Chinese Hackers Breach U.S. Navy Contractors (wsj.com)
83 points by propman 4 months ago | 61 comments



Not surprising at all. What's surprising is that it's taken this long to appear in the news.

While in the shipyards for maintenance I would stand watch and was responsible for letting people on/off a large ship. Most were contractors. The only requirement was that they had a contractor badge. How did we tell this was a valid badge? Good question. You'd think there would be some sort of master list of people with badges we could check and verify.

Not quite. Every contractor had their own style of badge and we had no way of knowing if any particular badge was real or not. Want a "valid" badge? Buy a badge printer. You're in.

We had people we didn't even know just show up to install systems on board that nobody was able to verify were supposed to be there or not. It was a little better with the classified systems, but you can imagine that any verification of contractor IT systems was non-existent.


I can't believe it, but I also can believe it - Me, ever since doing CyberSec 2 years ago.


A non-trivial bit of the problem is the highly fashionable attitude of refusing to do work that helps the Department of Defense. The fact that skilled labor is a limited resource for both nations, which means refusing to help is at least similar to aiding foreign powers, which are statistically dictatorships of one kind or another, seems to not factor into the set of moral ethoses that such folks espouse.

Remember, it's not just China. It's North Korea, Russia, Iran, Israel; any country facing significant military threats is interested in US weapons technology.

You live in a constitutional democracy on a planet where the mean, median, and mode country is a dictatorship? And don't want to defend that government? Really?


“And don't want to defend that government?“

Well, here’s the problem. How much of what the DoD does is actually defending our government, versus going off and killing far-away people who pose no threat to us for various murky reasons?

Do I want to contribute to keeping foreign armies off our soil? Sure! Do I want to contribute to drones blowing up weddings? Not really.

Maybe if our government would stop abusing our military so horribly, it would find more American experts willing to support that military.


The issue is that what you end up defending is the right of more malicious actors to acquire technology from the US below cost through low-cost, high-yield hacking.


Do I? Or do I just not help to murder civilians on the other side of the planet? How can you be so sure that I’d only be helping the good side of the DoD?


From my point of view, both of you are right and wrong. Being a conscientious objector to war is not the same thing as aiding an enemy. However, defending against hacking is different from providing for offensive weapons. In other words, defending government institutions takes precedence over the policies of government institutions. The policies are decided at the ballot box.


Let's assume there is no good side of the DoD. Let's assume that the military is 100% teeth-gnashing devil dogs with nuclear weapons. Which is what they aspire to, I assure you.

Two things: 1) whether they have a $700 budget or $700B budget, the DoD executes the orders of elected civilians.

2) Don't you still want to make it as expensive as humanly possible for other countries to get the plans to those weapons? Even if you live in Paraguay, rogue states with nuclear weapons increase the cost of international economic collaboration and thus decrease your quality of life. Securing the US Government's weapons information is in your best interest.


You didn’t answer my questions at all.


I did answer your questions. Perhaps I didn't convince you to reject your previously held views, but I did answer your questions.

> How can you be so sure that I’d only be helping the good side of the DoD?

I answered this by asserting your premise, the DoD has a good side, is unnecessary. I further allowed for the possibility you're not even American.

> Do I [end up defending the right of more malicious actors to acquire technology from the US below cost through low-cost, high-yield hacking]?

I answered this by posing the leading counter-question, "Don't you still want to make it as expensive as humanly possible for other countries to get the plans to those weapons?" And that appears to be the fairly strong position it is, considering I rejected your requirement of there being anything good about the DoD, and further rejected any implication that you're even American.


Then you’ve superficially answered the literal questions without actually getting at the underlying point.

The point is this: if I help them, how can I ensure that this help goes towards things like preventing other countries from obtaining nuclear weapons, and not blowing up weddings?


It's offense vs defense, and in this situation, those are highly separable domains.

Concretely, blowing up weddings is a failure of guidance systems; that's an offensive problem. Those are avionics and fire control problems, not network security problems. Avionics and fire control are highly specialized domains. You don't accidentally write some code that helps with those problems. They have their own languages, their own compilers, their own chip architectures. The developers work in places you hear about on the History channel, like China Lake.

Conversely, the defensive work of improving the network security that protects the plans and software for offensive systems, including those avionics and fire control software repositories, is good for everyone, not just the rabid dogs of the DoD.


Most drone strikes blow up people who'd gladly saw your head off.


Even if true, they can’t.


