into research -- your productivity is now zero.
It's important to remember that it's the FBI's job to do counter-intel. If a medical research group is defrauded by PRC spies and you blame the researchers for not being able to spot a non-trivial espionage attempt, you are just victim blaming. I work as a product developer in cybersecurity and I doubt I could identify most spy craft if it were to happen right in front of me.
[1] https://www.cpomagazine.com/cyber-security/aig-case-highligh...
1st: most people outside of government don't know how much they are expected/"required" to do to protect their work against foreign nation states. Except for heavily regulated sectors (government, military, heavy industry, banking, core telecom, and more recently elections) very few companies will actually get help from 3-letter-agencies to actively protect against foreign nation state attacks.
2nd: many people expect that the {NSA, Cyber Command, et al} are actively defending all US organizations. I don't see evidence of this (although if there was evidence, I probably wouldn't see it anyway).
3rd: In a national emergency (which the COVID response was declared), there are limits to the liabilities which would otherwise be enforceable in court. There are frequently/always legal escape clauses like force majeure and act of god which would likely alleviate liabilities due to fallout from acts of war or a severe pandemic, so it's not clear that those "nasty liabilities" could be enforced. There are currently 2 important cyberinsurance cases[1] which are winding their way through courts right now which may effectively decide if cyberinsurance is a viable product (depending on whether). Violations of HIPAA are possible, but similarly may not amount to much in terms of prosecution because of the pandemic.
In reality, it's damn near impossible to protect against a motivated+targeted nation state attack (especially with the resources of PRC). If the liabilities incentives require all projects (large and small) be able to withstand nation-state attacks, then all of the project resources go to cybersecurity and none into research -- your productivity is now zero.
It's important to remember that it's the FBI's job to do counter-intel. If a medical research group is defrauded by PRC spies and you blame the researchers for not being able to spot a non-trivial espionage attempt, you are just victim blaming. I work as a product developer in cybersecurity and I doubt I could identify most spy craft if it were to happen right in front of me.
[1] https://www.cpomagazine.com/cyber-security/aig-case-highligh...
> many people expect that the {NSA, Cyber Command, et al} are actively defending all US organizations. I don't see evidence of this (although if there was evidence, I probably wouldn't see it anyway).
If you keep your confidential research results on an unpatched server with weak passwords and exposed to the internet, what is the NSA supposed to do about that?
About the best thing they could do is to scan for and find the vulnerability before the attackers and notify you about it, which in general they don't. And it still wouldn't solve most of the problem because there would be objections if they did more than a cursory scan, which means they won't find most problems, but the attackers are under no such limitations.
> there are limits to the liabilities which would otherwise be enforceable in court
I don't think this is the kind of liability they're talking about. If your confidential research falls into the hands of economic spies, the problem isn't so much that someone is going to sue you as that your research and any relevant patents have now lost their economic value because a knockoff product will beat you to market.
> cyberinsurance
This is liable to be more of a grant hog than liability would. Not only do you have to pay the premiums -- which would be high unless researchers adopt good security practices, which having the insurance would give them the incentive to do the opposite of -- but you also then have the insurance company imposing some kind of bureaucratic best practices procedures that gives you even more compliance costs than you would get from having liability, because the insurance company has misaligned incentives with respect to the level of compliance burden to impose, since they don't pay any of it but get all the benefits.
The reality is, the researchers are the ones operating the systems their research is on. They're the ones who have to secure them. And they already largely have the right incentives to want to do that, but they also have a poor understanding of the necessity of it and the process for doing it.
What would help here are the things that would help in general. Fund vulnerability research in free software so that the software people are using (because it's what they can afford) is secure by default, and easy enough to use that people don't commonly make mistakes, and well-documented. Things like that. Make it easier to do the right thing so more people do.
If you keep your confidential research results on an unpatched server with weak passwords and exposed to the internet, what is the NSA supposed to do about that?
About the best thing they could do is to scan for and find the vulnerability before the attackers and notify you about it, which in general they don't. And it still wouldn't solve most of the problem because there would be objections if they did more than a cursory scan, which means they won't find most problems, but the attackers are under no such limitations.
> there are limits to the liabilities which would otherwise be enforceable in court
I don't think this is the kind of liability they're talking about. If your confidential research falls into the hands of economic spies, the problem isn't so much that someone is going to sue you as that your research and any relevant patents have now lost their economic value because a knockoff product will beat you to market.
> cyberinsurance
This is liable to be more of a grant hog than liability would. Not only do you have to pay the premiums -- which would be high unless researchers adopt good security practices, which having the insurance would give them the incentive to do the opposite of -- but you also then have the insurance company imposing some kind of bureaucratic best practices procedures that gives you even more compliance costs than you would get from having liability, because the insurance company has misaligned incentives with respect to the level of compliance burden to impose, since they don't pay any of it but get all the benefits.
The reality is, the researchers are the ones operating the systems their research is on. They're the ones who have to secure them. And they already largely have the right incentives to want to do that, but they also have a poor understanding of the necessity of it and the process for doing it.
What would help here are the things that would help in general. Fund vulnerability research in free software so that the software people are using (because it's what they can afford) is secure by default, and easy enough to use that people don't commonly make mistakes, and well-documented. Things like that. Make it easier to do the right thing so more people do.
> 1st: most people outside of government don't know how much they are expected/"required" to do to protect their work against foreign nation states.
This is very true, sadly. It ought not to be, but level of practical cyber abilities seems sorely lacking. I see lots of "governance" style cyber, but not a lot of "deep technical expertise being allowed to develop defences".
University research lab type environments deserve a special call-out though for being near-impossible to defend. Most of the time these are "defended" by pooled central IT staff without specific awareness of the significance of the systems or threats faced. University networks are also notoriously open, and even in lab environments, they're often connected directly to the internet or campus network (airgapped computers for internet access are less convenient and someone would have to pay for them, and nobody wants to). Let's not even go into the various shadow IT remote access systems in use, which circumvent the institution firewall to let them get work done from home in the evenings...
University lab environments are an incredibly tough target to secure. And the researchers will find ever more ingenious workarounds to security measures that they find getting in the way of their work.
> Except for heavily regulated sectors (government, military, heavy industry, banking, core telecom, and more recently elections) very few companies will actually get help from 3-letter-agencies to actively protect against foreign nation state attacks.
Even some of these sectors sorely lack ability in cyber, at least in some very developed and otherwise capable countries. There is still a very real barrier between 3 letter agencies, and the industries you mentioned that need this help. Information sharing is often too little too late, or not specific enough to be actioned.
That said, I do think cyber security needs to be a bigger priority in all sectors, but nobody wants to pay for it, and as long as there's no routine cost to business, I don't see that changing. Not while traditional "value for money" metrics are used to measure and compare options - it's very hard for those reviewing tenders or proposalsto see and differentiate between good security and some "military grade, unbreakable, quantum sprinkles" snake-oil security that has SQL injections everywhere.
This is very true, sadly. It ought not to be, but level of practical cyber abilities seems sorely lacking. I see lots of "governance" style cyber, but not a lot of "deep technical expertise being allowed to develop defences".
University research lab type environments deserve a special call-out though for being near-impossible to defend. Most of the time these are "defended" by pooled central IT staff without specific awareness of the significance of the systems or threats faced. University networks are also notoriously open, and even in lab environments, they're often connected directly to the internet or campus network (airgapped computers for internet access are less convenient and someone would have to pay for them, and nobody wants to). Let's not even go into the various shadow IT remote access systems in use, which circumvent the institution firewall to let them get work done from home in the evenings...
University lab environments are an incredibly tough target to secure. And the researchers will find ever more ingenious workarounds to security measures that they find getting in the way of their work.
> Except for heavily regulated sectors (government, military, heavy industry, banking, core telecom, and more recently elections) very few companies will actually get help from 3-letter-agencies to actively protect against foreign nation state attacks.
Even some of these sectors sorely lack ability in cyber, at least in some very developed and otherwise capable countries. There is still a very real barrier between 3 letter agencies, and the industries you mentioned that need this help. Information sharing is often too little too late, or not specific enough to be actioned.
That said, I do think cyber security needs to be a bigger priority in all sectors, but nobody wants to pay for it, and as long as there's no routine cost to business, I don't see that changing. Not while traditional "value for money" metrics are used to measure and compare options - it's very hard for those reviewing tenders or proposalsto see and differentiate between good security and some "military grade, unbreakable, quantum sprinkles" snake-oil security that has SQL injections everywhere.
You conflate so many facets into an hopeless image. Yes, all research facilities are potential targets. Yes, it's wise to assume that no single one can realistically deflect a full frontal attack from a state agent. But each possibility doesn't happen all at once because resources are limited. It's like saying you can't defend a country because each of your soldiers is mortal.
A large part of cybersecurity is removing the low hanging fruit (eg. Gitlab's recent phishing test). The current stakes might probably target an unprecedented level of attention towards research facilities where people weren't concerned about all this stuff, and it's safe to assume aren't experts in the matter. So there's probably a lot that can be done to strengthen the security landscape, making life difficult to attackers, and generally consuming their attention and resources, resulting in a net positive. Even if each one would still succumb, maybe fewer will.
