How the United States Lost to Hackers(nytimes.com)
nytimes.com
How the United States Lost to Hackers
https://www.nytimes.com/2021/02/06/technology/cyber-hackers-usa.html
29 コメント
I'm fairly certain that if China did to the US what they did to India last year[0], we would strike back, and strike back hard. If China/Russia got to the point where they're causing power outages and rioting/looting, Chinese/Russian cities wouldn't be left unscathed. In a future conflict with a peer enemy I assume all Internet services will cease to exist and we'll be back to WWII era of technology.
https://www.nytimes.com/2021/02/28/us/politics/china-india-h...
https://www.nytimes.com/2021/02/28/us/politics/china-india-h...
1 - power outages in both Russia and China are routine and wouldn’t have caused any riots or looting
2 - their governments wouldn’t care
Cyber defense seems basically impossible.
Actually securing systems would require a massive rethink of systems architecture and replacing many hundreds of millions or billions of lines of existing code.
MAD doesn't work with non-state actors, and it only works with state actors if you're actually willing to go to the mat, which I don't think the US is.
So what does that leave? Hope? Not much of a strategy.
Actually securing systems would require a massive rethink of systems architecture and replacing many hundreds of millions or billions of lines of existing code.
MAD doesn't work with non-state actors, and it only works with state actors if you're actually willing to go to the mat, which I don't think the US is.
So what does that leave? Hope? Not much of a strategy.
> So what does that leave? Hope? Not much of a strategy.
Open Source everything that is IT in government - from the basic design specifications to actual infrastructure configuration - and pay sizeable bug bounties (to the tune of at least 100k per bug) to incentivize third party experts is a very valid strategy.
It is also a great way to get contributions/feedback for improvement ideas from actual experts in the field instead of from some random freshly graduated junior that's sold as a senior consultant by the contractor.
It's ridiculous that many billions of dollars of taxpayer money are spent every year for proprietary software or, worse, hardware that cannot even be audited by independent third parties.
A side effect of a full OSS strategy would also be that waste (e.g. ridiculous/incomplete specs, "deliverables" that don't match these specifications, unrealistic timetables) can get uncovered and tracked by the public.
Given enough eyeballs and sunlight, all issues will eventually be found out. As citizens, we should demand transparency from our respective governments instead of knowing that there are issues and hope our enemies don't discover them.
Open Source everything that is IT in government - from the basic design specifications to actual infrastructure configuration - and pay sizeable bug bounties (to the tune of at least 100k per bug) to incentivize third party experts is a very valid strategy.
It is also a great way to get contributions/feedback for improvement ideas from actual experts in the field instead of from some random freshly graduated junior that's sold as a senior consultant by the contractor.
It's ridiculous that many billions of dollars of taxpayer money are spent every year for proprietary software or, worse, hardware that cannot even be audited by independent third parties.
A side effect of a full OSS strategy would also be that waste (e.g. ridiculous/incomplete specs, "deliverables" that don't match these specifications, unrealistic timetables) can get uncovered and tracked by the public.
Given enough eyeballs and sunlight, all issues will eventually be found out. As citizens, we should demand transparency from our respective governments instead of knowing that there are issues and hope our enemies don't discover them.
Considerable wishful thinking in this imho. Even the notion that having open source reduces vulnerability probability is unproven at best.
[deleted]
USAF has been running the Platform One project along these lines, and other military branches are following in their footsteps.
https://software.af.mil/dsop/services/
https://software.af.mil/dsop/services/
> sizeable bug bounties
Bug bounties might work if one could be sure that the availability of the bounties was not a significant incentive for creation of the bugs. Demand finds more ways to drive supply than you or I can imagine.
Bug bounties might work if one could be sure that the availability of the bounties was not a significant incentive for creation of the bugs. Demand finds more ways to drive supply than you or I can imagine.
We can't even get the NSA, an agency of our own government, to meaningfully contribute to cyberdefense, because they're too focused on offense. (See TFA)
I don't see how paying $100k bug bounties and requiring open source can even make a dent when the same government is paying $millions on cyber offense.
I don't see how paying $100k bug bounties and requiring open source can even make a dent when the same government is paying $millions on cyber offense.
Most security flaws that I have seen seems to fall into two separate groups: trusting user input and leaking timing information.
If we worked on a system to whitelist proven safe input, then we would be a lot safer.