I would do it as well. These days only one opinion is safely allowed to be stated. If you work in the Bay and you disagree with Google's protest against working for DoD, you'll be socially outcast. People who are apathetic just go with the flow and burgeon the numbers of what is, in my opinion, a minority.

It's difficult to have an actual discussion; it gets dumbed down to the most basic, dumbest arguments. You support war, you are bad. This anti-intellectualism is spread everywhere and in my opinion caused a very promising MeToo movement to falter. They refused to differentiate between two evils. Al Franken is not Harvey Weinstein. Louis CK is not Roy Moore. The USA is not China. Arguing with the majority in the Bay about this simple fact is like arguing with toddlers.


Your opinion is extremely arrogant, perhaps even more so than it is misinformed. The reasons why you see a dearth of technically skilled labor entering the government workforce are a complex issue, and it is nowhere near that black and white.

Since you mention military weaponry specifically though, the primary problem is in many academics/researchers being averse to contributing to military projects. But can you really blame them? For many, they have spent the better part of their lives cultivating their respective fields, and you expect them to be perfectly happy spending that on making it easier to kill people? People want to meaningfully contribute to making the world a better place, and I guarantee you'll find it very difficult to convince that computer scientist that building a drone with better targeting capabilities for its missiles, to better kill people, will result in fulfilling such a goal, no matter how you try to phrase it.


Ah, no, strong cybersecurity for the US Government would make the cost of killing people higher.


Please refer to a comment I've previously made on this topic https://news.ycombinator.com/item?id=18557389


Additionally, I find it intellectually lazy to believe that assisting the military is morally wrong. What I think people (and in particular Americans) fail to consider is that if you really do feel that the political system is so corrupted that the will of the people has been subverted, what that actually morally requires you to do is to overthrow it. You cannot say "Oh well I didn't vote for the guy who started the war so I guess I'm ok". You are responsible for everything that happens and is happening, and if you really believe that the system is so badly broken that we are involved in illegitimate wars then you need to take responsibility for that and stop it. Stop paying your taxes, organize your community against it. Be willing to sacrifice to make it happen. By not doing this, you are disregarding the sacrifice that so many people make in support of the system (members of the military, administrators, etc).

It's reprehensible to disregard the sacrifices of others so callously yet be willing to sacrifice nothing yourself.


> I find it intellectually lazy to believe that assisting the military is morally wrong

Even if you view the military as an amoral tool, then it's still immoral to contribute to its strength while it is under immoral control.

> You are responsible for everything that happens and is happening, and if you really believe that the system is so badly broken that we are involved in illegitimate wars then you need to take responsibility for that and stop it. Stop paying your taxes, organize your community against it. Be willing to sacrifice to make it happen

So I'm on board with this ethos, but then the question becomes: to do what?

If you act in a direct violent manner (which includes not rendering unto Caesar), the system attacks and contains you.

If you act in an economic manner (earning less to pay less taxes), you're heading away from the attractor of competition. The end result is living like the Amish, which while individually sustainable, has clearly not caught on.

If you make small actions under the idea they accumulate, then you get stuck in simulations (eg ethical consumption, voting).

If you narrow your focus to one topic, then you end up just fighting your fellow plebs with different priorities (eg SJWs).

I have long thought about this and still have come up with little. Cryptocurrency seemed promising, but then Bitcoin came along and vaccinated the state. With no straightforward answer it sort of feels like you're throwing out a straw man. While I'm all for kicking people to not compromise so readily, everybody compromises constantly. It is nonsensical to pick on someone who has partially compromised as being inconsistent for not having fully compromised. I would rather have them hold on to their ideology and still be looking for new doors.


> then the question becomes to do what?

If you write code and know anything about security, one of the biggest impacts you could make would be in securing US government systems. Even if you are German or Brazilian, securing US Government systems would make the world safer than securing your own government.


You must have severely misread my comment. Securing USG's systems is certainly not going to prevent the US military [industrial complex] from attacking arbitrary countries for fun and profit.


I would happily do this work if it was accessible and lucrative. I think plenty of SV nerds would. I don't doubt that there is a significant contingent that are politically opposed like you describe, but I don't think the compensation can match what is being offered these days for talent.


Exactly what I was going to say.

I have no moral issues with (most) code related DOD work, but it just doesn't pay comparably.


It is accessible and quite lucrative. My biggest customer was the US Navy. We did great things.


OTOH, the military has the ability to manufacture whatever labor it needs.

Out of potato peelers? You, you, and you grab some spuds.