A large part of cybersecurity is removing the low hanging fruit (eg. Gitlab's recent phishing test). The current stakes might probably target an unprecedented level of attention towards research facilities where people weren't concerned about all this stuff, and it's safe to assume aren't experts in the matter. So there's probably a lot that can be done to strengthen the security landscape, making life difficult to attackers, and generally consuming their attention and resources, resulting in a net positive. Even if each one would still succumb, maybe fewer will.
They don't even have to pay.
Chinese citizens are forced by law to spy when asked.
https://www.canada.ca/en/security-intelligence-service/corpo...
Chinese citizens are forced by law to spy when asked.
https://www.canada.ca/en/security-intelligence-service/corpo...
Let's not pretend that you have to be a Chinese citizen, or even Chinese in order to spy for China. Or for any other country for that matter.
https://www.cnn.com/2020/01/28/politics/harvard-professor-ch...
https://www.cnn.com/2020/01/28/politics/harvard-professor-ch...
It is a good bayesian prior to note that most Chinese spies are Chinese.
True, although having a good bayesian prior working in your favour can also make you more effective and valuable as a spy.
What kind of liabilities? That looks like a case against an individual.
Are you talking human counter-intelligence as well as IT security?
Are you talking human counter-intelligence as well as IT security?
Imagine a state actor hitting the contract research organization in charge of the last phase of a clinical trial for a blood pressure medication and changing data. Due to the nature of double blind trials, catching these modifications can become really hard to catch and could lead to a lot of human suffering.
If they target a CRO the sponsor still has the original data from the trial sites. I can say that at least for the company (one of the 10 largest pharmaceutical companies) I work for this would almost be impossible to not be caught.
Even the crappy little cowboy CRO I worked for had a fleet of CRA's go out and manually verify documents against the EDC. It's required by law. I think the FDA audit also repeats that process with a random sampling for some studies, though I couldn't swear to that.
I get the point the parent comment was trying to make, but yeah, bad example.
I get the point the parent comment was trying to make, but yeah, bad example.
The harmful action being getting info that will be published in Cell or Nature six months early?
So two questions (not to you, but the general audience):
1. Are you ok if some entity steals your research and publishes it under their name in a venue under their name before you publish it?
2. Are you okay if the entity stealing the research is not similarly liberal with their own research on the same subject?
1. Are you ok if some entity steals your research and publishes it under their name in a venue under their name before you publish it?
2. Are you okay if the entity stealing the research is not similarly liberal with their own research on the same subject?
if the research was published published ongoing, like open source software, it would not be aproblem.
the problem only exists because people want to 1) hold data hostage for money and power 2) only publish success.
the problem only exists because people want to 1) hold data hostage for money and power 2) only publish success.
> if the research was published published ongoing
Are you aware that there are protocols in medical research against this?
Publishing research in an ongoing basis will taint the results (placebo effects etc).
There are blackout periods etc. just to make sure that the analysis is valid and not tainted.
Also a lot of research has lag time. Experiments can take a lot of time.
There is also a hidden assumption China is hacking for the greater good.
Are you aware that there are protocols in medical research against this?
Publishing research in an ongoing basis will taint the results (placebo effects etc).
There are blackout periods etc. just to make sure that the analysis is valid and not tainted.
Also a lot of research has lag time. Experiments can take a lot of time.
There is also a hidden assumption China is hacking for the greater good.
you're talking about human medical trials. that's a very low percentage of research
Even if software is open source, you can't steal it and claim you wrote it yourself.
[deleted]
I appreciate that there’s probably a lot I don’t know or understand about the national security aspects of this but it seems wrong to not share as much information as possible with as many researchers as possible in order to help as many as people as possible. Protecting security interests is one thing but this press release specifically mentions protecting intellectual property and that seems kind of tone deaf.
I also wish they would explain how treatment options are jeopardized, even at a high level:
> The potential theft of this information jeopardizes the delivery of secure, effective, and efficient treatment options.
I also wish they would explain how treatment options are jeopardized, even at a high level:
> The potential theft of this information jeopardizes the delivery of secure, effective, and efficient treatment options.
First, it lists "affiliated with COVID-19-related research" not "exclusively COVID-19 research" so could be more than just the current research.
More importantly, while data theft is bad, data tampering could be much worse.
What happens to people's confidence, hope, and trust if a "remarkably effective" drug turns out to be a total dud or even dangerous because the underlying data was modified?
More importantly, while data theft is bad, data tampering could be much worse.
What happens to people's confidence, hope, and trust if a "remarkably effective" drug turns out to be a total dud or even dangerous because the underlying data was modified?
Thank you. I wonder what's really going on here.
> to not share as much information as possible with as many researchers as possible in order to help as many as people as possible.
this presumes that the stolen information would be used 'to help as many people as possible'..
Also, 1st country with viable vaccine/treatment/etc will have a huge geopolitical bargaining chip & it will likely be used as such no matter the country of origin.
this presumes that the stolen information would be used 'to help as many people as possible'..
Also, 1st country with viable vaccine/treatment/etc will have a huge geopolitical bargaining chip & it will likely be used as such no matter the country of origin.
...huge geopolitical bargaining chip...
Ummm, I'm not sure how to break it to you, but USA is already laughingstock of world due to our comically misguided reaction to the "pandemic". Everyone expected Trump to screw up (and he hasn't disappointed), but there isn't any person or institution in USA that hasn't totally whiffed on this. CDC mandated tests that didn't work, news media remained unconvinced until late in the game and now jump from one conspiracy theory to another, in-person elections were held as late as April 7, some states required that diseased patients be forced into nursing homes for the elderly, effective masks are still somehow difficult to acquire, Congress has passed numerous "bailout" laws representing trillions of dollars yet has somehow not been able to arrange healthcare for every citizen as most comparable nations have had for decades, our deaths have passed 100k and seem certain to pass 200k as well, etc.
It's difficult not to see this "investigation" and especially this silly press release that purports to inform the public about it as just more of the same. Furious pretend activity with no view of long-term strategy or of benefit to anyone other than the bureaucrats who wrote the release.
Ummm, I'm not sure how to break it to you, but USA is already laughingstock of world due to our comically misguided reaction to the "pandemic". Everyone expected Trump to screw up (and he hasn't disappointed), but there isn't any person or institution in USA that hasn't totally whiffed on this. CDC mandated tests that didn't work, news media remained unconvinced until late in the game and now jump from one conspiracy theory to another, in-person elections were held as late as April 7, some states required that diseased patients be forced into nursing homes for the elderly, effective masks are still somehow difficult to acquire, Congress has passed numerous "bailout" laws representing trillions of dollars yet has somehow not been able to arrange healthcare for every citizen as most comparable nations have had for decades, our deaths have passed 100k and seem certain to pass 200k as well, etc.
It's difficult not to see this "investigation" and especially this silly press release that purports to inform the public about it as just more of the same. Furious pretend activity with no view of long-term strategy or of benefit to anyone other than the bureaucrats who wrote the release.
relative level of (dis)respect of any country to another doesn't mean that country won't use something to their advantage
What is "advantage" in this case? Nations with reliable treatments and vaccines might use those to improve their citizens' health? Sure that's not something we'd do in USA but it doesn't seem like a bad idea...
to be clear, wasn't disagreeing, but pointing out some potential rationale why this could conceivably be viewed as a security matter vs open science matter
> Also, 1st country with viable vaccine/treatment/etc will have a huge geopolitical bargaining chip & it will likely be used as such no matter the country of origin.
Definitely, but thankfully, it is a positive sum game.
First thing, you won't keep your bargaining chip for long. If a country manages to find a vaccine, others will follow soon enough. Besides independent research and reverse engineering efforts, it is foolish to think that the US doesn't have spies and hackers targeting China.
So in order to use that "bargaining chip", the vaccine has to be at least as valuable as what you are asking for in exchange. So while it may cost a lot to the country that doesn't have the vaccine, if it took the deal, it means that the cost is less than not having a vaccine at all.
In the end it will be used to help as many people as possible, because it is the only thing a vaccine can do. Unless someone wants a full-on war that is. But if major powers really wanted the worst, there is a pile of nukes that is ready to make the whole pandemic look like a joke.
Definitely, but thankfully, it is a positive sum game.
First thing, you won't keep your bargaining chip for long. If a country manages to find a vaccine, others will follow soon enough. Besides independent research and reverse engineering efforts, it is foolish to think that the US doesn't have spies and hackers targeting China.
So in order to use that "bargaining chip", the vaccine has to be at least as valuable as what you are asking for in exchange. So while it may cost a lot to the country that doesn't have the vaccine, if it took the deal, it means that the cost is less than not having a vaccine at all.
In the end it will be used to help as many people as possible, because it is the only thing a vaccine can do. Unless someone wants a full-on war that is. But if major powers really wanted the worst, there is a pile of nukes that is ready to make the whole pandemic look like a joke.
it would be funny if Cuba finds a successful treatment protocol first.
