
Likely hack of U.S. banking regulator FDIC by China covered up: probe - LukeHoersten
http://www.reuters.com/article/us-cyber-fdic-china-idUSKCN0ZT20M
======
chickenbane
I wouldn't be as alarmed at the NSA's data collection revealed by Snowden if I
felt they took their job of defending and protecting US systems with as much
zeal.

Of course, as the government's own reports show mass surveillance doesn't
prevent terrorism, and we are also seeing how poorly citizen data is being
protected.

This feels very familiar. Instead of seeing a malicious organization, I'm just
realizing it's incompetent. Forget about Pokemon Go asking for too many
permissions, your data is already lost.

~~~
nickpsecurity
"I wouldn't be as alarmed at the NSA's data collection revealed by Snowden if
I felt they took their job of defending and protecting US systems with as much
zeal."

I thought that at one point but DOD tried and nobody wanted the stuff. COTS,
low-cost, and high-speed above all else even for critical stuff. Government
kept trying with Common Criteria but almost all vendors and customers went for
least secure stuff. NSA tried again with programs like SPOCK that evaluated
Sentinel's HYDRA firewall. Defense contractors and DARPA/NSF-funded groups
keep making stuff. Basically nobody buys it.

So, I blame the demand side instead of NSA. If market gave a shit, NSA would
be working their butts off trying to get anything done in a memory-safe, type-
safe, CPU-on-up system. But no... Least we're going to see another effort with
the Dover to integrate RISC-V with SAFE architecture's PUMP. Both RISC-V and
SAFE were U.S. government funded IIRC. Years of papers on both with no uptake
in industry or FOSS for even SAFE's basic techniques until Dover.

Far as NSA, at least they still fund Rockwell-Collins' SHADE and Galois Inc's
awesome work. CRYPTOL language & toolkit got open-sourced by Galois. Nobody
uses it. Seeing a pattern?

~~~
rdtsc
> Government kept trying with Common Criteria but almost all vendors and
> customers went for least secure stuff. NSA tried again with programs like
> SPOCK that evaluated Sentinel's HYDRA firewall. Defense contractors and
> DARPA/NSF-funded groups keep making stuff. Basically nobody buys it.

That is the truth. But there is a chicken and egg a bit there as well. Common
Criteria certification (say EAL4) is not cheap and takes years to achieve.
RedHat even opted to do it in Germany by exploiting some international mutual
agreement thing. RHEL 7 was out 3 or so years ago and it is still "in
evaluation". Who has time for that?

[https://www.redhat.com/en/technologies/industries/government...](https://www.redhat.com/en/technologies/industries/government/standards)

So I think the requirements and boilerplate needed is too much and too many
hoops to jump through. A lot are not technical I feel but rather bureaucratic.
I call it paper security -- security that exists only as rubber stamps or
checkmarks in some checklist, which might not actually improve anything in
reality. A lot of it is downright dangerous -- such as mandating installing an
antivirus on a Linux server, which installs a kernel driver, which has a
buffer overflow and so on, cue full on kernel level remote exploits ... as a
result of a "security requirement".

~~~
pjc50
Indeed. The "certification" approach really doesn't work for infosec, because
it's too much of a moving target.

------
smilekzs
> The report did not provide specific evidence that China was behind the hack.

This. Every time. Yet they point the blame guns at China without a single
doubt regardless. Then media puts large Sinophobic and Communism-themed
banners and images to top it off.

Seriously? Does it not sound like Beijing has become their favorite scapegoat,
along the lines of say, I failed to secure system xyz because Beijing was
behind the attack?

~~~
nervoustwit
The title of the article blames China; they have a menacing graphic (the
official Chinese government hacking mouse), and the body of the article affirms
that there is no evidence that the hack originated in China.

------
gleenn
I see stories like this and get pretty depressed. It also makes me wonder if,
given it is actually China, it is government-based or rogue blackhats. It also
makes me wonder the amount the US attempts to hack China and also what the
ratio of government versus rogue blackhats are doing the work.

~~~
TheArcane
You should check out the documentary "Zero Days" released this year. It talks
about Operation Olympic Games among others and how common it is for nation
states to wage cyber warfare because there are currently no rules against it.

------
cleeus
everybody repeat after me: reliable. attribution. of. hacks. is. impossible.

~~~
alanwatts
I.e., the Sony hack was attributed to North Korea simply because the attack had
a NK IP address.

------
NN88
[http://money.cnn.com/2016/07/13/technology/china-fdic-hack/i...](http://money.cnn.com/2016/07/13/technology/china-fdic-hack/index.html)

------
simbalion
Our government, at least under this administration and other recent
administrations, seems to have forgotten that they exist to _serve_ us.

Maybe it's not treason, but it's definitely an abdication of their
responsibilities as public servants.

~~~
webXL
"When government fears the people, there is liberty. When the people fear the
government, there is tyranny."

It's not so much tyranny that we fear these days but rather the consequences
of ceding more and more power to such a corrupt and inept bunch.

~~~
1stop
Or the realisation that WE are that corrupt and inept bunch. It's not like
government workers are a 'special elite' class...

~~~
webXL
Not in our minds, but these people see others with power and think if only
they had that power, preferably centralized (who likes redundancies??? DRY!),
they could do something really special. They are The Anointed[1]. They've
cracked the code somehow. But they get to the helm only to discover there's 10
other hands on the wheel, and no one can see the effect until well after the
next election cycle.

[1] [https://www.amazon.com/Vision-Anointed-Self-Congratulation-S...](https://www.amazon.com/Vision-Anointed-Self-Congratulation-Social-Policy/dp/046508995X)