What interests me is that we are essentially in an opposite of WWI: attacking is extremely easy, defense is very hard. I am not sure that this helps, but perhaps that can give some suggestions.
If we worked on a system to whitelist proven safe input, then we would be a lot safer.
What interests me is that we are essentially in an opposite of WWI: attacking is extremely easy, defense is very hard. I am not sure that this helps, but perhaps that can give some suggestions.
Perfect cyber defence is impossible. Getting rid of password protected backdoors is possible, applying security patches in timely manner is even more possible. There, two biggest hacks in the last few years just became impossible. People are not doing their jobs and hide behind the “impossible”
I'd argue that it has nothing to do with people not doing their jobs but rather the companies are accepting the risk of these breaches instead of providing the necessary resources to protect themselves.
It could be argued we're saying the same thing, but your statement has subtle undertones of "IT is failing to do what they're paid to do" instead of the reality of "executives and board members are focused on absolute profit and don't have any legal or financial consequences to being hacked".
Most C-levels that have left "as a result of a breach" for the incidents in the past decade do so with a massive golden parachute. Then after a vacation go work for another company with no consequences. They're actively rewarded for this behavior right now.
It could be argued we're saying the same thing, but your statement has subtle undertones of "IT is failing to do what they're paid to do" instead of the reality of "executives and board members are focused on absolute profit and don't have any legal or financial consequences to being hacked".
Most C-levels that have left "as a result of a breach" for the incidents in the past decade do so with a massive golden parachute. Then after a vacation go work for another company with no consequences. They're actively rewarded for this behavior right now.
As an engineer you do your job first and foremost, you blame your your management when they do not let you to do your job.
What are the two biggest hacks that are now impossible?
Certainly none of our big C++ platform software has really made any headway on completely removing memory security bugs.
Certainly none of our big C++ platform software has really made any headway on completely removing memory security bugs.
solar winds clients were hacked through solar winds back door and equifax was hacked though outdated version of struts framework
Those types of attacks are absolutely still possible. I am less interested in specific attacks and more in closing out entire types of attacks.
That is very commendable goal, but shouldn’t we stay diligent in the meanwhile?
Sure, but it doesn't seem relevant to playing defense. Patching after an attack is a losing battle. Real defense is securing systems in advance.
Zero points made. Zero answers given.
The answer: a huge number of foreign citizens, possibly agents, nobody knows, working in the US tech sector, and several domestic agencies that each separately and secretly compel those companies to pay those employees to install back doors, and then kick them out of the country in exchange for a new batch of younger and cheaper employees.
I remember when I used to think that hackers ‘found’ bugs. Silly.
The answer: a huge number of foreign citizens, possibly agents, nobody knows, working in the US tech sector, and several domestic agencies that each separately and secretly compel those companies to pay those employees to install back doors, and then kick them out of the country in exchange for a new batch of younger and cheaper employees.
I remember when I used to think that hackers ‘found’ bugs. Silly.
Foreign governments don’t need to pay employees to install back doors. Highly-paid software engineers are perfectly capable of inserting security bugs into their own code without prompting. Writing secure code is insanely difficult and has only become harder now that vast swaths of the code that is written is directly exposed to the Internet, or just one small step away from it.
It’s a really important topic for the media to cover, but the title is pure clickbait.
They keep looking at it like the whole thing is about hackers and not crappy software
I guess you the Times needs to use clickbait to get traffic same as anyone else.
A better title might be: ‘Mercenaries Undermine US Cybersecurity’.
Sadly, I've come to expect this kind of thing from the New York Times.
Just don’t click the bait. Read the top HN comments instead.
We have one of the world's top governmental cybersecurity organizations, but they would rather use that experience to hack us than protect us.
their job is not to protect you, their job is to protect their masters from you. You are the enemy.
It's harder to mobilize an army, let alone a draft, when your people are rioting and looting for lack of basic services. The good news is we won't see another personnel heavy gulf war or vietnam again, but the terrible news is adversaries know it's almost democratically impossible for the U.S. to fight a total ground war anymore and this will embolden regional border conflicts where raw numbers of infantry soldiers are an advantage. See China's current aggression in international waters and on its border with India as an example where there is a hard ceiling on the level of U.S. intervention because cyber has unbalanced the risk/reward.
Perhaps its only option is to keep escalating aggression and putting pressure on adversaries so they don't have the attention to devote to their regional ambitions, where the role changes from global cop, to a global "broken windows" and "stop and frisk" policing policy.