If Russia gave it to them via China which made it from research stolen from the USA, I wouldn't call it "funny." I would call it "saving half a face, just in case."
tree3(8)
I take it you've never worked in information security, because cleaning up after a mess like this is an enormous time suck and they will need to audit their data to make sure it hasn't been "adjusted". (From a national security perspective, I bet derailing a competitor's vaccine trials is at least as valuable as "stealing" data that was already going to become public in the near future.) That means spending time and money that would be better spent doing just about anything else, if it weren't for human nature.
I've always wondered how you can be so sure it's PRC in the age of easily being able to mask your true IP address. Perhaps the identified attacks have been previously linked with the PRC, or another option is that the actors were not as covert as they thought.
Like remember the indictment of 12 russians ( https://www.justice.gov/file/1080281/download )
The FBI linked a pool of bitcoins used to purchase a VPN service and other things to the Russians. Probably best to not use a crypto with a public ledger for criminal activity.
Like remember the indictment of 12 russians ( https://www.justice.gov/file/1080281/download )
The FBI linked a pool of bitcoins used to purchase a VPN service and other things to the Russians. Probably best to not use a crypto with a public ledger for criminal activity.
First of all, the IC works with estimative language, i.e. "with a high degree of confidence", which everyone understands on what to make of it and how it should inform policy (I know, policy is different than a criminal investigation).
To your question: Imagine tracking these threat actors for years (or decades). You have observed different TTPs (Techniques, Tactics & Procedures) from different actors, you see them operating in different ways and with different teams, you can observe the time when they are active, by their targeting you can make an educated guess what they're after, you can correlate their activity with policy changes in their presumed home-countries and lastly you can repeat those observations over and over again since these threat actors are persistent and keep coming back since it's their job. If all these soft and passive observations already point to the same actor(s), and then you get some additional hard evidence on top (Opsec failures, HUMINT, SIGINT), you are eventually able to make a verdict with a high degree of confidence.
To your question: Imagine tracking these threat actors for years (or decades). You have observed different TTPs (Techniques, Tactics & Procedures) from different actors, you see them operating in different ways and with different teams, you can observe the time when they are active, by their targeting you can make an educated guess what they're after, you can correlate their activity with policy changes in their presumed home-countries and lastly you can repeat those observations over and over again since these threat actors are persistent and keep coming back since it's their job. If all these soft and passive observations already point to the same actor(s), and then you get some additional hard evidence on top (Opsec failures, HUMINT, SIGINT), you are eventually able to make a verdict with a high degree of confidence.
I think sometimes they just blame whoever suits the political narrative. The Chinese replaced the Russians as the boogeyman de jour a short while back, so of course they will now be blamed by default.
Same here. I remember once I was watching the news and they claimed a hack was done by Russians because they found Russian comments in the code. That didn't sound very convincing :). The ledger evidence sounds better.
At the same time in this case I would be more surprised if the PRC , since their need for control, and since the stakes are extremely high, wasn't doing such things.
At the same time in this case I would be more surprised if the PRC , since their need for control, and since the stakes are extremely high, wasn't doing such things.
Similarly, I recall a strain of malware being attributed to Chinese hackers because variable names were in Chinese; then when you actually inspect the code, it's clearly Unicode gibberish generated by an obfuscator... That is to say, the hackers weren't even trying to be misleading, it was just a result of obfuscation reminiscent of mojibake. (I read the article on Ars Technica but don't remember enough details to find the article.)
If I ever code a hacking tool I'll throw in some Korean comments for sure.
If I ever code a hacking tool I'll throw in some Korean comments for sure.
Do keep in mind that intelligence services are probably not being fully transparent about how they know the source of an attack. They wouldn't want to reveal their methods, to avoid them becoming unreliable in the future.
Which makes it impossible to have an open, informed discussion on the subject.
Instead, you get tribalist arguments over who believes which secret police.
Instead, you get tribalist arguments over who believes which secret police.
Do spanish instead... represent!
Was googling to see if I could find a news article to back up my memory.
Instead I found an article on Wikileaks claiming CIA executed false flag hacking operations: https://theintercept.com/2017/03/08/wikileaks-files-show-the...
Instead I found an article on Wikileaks claiming CIA executed false flag hacking operations: https://theintercept.com/2017/03/08/wikileaks-files-show-the...
Which is another reason why attribution of cyber incidents is notoriously difficult.
The CIA is hardly the only organization to put misleading evidence in their attack path. Also, countries like China and Russia have healthy malware ecosystems so a Chinese-written malware can end up in the payload of a {North Korean, Russian, Iranian} cyber attack.
Personally, I'm starting to believe that the only way to have extremely high confidence in attributing an attack is to have surveillance of the person on the source keyboard when it happens or to have telecom evidence of people admitting what they did. Most of the actual attack is probably robotic at this point.
The CIA is hardly the only organization to put misleading evidence in their attack path. Also, countries like China and Russia have healthy malware ecosystems so a Chinese-written malware can end up in the payload of a {North Korean, Russian, Iranian} cyber attack.
Personally, I'm starting to believe that the only way to have extremely high confidence in attributing an attack is to have surveillance of the person on the source keyboard when it happens or to have telecom evidence of people admitting what they did. Most of the actual attack is probably robotic at this point.
Exactly my friend, seems like it'd be trivial to leave misleading clues.
An IP address is merely one of thousands of ways that you could identify the source of network traffic.
>Perhaps the identified attacks have been previously linked with the PRC
I'm sure the PRC has used password spraying before, the only detail mentioned. Tgatd about as easily forged as the IP address though.
I'm sure the PRC has used password spraying before, the only detail mentioned. Tgatd about as easily forged as the IP address though.
Should have used Monero
This press release encourages me to think China is covering up something.
This /may/ be the case. But the FBI wants me to come to this conclusion.
It seems a little fishy.
This /may/ be the case. But the FBI wants me to come to this conclusion.
It seems a little fishy.
I know I might be the weirdo here for browsing 4chon, but for the last few months I have seen a huge incursion of "PRC-affiliated"... "contributions"... and not only to high traffic and high turnover boards but even to niche ones. On boards using flags, these "contributions" come mainly from Canada, USA, and France.
Although I am secretly grateful for this spam, as it cut down my time spent there from 3-4 hours a week to 3-4 hours a month, it's still disconcerting as they are highly organized and apparently take huge pleasure in bludgeoning seals and other harmless creatures. Heck, I am amazed that the boards were clean even after the US Elections, the shutdown of 8chon and other such events.
Although I am secretly grateful for this spam, as it cut down my time spent there from 3-4 hours a week to 3-4 hours a month, it's still disconcerting as they are highly organized and apparently take huge pleasure in bludgeoning seals and other harmless creatures. Heck, I am amazed that the boards were clean even after the US Elections, the shutdown of 8chon and other such events.
Why would they be press-releasing this other than to drive public opinion against China?
To publicize the fact that these sort of attacks can be tracked. Similar to when they publish information about particularly crafty drug houses they bust: so that people planning on building a drug house think "well, if they got that house, then they'll definitely find out the one I'm planning, so maybe I'd better not."
This doesn't demonstrate that these kinds of attacks can be tracked though. If I were planning similar attacks, I'd just acquire a Chinese IP address and assume they'd take the blame.
That's true... the FBI probably never considered that possibility.
While the admin is currently pushing a very negative image against China, I do not believe the FBI would do that so lightly.
Why would the FBI be hesitant about faking/sensationalizing this? It's nearly impossible to prove, China's unlikely to make an issue out of it, and even if the lie got exposed what punishment would they face?
Are you an infosec expert? You have said that it is impossible to trace origins of hacks multiple times but only offer two shallow points that you would learn about in your first week of a network security class.
There are papers out there that have multiple ways of using language to identify specific authors, determine multiple authors, and even decode unknown language. That's my first shallow example and would be a pretty reliable indicator if you could get your hands on their code. With a budget of millions of dollar I'm sure they have dozens of ways that can be combined. It would make no sense to reveal every single method they use to defend against people on the internet. That also assumes they don't just have a mole who told them about it, which they also wouldn't reveal.
There are papers out there that have multiple ways of using language to identify specific authors, determine multiple authors, and even decode unknown language. That's my first shallow example and would be a pretty reliable indicator if you could get your hands on their code. With a budget of millions of dollar I'm sure they have dozens of ways that can be combined. It would make no sense to reveal every single method they use to defend against people on the internet. That also assumes they don't just have a mole who told them about it, which they also wouldn't reveal.
>You have said that it is impossible to trace origins of hacks
I have not said this. The evidence they have provided makes it equally likely that they've tracked these hacks (correctly or incorrectly) or that they've made the whole thing up. You can't rule out either action.
>There are papers out there that have multiple uses of using language to identify specific authors, determine multiple authors, and even decode known language. That's my first shallow example and would be a pretty reliable indicator if you could get your hands on their code
There have been multiple papers on these subjects, with a budget of millions of dollars I'm sure identifiers could be faked. Particularly with password spraying, the only method mentioned.
I have not said this. The evidence they have provided makes it equally likely that they've tracked these hacks (correctly or incorrectly) or that they've made the whole thing up. You can't rule out either action.