Out of computer engineers? You, you, and you head to training.


ah, remarkably less so than you might think.


The general issues of compensation and the bureaucratic aspects of the work seem to be much larger issues than any lack of patriotism.

I'd note that the civilian side of the government has similar struggles.


An even more non-trivial part of that is the difference in pay.


Hackers breaching US Navy contractors tells us one important thing: that the US Navy is not doing adequate due diligence on the firms it allows to be contractors.

This story is part of the campaign to present China as an unethical, capable adversary and threat. In reality, China wants to trade peacefully with the US and the aggression is nearly 100% on the US side and is meant to garner all the benefits of threat-oriented chest pounding for US politicians.

The #1 rule of being a citizen should be "don't let them tell you who to fear or who to hate". Sadly, the NYT, Bloomberg, and the WSJ are all telling us to hate and fear China, when it's obvious that the US has domestic political motives in mind.

In the US, leaders need an enemy or the conversation might turn to things like "why do we have poisonous drinking water?" or "Why has there been a trend of downward mobility?" or "Why didn't anyone get punished for Snowden's revelations or for the lies that led to the Iraq war?"


> In reality, China wants to trade peacefully with the US and the aggression is nearly 100% on the US side

You don't need to make this claim to support the rest of your point. I agree with the gist of your comment but think this point makes it easier to attack the overall message.

Personally, I think China is trading with the goal of jump starting their economy, and then seeing where they end up. China's incentives aren't to act within our paradigm of free trade, but to attempt to operate on it. If free trade is truly a Schelling point, then we'll remain there. Otherwise at the end of the day, holding currency or title to imaginary property won't matter, but where the factories are located will.

But that isn't really relevant to the larger point that all this finger pointing at China (or Russia, depending on the month) is just basic scapegoating to cover the asses of negligent contractors and corrupt government.


> You don't need to make this claim to support the rest of your point.

True


> The victims have included large contractors as well as small ones, some of which are seen as lacking the resources to invest in securing their networks.

That does not compute. If they want to become a defense contractor, it stands to reason not spending resources on securing their network (and educating their employees against phishing attacks) is a non-starter.


Why? You can be a “defense contractor” as a one person show out of your garage.

The requirements for selling a toilet to the navy were written at a time when these issues didn't exist. That the biggest bureaucracy on earth doesn't respond well to new threats seems expected, not odd.


Exactly. Legit anyone can bid on these contracts, and the DOD is finally starting to crack down on "Confidential Unclassified Information" and the contractors that handle that data. It's wild how many small companies have no security infrastructure.


Are you serious? It should be pragmatic and taken seriously, but it isn't. As for phishing attacks, try it three times in a row and, if I recall correctly, you get results of 50 percent success.


Do procurement contracts have clauses that discount the purchase price when proprietary information is lost to reflect the diminished value of the product?


I wouldn't be surprised. I've done some unclassified govt contracting and it wasn't uncommon for them to include clauses in software purchase contracts that they had to be reimbursed a certain amount of money any time a security vulnerability was discovered in the purchased software. The reasoning was that they had to spend money identifying, reporting, and updating systems, so the vendor had to pay for wasted resources.


This is an excellent question. I can imagine the difficulty of such a clause would be to quantify, in financial terms, the value that was diminished due to a breach. Most likely the case is that the government has a vested interest in keeping tight security over their program, from engineering to manufacturing, and small suppliers rely on security engagement from the gov. With big suppliers such as General Dynamics and Northrop Grumman, I am sure security breaches are taken very seriously and it would impact the future supplier selection process and bidding.


At what point will the gov actually do something meaningful here? I know security is hard, but so is putting a man on the moon. The number of hacks without consequences is insane.


Is this a surprise? I imagine many powerful countries' cyberespionage groups are going after the other side.


Paywall workaround: http://archive.is/KMi5Y


A slightly different headline would be "Navy has lousy security practices especially regarding contractors"

I'm pretty sure the CIA and NSA do their utmost to spy as much as they can on the Chinese and Russian Navy.


Excellent job moralizing, comrade.


What exactly is immoral about spying on a foreign nation state?

We do it to them, they do it to us, what exactly is the issue? Is there some no-spying gentleman's agreement that's being violated, here?


The notable news is not that they’re trying to do it. The news is that they are succeeding, and what’s worth noting is that our defenses are so weak.


@snowden sold us out to China when he fled in 2013, by revealing details about our spying operation on them. Apparently they bolstered their defenses after this, due to this information, meanwhile stepping up offensive attacks against the United States.


