China hacked HPE, IBM and then attacked clients (reuters.com)
370 points by petethomas on Dec 20, 2018 | 176 comments

> A British government spokeswoman declined to comment on the identities of companies affected by the Cloudhopper campaign or the impact of those breaches.

> “A number of MSPs have been affected, and naming them would have potential commercial consequences for them, putting them at an unfair disadvantage to their competitors,” she said.

Wait, what? These companies got repeatedly hacked, were apparently not able to re-secure the network, allowed themselves to be used as a springboard for further attacks to their customers, and then covered it up. And letting this be known would be an "unfair disadvantage"?

So the plan is to hide and not to disclose the problematic companies, and then blame everything on China... Absurd.

Why would we not blame the hackers? You can criticize someone for having bad locks but the burglar is still the one that belongs in jail.

I mainly blame the market because there's been highly-secure technology for a long time, including some that NSA pentesting didn't break during evaluation, that they refuse to use for even their most sensitive stuff. Security is like an after-thought or non-thought in the markets. Many concerned about I.P. thieves even outsource R&D or manufacturing to countries with high I.P. theft, mainly to help executives hit short-term goals for personal profit. They also keep buying and using stuff that's shown to be horribly insecure. They also don't follow good security practices despite being billion dollar businesses. That part will lead to most hacks.

Given this market, anyone developing high-security solutions has to lose money on them constantly or charge exorbitant prices to recover their investment. Pretty much only Defense and regulated sectors will buy those. So, the number of high-security products goes down or stays minimal while easily-hacked garbage grows in number. That's all people see, to the point that many buyers don't even know something better is possible. The situation keeps reinforcing itself with the buyers all getting what they're paying for or not guarding against.

So, I blame them as much as the attackers if not more than the attackers when it's the same preventable stuff happening. Especially the times it didn't cost extra or what they bought cost more than secure stuff.

> some NSA pentesting didn't break during evaluation

Which ones? Are any open-source?

They're in my Lobsters link in this comment:


Not open source given only proprietary sector made high-assurance security most of the time. There are some groups that open-sourced stuff after the fact. One whose methods some might emulate is Muen separation kernel. They use SPARK Ada to prove it can't have all kinds of problems. It's also smaller than most things like it.


The only time-proven one that I know of is pulling the plug. And even this could be hacked.

If a burglar robs your house and steals a gun it’s your duty to report that it was stolen.

Not necessarily to the public though.

Perhaps a more apt analogy would be: your house is burgled while you are away; do the authorities have an obligation to tell everyone in the neighborhood or just you?

Did the burglarized house contain copies of the keys of all their neighbors? We're abusing the metaphor by now, but there's clear interest of the clients of the companies in the matter...

Abusing the analogy: instead of a house you have apartments and the burglar broke in to the building and now might have access to the other tenants' homes, don't you have to report that to the landlord, police AND your neighbors?

Still, are you going to place a majority of the blame on the victim or the burglar? It would seem that a majority of the blame lies with China if the allegations are true (I suspect they are)

It is basically impossible to track the source of a hack. China might just as likely never have had anything to do with any attack so far.

Not every hack is related to your personal data.

Only to law-enforcement. Not to the public.

They are blaming "China" for doing what NSA's burglars (or "America") do all day.

At the same time I can see their reasoning: a nation would only need to attack a company with the goal of ruining their reputation in order to benefit a domestically-favored competitor.

You mean without getting identified as the source though? If you can simultaneously reveal both aspects, who would choose the domestic playground of an attacker over somewhere they couldn't stay undetected?

Of course you blame China. If your house gets broken into and then you still don't buy new locks or a security system and your house continues to get violated... sure, you're not very smart, but it's still the criminals committing the crime.

And that wasn't even the comparable situation. From the article it looks like IBM was continually responding to an evolving attack and very deep and extensive penetration.

Maybe, possibly, at worst, IBM was arguably negligent here, but it's still China's fault the situation occurred.

Even after all of these years I still see a continued underestimation of how good China is at these types of hacks. There's very plausibly no nation/group better at it, or that could do it better, including the NSA. They have accumulated immense experience and it's an always on process with China, so they evolve and learn with security adjustments.

It reminds me of the Google China incident, except Google pulled out and revamped their practices (though as outsiders we know little of what really happened).

> except google pulled out and revamped their practices

All while working behind the scenes trying to make a Chinese controlled Google (Dragonfly) for China, complete with the censorship tools that any government that wants to control its people would love? Several large American companies seem to be chomping at the bit to do these types of projects and help repressive governments in order to profit, until the light of truth gets shown on them... Or were you referring to the time when they were already in China and pulled out over censorship issues?


I'm not even sure why China needs google, they've already stolen the source code years ago. Maybe they're after updates to the algorithms.

> In a blog post, Google chief legal officer David Drummond said hackers stole the source code that powers Google’s vaunted search engine and also targeted the e-mail accounts of activists critical of China’s human rights abuses.


The pilot project of one APAC director doesn't represent the entire company. Per an ex-Googler on the project, Scott Beaumont tried to bypass the company's privacy and security review process, and the employees revolted.

The focus on Google's dragonfly is strange because it never came to fruition, yet other major tech companies like Apple, Facebook, Microsoft, and Amazon are already operating in China and currently giving similar concessions to the Chinese government.

>The pilot project of one APAC director doesn't represent the entire company.

Sure, no action is ever representative of an entire company - there are always exceptions, but in this case, the CEO and other senior leadership were both behind the project AND behind hiding it from others - you can't paint it as a rogue operation from "one APAC director".

Scott Beaumont went so far as to ban note taking during meetings because he was worried other employees might find them, learn about the project existing, and oppose it vehemently. Along with intentionally bypassing the required privacy and security reviews, it has all the characteristics of a rogue project. The only reason we know about it is because the employees working on it opposed it so much they leaked it.

It can’t be a rogue project if the CEO had full knowledge of it.

The intercept documents don't show the CEO having "Full" knowledge of the project. Where do you get that from?

Google does a lot of things people don't like, but among huge companies they're still the 'good guys' in some ways. It's a big part of their brand. Isn't it nice that one of the world's biggest companies cares enough about losing that to change its plans?

> Google does a lot of things people don't like, but among huge companies they're still the 'good guys' in some ways. It's a big part of their brand.

Just because it's a part of their "brand" doesn't mean they "are" that thing. Caveat surfor.

From what I've read Pichai was a champion of the project though and gave the director the cover he needed to bypass standard procedure.

I mean, this isn't really a new phenomenon. See the United Fruit Company (https://en.wikipedia.org/wiki/United_Fruit_Company#Guatemala)

China is the second most powerful nation in the world. If they want to hack you there is not much you can do about it. They could just send spies into your organization. Pretty much all the computers are built there. They could bug the equipment, or they could just economically flex their muscle.

Look to what happen to ZTE when US threw sanctions at them.

> google pulled out and revamped their practices

Give it 5 years. See if Google are just waiting for things to "cool down" before going back at it.

Dragonfly implies they have been working towards that attempt for a while, and weren't too far away from it being launchable: https://en.wikipedia.org/wiki/Dragonfly_(search_engine)

So yea, already happened, will probably happen again.

This. Pichai's comments before Congress didn't say it was cancelled. What he said amounted to simply stating "we don't yet have a release date".

Or Russia. The source of all problems that the West is facing.

Things haven't changed that much since post-WW2.

No, Russia is the source of problems that Russia creates.

Influencing elections and referendums, assassinating people abroad, hostile acquisition of parts of a country, widespread cheating at sport, assassinating opposition members etc.

> Influencing elections and referendums

That is in no way limited to Russia.

Can't reply to sibling comment...but maybe Russia taking sides at all causes people to doubt the democratic process. Should we automatically take the opposite position of Putin? That's just as subversive.

That doesn't excuse the behaviour.

And Russia is far more aggressive than any other country. Even today we had Putin telling the UK's government in a press conference to respect Brexit, which directly helps Russia by weakening the EU/NATO.

Sentiment shared. Working in the public sector, there are many things which continually go unaddressed and as a result continually provide favorable conditions to APTs.

> So the plan is to hide and not to disclose the problematic companies, and then blame everything on China... Absurd.

Or the methods used so others can try to protect themselves.

It's absurd that you even suggest not blaming China

China is the new Boogeyman of 2010s.

China is a state sponsor of hacking and industrial espionage and they're also incarcerating quite a number of people based on their ethnicity, and harvesting their organs when they die in incarceration. Among other things.

Call it what you want but, even with a lot of grey in between, these things are real and material.

That said, I suggest the number of stories appearing in the press as of late might be part of a steady leak of information from US authorities as part of their strategy to put pressure on China during trade negotiations.

Right, but if all I do is accept obvious reality as it is, I'll be just like everyone else!

How will others know I'm intellectually superior to them, unless I express some edgy contrarian view?!

Organs aren't very useful when people die outside of a hospital. They're harvested from brain dead patients or those that have just undergone cardiac death.

edit: I was responding to "harvesting their organs when they die in incarceration" -- this sounds like it's a natural death.


> For many years, it has been known that China uses execution vans, kind of like specially outfitted ambulances, to more efficiently carry out its exceedingly large number of executions. The method of killing in these vans is lethal injection, which has been slowly but surely replacing the firing squad as China’s preferred means of execution, and both lethal injection and the vans are believed to facilitate the widespread practice of harvesting organs of the executed prisoners, an unbelievably appalling practice.

Not that I doubt it's happening, but I'd have thought that lethal injection would poison the recipients of the stolen organs?

No, they don’t inject you with cyanide or something that kills the organs.

No. They've earned it over the last 70 years.

China is making strategic practices of lying and cheating on every level, from small biz to strategic military issues, and they are vertically integrating all of it.

At the small biz level, it is well known among anyone that if you let any IP be visible to a Chinese partner, you should have the full expectation that it will be in your competitor's hands within hours, and you can expect to see your products being sold out the back door.

At the larger biz level, it is a standard practice to demand that key IP is turned over to required Chinese 'partners' as a condition of doing business in the country.

Backdoors have been engineered into both consumer and military hardware.

China has been hacking everything from the US Office of Personnel Mgt (stealing info on every USG employee, including highly classified info on intel agents, & info on everyone that could be used to compromise them), to major and minor companies, to private citizens.

China is continually and as a matter of policy expanding into and encroaching upon its neighbors from Tibet in the 1950s to the '9-dashed-line' in pacific waters today.

I know many perfectly honorable Chinese people, and there are probably more of them than the entire population of the US. But, to regard official or business China as anything better than anything but a thief who will stab you in the back at the first opportunity is to be a fool.

We in the west thought that we were exploiting China's cheap labor. Meanwhile, China was exploiting our myopic weakness for short term profits to seek massive strategic business and military advantage. This will go down in history as one of the greatest geopolitical blunders of all time.

Say 1% of Chinese are baddies and that is 14m ... and said government is founded by not fighting the Japanese war and then stealing the result ... it is part being normal (as the US would have its share of baddies) and part being abnormal (which government, including acts starving 30m to death without consequence and starting intern ...)

Anyway, for the money we all go.

No that's Russia.

Well... China actually exists, and is actually doing some of the things that people are scared of them for.

Well, if everyone is probably compromised, then naming companies who just happen to be known to be compromised could arguably put them at an unfair disadvantage.

The other companies have been hacked too... they say that because we don't know about it yet.... LOL... computer networks are still impossible to secure.

We could pass laws making companies liable for their security (or at the minimum, remove current laws that shield companies from being sued for damages when they leak personally identifying information).

But it's easier to blame China, so let's do that.

You prefer blaming the victim instead of the perpetrator of the crime?

This is an absurd appeal to the whole victim-blaming awareness trend. That's about an individual going about their life and having a crime perpetrated on them, which primarily negatively affects them. This meanwhile is about a corporation entrusted with valuable information/access with the understanding the corporation would take appropriate measures to secure it.

The victims here had an obligation to those they worked with to take reasonable measures to prevent and mitigate this sort of thing. Just because something bad happened to them doesn't relieve them of this obligation.

It's possible for more than one party involved to be in the wrong. Just because the victims screwed up doesn't mean the perpetrator is somehow morally cleared. Nor does the perpetrator clear the victims of their carelessness.

Edit: Since apparently people are taking this to mean I think companies should withstand a dedicated attack by China, I've gone wrong somewhere. I don't mean that. I was talking about responsibility. They can both be responsible and not be negligent. What I expect is them to help clean up afterwards. Just because they failed in an understandable way doesn't mean they get to avoid taking actions to ensure the damage is minimized.

As someone who has been involved in corporate security where we had a state sponsored attack your position is simply uninformed.

Almost all companies simply do not have the capabilities to defend against state sponsored attacks and are already taking reasonable measures to prevent and mitigate. When you have undisclosed exploits being used against third party vendor hardware to attack the company, what can you reasonably do?

Mm. Perhaps I should have been a little more explicit. I never meant to imply any business should be able to handle a nation-state attack. That's not feasible.

It doesn't mean they get to clean their hands of the whole thing either. They failed, and that's fine as long as they weren't being negligent. But they are still responsible for doing what they can to minimize the damage. That means, for one, informing those impacted about what is known.

So, just to be super explicit. I don't expect a business to withstand a nation-state attack. I do however expect them to do what they can to minimize the damage afterwards.

There's the possibility of deciding what could be done by the company without saying they're completely responsible, or couldn't do anything.

In this case it was spearphishing infected .docs. If corp security can't deal with that, they've got bigger problems.

Is it really so that even a company cannot protect itself against a state sponsored attack? I am asking sincerely, is it really the state of IT security today? I mean, it is somewhat clear that since Snowden we all know that we could not even dream up in our nightmares how far NSA is going. But I was thinking, that since then at least companies with strategic data started to work on protection.

If what you are saying is reality, what consequences can it have and what legal recourse can a client (corporation or private) expect in such cases? Who can be held responsible if sensitive data disappears? Does it need a new type of contract when subscribing to a service?

Imagine an undeclared cyber war broke out. Out of curiosity, how 'far' from being able to defend themselves are most serious companies? If they had 3 months to prepare, do they save themselves from getting breached without going offline?

I don't believe you. Some companies may not have the capabilities to defend against state-sponsored attacks today, but that's only because their executives have chosen to be willfully ignorant and not devote sufficient resources to the problem. There's a whole industry of consultants and outsourcing services which provide exactly this capability. All you have to do is write a check.

Show me who I need to write a check to defend against a 0-day exploit that was used against Cisco networking equipment. Which in turn was used to compromise security mechanisms within the company.

Oh wait you can't. Which is why we had to turn to our government intelligence services to provide assistance.

So stop pretending like companies can defend against state sponsors who are buying 0-days for $100k+ like it's candy.

The NSA certified the Boeing SNS Server and BAE Systems XTS-400 as stuff they couldn't hack at that point. They're used as guards to protect secrets on classified sites from attacks on the Internet side. There have been no published hacks of those systems for almost 30 years. You could try to see if you can buy them. I linked to descriptions of some of those products here:


I described what I learned about how high-assurance security builds stuff here:


As I've often said, compare anything from the security market advertised as secure against the stuff on that list. If they're missing something, they're probably insecure. Now, I'm still not saying you can stop nation states and all 0-days. I am saying that most of the $100k 0-days are preventable with architectures like the above, with apps in safe languages and guards separating trusted things from untrusted things. Ada has also been around a long time, with Rust getting popular now.

What makes most companies not use stuff like that isn't that level of security being unachievable: they just don't want to for management's reasons which range from arbitrary to sound practices in a profit-focused environment.

> All you have to do is write a check.

"I don't believe you." You can't just change the organization, culture, and procedures of a company just by throwing money at consultants.

That's like saying a big family can solve their feuds and mental illnesses just by writing a check to team of group therapists and lawyers.

Defense from foreign attacks is one of the main reasons for the federal government to even exist. You can blame the victims all you want but diplomatic and military defense is still the government's responsibility.

Even small nation states have a hard time defending against the larger ones. It is, as you correctly identify, merely a matter of writing a larger check, but the amount on that check is so much larger than what is feasible that even the largest nation states find themselves routinely hacked.

Security is hard. So hard that no matter what amount of money you spend you will still be vulnerable, but maybe a bit less so. There are no absolutes in this.

What should the companies have done to protect themselves against the state sponsored attack? The article doesn't say how they were compromised, so what "reasonable measures" didn't they take to mitigate being targeted by a powerful nation?

This is a fair point. Many of these large data breaches are revealed to be the result of negligence on the company's part (and often the company faces few to no consequences beyond public shaming). But in this particular case we simply don't have enough information yet to make that type of claim.

Taken from another commenter:

> according to the indictment, it was a few spearphishing emails with .docs attached, followed by keylogger and other malware installation.

Junior sysadmins straight out of a bootcamp can negate that.

Sure, maybe this was something beyond what could be reasonably prevented by a non-state. I don't think we know yet.

But they have a duty after the fact as well, to ensure the damage is minimized. That includes actually telling those potentially impacted what is known, etc.

This is true. It starts with China, it's their fault, but if your customers are compromised as a result they need to know to protect themselves, or it spreads like a virus.

IBM is not to blame for the initial attack. But any further attacks that result from their silence can have a good share of blame laid at their feet.

You're completely right. Every company has a basic, fundamental obligation to respect the human rights of their customers and partners to security and privacy. This is best manifested as taking reasonable measures to ensure that this basic human right is protected.

Now, there may be a wrinkle. When discussing nation-state grade actors, there's a very real possibility that they may attack in ways that cannot reasonably have been protected against by most private-sector security programs.

What are we to think, to do, to expect in such a scenario? To what extent should we expect any company, even a large and wealthy one, to successfully fend off the full might of a large and powerful nation-state's offensive information security apparatus?

Again, you're absolutely and unquestionably right. Companies can, should, and must take reasonable measures to protect the basic human rights of security and privacy. There just might be some room for subtlety when considering what reasonable measures can accomplish.

Absolutely. I didn't mean to imply otherwise. I don't expect companies to be able to stand up to dedicated attention from a nation-state.

What I was trying to say was that that doesn't relieve them of their responsibilities to minimize the damage afterwards.

Just because they can't be expected to win doesn't mean they should be able to wash their hands of the whole affair without trying to help.

What do you expect the outcome would be in a scenario where a company is living up their responsibilities to deploy reasonable measures, deploy defense in depth, and work to minimize the damage of a breach in the face of a sustained nation-state attack?

More to the point, in what ways are the companies allegedly breached failing to live up to their responsibilities to help minimize the damage of a breach? What should they do in a scenario where investigations may be ongoing and potentially involving law enforcement?

And I'm sure you believe Iran should've taken more reasonable measures to prevent Stuxnet? Securing yourself against script kiddies is one thing, but against a nation? Good luck.

Stuxnet involved multiple 0-day exploits which state sponsors can afford to buy and deploy against even low level companies if they see fit.

Not sure how on earth people expect companies to defend against that.

Use secure devices, development practices, and so on. They've all existed since the 1980's on the market. IBM itself invented some of it in the form of Fagan Inspections, VDM methodology, Cleanroom Software Engineering for low-defect development, a CPU that blocked leaks that violated a security policy, and a smartcard OS (Caernarvon) done by Karger et al to high-assurance standards. They could've afforded to use Ada, SPARK, and/or static analysis for protection by default from tons of 0-days. They had their own language, PL/S, with some protections. Instead of McAfee, they could've acquired Secure Computing Corporation or some other company if they wanted this expertise early, plus some products with it. Boeing's SNS server, which has had no public hacks in 20-30 years, used the LOCK platform from SCC. There are small, new companies using lightweight, formal methods on kernels, protocols, and VPNs. One to four person groups in CompSci do the same thing regularly. IBM has even more developers.

You mentioned Cisco in another comment. Why buy Cisco if their stuff is known to be insecure or not proven secure? If not knowing high-security, I'd consider genua just cuz they use OpenBSD at the core. There were two others using INTEGRITY RTOS, one Sentinel's HYDRA and another discontinued, with both having few buyers. There's still going to be attacks but way less of them choking attackers further year after year. Hell, even leaks in CPU's were found from 1992-1995 using these same methods as LOCK et al in VAX VMM. We knew then with companies and security folks just ignoring them because those high-performance, lower-cost CPU's let us do some awesome stuff, right?

We're not getting hit because of the ridiculous resources opponents put into 0-days: we're getting hit because of the ridiculous resources put into known-insecure components and methods after people with those resources ignore stuff that works, often letting it die off. Totally different problem. When phrased that way, one starts thinking maybe they should be regulated to use what works, or liable for some of these decisions to ignore what works and use what's high-risk. I favor regulation after seeing positive results in TCSEC and DO-178B markets in terms of assurance activities.

Companies can defend against that through layered defense in depth and limiting the attack surface area.

Well done. You've solved the security challenge of our generation.

And all it took was meaningless buzzwords which almost all enterprise companies at least do already. It doesn't make one iota of difference when your vendor equipment or services are compromised.

Limit the attack surface all you want, there's still an attack surface, and state based actors are highly motivated to put extreme pressure on these. It's nearly axiomatic that there is no perfect security, and to expect a company to defend against all attacks from organizations whose cyber warfare budget exceeds the company's gross revenue is unreasonable.

Uh yeah, they should have. Random USB sticks (which is how Stuxnet bridged the air gap) are banned for a reason in every secure site I've heard of.

Agreed. Financial institutions I've worked at have blocked unapproved USB devices at a domain level. Want that special keyboard or mouse? Got to have approval. Want to connect your iPod/phone for anything beyond charging? Hell no. Attach a USB mass storage device? Likely be walked out the door fired before you get approval.

Edit: spelling.

Those bans started happening en masse pretty much as a result of Stuxnet. Before that, many places had policies that were lax or nonexistent.

Not sure this is true. Every company at scale I've worked at has had policies banning unapproved USB devices since the early 2000s. It's usually smaller companies that are more susceptible to this, because they don't have the infrastructure.

Really? Maybe it's just a bit of selection bias (not yours) that I didn't see it at the places I came into contact with.

Maybe it is selection bias. Most of my career has been spent in industries sensitive to trade theft (finance, industrial manufacturing). Not sure how difficult it is to do on Linux, but if you're administering a Windows domain, disabling unapproved USB devices can easily be done via group policies.
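One concrete form of the group-policy control the comment above refers to, as an added example that is not part of the thread: the registry values written by the "All Removable Storage classes: Deny all access" policy (Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access), applied and then audited on a single host with PowerShell. It assumes an elevated session and Windows 8 or later for Get-PnpDevice; in a domain the same values would be pushed by the GPO rather than set locally.

```powershell
# Added example, not from the thread. Writes the policy value that the
# "All Removable Storage classes: Deny all access" GPO sets, then checks it
# and inventories any USB mass-storage devices currently attached so an
# administrator can build the approved-device list the comment describes.
# Assumption: run as Administrator; a reboot or gpupdate is needed before
# the device-class restriction takes effect.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Set-RemovableStorageDenied {
    # Deny_All = 1 under this key is what the GPO writes for "deny all access"
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    New-ItemProperty -Path $policyKey -Name 'Deny_All' -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

function Test-RemovableStorageDenied {
    # Audit check: returns $true only when the deny policy is present and set
    $item = Get-ItemProperty -Path $policyKey -Name 'Deny_All' -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.Deny_All -eq 1)
}

function Get-UsbStorageDevices {
    # USB mass-storage devices present right now (instance IDs start with USBSTOR\)
    Get-PnpDevice -Class DiskDrive -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        Select-Object FriendlyName, InstanceId, Status
}

Set-RemovableStorageDenied
if (Test-RemovableStorageDenied) {
    Write-Host 'Removable storage access is denied by policy.'
} else {
    Write-Warning 'Deny_All policy value is missing; removable storage is still allowed.'
}
Get-UsbStorageDevices | Format-Table -AutoSize
```

The same key also accepts per-class values (for example Deny_Write on a single device-class GUID) when read-only access to removable disks is the intended policy rather than a full block.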

Nah, I personally know that some secure sites were banning them at least as early as 2006.

That's well and good, but existing and future clients should still be aware. The clients might decide that other service providers would be just as vulnerable, but they should not be kept in the dark.

Companies aren't liable for how stolen information is used, so they don't invest in security. Want to prevent this from happening? Make companies liable for how stolen information is used, and overnight watch as security becomes a first thought at most companies, instead of ignored entirely.

Car thief steals your car from your garage.

Car thief crashes car into crowd of people.

Crowd of people sue you for damages because you didn't make your garage secure enough? Why didn't you hire a 24/7 security service to protect your property to decrease risk?

What you’re facetiously describing actually is a thing in legal settings, just not with your locked car. If you left your car in front of an elementary school all day, keys in the ignition and running, and some preteen joyrides it into someone, brace yourself. In the same way that if kids climb your inadequate fence and drown in your pool, you’re screwed.

I think it’s more than fair to say that reams of personal info stored by companies is such an attractive nuisance.

See what happens when a kid drowns in your unsecured backyard pool on more than one occasion or brings your unsecured handgun to school more than once.

I get that it's liberating to disclaim responsibility for the consequences of anything we do, but that isn't how the world works. At some point (however far) you are held responsible for your negligence.

If I was a parking garage that made money by keeping my clients' cars and 1) other similar companies did the same and had their cars stolen over and over again (so I know it is likely or at least possible) and 2) thieves killed hundreds of people by using the stolen cars and 3) I didn't provide any sort of damage reparation to my clients, then: yes.

Or, how about they explicitly tell their customers that they can’t keep their data safe and might be a target of an attack that harms the customer?

I’m ok with either option.

There is an implicit expectation/contract that if a company is collecting your data it will keep it safe. If it’s not going to do that and will not do anything afterwards to repair any damages caused then they should just delete it after using that data or, advertise they can’t keep it safe and let the customer decide.

An online shopping/travel site you used is hacked, the hackers use your credit card. What is your position now ?

Credit card charge back, identify culprits, prosecute. Write off any actual monetary loss.

The government steps in here and limits the liability that can be placed on the consumer. I think it's $50. The rest is on the credit card company. Strong incentive for credit card companies to have strong anti fraud units.

Say you used your debit card instead of credit card, you are now 100% liable in the US, to the best of my knowledge, up to the point you or the credit card company identify the fraudulent activity.

For debit cards the EFTA offers protection: $50 maximum liability if reported within 2 days, $500 if reported within 60 days. After that it's unlimited, unless your bank offers some type of protection.

If you are running a for-profit parking garage? Absolutely.

Torts law is, happily, able to distinguish the very wide spectrum between such extreme cases.

This means it is notoriously complex and nuanced, but it's not going to be overturned by boolean strawmen.

No, but if you're hosting someone else's car in your garage as a service and a thief takes it for a homicidal joyride, you are liable to that person for your shitty security.

In some states this is pretty much how it works if your guns are stolen.

Edit: Moral of the story, since perhaps it's not obvious to all, is secure your dangerous property, cars, guns, band saws, computer networks, or otherwise.

I agree companies should have a greater incentive structure here, but liability for all resulting damages is also unreasonable, especially in the face of state-based cyber warfare programs whose annual funding may exceed the gross revenue of every medium-sized corporation, and be a significant percentage of larger ones too. A large burden for protection on that scale needs to rest with government cyber defense.

Don't let these huge corporations overplay the victim card though; withholding information from customers about how their systems might be affected is also unacceptable.

I mean, the blame is somewhat shared. Blaming the perpetrator only helps so much. It's reactionary. It's similar to the reason you get insurance before bad things happen, not after. You can blame perpetrators all you want, but you still need to protect yourself.

We don't know how the companies were compromised, so we have no way of knowing if they were capable of protecting themselves. A state-sponsored attacker has effectively unlimited resources, so at the end of the day, the company would go bankrupt trying to protect themselves against every conceivable attack. It's one thing if they were negligent, but just saying that they should have protected themselves better is like blaming an Iraqi company for not protecting itself from being blown up by the USA. Some threats are just too large for you to protect against.

I wonder if they had Supermicro motherboards?

Doesn't seem likely that HP, at least, would have used Supermicro.

So it's my fault if someone steals a package from my porch?

What we are actually talking about is you putting your valuables in a safe within your alarmed house and a professional thief breaking in and stealing it. Because the thief previously worked at the safe company and implemented a backdoor in the design.

You want to explain how you defend against that ?

What we're actually talking about, if we consider security evaluations and ratings, is to...

1. Put valuables in a low-rated safe whose door opener is network accessible and itself low-rated.

2. Whose alarms suck at identifying and responding to actual breaches by even the most common methods.

3. A thief breaking in who uses the most common methods that the safemaker or company didn't try to stop. They did spend a fortune on unrelated stuff.

4. Various designs and implementations that weren't using methods that often prevent or detect backdoor attempts in favor of methods that let backdoors slip through.

Also, this is a company that makes billions in profits a year. They have the money to both develop and build highly-secure systems, including safes. They keep not doing that or not using what high-security they build. They keep using low-security stuff year after year after year. They could defend against those problems by doing more of what works and not using low-rated, often-vulnerable stuff for protecting secrets. Just a hunch on my part. ;)

Morally? No. It's the thief's fault, and the thief's fault only.

But if you know that people steal packages off of porches in your neighborhood, and you leave a package out there for weeks, you're at least being pretty unwise. You're not morally at fault, but pragmatically, yes, you kind of are.

[Edit: That is, your actions are not well-suited for the kind of world that we actually live in, and that you know that we live in.]

No, but if you borrow my stuff and it gets stolen off your porch then you're also to blame because you didn't protect it responsibly.

Not your fault in a moral sense, but it certainly is in a causal sense.

You could have set up a different causal chain that would have prevented the theft. Of course that doesn't mean that society can't blame (and punish) the thief.

If a package is taken from a porch and there is no Ring camera to record it did it make a noise?

The whole concept of a victim probably isn’t appropriate when referencing a large corporation. Even if it is, what these companies did after being victimized is certainly something deserving of a portion of fault, along with the hackers.

They aren't the victim. The victim is the people they helped hack, and the people whose private information they helped leak.

This is like defending a teacher who left a loaded gun on their desk because they are the victim of theft.

We don't have details of the attack so we don't know if the gun was left on the desk or if, to extend the metaphor, the gun was left in a safe the criminal helped design with flaws it could exploit. Or just a safe it knew how to crack. Now, what the company did afterwards in notifying ( or not) customers and others affected, that is on the company.

The Ministry of State Security sanctioned this, so let's do both.

I'd rather form a white/gray hat team in the government that actively tries to break into commercial and government infrastructure, and then privately disclose it to them with recommended fixes.

It's hard to mandate competence practically speaking.

I would even go as far as saying this would be mandating expertise. The zero-days these state actors use often fly under the radar for a while. I don't think you can really blame the companies.

This is an example of the "tail wagging the dog". Whether a "state-sponsored" organization hacked IBM or someone in their mother's garage, IBM and other companies ARE responsible for keeping their customers' data safe. While it's true a state-sponsored entity would have more resources than a kid in a basement, IBM has the resources to pay for full-time IT security professionals, and for the amount of money they charge for their products and services, they should have more than enough resources to pay for decent 3rd-party security products and services. They KNOW they have a target on their back; it's their responsibility.

> While it's true a state sponsored entity would have more resources than a kid in a basement

In this case, according to the indictment, it was a few spearphishing emails with .docs attached, followed by keylogger and other malware installation. The companies should be held responsible for being silly in this case.

It's a bit silly, sure, but just because they got breached in this phishing attack, doesn't mean they didn't resist other attacks successfully.

Personally, yeah companies need to be held to a higher standard against hackers, but if we're going to be realistic, we only expect they could do it because it's IBM and they have a lot of money. What about all the other companies? Rhetorically, what are we going to do about this issue? There's been decades of fairly basic confidence schemes and "hacks" and all the corporate training in the world isn't making a dent in people trusting strangers and running malicious files.

I have some strong views here. 1. These are cons more than hacks, as you wrote. I believe the protection doesn't exist only because there's no real risk. What would happen if some employee got conned into sending out company money? Why isn't the same response applied to obtained information? 2. Principle of least privilege + monitoring. Those companies should know almost immediately about the break-ins. Even if the training fails, there are mechanisms to stop this.

I'm starting to believe that at some point we should start fining people for lack of protection.

I doubt you can get to a state that will make your company unhackable. You can get to a state when you are able to discover a breach and remediate relatively quickly.

True, nothing is "unhackable", and it reminded me of Oracle's challenge about 10 years ago... they placed billboards and marketed that they had an "Unbreakable" system... within hours they were "hacked" after making this announcement. What these companies can do is change their premise for guarding their customers' information. Instead of putting a singular firewall around their information system, they "compartmentalize" their customers' info, so an attacker may get one or two customers' info, not hundreds or thousands at a time. Further, the critical info of each customer can be further "compartmentalized" to make the information difficult to access. This is how the Cardholder Information Security Program (CISP) approaches cardholder data. This approach ASSUMES the information at some point will be compromised, so with this assumption, when there is a breach, the damage will be limited, not massive, as was the case with IBM and the other companies involved. They could have done something like that; however, based on the media play they are doing now, I'm guessing there are hundreds if not thousands of companies involved.

I agree a lot more can be done, but if you look at how advanced some of the state-level groups (like APT29) are, if you are truly a target it's tough even if you follow all the best practices.

Aren't HPE and IBM precisely the types of companies that states turn to for IT infrastructure?

That's a bit of a silly thing to say. It's known that state actors can break 128-bit encryption, perhaps even 256-bit is not secure.

Thanks for the links.

" FOR IMMEDIATE RELEASE Thursday, December 20, 2018

Two Chinese Hackers Associated With the Ministry of State Security Charged with Global Computer Intrusion Campaigns Targeting Intellectual Property and Confidential Business Information


> International Business Machines Corp said it had no evidence that sensitive corporate data had been compromised. Hewlett Packard Enterprise (HPE) said it could not comment on the Cloudhopper campaign.

> Both IBM and HPE declined to comment on the specific claims made by the sources.

> DXC Technology declined to comment, saying in a statement that it does not comment on reports about specific cyber events and hacking groups.

> Reuters was unable to confirm the names of other breached technology firms or identify any affected clients.

I wonder why the title of the article sounds so certain while it seems none of the claims are confirmed.

Because there are no consequences for journalistic malpractice, and no one will read retractions or revisions, so the parent conglomerates can shape public opinion any way they want.

> none of the claims are confirmed

"None of the claims are confirmed" is probably due to IBM (etc) having an aggressive legal attitude + plenty of lawyers.

E.g. if you try and force them to contact their customers, you're in for a long, drawn-out legal process with a less than 100% chance of getting a decent result for their customers.

It is really strange to see that, when a US company or a government department does something, we call it by its name or its branch, but when a Chinese company or department does something that infringes copyright or anything else wrong (there's no excuse for that, I know), we summarise it as "China". I am working in a Chinese company right now, and this mentality really affects some good Chinese companies out there trying to do fair business.

That's because the Chinese government has its thumbs in every pie in their country. If the government wanted, they could easily compel your company to do its bidding.

Well, that's exactly how the Chinese people think about America --- if America wants, it can take away the lives of millions of citizens of a previously rich Middle Eastern country with ease. And I dislike this idea and this way of generalization.

Exactly, the seemingly good independent Chinese companies are simply the ones that haven't caught the attention of the thousand eyed spider. The company is in the web regardless.

Is there a way to prove your counterargument? Logically, it's much easier to prove your arguments than mine, even if the truth favours mine.

The only way the US has influence over business is via the judicial system. If a business takes issue with the outcome of the court cases they can even take the extreme step of shutting their business down as was done with Lavabit.

The Chinese government has routinely stooped to using coercion such as blackmail and kidnapping of family members to control its citizens. It's really not comparable.

One afternoon I was doing some consulting work at one of HP's oldest offices. I needed to print something, so I had the printer produce a configuration page, so I could get the IP address.

Lo and behold, it was a public IP.

As in, this old-ass printer, sitting at an HP office, was sitting on the Internet. And it was connected to the office network.

Really blew my mind.

The office was very old, and there were things laying around the hallways that seemed to have been untouched for 20 or even 40 years. So I'm guessing that workhorse of a printer had been chugging away for decades, and was configured long before anyone had thought about information security.

Also, if this sounds too crazy to be possible, you can test this for yourself. If you do a Google search on the welcome page of an HP printer, you will find hundreds with public IP addresses.

> it was a public IP.

IP exposed to the internet, or an IP from the public range?

HP has 2 /8s. Lots of things got public IPs in there since they can hand them out like candy. It doesn't mean though that they're available from the internet.

Yeah, I've worked with plenty of companies who have a whole public range and use it internally, but the external firewall still stops them from being publicly routed. Simply having a public IP doesn't mean it's actually public.

The printer had a public IP and the printer was open to anyone who cared to use it. It was available from the Internet.

The big question is whether you could exploit that to get to the rest of the facility.

This particular facility was acquired by HP, so who knows how they set it up.

> Lo and behold, it was a public IP.

As lousy as that sounds from your description (eg a valid globally routable IP), it would be very surprising if the printer (or even the office space) was accessible from outside HP.

Firewalls (and more) are a thing. ;)

> Also, if this sounds too crazy to be possible, you can test this for yourself. If you do a Google search on the welcome page of an HP printer, you will find hundreds with public IP addresses.

Yeah. Certainly says something about the competence of some places. :(

Relatedly, it sounds like Shodan might be of interest:


They are persistent. I see attacks from them on my company in the thousands every day. Some ip ranges have continued to hit us dozens of times after prolonged blocking.

While I was at IBM, I deployed an SSH key to the internal Bluemix staging environment, called "Dr Worm" (it's my title :). About 3 months later they froze my account and called my manager, freaking out. Apparently it was not allowed.

We were like, wait, if it's not allowed, then why was I able to? And why did it take 3 months?! They backed down and we laughed over beers.

I'd be surprised if IBM even has the visibility into the situation... because that's just one of the war stories.

Meanwhile, the CFO of Huawei is reported to have seven passports.


Fun fact: according to this article on Wikipedia, you can have up to 10 valid German passports.


When does this become an act of war?

When someone is stupid enough to think that ending the species over this or any of China's crimes is an appropriate response.

You don't declare war on a nuclear power, ever. That kills us all.

When human lives are threatened.

The vast majority of the fentanyl that's killing 70,000+ people a year in the US is manufactured in China. The Chinese government has done next to nothing to prevent this.

The manufacture of Fentanyl has been illegal in China since 1 March 2017.

How effectively and stringently that ban is enforced might be open to question, but to say that the Chinese government has done "next to nothing" is hyperbolic.

They get around it by making precursors and then sending them to Mexico for the cartels to finish and then traffic into the US. It's a loophole China allows to stay open.


+ It was sold; there was no force-feeding by the Chinese at hand.

When the Chinese had a problem with a lot of their citizens becoming addicted to opiates and tried to curb it, the Western powers actually invaded them (see Opium War). This seems like karma.

Bullshit. That's an entirely bogus excuse. The US wasn't responsible for the opium war on China.

It's quite the opposite in terms of how the US has treated them. In terms of actual behavior, China has never had a better friend in its modern history than the US. The US helped China vs the Empire of Japan, which had done unimaginably horrible things to China. The US kept the Soviets from nuking China in 1969. The US invested trillions of dollars into China's economy over decades. We've treated them more than fair, we've worked with them as traders, we've tolerated their aggressive hacking and anti-WTO trade practices for nearly two decades. The US is the sole reason China got into the WTO. We've gone out of our way to try to respect their sensitivities toward Taiwan for decades. The US didn't seek to conquer China, or annex parts of China, or invade China, or turn them into a colony of a superpower. We traded with them and they've successfully built the world's second largest economy on the back of it.

Curious: is this a legal statement?

Disparate effects are the new norm. There very well may be lives threatened.

death by a thousand cuts

The US Government considers a cyber attack that threatens human life to be an act of war: https://www.wsj.com/articles/SB10001424052702304563104576355...

I'd rather see companies invest heavily into security. At the end it benefits a customer.

I wonder if we are doing the same thing to China and it just doesn't get as much press here or China doesn't disclose it. From a layman view, things seem very one-sided.

Sure would be nice if there was some evidence.

When someone says 'china' hacked these companies, what does that even mean? The chinese version of the NSA, or FBI hacked these companies? Can anyone shed some light on this?

As long as there are no consequences, this will continue. 1. Hacked firms should be investigated for negligence. If opening a doc file can bonk the entire system, somewhere best practices were not followed.

2. The judicative should viciously go after the largest hostile actor, including state actors, they can get a hold of.

3. And lastly, politics should go after China. Every week there is a new story about how China stole IP, hacked something or showed hostile behavior. Compared with their rhetoric and genocidal tendencies, it should become clear to every state that China is not an ally to anyone but the CCP, and no Chinese firm is, in the end, not owned by the CCP. The harshest consequences that are reasonable are appropriate at this point, or China's behavior will just get worse. Appeasement does not work anymore.

I thought HPE was a majority owned Chinese company?

That which can be asserted without evidence, can be dismissed without evidence.

Read the indictment:


... this still has to go in front of a judge of course but it's not like they're claiming there's no evidence.

Can't blame them. Wall St. and their financed politicians cashed out technology leadership for short-term gain.