>There are papers out there that have multiple uses of using language to identify specific authors, determine multiple authors, and even decode known language. That's my first shallow example and would be a pretty reliable indicator if you could get your hands on their code
There have been multiple papers on these subjects, with a budget of millions of dollars I'm sure identifiers could be faked. Particularly with password spraying, the only method mentioned.
nineparts(1)
The problem is that this administration has shown time and again that they're willing to corrupt American institutions (like the FBI) when it suits them.
"this administration"? As if it's a new problem?
Yes, it's a new problem.
Firing inspector generals en masse [1], personally attacking specific FBI agents and their families [2], intervening in the criminal proceedings of friends and political allies [3], etc. is a pattern of behavior that undermines the rule of law in this country. It's a comprehensive strategy to weed out anyone who disagrees with you, hurts your feelings, dares second guess you, or, god forbid, didn't vote for you.
This pattern of comprehensive corruption is unique to this administration.
There are _literally_ dozens of links I could provide for each point since these behaviors happen constantly, but I just google'd and picked one each.
[1] https://www.washingtonpost.com/politics/as-trump-removes-fed...
[2] https://www.vanityfair.com/news/2020/02/donald-trump-nemesis...
[3] https://www.politico.com/news/2020/02/25/judge-rebukes-trump...
Firing inspector generals en masse [1], personally attacking specific FBI agents and their families [2], intervening in the criminal proceedings of friends and political allies [3], etc. is a pattern of behavior that undermines the rule of law in this country. It's a comprehensive strategy to weed out anyone who disagrees with you, hurts your feelings, dares second guess you, or, god forbid, didn't vote for you.
This pattern of comprehensive corruption is unique to this administration.
There are _literally_ dozens of links I could provide for each point since these behaviors happen constantly, but I just google'd and picked one each.
[1] https://www.washingtonpost.com/politics/as-trump-removes-fed...
[2] https://www.vanityfair.com/news/2020/02/donald-trump-nemesis...
[3] https://www.politico.com/news/2020/02/25/judge-rebukes-trump...
>>>firing inspector generals en masse
https://www.rasmussenreports.com/public_content/political_co...
>>>intervening in the criminal proceedings of your friends and political allies
http://www.allgov.com/news/controversies/obama-fires-inspect...
https://cei.org/blog/obama-fires-inspector-general-who-uncov...
>>>a comprehensive strategy to weed out anyone who disagrees with you
https://www.motherjones.com/politics/2012/06/obamas-whistleb... https://www.washingtontimes.com/news/2020/may/7/president-ob...
>>>pattern of comprehensive corruption is unique to this administration
If you think that this administration is UNIQUELY corrupt....you might be in an echo chamber. Here's a more humorous take on the Obama administration's screwups: https://www.youtube.com/watch?v=1T7F2mvZE1E
That, or have a short memory, since Trump and Obama both pale in comparison to VP Dick Cheney and the Iraq War (KBR? Halliburton? have people forgotten about them already?).
https://www.rasmussenreports.com/public_content/political_co...
>>>intervening in the criminal proceedings of your friends and political allies
http://www.allgov.com/news/controversies/obama-fires-inspect...
https://cei.org/blog/obama-fires-inspector-general-who-uncov...
>>>a comprehensive strategy to weed out anyone who disagrees with you
https://www.motherjones.com/politics/2012/06/obamas-whistleb... https://www.washingtontimes.com/news/2020/may/7/president-ob...
>>>pattern of comprehensive corruption is unique to this administration
If you think that this administration is UNIQUELY corrupt....you might be in an echo chamber. Here's a more humorous take on the Obama administration's screwups: https://www.youtube.com/watch?v=1T7F2mvZE1E
That, or have a short memory, since Trump and Obama both pale in comparison to VP Dick Cheney and the Iraq War (KBR? Halliburton? have people forgotten about them already?).
Do you have any links that aren't from these wackjob, far-right fever dream websites? It's honestly hard to even read some of these without laughing.
>https://www.rasmussenreports.com/public_content/political_co...
All I see is extreme editorializing of the regular push and pull of government ("horrific neglect", "bull[ing]", "stonewalling", etc). How many of them were fired because Obama didn't like what they were investigating? Trump's count is 5 in the last few weeks. I'm sure Obama fired at least that many if you're making a comparison, right?
>http://www.allgov.com/news/controversies/obama-fires-inspect... >https://cei.org/blog/obama-fires-inspector-general-who-uncov...
You don't take these blog posts seriously, do you? His connection to Obama was... what exactly? This is prototypical far right nuttery: oBaMaS FrIeNd dEeP StAtE BeZoS NyT AmAzOn hEr eMaIlS.
>http://www.allgov.com/news/controversies/obama-fires-inspect... >https://cei.org/blog/obama-fires-inspector-general-who-uncov...
I wonder if you actually read these, since they have basically nothing to do with what you quoted. Did you just google "Obama friends bad" and copy/paste the first few links or something?
>"Obamagate II: Secret of the Schmooze"
Not going to spend time watching some fringe conspiracy YouTube channel, sorry. More complete nuttiness.
>That, or have a short memory, since Trump and Obama both pale in comparison to VP Dick Cheney and the Iraq War (KBR? Halliburton? have people forgotten about them already?).
I'm disappointed that I got this far before seeing this. You should seriously consider that you may be in a short, narrow, and extremely loud echo chamber. These aren't the kinds of ideas that normal, well-read, well-informed people from all sides of the political spectrum hold.
>https://www.rasmussenreports.com/public_content/political_co...
All I see is extreme editorializing of the regular push and pull of government ("horrific neglect", "bull[ing]", "stonewalling", etc). How many of them were fired because Obama didn't like what they were investigating? Trump's count is 5 in the last few weeks. I'm sure Obama fired at least that many if you're making a comparison, right?
>http://www.allgov.com/news/controversies/obama-fires-inspect... >https://cei.org/blog/obama-fires-inspector-general-who-uncov...
You don't take these blog posts seriously, do you? His connection to Obama was... what exactly? This is prototypical far right nuttery: oBaMaS FrIeNd dEeP StAtE BeZoS NyT AmAzOn hEr eMaIlS.
>http://www.allgov.com/news/controversies/obama-fires-inspect... >https://cei.org/blog/obama-fires-inspector-general-who-uncov...
I wonder if you actually read these, since they have basically nothing to do with what you quoted. Did you just google "Obama friends bad" and copy/paste the first few links or something?
>"Obamagate II: Secret of the Schmooze"
Not going to spend time watching some fringe conspiracy YouTube channel, sorry. More complete nuttiness.
>That, or have a short memory, since Trump and Obama both pale in comparison to VP Dick Cheney and the Iraq War (KBR? Halliburton? have people forgotten about them already?).
I'm disappointed that I got this far before seeing this. You should seriously consider that you may be in a short, narrow, and extremely loud echo chamber. These aren't the kinds of ideas that normal, well-read, well-informed people from all sides of the political spectrum hold.
>>>Do you have any links that aren't from these wackjob, far-right fever dream websites?
Far-right websites like the Washington Post? http://voices.washingtonpost.com/federal-eye/2009/06/third_c...
>>>His connection to Obama was... what exactly?
Kevin Johnson was a public political supporter of Obama while mayor of Sacramento.[1] Walpin investigated Johnson for fraud. Obama fired Walpin. Which one of those three facts are you disputing?
>>>since they have basically nothing to do with what you quoted
The cei.org link should have been grouped with the Rasmussen Reports link as they are both related to the firing of IGs.
>>>Not going to spend time watching some fringe conspiracy YouTube channel
That video cites numerous articles from major journalistic outlets (BBC, NY Observer which itself cites the Washington Post) relevant to the discussion of corruption in the Obama administration, and runs through them at the cyclic rate. It's time-efficient content. It's also funny. But you can't debate any of the information provided, or any of the conclusions drawn, if you discount the presenter as "fringe conspiracy nuttiness".
>>>You should seriously consider that you may be in a short, narrow, and extremely loud echo chamber.
In this thread I've cited sources ranging from the right (Michelle Malkin, Heritage foundation), to the center (BBC, CBS News), to the left (Washington Post, Politifact). You haven't posted anything, haven't countered any of the facts, and have only criticized the sources with strawman accusations of "far right conspiracies". I would challenge you to be more aggressive about exposing yourself to information that challenges your positions and assumptions, and avoid the strawmen.
>>>These aren't the kinds of ideas that normal, well-read, well-informed people from all sides of the political spectrum hold.
Which idea are you arguing against, that Dick Cheney and associated companies were massively corrupt? [2] [3]
[1]https://abcnews.go.com/Politics/president-obama-introduced-c...
[2]https://www.politifact.com/factchecks/2010/jun/09/arianna-hu...
[3]https://www.cbsnews.com/news/halliburton-whistleblower-on-ex...
Far-right websites like the Washington Post? http://voices.washingtonpost.com/federal-eye/2009/06/third_c...
>>>His connection to Obama was... what exactly?
Kevin Johnson was a public political supporter of Obama while mayor of Sacramento.[1] Walpin investigated Johnson for fraud. Obama fired Walpin. Which one of those three facts are you disputing?