According to the NYTimes they also killed over 100 CIA assets in China. So we went dark for a while as the whole batch was compromised. We didn't retaliate either. The Snowden thing wasn't the cause of that, but I bet the Snowden thing compromised other assets.


It's interesting how much people still talk about metadata collection (protected behind the requirement of itemized FISA court approval) because "big mean US is evil" while ignoring events like this.


Events like what? That people committing capital crimes for money are being caught, and convicted of... Said capital crimes?

If you don't want to do the time, don't do the crime. You don't just stumble into being an informant for a foreign power.


> Events like what?

Killing dozens of people in secret without a proper trial.

And the fact that it isn't an uncommon occurrence.


>Killing dozens of people in secret without a proper trial.

To be fair, they also executed some of them in public ;)

https://www.nytimes.com/2017/05/20/world/asia/china-cia-spie...

>From the final weeks of 2010 through the end of 2012, according to former American officials, the Chinese killed at least a dozen of the C.I.A.’s sources. According to three of the officials, one was shot in front of his colleagues in the courtyard of a government building — a message to others who might have been working for the C.I.A.


So like the disposition matrix? Except they aren't also killing thousands of innocents that just happen to be near the person being killed?


It seems like that is more appropriately attributed to USG's persecution of whistleblowers. I'd bet that Snowden would rather have not fled the US, but he did not have that option.

You can't build on a broken foundation - exposing domestic anticonstitutional corruption is more important than the fallout to foreign policy.


Your comment temporally corresponded with multiple simultaneous downvotes of my comment.

There's no justification at all for informing any of our adversaries of details related to spying activity on them. Intentional or not, Mr. Snowden's actions have hurt the USA.


We aren't at war with China, they are not our adversaries. Any harm caused to the US was a result of harm we had done to them.


The people who have 1M people in "re-education camps", claim ownership of Taiwan, have been building artificial islands to stake their "territory" in the South China Sea, and just made Xi de facto emperor for life?

Are you sure we aren't adversaries? Because we certainly don't seem to be ideologically aligned!

Don't get me wrong, we've got fucking problems, but we're not disappearing artists and sending people to live in other people's houses to spy on them directly. China has chosen a path of dictatorial horse-shit of its own accord - the US didn't push them into it.


>Are you sure we aren't adversaries? Because we certainly don't seem to be ideologically aligned!

None of those things pose a true threat to America, and who benefits from treating them as adversaries because of ideological differences?

>China has chosen a path of dictatorial horse-shit of its own accord - the US didn't push them into it.

Though there are strong arguments that US and other Western powers did push them into this situation, if you view this as a path they chose why would you oppose it? We tried controlling their path before, and countless millions of Chinese died as a result.


> There's no justification at all for informing any of our adversaries of details related to spying activity on them.

Even under pain of imprisonment and torture? Everyone has their limits.

> Mr. Snowden's actions have hurt the USA.

Only if you believe that "USA" is equivalent to the "US Government". If you believe that the United States means something more, like perhaps a society founded on individual rights, equal protection under the rule of law, and a government constrained by its charter, then blowing the whistle on the domestic enemies in Maryland is extremely helpful.


Nonsense.

@snowden could have chosen not to tell our adversaries about any spying activity upon them. Instead, he stole classified info that was far beyond the scope of domestic surveillance, in a premeditated way, then shared this with our adversaries.

"domestic enemies in Maryland" is entirely your opinion. Are you an American citizen? What exactly is your justification (beyond Hollywood propaganda, news articles, etc) for such a claim? Have you reviewed in detail what @snowden (and his co-conspirators) have leaked? How much was actually related to domestic surveillance? How much was classified military intel?


You can easily look through my profile and infer my nationality and effort spent commenting. Yours, not so much.

This topic has been endlessly debated on HN. The general consensus here may be different than what you're used to, as it is harder to distract technical people with baseless excuses about "security" when we can understand the details of what the NSA (et al) must have had to do to implement their panopticon. The excuse that they do not operate domestically simply no longer holds water, and a standard heuristic of criminal investigation is to dig deeper after finding probable cause. Opening up the specifics of these secretive organizations to public scrutiny is the only way forward for a democratic society.

You clearly have an opposing view, and it is true our society needs to regain tolerance of disagreement. But it's just not a very interesting view to explore when it consists of the same exact "whataboutist" talking points that are broadcast through USG's media outlets.

