
Envisioning a Hack That Could Take Down NYC - ChrisArchitect
http://nymag.com/daily/intelligencer/2016/06/the-hack-that-could-take-down-nyc.html
======
rm_-rf_slash
Articles like these make me wonder if the long-term progression of the PC
revolution will follow the sexual revolution of the 1960s.

The AIDS crisis of the 80s did everything it could to undermine the last few
decades' worth of free love. Not only was promiscuity tinged with risk, that
risk alone (and the LGBT association) opened the door to conservative
ridicule.

Fast forward to 2016 and sex is better and safer than ever: hookup apps give
you the opportunity to connect with people without the prerequisite of an
alcohol-soaked atmosphere. Condom quality is light years ahead of what it used
to be. Truvada and low-cost antiretrovirals have chipped away at HIV stigma.
STI test results are an app away.

If an apocalyptic hack resembling this article occurs, it could spur on a
similar security revolution among businesses and consumers. Only when people
realize how insecure they have made their own lives will there be any chance
of saving them from themselves.

~~~
ryanmarsh
In large companies we're already in the beginning of a backlash. Companies are
going overboard on IT security, throwing tons of money at it relative to the
past.

CIOs used to fear failed projects and downtime. Now they tell me they fear
hackers. Many large companies in America are dealing with APTs as well. I'm
sure others here can comment on their experience with this.

Instead of a backlash like the 80's I think there will be a split. I'm already
seeing tech haves and have-nots. My gut tells me there will be those with
amazing tech at their fingertips and those left out or even punished for
trying. I recently commented here that security and privacy are a feature not
a product. I want to retract that statement. Security and privacy may become
an essential product offering.

~~~
superuser2
If decision makers want to improve security, there are readily available
levers they can pull: give a shit about code quality, put 5 minutes of thought
into authorization decisions inside their applications, escape strings, take
advantage of memory safety, upgrade unpatched legacy garbage, stop using and
creating protocols that are trusting by default, etc. They don't do those
things. They buy bolt-on antivirus suites and magic Cisco gateway boxes and
when a 12 year old who's heard of SQL injection comes along they throw up
their hands and go "APT nation-states, what could we have done?" They continue
to believe in perimeter-based security, where network drops in unlocked
conference rooms and hallways are inside the perimeter. They continue to laugh
off email encryption and signing.

We aren't seeing sophisticated attacks, by and large. We're just seeing
someone finally bothering to attack all the crap that was designed in the
assumption of "who would ever want to attack this?" or that pre-existing
viruses for which signatures are published are the only relevant threats.

~~~
shaftway
But by and large, the decision makers _can't_ make those decisions, because
of dependencies on open source systems that are too large to audit, or closed
source systems where all they can do is trust the vendor's salesperson who
says "oh yeah, it's secure".

~~~
CaptSpify
The beauty of open source though, is that if we can start funding them, we can
start getting them audited. Look at openssl.

The past method of "taking from open-source, but giving nothing back" may just
need to go away.

------
kens
I read a novel [1] in 1979 with a similar plot. In this book, the attack took
place in Hollister CA rather than NYC. It didn't have vehicles being hacked,
of course, but traffic lights were hacked and people died. Factory production
and medical records were messed up and the hospital's power electronically
shut down by the intruder. My point is that the idea of attacking a city
through its computer systems is older than most HN readers.

[1] The book is _Intruder_ by Louis Charbonneau. A synopsis is at
[https://www.amazon.com/Intruder-Louis-Charbonneau-ebook/dp/B00XZCC512](https://www.amazon.com/Intruder-Louis-Charbonneau-ebook/dp/B00XZCC512)
and a negative review is
[https://www.kirkusreviews.com/book-reviews/louis-charbonneau-2/intruder/](https://www.kirkusreviews.com/book-reviews/louis-charbonneau-2/intruder/)

~~~
ams6110
I read one as a kid in 1982[1]. As I recall it was along the same lines,
starting with an attack on the computers that control the traffic signals,
causing massive gridlock. I forget the rest of the plot.

I like the punch card theme on the cover art.

[1] [https://www.amazon.com/Apple-Crunch-Frederic-Vincent-Huber/dp/0380606992/184-8654610-2208526](https://www.amazon.com/Apple-Crunch-Frederic-Vincent-Huber/dp/0380606992/184-8654610-2208526)

------
rch
Short version: one day in NYC people went home early, and had time for
breakfast before going to work the following day.

Having been through a couple of hurricanes, I think it's a mistake to
underestimate the robustness of human systems.

~~~
cardamomo
Let's not forget that, in some parts of NYC, Sandy recovery is not yet
complete. As you suggest, I imagine if a scenario like that depicted in this
piece were to unfold, some New Yorkers would be relatively unaffected. Others,
however, might have their lives upended for months.

------
noonespecial
Minor nit. In each of 3 medical facility settings I've gone to to restore the
computers, the staff was _disappointed_ when I got them going again. Instead
of just using the paper charts on the doors, they once again had to enter all
of the data 3 times in 3 different awful systems designed to show, it seems,
that yes, Vogons do write user interfaces.

And they had the added burden of catching back up what they'd put on paper in
those 3 systems.

------
douche
I thought all you had to do was take down one substation to plunge NYC into
chaos

[https://en.wikipedia.org/wiki/Northeast_blackout_of_2003](https://en.wikipedia.org/wiki/Northeast_blackout_of_2003)

------
legodt
Aw yes, classic puffed up (likely state-sponsored) scare pieces designed, not
written, for the easily swayed common man and not any real workers in netsec
or systems architecture. The real subtext of this piece reads like "stay
frightened and helpless," "fund the DHS more," or, "submit to the NSA."

Blech.

~~~
eric_h
Perhaps I'm not predisposed to view this story the way you are, but I actually
got the opposite sense from it.

Don't trust that the massive bureaucracies will save you. Don't trust that the
US government is doing a good enough job.

The brief mention in the story "there was a congressman demanding that even
white-hat hackers, who tried to probe systems as a way to point out
vulnerabilities before the bad guys got to them, be thrown in jail", I think
screams that there are people working with our best interests at heart, don't
demonize them as hackers.

But perhaps I'm just predisposed to optimism; that eventually the rational,
sensible approach to cybersecurity will prevail.

Perhaps you're right, and I'm just being foolish.