>>>since they have basically nothing to do with what you quoted
The cei.org link should have been grouped with the Rasmussen Reports link as they are both related to the firing of IGs.
>>>Not going to spend time watching some fringe conspiracy YouTube channel
That video cites numerous articles from major journalistic outlets (BBC, NY Observer which itself cites the Washington Post) relevant to the discussion of corruption in the Obama administration, and runs through them at the cyclic rate. It's time-efficient content. It's also funny. But you can't debate any of the information provided, or any of the conclusions drawn, if you discount the presenter as "fringe conspiracy nuttiness".
>>>You should seriously consider that you may be in a short, narrow, and extremely loud echo chamber.
In this thread I've cited sources ranging from the right (Michelle Malkin, Heritage foundation), to the center (BBC, CBS News), to the left (Washington Post, Politifact). You haven't posted anything, haven't countered any of the facts, and have only criticized the sources with strawman accusations of "far right conspiracies". I would challenge you to be more aggressive about exposing yourself to information that challenges your positions and assumptions, and avoid the strawmen.
>>>These aren't the kinds of ideas that normal, well-read, well-informed people from all sides of the political spectrum hold.
Which idea are you arguing against, that Dick Cheney and associated companies were massively corrupt? [2] [3]
[1]https://abcnews.go.com/Politics/president-obama-introduced-c...
[2]https://www.politifact.com/factchecks/2010/jun/09/arianna-hu...
[3]https://www.cbsnews.com/news/halliburton-whistleblower-on-ex...
[deleted]
Perhaps the current FBI is pure and 100 percent professional now, but the FBI of the 50s/60s/70s would totally do this, and much worse.
> I do not believe the FBI would do that so lightly
What do you mean by "so lightly"? It changed the entire meaning of the sentence.
What do you mean by "so lightly"? It changed the entire meaning of the sentence.
Oh poor China... They just want to do whatever they want without anyone messing with them and publicizing it.
Maybe because as opposed to Chinese and other oppressive governments, the western press actually makes the people informed. Sometimes.
Maybe because as opposed to Chinese and other oppressive governments, the western press actually makes the people informed. Sometimes.
"Trust me, I have evidence for a theory that is politically convenient for my boss, but I won't tell you what it is" is not keeping people informed.
It's propaganda that pushes an agenda. That agenda may even be correct, but an outside observer who can't verify any of the evidence can't tell.
It's propaganda that pushes an agenda. That agenda may even be correct, but an outside observer who can't verify any of the evidence can't tell.
[deleted]
Just for additional context several super computing sites in Europe were attacked a few weeks ago and are still down, among them PizDaint at CSCS, which ranks 6th in the world, several super computing sites in Germany (FZ Juelich) and so on. I think no-one wishes this to turn into a kinetic war, but for all we know besides the economic warfare that has been going on for quite some time, this feels like we are in an all out conflict with China.
we are in all out conflict with China because some super computing sites were "attacked"?
That's not a very responsible statement.
That's not a very responsible statement.
Well this is clearly a hostile act during a time in which several European countries have declared medical emergencies. They were not just "attacked" but have been completely offline for almost two weeks now (https://www.hpcwire.com/2020/05/18/hacking-streak-forces-eur...).
In Germany it is (incident was 15.05) - NEMO (Freiburg) - bwUniCluster 2.0 and ForHLR II (Karlsruhe) - Hawk (Stuttgart) - Leibniz Supercomputing Center (Munich) - JURECA, JUWELS und JUDAC (FZ Jülich) - Taurus (Dresden)
Switzerland shutdown access to all of CSCS (16.05).
In Germany it is (incident was 15.05) - NEMO (Freiburg) - bwUniCluster 2.0 and ForHLR II (Karlsruhe) - Hawk (Stuttgart) - Leibniz Supercomputing Center (Munich) - JURECA, JUWELS und JUDAC (FZ Jülich) - Taurus (Dresden)
Switzerland shutdown access to all of CSCS (16.05).
> this is clearly a hostile act
That's not my reading of the article you linked. A bad actor compromised the credentials of multiple researchers with access to various supercomputers (over some unknown or at least unspecified period of time). They then simultaneously accessed the compromised machines and installed cryptocurrency mining software on them.
This could easily be profit motivated (as it appears). It could also be (as you suggest) a hostile act disguised as the former, but I don't see what the motivation to do that would be?
That's not my reading of the article you linked. A bad actor compromised the credentials of multiple researchers with access to various supercomputers (over some unknown or at least unspecified period of time). They then simultaneously accessed the compromised machines and installed cryptocurrency mining software on them.
This could easily be profit motivated (as it appears). It could also be (as you suggest) a hostile act disguised as the former, but I don't see what the motivation to do that would be?
Also the article mentions that Chinese researchers had access to the clusters as well. So the GP's implication is that the PRC attacked these datacenters ... to stop their own research?
Seems more likely that more people are using/accessing these services, and people's guards are down, which made it easier for intruders to get in.
Seems more likely that more people are using/accessing these services, and people's guards are down, which made it easier for intruders to get in.
Well there were two incidents (https://csirt.egi.eu/academic-data-centers-abused-for-crypto...) one of which had "unknown purpose". It had the real effect of disrupting the majority of the super computing infrastructure in Switzerland and Germany for almost two weeks now. The attacks originated from China (Shanghai Jiao Tong University and CSTNET).
Facts:
1 - HPC centers in Europes are down.
2 - Those are useful resources to battle battle against COVID-19.
3 - HPC centers are down due to malware infections.
4 - FBI warned and Department of Homeland Security warns of possible cyberattacks targeting COVID-19 research.
1 - HPC centers in Europes are down.
2 - Those are useful resources to battle battle against COVID-19.
3 - HPC centers are down due to malware infections.
4 - FBI warned and Department of Homeland Security warns of possible cyberattacks targeting COVID-19 research.
Facts:
1 - one of the two incidences reported (#EGI2020512) targeted academic data centers "for unknown purposes" (https://csirt.egi.eu/academic-data-centers-abused-for-crypto...) and not necessarily crypto currency mining.
2 - IP addresses associated with that second attack were all assigned to a Chinese University (Shanghai Jiaotong University), CSTNET and one Polish host known to be compromised by someone from China.
1 - one of the two incidences reported (#EGI2020512) targeted academic data centers "for unknown purposes" (https://csirt.egi.eu/academic-data-centers-abused-for-crypto...) and not necessarily crypto currency mining.
2 - IP addresses associated with that second attack were all assigned to a Chinese University (Shanghai Jiaotong University), CSTNET and one Polish host known to be compromised by someone from China.
Re 2., since when IP is address tracking a reliable method of attack attribution?
It's like trying to assign blame for a terrorist attack based on where the jacket dropped by a terrorist was made. Maybe it was made in their home country. Maybe it was imported. Or maybe they purposefully wore a jacket made in a different country and dropped it on the scene to confuse you.
It's like trying to assign blame for a terrorist attack based on where the jacket dropped by a terrorist was made. Maybe it was made in their home country. Maybe it was imported. Or maybe they purposefully wore a jacket made in a different country and dropped it on the scene to confuse you.
And in the linked article the probable cause is much more prosaic:
"The attacks may have been perpetrated in order to mine cryptocurrency; investigations are ongoing."
"The attacks may have been perpetrated in order to mine cryptocurrency; investigations are ongoing."
I feel like cryptocurrency miner install is going to end up being the new cover story anytime someone doesn't want to tip their hand on capabilities.
Yes, but if you were serious about espionage, say, you wouldn't draw attention to the compromise by running one.
Unless you're testing a zero day, and staging an alternate route of infiltration to hide your installation of threat persistence.
I believe it's referred to as the "limited hangout" in spycraft jargon. You maintain the target's sense of security and ability to detect intrusion while you maintain the capability to reintrude at will.
I believe it's referred to as the "limited hangout" in spycraft jargon. You maintain the target's sense of security and ability to detect intrusion while you maintain the capability to reintrude at will.
[deleted]
These are crypto mining schemes, though. This looks a lot more like run of the mill money making cybercrime than espionage - I don't think any nation state would be interested in outing themselves for a pittance in bitcoin.
At least according to this incident report https://csirt.egi.eu/academic-data-centers-abused-for-crypto..., one of the two attacks had "unknown purpose". In particular it was not tied to crypto mining.
From the site you linked, the one with "unknown" motive has exclusively attacked Chinese academic victims. It would be extremely bizarre to suggest that the Chinese government is behind this.
The second one is the attack that spread all the way to a basement HPC cluster in the Physics Institute at LMU Munich, the IP addresses listed are indicators to look for that your system might be compromised, not the victims of the attack.
It's worth pointing out that countries regularly hack and attack their own citizens. In some ways, it's more important to know what they're doing than what your opponents' are.
Ah, I misread the table. This is very suggestive, then.
Would they set up a crypto mining scheme to obfuscate the origin and intent of the attack though?
How do we jump from some super computers being attacked by unknown actors to a conflict with China. When did every cyber attack become automatically a chinese cyber attack?
I'm not under the impression that non-military research and academic computing facilities are particularly well secured.
Decades ago I spent a bunch of time around fnal.gov with a buddy who worked there, and they were debating the requirement of every computer, including desktops, having a static, public IPv4 address. Nobody wanted to be behind a firewall in the name of open, collaborative research.
Decades ago I spent a bunch of time around fnal.gov with a buddy who worked there, and they were debating the requirement of every computer, including desktops, having a static, public IPv4 address. Nobody wanted to be behind a firewall in the name of open, collaborative research.
Yes, the fundamental problem is that this sort of thing has around the top of the threat list for academic computing facilities for 30 years or so (originally typically coming in to the UK from CERN). It's just that this is larger scale, possibly more automated (filching SSH keys), and has a higher profile. Despite that, the systems are normally not managed to counter the threat, running with known privilege escalations either through unpatched OS vulnerabilities or through something like the batch system. Don't trust them with anything sensitive, including credentials like typed passwords or SSH forwarding, yet people do. I have an existence proof that it doesn't have to be like that for HPC systems, even if you're not allowed system time -- in which case live patching of login node kernels is specifically necessary.
Incidentally, if attackers were looking for sensitive research results from this, I think it would have to be targeted with detailed knowledge about what specific researchers were doing; after all, it's difficult enough for a typical researcher to keep track of their own stuff, and it mostly won't have look-at-me names.
Incidentally, if attackers were looking for sensitive research results from this, I think it would have to be targeted with detailed knowledge about what specific researchers were doing; after all, it's difficult enough for a typical researcher to keep track of their own stuff, and it mostly won't have look-at-me names.
Do you have a reference about those attacks? A press release or a link to a blog maybe?
Shouldn't all countries be working together openly on fighting the pandemic? Given that it's hurting the whole world.
Companies across all countries have proprietary data that they are using to develop treatment options.
jeffbee(1)
Not when there's money to be made. The Gates foundation does seek a Return on Investment, and has publicly stated they wanted to create good markets for vaccines.
Gavi/Gates/GSK and other big pharma companies might be claiming to help the world, but they're also seeking to get a return on their research funding. Even in academic circles, there isn't really a lot of information sharing.
Gavi/Gates/GSK and other big pharma companies might be claiming to help the world, but they're also seeking to get a return on their research funding. Even in academic circles, there isn't really a lot of information sharing.
Sure, but what does this have to do with a single state actor that hides everything they do (with fatal consequences in 2020) hacking another?
How can western leaders condemn China's lack of publishing info related to COVID-19 and protect private research for curing it at the same time? Research like this should be public and accessible to everyone. I don't know why I shouldn't applaud any hackers spreading this information.
Companies will stop working on it the moment they lose incentive, etc etc.
COVID-19 affects the entire world.
Shouldn't all COVID-19 basically be done on a globally viewable wiki?
It's going to take the cooperation of all countries to get through it.
I don't understand why the US should hoard any COVID-19 data it has, besides extremely non altruistic ones.
Let’s see who else is putting valuable IP it out there.
Does anyone really wonder if we (the US) and China are going to be at war in the next 10 years?
I come from an ex-communist country. So this is probably (hopefully) the only moment my talent of spotting this kind of shit is useful. The thing is that whatever bad behavior the USA committed in the past, and then anxiously analyzed and mulled over for decades... the Chinese are doing day by day, routinely, without ANY remorse or second thought. With the Russians it was different. Sorry to say this, but compared to the Chinese, they had soul. I do not foresee anything like the collapse of the Soviet Union in China. They are too "rational" for it. Not to mention their numbers. Our only hope is Jesus Christ.
US and China at war? I don't know. China at war? By their logic of expansion, I'm afraid it is guaranteed.
Seems strange to me to assign any emotion to the political entity of a huge country. I don’t even mean what it means. What does China / America/ Soviet Union feeling remorse even look like?
History has shown us that any super power will go to war. The Romans, the British, the Americans. Maybe we’ve learned our lesson from history or maybe today things are different due to greater education, multiculturalism and just rapid communication. Either way we shouldn’t be pinning our hopes on “Jesus Christ”, as again I don’t know what that means. Would he come down and disarm everyone or something?
We avoid conflict by having rational open dialog, educating people and increasing transparency and accountability. The way to increase the probability of conflict is by having this tribalistic us vs them mentality. Everything they do is bad, they are evil and we are just.
History has shown us that any super power will go to war. The Romans, the British, the Americans. Maybe we’ve learned our lesson from history or maybe today things are different due to greater education, multiculturalism and just rapid communication. Either way we shouldn’t be pinning our hopes on “Jesus Christ”, as again I don’t know what that means. Would he come down and disarm everyone or something?
We avoid conflict by having rational open dialog, educating people and increasing transparency and accountability. The way to increase the probability of conflict is by having this tribalistic us vs them mentality. Everything they do is bad, they are evil and we are just.
When that political party is set on dictating not only how every citizen but how every ethnic should behave... well...
I cant tell wether the statement that Russia had “soul” is because of the stockholm syndrome or something else, but how can you say that considering millions of people have been deported to gulags in the early days of communism, and hundreds of millions are still suffering today because of communist regimes Russia imposed on their countries? Do I get a sense of someone decrying the collapse of the SU? The political entity that literally massacred the cultures of millions of east europeans? Think again about what you wrote.
I get what you are saying but those countries were more like colonies than a part of Russia. My opinion is that they should have been left alone, like every country should, especially in that time when technology wasn't so hazardous and so widespread.
The fact that you managed to understand that I decry the collapse of the Soviet Union when my post said the exact opposite, namely that I can't see how in China an event like that could take place -- and this was the foundation on which I based my affirmation of Russians having a soul -- tells me that your agenda stands firmly on the side of the CCP, in detriment of everybody else. Quite sad, really.
The fact that you managed to understand that I decry the collapse of the Soviet Union when my post said the exact opposite, namely that I can't see how in China an event like that could take place -- and this was the foundation on which I based my affirmation of Russians having a soul -- tells me that your agenda stands firmly on the side of the CCP, in detriment of everybody else. Quite sad, really.
There is a big business opportunity, which I am sure is already fulfilled to some extent, to provide air-gap and other securities/countermeasures to businesses and orgs that deal with highly sensitive data, equipment, specimens, whatever.
Something akin to an anti-Palantir.
Something akin to an anti-Palantir.
Some of the comments here discuss how an attacker could tamper with data. What are some good ways for a scientist to ensure the integrity of their data in this case?
Post it online with a hash, particularly in a way that will get archived by others?
Keep off-site backups?
Post it online with a hash, particularly in a way that will get archived by others?
Keep off-site backups?
Where it's possible, perhaps using a deterministic process that can be easily repeated to verify the groupings haven't been tampered with? (Not to reduce the importance of backups, though they themselves can be attacked, but just as an idea for discussion...)
Here's an idea for how this could work for an example given elsewhere in the thread about the risk of an attacker mislabelling the subjects so the outcomes are unclear or deliberately skewed.
For a binary double-blind placebo trial (one group gets the medication, another gets the placebo), compute the hmac of each subject identifier (name, some participant ID), keyed with a key known to the principal investigator. Everyone whose hash MSB is above 0x80 gets the treatment, and everyone whose hash is below 0x80 gets the placebo. If you need more experimental groups, adjust the thresholds as needed
Clearly this is very restrictive and limited (you might need to ensure a proper demographic and medical/age profile distribution of subjects between both groups), but there are likely ways to achieve this by creating multiple "groups" and doing this process within each demographic balanced group.
You'd get a reproducible outcome, as long as you can recover the patient names or participant ID numbers, and the PI or experimental lead takes careful note of the hmac key used.
Just a straw man idea for how at least the patient to group allocation could be done deterministically. If someone attacked this and muddled patients and groups around, it could be reproduced just from knowing who the subjects are, and the hmac key. Clearly this doesn't scale to results or beyond, but I imagine this is where digital signatures start to help. And with modern ed25519 signatures we aren't talking massive signatures either.
Here's an idea for how this could work for an example given elsewhere in the thread about the risk of an attacker mislabelling the subjects so the outcomes are unclear or deliberately skewed.
For a binary double-blind placebo trial (one group gets the medication, another gets the placebo), compute the hmac of each subject identifier (name, some participant ID), keyed with a key known to the principal investigator. Everyone whose hash MSB is above 0x80 gets the treatment, and everyone whose hash is below 0x80 gets the placebo. If you need more experimental groups, adjust the thresholds as needed
Clearly this is very restrictive and limited (you might need to ensure a proper demographic and medical/age profile distribution of subjects between both groups), but there are likely ways to achieve this by creating multiple "groups" and doing this process within each demographic balanced group.
You'd get a reproducible outcome, as long as you can recover the patient names or participant ID numbers, and the PI or experimental lead takes careful note of the hmac key used.
Just a straw man idea for how at least the patient to group allocation could be done deterministically. If someone attacked this and muddled patients and groups around, it could be reproduced just from knowing who the subjects are, and the hmac key. Clearly this doesn't scale to results or beyond, but I imagine this is where digital signatures start to help. And with modern ed25519 signatures we aren't talking massive signatures either.
Related: https://www.theregister.co.uk/2020/05/13/uk_archer_supercomp...
"One of Britain's most powerful academic supercomputers has fallen victim to a "security exploitation" of its login nodes, forcing the rewriting of all user passwords and SSH keys."
https://www.theregister.co.uk/2020/05/05/coronavirus_researc...
"Foreign state hackers are trying to brute-force their way into pharmaceutical and medical research agencies hunting for a COVID-19 vaccine, British and American infosec agencies are warning.
The National Cyber Security Centre (NCSC) and America’s Cybersecurity and Infrastructure Security Agency (CISA) cautioned of a “password spraying” campaign targeting healthcare and medical research organisations."
"One of Britain's most powerful academic supercomputers has fallen victim to a "security exploitation" of its login nodes, forcing the rewriting of all user passwords and SSH keys."
https://www.theregister.co.uk/2020/05/05/coronavirus_researc...
"Foreign state hackers are trying to brute-force their way into pharmaceutical and medical research agencies hunting for a COVID-19 vaccine, British and American infosec agencies are warning.
The National Cyber Security Centre (NCSC) and America’s Cybersecurity and Infrastructure Security Agency (CISA) cautioned of a “password spraying” campaign targeting healthcare and medical research organisations."
> Foreign state hackers are trying to brute-force their way into pharmaceutical and medical research agencies hunting for a COVID-19 vaccine, British and American infosec agencies are warning.
I have a hard time believing foreign state hackers are using "script kiddie" tactics. But that's just me.
I have a hard time believing foreign state hackers are using "script kiddie" tactics. But that's just me.
This is information that can save lives, so I support any nation to hack on COVID research, anywhere in the world. If they patent COVID research, I also support breaking any patent.
Compromising remote systems puts researchers, their work, and patient rights at risk. Patents are published publicly and available free of charge, so I'm not sure how that would be a reasonable justification for compromising other's computers. "Research" per se isn't patentable anyway.
Patents provide country-by-country protection -- a US Patent doesn't mean anything in other countries - except for being evidence of prior art in their own patent offices.
Also, some/many countries have laws that disallow patents or patent infringement claims associated with medicine.
Also, some/many countries have laws that disallow patents or patent infringement claims associated with medicine.
Until the fairly recent proliferation of trade agreements that are negotiated out of the view of the public, the investor relations and patent/copyright clauses that prevented the sharing of medical information were not common and were routinely broken by most developing nations. The business community's wishes had no power there, and quite arguably when it comes to medicine, it is a crime against the people to withhold lifesaving information.
In fact, until the US became top dog in the post-war era, we pirated everything we could from England, especially industrial know-how so that we could promote our own development. It is only after we reached hegemonic status that we started enforcing these ludicrous agreements in order to preserve our own businesses' position.
In fact, until the US became top dog in the post-war era, we pirated everything we could from England, especially industrial know-how so that we could promote our own development. It is only after we reached hegemonic status that we started enforcing these ludicrous agreements in order to preserve our own businesses' position.
This is a gross misunderstanding of what patent and copyright actually mean - specifically, they exist to encourage sharing of information, not secrecy. They require full disclosure by definition, so you can't patent a trade secret without revealing it to everyone. There's a period of exclusivity (~20 years), which is very different from "withholding information", but that's only after the IP has been published.
They exist to encourage sharing of information in the context of a private marketplace. Most useful technology is created by state-funded research over decades. The private sector just monopolizes the results. If anything, competition would be better if there were no patents. If employers could simply poach key employees by offering good salaries, they would get that information quite easily.
> Most useful technology is created by state-funded research over decades. The private sector just monopolizes the results.
This is another gross oversimplification at best, and I have yet to hear anyone who has spent significant amounts of time in either public or private sector R&D make such a claim. Real life, and product development in particular, is not so easily reduced to catchy political slogans.
This is another gross oversimplification at best, and I have yet to hear anyone who has spent significant amounts of time in either public or private sector R&D make such a claim. Real life, and product development in particular, is not so easily reduced to catchy political slogans.
Off top of head, the recent Ebola vaccine was created almost exclusively from gov. research. Merck bought a company who was supposed to commercialize it but they did a really poor job . There are people who would not be dead if the vaccine had been available, sooner
That's an anecdote, not data. The last article I read about this calculated that around 20% of new drug approvals came directly from government/academic research - and that's usually repurposed older drugs (which is actually a good place to focus, since it's cheaper and big pharma isn't really interested in resurrecting off-patent molecules).
Point to nearly anything that has dramatically changed modern life and you will see the arm of the state involved: GPS, internet, the airplane, etc. The best argument I'm aware of for private enterprise producing really novel products is Bell Research, however they were a regulated monopoly, not a competitive industry and the state authorized 10% additional charges for investment.
You can make some arguments about things like iPhones but that device depended on a huge state funded or regulated infrastructure to be useful (e.g. cell towers, internet), and it was essentially a very polished cobbling together of different components (microchips, batteries) that were developed from many decades of state supported / regulated monopoly research.
Business is very good at taking something off the shelf and making money with it. It's very bad at sustained investment that might not be profitable more than a few years away.
You can make some arguments about things like iPhones but that device depended on a huge state funded or regulated infrastructure to be useful (e.g. cell towers, internet), and it was essentially a very polished cobbling together of different components (microchips, batteries) that were developed from many decades of state supported / regulated monopoly research.
Business is very good at taking something off the shelf and making money with it. It's very bad at sustained investment that might not be profitable more than a few years away.
If you think Apple simply "took something off the shelf" and sold us iPhones at huge markups, you clearly know even less about R&D than I assumed. Cherry-picking examples like the Internet doesn't really prove your point: try comparing the amount of taxpayer-funded R&D that went into the early (pre-1994) Internet with the amount of private investment since then. (I have no idea what the actual numbers are but I'd guess at least two orders of magnitude difference based on what I've seen elsewhere.)
I don't disagree, but research money spent may be a poor proxy for technical progress if it's spent to research ever better ways of showing ads to consumers.
I mean, it'd make sense if the government research spending aligned with public interest more closely than private investment did, the government is spending the public's money after all.
I mean, it'd make sense if the government research spending aligned with public interest more closely than private investment did, the government is spending the public's money after all.
Totally valid points - but this is why oversimplifying the entire issue into "Private sector bad! Public sector good!" (or vice-versa) is a terrible idea. However, oversimplifying what big companies like Apple do as pushing ads is just as bad. Think about the supply chains involved in building an iPhone, and how the individual components are manufactured - it's decades beyond the roots in government (and remember, projects like the Internet still depended on private companies to actually build most of the hardware).
You are misunderstanding the matter of patents. Modern patents exist precisely because of the inevitability of industrial espionage, which is largely practiced by all developed countries. The goal is that, even after a trade secret is stolen, it will be made useless because nobody can use that information. So the goal is not to "share knowledge", but to avoid the practical use of knowledge that was shared by any means.
Also, you are mistaken in thinking that, by publishing a patent, the company is sharing knowledge. Quite the contrary, the contents of a patent gives only the minimum necessary to protect a crucial aspect of a business secret. Most patents are opaque and don't give any concrete business information that be used to successfully replicate what it is trying to conceal.
Also, you are mistaken in thinking that, by publishing a patent, the company is sharing knowledge. Quite the contrary, the contents of a patent gives only the minimum necessary to protect a crucial aspect of a business secret. Most patents are opaque and don't give any concrete business information that be used to successfully replicate what it is trying to conceal.
In the USA, patents are explicitly mentioned in the Constitution and the purpose is to incentivize disclosure, not because the founders were worried about industrial espionage. It would have been awfully difficult for hostile powers to remotely hack our R&D facilities in 1789.
Think again. Hacking is a very old activity; it was not done with computers in 1789, but you can be sure that there was a lot of industrial espionage between Britain and the US at that time.
There is the story of the clove tree, which was monopolized by Dutch East India company, until 1 tree was stolen and seeded elsewhere
Have family that work in encryption, you can think of barriers to entry as orders of magnitude in cost.
AWS can decipher decade old encryption standards for about $100k brute computational cost.
Nation states have access to 5-8 zeros of effort if it is valuable enough. Private entities have no chance against nation-state backed hacking efforts.
It’s one-sided or ‘asymmetric’, because western intelligence refuses to share commercial intelligence with western businesses (probably because there isn’t much of value to share... yet).
Only solution is political change.
AWS can decipher decade old encryption standards for about $100k brute computational cost.
Nation states have access to 5-8 zeros of effort if it is valuable enough. Private entities have no chance against nation-state backed hacking efforts.
It’s one-sided or ‘asymmetric’, because western intelligence refuses to share commercial intelligence with western businesses (probably because there isn’t much of value to share... yet).
Only solution is political change.
Given today's anti-free-thinker HN climate I'm probably going to get downvoted to oblivion for saying this, but I feel I need to say it.
I don't think COVID-19 research should be secretive, I think it should be a global effort, and I'm perfectly happy with the idea of any nation having open access to all COVID-19 research, vaccines, results, and (anonymized) data. There should NOT be a concept of intellectual property when there are people dying in droves from a disease. Please, China, Italy, Spain, everywhere, scoop up all the COVID-19 research you can find and act upon it to save lives. Copy ideas. Copy drugs. Re-do and verify tests. Immediately. Don't mind the courts. They suck, and are sitting in armchairs killing people by delaying the effort and enforcing intellectual "property".
I don't think COVID-19 research should be secretive, I think it should be a global effort, and I'm perfectly happy with the idea of any nation having open access to all COVID-19 research, vaccines, results, and (anonymized) data. There should NOT be a concept of intellectual property when there are people dying in droves from a disease. Please, China, Italy, Spain, everywhere, scoop up all the COVID-19 research you can find and act upon it to save lives. Copy ideas. Copy drugs. Re-do and verify tests. Immediately. Don't mind the courts. They suck, and are sitting in armchairs killing people by delaying the effort and enforcing intellectual "property".
Someone should profit for figuring out how to stop COVID because otherwise there is little incentive beyond the government, and they don’t typically work nights and weekends.
If China succeeds in stealing the solution, that will harm mankind because it will reduce future incentive to stop these things quickly.
If China succeeds in stealing the solution, that will harm mankind because it will reduce future incentive to stop these things quickly.
>there is little incentive beyond the government, and they don’t typically work nights and weekends
The government certainly doesn’t pull long hours.
Beyond the military. They do pull some late nights and cold field deployments in the DoD.
And beyond local police and fire. And state troopers. Law enforcement does go late and I’m pretty sure fire departments deploy all night. But of course those are not federal.
There is, obviously, the FBI. Those agents are mostly not up at night though. Now, CBP and TSA staff air and sea ports pretty late but that’s different.
The diplomatic corps also works pretty late hours if I remember my leaked cables correctly. But again, an exception. And they get to go to fancy parties.
Obviously people in Congressional staff offices, political advisers in the executive branch, and so forth. But those folk are essentially politicians.
FEMA. Pretty sure some of them stay up.
Other than our armed forces and supporting staff (good morning NSA NSOC), police and fire departments, federal law enforcement, State Department diplomatic staff, staff for elected officials, and FEMA, no one I can think of right now in government stays up late.
Intelligence community, forgot them, other than NSA and FBI. At least some of the 14 other members probably work late, I think? NGA, at least.
But no you’re right, why would we want government scientists like those at NASA, CDC and the EPA working as leading exemplars of COVID research. Surely they are lazy. And they show good work does not happen without a profit motive.
The government certainly doesn’t pull long hours.
Beyond the military. They do pull some late nights and cold field deployments in the DoD.
And beyond local police and fire. And state troopers. Law enforcement does go late and I’m pretty sure fire departments deploy all night. But of course those are not federal.
There is, obviously, the FBI. Those agents are mostly not up at night though. Now, CBP and TSA staff air and sea ports pretty late but that’s different.
The diplomatic corps also works pretty late hours if I remember my leaked cables correctly. But again, an exception. And they get to go to fancy parties.
Obviously people in Congressional staff offices, political advisers in the executive branch, and so forth. But those folk are essentially politicians.
FEMA. Pretty sure some of them stay up.
Other than our armed forces and supporting staff (good morning NSA NSOC), police and fire departments, federal law enforcement, State Department diplomatic staff, staff for elected officials, and FEMA, no one I can think of right now in government stays up late.
Intelligence community, forgot them, other than NSA and FBI. At least some of the 14 other members probably work late, I think? NGA, at least.
But no you’re right, why would we want government scientists like those at NASA, CDC and the EPA working as leading exemplars of COVID research. Surely they are lazy. And they show good work does not happen without a profit motive.
Not to mention that if they find a cure before the world they will mark it as "strategical advantage" and not shared because it's of "national interest." At least based on their past history.
Are we talking about China or US?
I understand any extra data gives you an advantage, but I think I'm missing a step where they can steal a solution while simultaneously keeping that solution for themselves (assuming stealing means copying/sneaking out information others have already gathered).
Maybe a slight headstart if they throw extra research money on it.
Maybe a slight headstart if they throw extra research money on it.
It's not okay to keep solutions for only their citizens, but it would still be in your best interest to share what you know with their citizens so that you have a lower priority of getting infected by their citizens who may travel to your place.
Humans are humans. The virus doesn't care for the politics, it will spread without regard to human-invented political borders, so the preventative measures shouldn't stop at political borders, either. That would be contradictory to the apolitical nature of the virus.
(In any case, if you shared something with them and it is actually useful, there's a good chance you're pretty close to the solution yourself, anyway.)
Humans are humans. The virus doesn't care for the politics, it will spread without regard to human-invented political borders, so the preventative measures shouldn't stop at political borders, either. That would be contradictory to the apolitical nature of the virus.
(In any case, if you shared something with them and it is actually useful, there's a good chance you're pretty close to the solution yourself, anyway.)
https://www.bloomberg.com/news/articles/2020-05-18/china-s-v...
China promised to give its covid-19 vaccine to WHO for free. If the accusation is true, it's basically Robinhood for poor countries.
China promised to give its covid-19 vaccine to WHO for free. If the accusation is true, it's basically Robinhood for poor countries.
ezVoodoo(1)
If the PRC gets a workable vaccine first, they can gain influence to get everyone to use a WHO run global vaccine passport instead of separate national systems. They can then tie the WHO's databank into their global surveillance system and franchise out China's surveillance state and social credit score system throughout the world.
Those are good points, I'd add two more:
- "If you want to buy our vaccine, you need to buy Huawei equipment for all your communications systems" - we've already seen that in France with PPE
- What would that do for investment in vaccine research if you know China can drop in theirs at any time and address the entire market? Investments dries up, China pulls back, go back to 1.
- "If you want to buy our vaccine, you need to buy Huawei equipment for all your communications systems" - we've already seen that in France with PPE
- What would that do for investment in vaccine research if you know China can drop in theirs at any time and address the entire market? Investments dries up, China pulls back, go back to 1.
I can't recall the last time I saw a public statement by the FBI that wasn't a lie used for some nefarious purpose.
The FBI lists _many_ public statements per day about all sorts of operations and arrests: https://www.fbi.gov/news/pressrel
What you're encountering might just be a selection effect since many of these press releases don't raise people's interests. Perhaps it's the people amplifying certain stories to drive their narrative than the FBI themselves?
What you're encountering might just be a selection effect since many of these press releases don't raise people's interests. Perhaps it's the people amplifying certain stories to drive their narrative than the FBI themselves?
The FBI is a highly political organization that uses its position of authority to routinely intervene in politics often at the behest of the state.
Usually I list the interference they do in left wing movements where they spy and infiltrate spaces to disrupt and discredit vital activities aimed at e.g. preserving the environment. As a highlight, they tried to get MLK to kill himself. Much of this was documented by the revelations of COINTELPRO. That stuff was never punished, so why would they ever stop? It's good for the integrity of the state.
For a conservative example, the recent "Obamagate" disclosures show how the FBI was instrumental in creating the now totally discredited Russiagate conspiracy which raged in the media for two years as a ploy to disrupt the Trump administration by an insane xenophobic conspiracy that Trump was the manchurian candidate, going so far as to create speculation that he was some kind of soviet sleeper agent from the 1980s. He's of course a bad guy, but this stuff is off the wall.
Now the FBI is being brought under control by the current administration which is attempting to distract from it's total failure to respond to the pandemic and its actions which are widely acknowledged to have made it far worse that it should have been. The United States, the richest most powerful country in the world, has had one of the worst responses in the world. So the administration is attempting to clumsily pin the blame on a "foreign enemy" by saying it's attempting unfairly to do something about the pandemic. What an incredible world we live in.
EDIT: To conclude: Is withholding medical information in a pandemic for any reason ethical? What about for making money? Is stealing such information from such an actor unethical?
Usually I list the interference they do in left wing movements where they spy and infiltrate spaces to disrupt and discredit vital activities aimed at e.g. preserving the environment. As a highlight, they tried to get MLK to kill himself. Much of this was documented by the revelations of COINTELPRO. That stuff was never punished, so why would they ever stop? It's good for the integrity of the state.
For a conservative example, the recent "Obamagate" disclosures show how the FBI was instrumental in creating the now totally discredited Russiagate conspiracy which raged in the media for two years as a ploy to disrupt the Trump administration by an insane xenophobic conspiracy that Trump was the manchurian candidate, going so far as to create speculation that he was some kind of soviet sleeper agent from the 1980s. He's of course a bad guy, but this stuff is off the wall.
Now the FBI is being brought under control by the current administration which is attempting to distract from it's total failure to respond to the pandemic and its actions which are widely acknowledged to have made it far worse that it should have been. The United States, the richest most powerful country in the world, has had one of the worst responses in the world. So the administration is attempting to clumsily pin the blame on a "foreign enemy" by saying it's attempting unfairly to do something about the pandemic. What an incredible world we live in.
EDIT: To conclude: Is withholding medical information in a pandemic for any reason ethical? What about for making money? Is stealing such information from such an actor unethical?
That doesn't make it magically impossible for the PRC to do nefarious things of their own, which I'm sure you'd agree the FBI would gladly publicize.