Chinese military personnel charged for hacking into Equifax (justice.gov)
407 points by jayess 9 days ago | 316 comments

This kind of charging of specific foreign military or intelligence personnel for hacking US institutions is somewhat controversial in the US intelligence community [1].

Their worry is that foreign countries will eventually retaliate by charging people who are involved in US government programs to hack those foreign countries.

Another worry is that indicting people might give away information about your sources and methods.

[1] https://www.mcclatchydc.com/news/nation-world/national/natio...


>Their worry is that foreign countries will eventually retaliate by charging people who are involved in US government programs to hack those foreign countries.

How are non "cyber" crimes handled? Is it normal to charge people for the murders, thefts, and other illegal activities intelligence officers perform?

I'm not going to make a moral judgement here, I'll just say that I'm not a fan of treating "cyber" as some magical realm where there are no norms.


An alleged spy (or confirmed wife of spy) recently ran over and killed a teenager near a US base (where Americans are regularly seen driving on the wrong side of the road) here in the UK and they managed to claim some kind of diplomatic immunity and run away, they can basically get away with anything in the right place.

There is a big difference between diplomatic immunity versus crimes in absentia.

In the former case a physical crime was committed where the suspect and criminal act were both in the geography where the crime is alleged. If not for diplomatic status there would be nothing unique about this case and criminal proceeding would move forward with the suspect in apprehension.

In the latter the suspect has no relationship to the geography where the crime was committed. The suspect is not a resident or citizen and was not present or planning to visit the geography in question. Furthermore the suspect was likely acting on orders of a nation-state and so bears limited responsibility. There is no legal recourse to apprehend the suspect.

https://en.wikipedia.org/wiki/Trial_in_absentia


There was no diplomatic immunity in this instance. The murderer skipped the country before that information became public.

>There was no diplomatic immunity in this instance.

Well that's just wrong.

There's diplomatic immunity unless the visiting country explicitly waives it. It's not based on some hypothetical legal theory of whether she should have it or not. The visiting country either waives it, or doesn't.

In this case, the police requested a diplomatic waiver and were denied.


In particular, the Vienna Convention on Diplomatic Relations does extend the diplomatic immunity to family members who form part of the diplomat's household.

https://opil.ouplaw.com/view/10.1093/law/9780198703969.001.0...


Correct on all fronts.

Additionally, the husband was not on a diplomatic mission, was not a registered diplomat, and does not qualify for diplomatic immunity by the rules of the host country.

Neither does his wife.


Still wrong.

The rules only matter with regard to who's allowed entry under what status. They're not subject to review after entering, except for expulsion.

I'm going to assume you're conflating the definitions of diplomat. The Vienna convention only sets a minimum standard. The things you're talking about might matter if it's the US and maybe Libya.

For friendly countries, there are agreements that extend the diplomatic privileges well beyond the core diplomatic party.

And once rules are agreed upon, they only apply to who is let into the country under what status. So entry can be denied, but once allowed in with a diplomatic or official passport, the host country can't change that status. All they can do is expel the person.

If the UK allowed entry under a diplomatic / official passport, that's all that matters.

Regardless, in a "possession is 9/10s of the law" sort of way, the only thing that matters in practice is if the visiting country waives immunity.



I read about this story a while back, very sad. However, she not only had diplomatic immunity, but a foreign government was saying she should be thrown in jail for up to 14 years for an accident. How can you blame her for returning to her own country and claiming that immunity?

The claim of diplomatic immunity was tenuous at best. Her husband was not listed as an official diplomat (the claim was that she had immunity via her husband).

The victim's family recently accused the driver of working for the CIA, and if she was in fact a spy she absolutely doesn't have immunity. That's just an accusation, of course.


If your country backs up your claim for diplomatic immunity, it's pretty much good.

There's no other measure of quality that matters in a practical sense. If the host country wants to dispute that, their recourse is expulsion.

And CIA and other agencies certainly do act under the auspices of diplomatic protection. Barring any movie-like treasonous behavior, why wouldn't they? They're government officials working in an official capacity while abroad.

Besides, being ex-CIA doesn't disqualify spousal immunity. Even if the host country had a problem with that, the recourse is... expulsion.


"she should be thrown in jail for up to 14 years for an accident."

This is such an American-centric view of the world. If you don't want to abide by the moral standards of another country, maybe... uh... don't go there?


On top of that, it is VERY easy to write what JB775 did above if you read about this in the news. If it was his/her child though the sentiment of the comment would be very different.

Laws and courts are there for all. The fact that this lady killed a child, and chose to flee the country, says a lot about her character. All this would have probably been resolved with a generous compensation (by the US gov to the victim's family)(all except bringing the child back). She didn't do anything on purpose until she flipped the finger to UK justice and the victim's family and ran away like the rat she is (let's not forget that she killed a child). US gov on the other hand protects its citizens (even those who kill children and flee justice - great job USA)(she was in the UK, she would have a fair trial). It's a messed up story that only has pain, sorrow, and anger.


My sister was killed 5 months ago as a result of injuries from a car accident where someone was negligent. That person is currently in prison. My family had the opportunity to make the penalties much harsher for that person, but we decided against it. It reached a point where we didn't see the point in causing even more pain to an already excruciating situation. Not to mention they need to go about the rest of their life living with what they've caused.

I'm not saying there shouldn't be any compensation or repercussions, but the possibility of 14 years for an accident is absurd. If it wasn't an accident or if she was in fact negligent, that's another story. And what precedent would the US gov be setting by turning over gov employees working abroad (or their families)?

Now that you know I basically have gone through this, maybe you should re-think your sentiment.


> That person is currently in prison.

But isn't Anne Sacoolas walking free?

You haven't "basically gone through this", since person that killed your sister was held accountable for their actions.

Anne Sacoolas was not held accountable, that family has no closure unlike yours.

> If it wasn't an accident or if she was in fact negligent, that's another story

She is to be charged with "causing death by _dangerous_ driving", not an accident.

All that being said I'm sorry about your sister and I hope you're doing OK.


That's not the point. If the law in some place says so and so, and you break it (even if involuntarily), you can't say 'oh I disagree with that law so I'm going to flee the country and that's morally ok because in my country we have different ideas about responsibilities of car drivers'.

> I'm not going to make a moral judgement here, I'll just say that I'm not a fan of treating "cyber" as some magical realm where there are no norms.

On the contrary, I think we are pulling in too many assumptions into "cyber". Imagine this: if someone had left their door unlocked and someone came in and stole their lawn mower, you could say they deprived the owner of use of their lawn mower. However, imagine if Equifax removed [authorize] in an HTTP endpoint like /v2/person/:id allowing anyone to just GET /v2/person/1 .. 999999999 consecutively. Is this a criminal matter? I'd say no. I'd go further and say that this "cyber" fearmongering has gone too far and we should ABOLISH the CFAA. The EFF has still laid their hopes on reform but I for one think it is irredeemable and must be abolished with no replacement.


Just to play devil's advocate: If an armored Brinks truck gets in an accident and cash spills all over, it's not legal to take just because it's no longer protected and on public land.

Intent has to matter a lot in these cases, though.

If a bill blows a mile away and somebody happens to find it with no knowledge of the crash, that's qualitatively different than witnessing the accident and then rushing to grab the money you watched spill out.


Just to be practical: the internet is not a magical place, just one where anonymity is so practical that one cannot justify a figurative Brinks truck failing. Moreover, it's absolutely unacceptable for institutions like Equifax to fail given the importance of identity security and the apparent lack of (or unwillingness to consider) alternatives to the social security number such as PKI; PGP for example. If you've ever seen a Bitcoin paper wallet with QR codes printed on it you'll know what I'm talking about. I don't care if it's Apache Struts or PHP + MySQL, they should have tested to the point of impossibility of intrusion. I think it's also reasonable to assume that the government is full of shit, and the most likely scenario is that these people in China admitted this to the government because they wanted us to know that they did it. If anything they're doing us a favor, but I still think the real solution to the problem is to stop relying so heavily on pseudo-secret identities like the social security number and to at least offer people an alternative means that uses cryptography at least for the people who care about doing things right and taking responsibility for their own security since the government can only make fraudulent guarantees that we're ever going to be safe.

Maybe I'm wrong about this, but I'm pretty damn sure if you use tor the right way they're not ever going to find you unless you give yourself away some other way.


Just because the proverbial armored car company and/or driver was negligent, doesn't mean the thief is innocent.

No, for sure, stealing is a dick thing to do. But I like to keep my expectations reasonable. Can I reasonably expect to carelessly leave my phone at a table in a place where crime is known to happen when I know better?

> it's not legal to take

How about to copy?

I think that a better comparison would be with an armoured truck having left open its doors and spilling top secret documents all over the road.


Printing money as a non-government entity is always illegal. When, where or how doesn't matter.

I did not say printing though. Copying could as well be taking a picture of them.

If you want to print them though, I am pretty sure that it is legal as long as you include a clear disclaimer that they are fake.


> Copying could as well be taking a picture of them.

These are very different things and regulated in different ways. This is some weird version of strawman.


I do not see how, given that this is about the Equifax events. Is it really different if you copy a "top secret" text file or if you take photographs of your screen displaying it?

Nobody will care if you take a photo of money. Copying the money, as in making a physical copy is a problem.

This is different from information which is inherently not physical, so any copy of representation is a copy. The grey area of course is a lossy copy... redistributed low-res copies of art, etc.


One problem is the metaphor of place. The internet is not composed of tool sheds that contain lawnmowers; it is not composed of places at all. The internet is a network that allows hosts to send packets to other hosts. These packets are, fundamentally, communications. A communication can constitute a fraud or a slander or a copyright violation or certain other communication-oriented crimes or torts, but communication is never theft.

The "place" metaphor was intended to help people who don't have an intuitive understanding of communication networks. Since POTS had existed for many decades, it's not clear that this metaphor was ever necessary. No one ever confused a phone number with a place. Now that most living people have had childhoods during which the internet existed, the metaphor is certainly not necessary now.

If host A on the internet responds to a simple unauthenticated GET from host B with PII, we really shouldn't be blaming host B. The "place" metaphor obscures that fact.


Of course it's a criminal matter! When a bank is negligent and leaves the doors unlocked, they're on the hook for massive civil liability if people's deposit boxes are robbed. The thief is still going to jail if caught, though.

IANAL (I am not a lawyer) - but I think there’s a distinction here in that the lawn mower is going to be on private property, but having urls in the Internet is generally assumed to be public.

According to the DMCA, even if it’s up for public viewing, the mere act of making a copy is theft. For example, if the MPAA posted a full length movie on YouTube for free viewing, and you made a copy, you’ve committed a crime. That’s ignoring the fact that you already do make a copy: your browser cache. It’s perverted, but it’s what the law is.

If you collect massive sensitive information by scraping endpoint/1 ... 999999999, and you are resident in the U.S., you will be in big trouble.

How do I know it's sensitive? How did you decide it's massive? 20 GB of data is not massive in my opinion.

Furthermore, perhaps I operate a crawler or an internet archiving service, and I don't even know I am collecting it.


Sorry. I meant intentionally.

> How are non "cyber" crimes handled? Is it normal to charge people for the murders, thefts, and other illegal activities intelligence officers perform?

It depends, I'd say mostly on the public outcry. For "extralegal renditions" aka kidnapping by the CIA in Europe, some investigations were happening, some charges were brought, but I haven't heard anything about conclusions.

Cyberspace attacks even against allies have generally been considered part of diplomacy, e.g. the US breaking into Germany's telecommunication systems to spy on Merkel's SMS.

Since this isn't even a state <=> state issue, it's more like the NSA's decades long industrial espionage: business as usual.


It's partly a matter of jurisdiction. Most of the time criminals are in the same location as their alleged crimes. Not so with hacking over the internet. That's one reason why "cyber" gets special treatment and can be tricky.

And that's ignoring the implications of it possibly being a state actor.


> Their worry is that foreign countries will eventually retaliate by charging people who are involved in US government programs to hack those foreign countries.

Good. If you get caught committing a crime you should be charged with it.

> Another worry is that indicting people might give away information about your sources and methods.

Also good. US intelligence should not be holding back 0days.


> Good. If you get caught committing a crime you should be charged with it.

So any military personnel that kill someone while doing his job should be able to be charged for murder?


As long as

- the military personnel did not kill someone in order to defend themselves

- they kill civilians

- they kill other military personnel during peace time

Then yes, they should be charged with murder.


Apparently there no longer is a universally accepted definition of peace time, or military personnel for that matter. See Omar Khadr fiasco for example.

https://en.wikipedia.org/wiki/Omar_Khadr


> - they kill other military personnel during peace time

I see that you did some effort choosing the word "peace time" to be able to say "well we are at peace with China, thus this is fine to charge them", but at the end of the day, what is peace time? Does receiving the order to attack a target make it become a war? They got an order to attack the US company, this is not peace.


> I see that you did some effort choosing the word "peace time" to be able to say "well we are at peace with China, thus this is fine to charge them"

Incorrect, actually I did it because I am against events such as the murder of the Irani general. I personally do not think that hacking should be illegal so I do not think that the Chinese agents should be charged in this instance.

> but at the end of the day, what is peace time?

Not having a formal declaration of war.


Hacking should not be illegal? So if someone hacks a bank and steals money from people--totally legal?

It's up to the bank to provide a secure service. Also if you get hacked as a business a couple of times your insurance premiums will go up. In the same vein shoddy IoT devices (and I argue anything that is online) should be fair game exactly so that things have a chance to become more secure. BrickerBot (e.g. Janit0r) had the right ideas here ... Even Japan got inspired by Brickerbot and knocked many devices offline last year which have become unserviceable and posed too great a liability.

If it were really about providing secure services then we'd be holding companies responsible, and even encouraging hackers to clean up those systems by hacking them. But it isn't about security so instead we're criminalizing hackers and engaging in security-theater.


Responsibility and liability are not zero-sum. You can put the thief in jail, and also sue the pants off the bank for negligence.

> Good. If you get caught committing a crime you should be charged with it.

Presumably you’re fine with trying all of the US soldiers who killed other soldiers in war with murder?


We have international law on killing enemy combatants, murder of civilians, surrender, treatment of prisoners, etc.

Shooting the enemy is not murder.


Yeaaah, it’s not like the US doesn’t do this https://github.com/649/EQGRP-TrickOrTreat/tree/master/pitchi...

It’s ridiculous how many people here seem to think China is somehow special as far as this sort of hacking goes.

Shadowbrokers leaks even make it easy to identify specific NSA operators, for example Michael A Pecoraro, Nathan S. Heidbreder, Gennadiy Sidelnikov and a Brian C Fong

Going after specific Chinese individuals means throwing these US operators under the bus.


Part of the calculation of taking these types of jobs should be the consideration that there's a strong chance you'll never be able to visit a foreign country ever again.

Doesn't the alternative amount to a policy of "It's OK to break our laws so long as you are a foreign military"?

If we got in a war with China and soldiers fought each other, we wouldn’t try to charge the soldiers with crimes after the war for killing our soldiers, even though murder is generally worse than hacking. (Excepting war crimes, but is hacking a war crime?)

Considering many of these soldiers are probably conscripts and might be killed or imprisoned if they don’t follow orders to hack us, I can see the case for treating them like normal soldiers and not like criminals.

On the other hand I guess charging individuals is a way for the government to ignore that ultimately China’s government is the one responsible for their military’s actions.


That’d match the current policy of “It’s ok for US to break any foreign laws”

Right. I find this announcement rather alarming as a non-US earth-living human.

1. Foreign nationals, working (?criminally) to exfiltrate information from US companies (or servers in the US) can now be subject to US laws directly?

Isn't this the same as what I saw with the Julian Assange case, where he facilitated his actions while in a foreign country?

It seems there's been a new international law that's been set up that draws a line for any international hacking? But the article doesn't read that way... There are no international criminal courts mentioned...

If that's the case, should I start recording all the US IPs that try to hack into my servers, and take legal steps to have them arrested and extradited to my country? (What a nightmare!)

2. The ability for doxxing of these individuals by the US despite taking significant steps to hide their tracks indicates a certain level of Pwn-ership of the internet as a whole by the US. How could individuals have been revealed? Is IPv6 enough to de-anonymise to individuals' machines or is the US able to 'packet watch' across the entire internet?

Edit: better wording of concerns


> 1. Foreign nationals, working (?criminally) to exfiltrate information from US companies (or servers in the US) can now be subject to US laws directly?

Of course. We live in the 21st century, it's possible to commit crimes in countries you've never visited from halfway across the world. If such people weren't subject to criminal law where they committed their crimes, IT-support scammers, ransomware crooks, and all kinds of other criminals would act with even more impunity than they already do.


I think I agree with it. Spies are spies and they're doing their thing. USA should just suck it up and force companies to improve their security.

Should China issue an Interpol warrant for CIA's John Doe that handles US spy assets in China? I am sure there's a Chinese law against it


Is anything really going to change? If you had a role in US intelligence you're already going to know you really shouldn't leave the western bloc.

I guess there was some question as to whether government hackers could be treated just as badly as proper spies. If you're a gov't hacker, you should probably assume the worst is waiting for you if you are good at your job and avoid summer Beijing trips.

It's like charging US drone pilots with murder?

[flagged]


How is the top comment whataboutism?

Whataboutism, according to my understanding, would be saying that it's OK for China to hack because the US hacks. That's not what the top comment is about.

The top comment is about some in the US intelligence community saying that the US indicting named foreign hackers for hacking US targets might put US hackers in danger and might leak information about US intelligence capabilities.


Fortunately, there is now a new consensus on "whataboutism":

https://theoutline.com/post/8610/united-states-russia-whatab...


What are the alternatives? Escalate military tensions with them? Slap sanctions on whole populations (who actually don’t have a say in this since they live under dictatorship)? Start a war?

Why do anything? It’s well known that US intelligence hacks Chinese (and European!) companies, why escalate with indictments? The Chinese are perfectly capable of namedropping NSA employees too.

I am still waiting for Equifax leaders to be charged for their negligence. They failed to keep their software up-to-date [1], while storing sensitive information about millions of US citizens.

[1] https://techbeacon.com/security/why-equifax-breach-should-ne...


Wait until you find out nearly every company with sensitive documents has pieces of software that are out of date.

That makes things worse but should absolve no one of responsibility.

Not sure why the downvotes. Is painfully true.

There also hasn't been aggressive legislation about it until CCPA. Start adding minimum costs for a breach and things may change.


>I am still waiting for Equifax leaders to be charged for their negligence.

It's the executives' job to keep software up-to-date? Not the engineers building the software or implementing open-source tools? I understand being buck-stops-here accountable for the hack, but how could they be charged for negligence? Was there a conscious decision by the execs to not update the software?

It'd be hilarious/sad if the executives got punished for something like not updating software, because you know what the result would be? Companies would set up a system to protect execs and ensure the line-workers would be held accountable for hacks or breaches. That'd make our jobs super fun.


> It's the executives' job to keep software up-to-date?

Ultimately, yes. They are in charge, they are accountable.

> because you know what the result would be? Companies would set up a system to protect execs and ensure the line-workers would be held accountable for hacks or breaches.

As if most big companies didn't already have these systems in place.


From the article:

>The nine-count indictment alleges that Wu Zhiyong (吴志勇), Wang Qian (王乾), Xu Ke(许可) and Liu Lei (刘磊) were members of the PLA’s 54th Research Institute, a component of the Chinese military.

How were they identified exactly? I'm always fascinated with these DOJ indictments of foreign state actors but I'm always left wondering how they managed to narrow it down to a small group of people. I'm guessing that "PLA’s 54th Research Institute" employs thousands of people so how does the FBI/DOJ identify the culprits so precisely? Is it through CIA/NSA spying and moles inside the PLA?

You don't see foreign governments identifying individual NSA employees when the NSA hacks into something... so how does the DOJ do it?


> How were they identified exactly? I'm always fascinated with these DOJ indictments of foreign state actors but I'm always left wondering how they managed to narrow it down to a small group of people.

My guess is they counter-hacked the PLA’s 54th Research Institute to identify the culprits, then used parallel construction for the indictment.

IIRC, the public intelligence report on the Russian 2016 election influence campaign revealed that the US had counter-hacked some of the Russian groups involved, and used the information gained from that as evidence to attribute the overall campaign to the Russians.


They've just named some names. These people might be associated with that "institute", but they're just as likely to be custodians or secretaries as hackers.

You didn't read the previous GRU indictments very closely. They got actual surveillance footage of individuals in the building.

On the "surveillance footage", were they mopping and sweeping? I wonder whether such "footage" constitutes prima facie evidence for an indictment going the opposite direction...

[flagged]


[flagged]


> You do realize, that Russia and China are different nations?

I'm sure he does. You've been introducing several confusions into this subthread, and the above is one of them.

If there's been any national confusion on this topic, it's been between the Dutch and the Americans.


[flagged]


TFA and my first comment ITT are about China.

Your reply to that comment was about Russia, so everything from that on down was probably a waste of time. Then again, we're talking about DoJ indictments of foreign soldiers for allegedly accessing data that was open to all, so the whole thing has been a waste of time from the beginning. It's a good thing there isn't any real crime in USA for DoJ to investigate.

Seenso 8 days ago [flagged]

> TFA and my first comment ITT are about China. Your reply to that comment was about Russia, so everything from that on down was probably a waste of time.

Can you even follow the thread? The TFA is an American indictment against some Chinese government hackers. There are some unanswered questions about it, which were partially answered by speculation informed by parallels to a similar indictment against Russian government hackers [1] and related reporting [2].

[1] See https://www.justice.gov/opa/pr/grand-jury-indicts-12-russian...: "In 2016, officials in Unit 26165 began spearphishing volunteers and employees of the presidential campaign of Hillary Clinton, including the campaign’s chairman. Through that process, officials in this unit were able to steal the usernames and passwords for numerous individuals and use those credentials to steal email content and hack into other computers. They also were able to hack into the computer networks of the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC)..."

[2] https://arstechnica.com/information-technology/2018/01/dutch...: "The information gathered during the surveillance, Modderkolk’s sources suggested, was key to the US intelligence agencies’ attribution of the DNC breach to Russia."


Haha ok who's really "trolling" whom? There was an unsubstantiated claim that something had happened in one nation, therefore we can assume it happened in some other nation! Further, we really believe that you really believe those TLA posers were sitting there watching John Podesta tell someone in Russia that his password is "Runner4567", because only Russian hackers would be so clever to phish a genius like John Podesta.

Indictments don't contain evidence. Sometimes they contain rumors of evidence.

Seenso 7 days ago [flagged]

>>> Then again, we're talking about DoJ indictments of foreign soldiers for allegedly accessing data that was open to all...

I just noticed that you made a pretty mind-boggling claim there. Is it really your position that Equifax's data was "data that was open to all"?

> There was an unsubstantiated claim that something had happened in one nation, therefore we can assume it happened in some other nation!

No, we can make informed speculation in a discussion. That's quite different than "assuming it [actually] happened."

The main issue here is that you appear to read something, misunderstand or exaggerate it into hyperbole, then respond to your own hyperbole. That's not a good way to have a discussion with anyone.

seppin 7 days ago [flagged]

You are working very hard to support my original statement, you didn't read the indictments very closely (or at all).

If you knew anything about cybercrime attribution, you'd know that indictment was detailed far beyond anything we've ever seen from the DOJ. They took the extraordinary step of giving away hints on collection sources/methods just to make the evidence overwhelming and undeniable.

Which was my point, which instead of addressing you keep trying to obfuscate. Because you are a troll.

seppin 9 days ago [flagged]

I remember your user name, you popped up in another thread about US/China, talked baseless anti-US conspiracies then left. Is there a reason you spend time out of your day to do this?

[flagged]


> I do it because Russia and China pay me a great deal of money to annoy silly warmongers on the internet.

Cut out the trolling, please. It's neither clever nor valuable in the slightest, and just increases the noise level.


That would be less sad than doing it for free.

The "war" you referenced btw, the one we are discussing in this thread, is against the US. Do tell us how the Chinese Military hacking American private companies is somehow the fault of America.


There isn't actually a war. Some Chinese people have been accused of accessing some PII published by Equifax. Even mentioning "war" in these circumstances is a bit twisted. Unlike small nations who can't defend themselves, if we start something with China we'll get our asses kicked. Then your agitation for violent conflict won't seem like such a great idea...

We rarely get to learn about sources and methods but here is a recent case where cameras in buildings were hacked.

https://nos.nl/nieuwsuur/artikel/2213767-dutch-intelligence-...


They are guessing.

The case will never go to court. The DOJ knows it so they don't have to have actual evidence.

The indictment is being publicised for political reasons.


You are guessing that they are guessing, and don't in fact know that. Your opinion has the right to exist, but I'll choose to believe that they identified actual military intelligence officers using methods they're not going to tell us about, to send a strong message to China (whether these specific officers are guilty of these specific offences is immaterial, the outing itself is the message).

I am pretty sure this one is for domestic consumption.

The Chinese are a bogeyman comparable to the Russians. Being tough on them and having the other party be in bed with them is something that is surely useful in a coming election campaign.

As for the ability to trace back traffic sent through 30+ computers placed around the world including China; just think of what surveillance and logging that would entail. It is not really possible.


Other than potentially exposing sources and methods what do they gain exactly? They aren't going to Beijing to arrest them, and only legal indictments aren't (and haven't) going to scare off China.

>You don't see foreign governments identifying individual NSA employees when the NSA hacks into something...

See my mysteriously flagged comment demonstrating exactly this https://news.ycombinator.com/item?id=22290767

Of course, we don’t know who TSB were. But it’s not like individual NSA hackers have gone unidentified.


Your flagged comment can't be read by anyone but you and the moderators: https://i.imgur.com/L7tL23M.png

Go to your profile, set “showdead” to yes.

It's an allegation not a conviction. It’s not like anyone from China’s going to appear in US court to make a defense.

What if China says “we’re sending you a plane with the four individuals you are after. We insist on their innocence and want to see a fair and public trial”

Then DOJ would have to reveal their sources, wouldn’t they?


What they've done in the past [0], is continually to delay the actual trial. The idea is to force the defendants either to avoid setting foot in the jurisdiction or to spend their entire net worth on defense attorneys.

[0] https://www.law.com/nationallawjournal/2019/09/16/were-now-o...


Or drop charges. This is clearly a what-if that's been taken into account, the implication being that these people either are in fact military intelligence or otherwise very valuable, or don't exist at all.

If Iran made such an accusation against 4 NSA employees, that were actually innocent, do you think that those 4 people would ever be handcuffed, and put on a flight to Iran?

Of course not, that would be idiotic, and horrible for morale. You don't give your own people up, regardless of whether or not they are innocent or guilty.

As such, this is a spherical cow thought experiment. To address it - it's quite likely that the sources would not be revealed in an open trial, due to the catch-all of national security. For a helping of double irony, the sources are likely the product of... Espionage (Digital or otherwise).


Sure, but the US can actually try foreign military officers somewhat fairly. Almost no country in the world can accomplish that, other than perhaps the UK and Canada.

Why would you claim that? If anyone can try them fairly, that would be a neutral third party, maybe Switzerland.

Also consider how US treats 'threats to national security' - Chelsea manning, indefinite detention in Guantanamo bay, etc.


It doesn't matter if the trial is going to be fair or not. Doing this is the worst kind of betrayal that a military can commit against a soldier.

This is also why the US is not even a signatory of the ICC. It, by principle, opposes the sheer notion of Americans facing international trials for war crimes, even in impartial, third party courts. There's no way in hell it would extradite its spies to face trials for computer crimes.

Its arguments for not participating in the ICC are that the trials would be political, and not impartial. That's a stick with two ends.


How about Germany, France, Belgium, The Netherlands, etc?

Given that almost none have ever tried, what would you base your opinion on? As in, what facts?

My first thought was that American spies must have infiltrated the PLA's 54th Research Institute, or infiltrated some branch of the Chinese government that was privy to that information at least.

Which is pretty ironic, really. Whoever did the hacking for the US could be charged by China for basically the same thing the DOJ just charged the Chinese hackers for.

The military is a much more legitimate target than a credit agency

I imagine the process is similar to how these guys [1] exposed Chinese APT hackers but with access to better tools and intelligence.

[1] https://twitter.com/intrusion_truth


Forensics. Attackers use and sometimes re-use domains, IPs and code to recon, attack and exfil data. Those items may have been used before. All the attributes related to each of those items are cross referenced. You might find a server in this breach was associated with an email address that was used to register a domain in the current breach. That email now loosely ties the two breaches and actors together.
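The cross-referencing described in the comment above, as an added Python example that is not part of the thread or of any investigator's actual tooling: incidents are linked by shared indicators, each link is scored by indicator type, and the clusters are compared at two thresholds to show how weak ties (a shared IP) chain otherwise separate incidents together. The incident names, indicator values and weights are all constructed assumptions.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample data: incident -> set of (indicator_type, value).
# Domains, IPs and addresses use reserved documentation ranges/names.
INCIDENTS = {
    "incident-A": {("domain", "updates.example.net"), ("ip", "192.0.2.10"),
                   ("email", "registrant1@example.org")},
    "incident-B": {("domain", "cdn-sync.example.com"), ("ip", "198.51.100.7"),
                   ("email", "registrant1@example.org")},
    "incident-C": {("domain", "portal-auth.example.com"), ("ip", "198.51.100.7"),
                   ("code_hash", "sample-hash-H1")},
    "incident-D": {("domain", "mail-gw.example.net"), ("ip", "203.0.113.50"),
                   ("code_hash", "sample-hash-H1")},
    "incident-E": {("domain", "shop.example.org"), ("ip", "203.0.113.50")},
}

# Assumed evidential weight per indicator type. IPs are weak evidence
# because hosting is shared and recycled; shared code is stronger.
WEIGHTS = {"email": 0.6, "code_hash": 0.8, "domain": 0.7, "ip": 0.3}


def build_index(incidents):
    """Invert the data: indicator -> set of incidents it was seen in."""
    index = defaultdict(set)
    for name, indicators in incidents.items():
        for indicator in indicators:
            index[indicator].add(name)
    return index


def pairwise_links(incidents):
    """Return {(a, b): [(indicator, contribution), ...]} for shared indicators.

    An indicator seen in many incidents discriminates less, so its weight
    is divided by the number of other incidents it appears in.
    """
    links = defaultdict(list)
    for (kind, value), seen_in in build_index(incidents).items():
        if len(seen_in) < 2:
            continue
        contribution = WEIGHTS.get(kind, 0.1) / (len(seen_in) - 1)
        for a, b in combinations(sorted(seen_in), 2):
            links[(a, b)].append(((kind, value), contribution))
    return links


def link_score(links, a, b):
    """Total evidence score between two incidents (order-insensitive)."""
    return sum(c for _, c in links.get(tuple(sorted((a, b))), []))


def cluster(incidents, threshold):
    """Group incidents whose pairwise score meets the threshold (union-find)."""
    parent = {name: name for name in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    for (a, b), evidence in pairwise_links(incidents).items():
        if sum(c for _, c in evidence) >= threshold:
            parent[find(a)] = find(b)

    groups = defaultdict(list)
    for name in incidents:
        groups[find(name)].append(name)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for threshold in (0.5, 0.3):
        print(threshold, cluster(INCIDENTS, threshold))
```

At threshold 0.5 only the registrant e-mail and the shared code hash create links; at 0.3 the two shared IPs merge every incident into one cluster, which is why each link should keep its evidence list for an analyst to review.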

I don't know about where you work, but the people who register domains aren't typically the people who use them.

Did the DOJ just indict a bunch of procurement people? ;-)



How were they identified exactly?

If they made it public, they could never do it again.

You don't see foreign governments identifying individual NSA employees when the NSA hacks into something...

I suspect that it does happen, but most people don't know about it because that requires knowing another language, and then regularly keeping up with the media of another country in that language.


I'm guessing part of the reason they're willing to ID them is because the DOJ knows this will never actually get to court where they'd have to explain how they found them.

Seems likely. I wouldn't be surprised if it was done as a way to get them put on watchlists in all western countries without having to officially reveal any sources or methods.

According to the indictment, the defendants exploited a vulnerability in the Apache Struts Web Framework software used by Equifax’s online dispute portal. They used this access to conduct reconnaissance of Equifax’s online dispute portal and to obtain login credentials that could be used to further navigate Equifax’s network. The defendants spent several weeks running queries to identify Equifax’s database structure and searching for sensitive, personally identifiable information within Equifax’s system. Once they accessed files of interest, the conspirators then stored the stolen information in temporary output files, compressed and divided the files, and ultimately were able to download and exfiltrate the data from Equifax’s network to computers outside the United States. In total, the attackers ran approximately 9,000 queries on Equifax’s system, obtaining names, birth dates and social security numbers for nearly half of all American citizens.

Holy shit did not see that coming. Was sure it was some hackers out looking to sell info on dark web. Chinese government gives it a whole different motivation.

It shouldn't be a surprise.

The US has essentially an omnipotent traditional military force that can either engage or assure mutual destruction of any opponent on the earth. Nobody can compete successfully. But humans are crafty, and come up with ways to defeat irresistible force.

As we've seen predicted for 20+ years and demonstrated in the public space for 10, our nation's weakest link is that election system and political finance system, particularly for legislators. The checks and balances that are supposed to prevent egregious behavior are broken (see what happened to most US Attorneys since 2016, the impeachment circus, and 100 other things at the state/local level).

Building dossiers on Americans is a great, obvious way to wield this power and to target and enable espionage/influence activity. Recall that the federal agency that keeps records on background checks was breached a couple of years ago. So now you have a hostile nation state that knows everyone, and all of their background data, with security clearances. You can cross-walk that with Equifax information, health insurance breaches (recall that Blue Cross was also breached), etc. and do all sorts of interesting things.


> The US has essentially an omnipotent traditional military force that can either engage or assure mutual destruction of any opponent on the earth. Nobody can compete successfully.

How many times in the past two years have our boats crashed into one another? The F35 program is a complete failure. When we ran Hormuzi wargames, a rag-tag group that fought through guerilla warfare won until our Navy cried and made the other side "fight fair." In the past 80 years the only win we can claim is the Gulf War. This is seriously overstating our military capabilities.


But, a war with China (direct conflict) would be the Naval set-piece battle the US has been dreaming of for decades. Much like how Iraq was the combined arms showcase dreamed of post Cold War. US has struggled at asymmetric combat against regional bad actors, as evidenced nearly everywhere, but your assertion that somehow China would be able to leverage that type of warfighting when their O&G infrastructure and major threat projection airbases are on islands or near shore does not compute. It would be ugly, not straightforward, not "Iraq on water" ... but it would be much different than wargames in geographically tight confines with limited rules of engagement. The US and allies still do hold the Pacific mostly as their own backyard, and that would need to change to tip the balance toward China.

> your assertion that somehow China would be able to leverage that type of warfighting

I'm not saying that, I'm saying that the entirety of the US military is incompetent and pumped so full of cash (despite its many failures) that it's ridiculous to act like no one can compete.

> The US and allies

I know we like to take our satellite states for granted, but that day will come to an end and it seems likely that taking real action against China could be the catalyst.


I hear you and I see the consistency of your arguments, and acknowledge development and production failures and large budgets, but disagree it implies incompetence across the board.

I feel that the ally situation is entirely different - they are USA allies solely for protection against China, and in any real conflict against China the interests of China would be mostly limited to ensuring a regional win against those countries, and the USA would have the choice of either taking real action against China by supporting these allies or not take action and abandon them.

I agree it's pumped full of cash but I think you would be surprised at how much worse the Chinese military can be.

Iraq was the combined arms showcase dreamed of post Cold War.

The war in Iraq hasn't really gone well, has it?


To be clear, the war games had US military playing the part of the fictional middle-east enemy. This story was news to me and you made it sound a lot more interesting than it turned out to be

Yes, the US sucks at winning wars. At the same time, I'm not sure what other nation is capable of waging war on the scale of the US. Perhaps the war on a large scale is just an intractable problem that cannot be solved, and the US is the only country that even tries. Not that I think that's a good thing. War in general sucks.

> At the same time, I'm not sure what other nation is capable of waging war on the scale of the US.

My inclination is that China would be perfectly capable of doing so, but that they have more effective jobs programs than the States.


No, if you do a side-by-side comparison, China may do a good job of defending their region, but they would be completely unable to project their power or enter a different theater of war without leaving themselves defenseless. It's no contest at the moment. Besides the fact that due to its unfortunate foreign policy, the US also gets a LOT of practice waging war, where as the modern Chinese military has almost zero real-life war experience.

This is an interesting thought; is there any literature stating a strategic advantage to starting mini wars to train in real warfare?

Neither side would win a war... there would be no winners, just survivors, with both economies reduced to almost nothing, both populations decimated both by direct costs and indirect (poverty, famine, etc.) costs.

No the idea that either China or America would "win" a war with each other is naive at best


> When we ran Hormuzi wargames, a rag-tag group that fought through guerilla warfare won until our Navy cried and made the other side "fight fair."

Wargames are designed to teach lessons. Example: https://time.com/5772665/uboat-wargames

That exercise happened in 2002, after the USS Cole bombing in 2000 ashore with a similar attack. How many warships were sunk by speedboats in the last 18 years?


If you ignore the fact that the US always fights with both hands tied behind its back then this take is almost only slightly inaccurate.

The US won a war in Afghanistan and two in Iraq. Now, the occupations afterwards? Different story.


[flagged]


...animus against military strength...

You say that as if it would be a bad thing...


Good to know

Re: breaches - just because it wasn't overtly stated: you can better know who is corruptible, more easily corruptible - and corrupt them leading locals to working for your opponents.

Can you explain what you mean by "what happened with the US Attorneys"?

China's military is growing rapidly and the US cannot expect its hegemony to last forever. See previous discussion: https://news.ycombinator.com/item?id=19802161

> The US has essentially an omnipotent traditional military force that can either engage or assure mutual destruction of any opponent on the earth.

Omnipotent and "assure mutual destruction" are contradictory if you think about it. MAD (mutually assured destruction) resulted from a lack of omnipotence. If one was omnipotent, one wouldn't require MAD.

> As we've seen predicted for 20+ years and demonstrated in the public space for 10...

Who is "we"?


It's very interesting when you also take into account the OPM breach:

https://en.wikipedia.org/wiki/Office_of_Personnel_Management...

If you have a list of federal employees + a list of people's credit histories you can do things like spot people who have security clearances but no credit history.

Jenna McLaughlin did a great piece on how breaches like this are making it almost impossible for intelligence agents to operate under traditional cover:

https://news.yahoo.com/shattered-inside-the-secret-battle-to...

The days of creating a SSN, issuing it a passport + an entry in OPM as a "cultural attaché" at some embassy are waning fast, if not gone already.


also the Marriott breach - who's staying when/where and what CC do they use https://www.npr.org/2018/12/12/675983642/chinese-hackers-are...

I saw several people paying cash to settle their bills at a conference once, and thought it was odd since that hotel makes you at least supply a CC for incidentals (and show ID)

Maybe it was to guard against generating useful metadata that could be later breached? Very interesting.


Yep, it could be used for finding extortion targets. Just find someone with bad credit who also works for some sort of sensitive program, and now you have leverage over them.

I don’t know what you mean by “sensitive program” but anything the federal government considers critical disqualifies people like this (even if their credit goes bad after they’re hired.)

They’re very particular about this; particular meaning polygraphs and agents talking to your family members. I know because I almost took a job like this (and know a number of people who have) but the pay and location were crap.


That happens if you work with DoD programs.

How much do you think legislative aides are scrutinized? Political party staff who aren't on the government payroll?


Are you sure that the standards applied to your background checks were also applied to those of relatives of the President? If the background check system is politicized, then this kind of hacking to discover sensitive information might become even more valuable.

This is oversimplified. Anything ITAR or EAR or commercial proprietary related to tech would be prime to extract but would be worked by million(s) US persons with no further background screen beyond basic employability checks. US Gov secret and above requires lots of checks ... but the breadth of the human attack surface for commercial or ITAR technology combined with the Equifax data would in fact be an ace in the hole.

Don't forget that China dumped the OPM database and can cross correlate individuals in important places with credit issues. Foolishly poking at them is the sort of inept strategic thinking this administration is so good at.

I think you and I will be surprised more often going forward.

>"The FBI has about a thousand investigations involving China's attempted theft of U.S.-based technology in all 56 of our field offices and spanning just about every industry and sector," Wray said.

>John Brown, FBI Assistant Director for the Counterintelligence Division, said the bureau has already made 19 arrests this fiscal year alone on charges of Chinese economic espionage.

>In comparison, the FBI made 24 arrests all last fiscal year, and only 15, five years earlier, in 2014.

https://www.zdnet.com/article/fbi-is-investigating-more-than...


I'm fairly sure this info has made it onto the darkweb regardless. A number of people have reported to me that they have been cold called by "their bank" from a spoofed number, given partial account information/address history/ssn last 4/etc, and asked to verify "security questions", and when they hang up and call the bank of course they aren't involved. It sounds exactly like attackers attempting to social engineer their way past the last bits of information they don't have from credit history reports.

"ID Theft as a Service" sites have been in operation since before the Equifax hack.

https://krebsonsecurity.com/2014/03/who-built-the-id-theft-s...


Essentially all the data contained in the Equifax breach has been for sale a long time before this breach, the other breached entities stayed quiet so people unfamiliar with the business tend to just assume that Equifax is to blame for everything.

Makes all the people talking about suing Equifax for subjecting them to identity theft look pretty silly.


The OPM hack was supposedly done by the Chinese government, too.

https://en.wikipedia.org/wiki/Office_of_Personnel_Management...

It would be easy to know who to bribe if you know who works in government, and which one has debt. As part of security clearance check, if you have substantial debt you're not supposed to be able to get a clearance...but I'm sure there are some who get exempt.



How do you know it's true? The indictment insists that the defendants are responsible for the hack, and lists the things that they have allegedly done, but offers... Zero evidence for why these particular defendants were responsible.

The evidence for why is sealed unless there's a trial. There's never going to be a trial, because those guys aren't going to show up to their court date.

It's entirely possible that this has been fabricated for political purposes... It's not like the only people who could disprove the lie (the accused) have any interest in disproving it.


It can be both. Plenty of Chinese "state sponsored" APTs are happy to sell to the highest bidder, even database dumps of Chinese companies.

E.g. APT17: https://intrusiontruth.wordpress.com/2019/07/25/encore-apt17...


It shouldn't come as a surprise, after all, the OPM hack was also perpetrated by the Chinese government.

Allegedly. Note that it looks much better for the OPM if they can say they got hacked by "cyber warfare units from China" than "sorry, we are bad at OpSec, a few script kiddies got us".

From https://en.wikipedia.org/wiki/Office_of_Personnel_Management... I gather that only hearsay was provided to the public, no credible evidence.


I think criminal charges against specific government hackers will probably become the norm, since no power is likely to stop hacking other powers yet no powers are too keen to start a war over it. If you're a government hacker, I wouldn't plan on taking any overseas vacations for the rest of your life.

Wasn't Equifax the one that had admin/admin as password and leaked most of its data because of complete incompetence?

Most security breaches are because of incompetence (typically management/oversight, rather than technical).

Equifax didn't have good oversight of which systems were patched and instead relied on a single employee to remember to do it. One got forgotten. People broke in using an old exploit and then leveraged into Equifax's network.

Equifax's first problem was bad patch policy. Its second problem was lack of network isolation/intranet security/onion-ing. As soon as an edge server was compromised the attacker hit the jackpot and had everything.

The last problem was lack of audit/accountability into who/what was accessing sensitive data on the intranet. If they had that they still would have been compromised and lost data, but not every customer's record (which took a long time).
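A sketch of the kind of data-access audit the comment above says was missing, added here as an example and not taken from the thread or from Equifax's systems. It parses database audit lines and flags a service account that reads the schema catalogue, touches tables outside its allow-list, or exceeds a daily row budget. The log format, account names, policy values and log lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed audit log (hypothetical format): one query per line.
LOG = """\
2024-01-10T09:00:01Z principal=svc_portal src=10.0.5.21 table=disputes rows=1
2024-01-10T09:05:12Z principal=svc_portal src=10.0.5.21 table=dispute_docs rows=4
2024-01-10T23:00:00Z principal=svc_batch src=10.0.9.3 table=consumer_records rows=80000
2024-01-11T02:10:00Z principal=svc_portal src=10.0.5.21 table=information_schema.tables rows=212
2024-01-11T02:11:30Z principal=svc_portal src=10.0.5.21 table=consumer_records rows=50
2024-01-11T02:40:00Z principal=svc_portal src=10.0.5.21 table=consumer_records rows=9000
2024-01-11T09:00:00Z principal=svc_portal src=10.0.5.21 table=disputes rows=2
"""

# Assumed per-account policy: tables the account legitimately needs and
# a daily ceiling on rows returned. An edge-facing portal account gets a
# small budget; a nightly batch job gets a large one.
POLICY = {
    "svc_portal": {"tables": {"disputes", "dispute_docs"}, "daily_rows": 500},
    "svc_batch": {"tables": {"consumer_records"}, "daily_rows": 100000},
}

LINE = re.compile(
    r"(?P<ts>\S+) principal=(?P<who>\S+) src=(?P<src>\S+) "
    r"table=(?P<table>\S+) rows=(?P<rows>\d+)"
)


def parse(log):
    """Turn raw audit lines into dict records, skipping malformed lines."""
    records = []
    for line in log.splitlines():
        match = LINE.fullmatch(line.strip())
        if match:
            record = match.groupdict()
            record["rows"] = int(record["rows"])
            records.append(record)
    return records


def audit(records, policy):
    """Return sorted findings as (day, principal, rule, detail) tuples."""
    findings = set()
    daily_rows = defaultdict(int)
    for rec in records:
        day, who, table = rec["ts"][:10], rec["who"], rec["table"]
        rules = policy.get(who)
        if rules is None:
            # No policy entry at all: the account itself is unaccounted for.
            findings.add((day, who, "unknown_principal", rec["src"]))
            continue
        if table.startswith("information_schema."):
            # Application accounts rarely need to read the schema catalogue.
            findings.add((day, who, "schema_enumeration", table))
        elif table not in rules["tables"]:
            findings.add((day, who, "unexpected_table", table))
        daily_rows[(day, who)] += rec["rows"]
    for (day, who), total in daily_rows.items():
        if total > policy[who]["daily_rows"]:
            findings.add((day, who, "row_budget_exceeded", str(total)))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(parse(LOG), POLICY):
        print(finding)
```

The batch account reading 80,000 rows raises nothing because that is its normal job, while the portal account trips all three rules on the second day; alerting on the first of them bounds how much can be read before someone looks.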


yes people are unreliable that's why we need a more resilient means to establish identity like PKI. Consider PGP for example, they could put QR codes on social security cards for all I care just fix the real problem for once.

Yep, but now they will be able to play victim card and wrap themselves in American flag. The PR value of this is amazing.

Frankly, this really does explain why they were treated with kid gloves after the incident. I was certain after insider trading came to light, the company will fight with US government to stay alive.

Boy was I an optimist.


I think they had an unpatched weblogic server/java web application that was internet facing.

The US needs to treat this as an act of war by a foreign military/government, not as a criminal act by people acting in an individual capacity.

If the US can identify the individual hackers, then they should be able to identify the physical location from which the military committed the acts of war and respond with the use of force as permitted by the UN Charter and international laws and norms. By responding with grand jury indictments the US sets a terrible and dangerous precedent and is telling foreign governments the US will not do anything in response to military based acts of cyber warfare.


By that token, Europe should have gone to war with the US for spying on its very leaders — Angela Merkel, François Hollande, etc. (The Snowden revelations and the aftermath).

I honestly don't see how the US could spin anything positively on the world stage in that regard, they are by far the worst offender as far as spying is concerned. It's not even funny to compare. And there is documentation that tech/trade secrets from foreign companies acquired by e.g. CIA or NSA was given to US companies — industrial espionage isn't exactly new or surprising, but when conducted by Federal Agencies above any control, responsibility or accountability to the US public, let alone the UN or the world...

Your suggestion is disingenuous at best and, I'm sorry to say so, terribly blind to the reality of the world, wherein the US is certainly not an all around good guy. Especially these days, it's clearly a hostile power to most others. As seen from the EU, at least, I can't speak for other places/cultures. But I hear it's not that great in general.


We need to get Federal Agencies accountable to the US Tax Payers, and be more transparent I 100% agree with that

I 10000% disagree they should ever have any accountability to the UN or any other international body

I also do not feel bad that they spied on Angela Merkel, I do care that they spied on US Citizens. Spying on Angela Merkel is constitutional and within their remit, Spying on US Citizens is Unconstitutional and not in their Remit


>By that token, Europe should have gone to war with the US for spying on its very leaders

Well not exactly. One was a state sponsored military act of cyber warfare that indiscriminately targeted an entire populace and infrastructure (i.e. a military infringed on the sovereignty of an entire nation state). The other was a targeted intelligence operation.

>Your suggestion is disingenuous at best and, I'm sorry to say so, terribly blind to the reality of the world...

Being from Europe I would assume you would be very familiar with the dangers of failing to act when one military infringes on the sovereignty of another. Though I guess we will see either China will continue hacking and escalate their hacking or they won't...if I were a betting man I would happily take you up on such a bet that China will continue and escalate its military hacking against all nation states.


Force in my opinion, is the incorrect response.

The grand powers on the world stage are constantly posturing and taking actions to further their own power. The United States is no different. We, civilians don't know the majority of what is taking place.

A "hot" war between two powers would be of such a great cost in human life, you would want to avoid it at all costs. This means indicting with a grand jury instead of starting a war.


Agree. Revealing China as an untrustworthy world partner would serve US interests much more than sending in the Marines.

>A "hot" war between two powers would be of such a great cost in human life, you would want to avoid it at all costs.

I was very careful to specify "respond with the use of force as permitted by the UN Charter and international laws and norms." In other words the UN Charter only permits a response in proportion to the offense. I do think an act of cyber warfare may legally allow use of "armed force" but it would likely have to be limited to targeting the installations where the attacks were coming from (but realistically it is a new and undeveloped area of law with respect to cyber warfare).

The problem in my opinion with failing to act is we signal that there will be no military response, and these acts of cyber warfare escalate to hacking power grids or other infrastructure that results in indirect loss of life. Then due to political pressure all out war becomes more realistic.


Wasn't this more intelligence gathering? The appropriate response would be more akin to hacking back into China's social credit scoring company and snooping around.

>Wasn't this more intelligence gathering?

I believe it rose to a level above spying and intelligence gathering. It was a state sponsored military act of cyber warfare that infringed on the US' territorial sovereignty.

>The appropriate response would be more akin to hacking back into China's social credit scoring company and snooping around.

The purpose of a proportionate response to military acts under the UN Charter and the use of force and armed conflict is not so much "an eye for an eye" (i.e. you hack me, I hack you), but to put an end to the military operations infringing on your sovereignty ...for example, assuming you believe Iraq had WMDs and chemical weapons our response is not to create stockpiles of our own chemical weapons.


I agree and believe the US probably are having a hard time creating escalation mechanisms for cyberwarfare and signaling their strategic needs and interests. When the United States' entire democratic apparatus was attacked during the presidential elections and the only answer was a similar indictment of Russian hackers, enemies have a harder time knowing what is and isn't a "red line".

What would be the "correct" response? Given that citizens affected (including me) have gotten their information used relating to this attack, I'd say a state sponsored cyber counter attack will be/is the best deterrence. UN clearly has not caught up with the times in how to respond to state sponsored attacks.

I wouldn't want my government to kill anyone on my behalf because my credit report was stolen.

How about we start with securing our systems? Modernize identity and credit reporting, stop relying on social security numbers, etc.


What do you mean? The parent said they supported a cyber counter attack, which doesn't imply killing anyone unless it's explicitly stated (e.g. attacking critical infrastructure like power stations).

The correct response is recognizing the flaws in our Financial System and fixing those.

The Response should be shifting the Liability back to the credit providers, not the consumers

The idea of "Identity Theft" should be a thing of the past, for you did not have your identity stolen, you still have your identity, no the bank was defrauded by giving money to someone they did not properly vet. 100% of the liability should be on them, not the person who they claim had their "identity stolen"

the Liability for financial Fraud in the US is 180 degrees from where it should be.

Launching missiles at China may make you feel good, but it does not solve the root cause of the problem


You should re-read what I said. Nowhere do I see me saying physical force had to be used.

"Fixing" takes a long time that does not mean one should not deter attacks on the current system. How does one respond to a broken legacy software system that can be taken advantage of? You restrict the actions that can be performed on that system until it is replaced.


Yes I look internally to Mitigate the attack surface, I do not think about "reverse hacking" to "make them pay"

No the response from me, internally is, is how did they get in, how can I plug that hole, and how can I make my systems more robust.

Your response is making china (the hacker) pay, in order to "prevent" future attacks, that is simply naive IMO nor is it a viable solution.


deter - discourage (someone) from doing something by instilling doubt or fear of the consequences.

^ this is the deter I am talking about.

APT is on a different level than what you are used to. Also my question was rhetorical. Didn't actually mean for you to answer it. For you or your company it is not a viable solution since you don't have the resources.


I'm sorry that you got hurt by this.

But I, as a civilian am not qualified to answer that question. Nor do I want to answer that question.

This is not a perfect analogy, and I don't want you to think that geopolitics is a zero sum game. But, imagine two heavyweight boxers circling each other in a ring. They are bouncing on the balls of their feet. They are moving in what you would almost call a dance. Most of the "fight" is in their footwork, their positioning. When one does jab, the other blocks, or moves out of the way, or takes the hit. Sometimes they counter. Sometimes they punch. This fight goes on for a long, long time. It is not tit for tat. They both want to win.

What you are saying is "That boxer needs to jab back, because the other boxer jabbed at him."


I really do not like having to make calls about fraud for months because some country's military decided to attack electronic property holding a ton of sensitive, very hard to change information. Biggest cyber theft of PII information in US history.

I think it is best for the population on the other side to feel that as well which is why I prefer an electronic counter attack. We need deterrence. If China was to "jab", let them use other means of interaction that doesn't make us want to attack them physically. The more people who are affected financially by this, the more the call for a physical deterrence whether we agree with people's feelings or not.


Techthroway's that have never experienced war and don't study international relations and geopolitics should stop suggesting bullshit like this. I get so tired of people advocating more aggressive stances with other nations when it's not their ass or their offspring that will go to war. This is also why I advocate that next war all the politicians' sons and daughters get drafted and then we can see if they still want to go to war.

Oh wait, the congress abdicated its constitutional duty to be responsible for declaring war via the unconstitutional War Powers Act and AUMFs...


> Oh wait, the congress abdicated its constitutional duty to be responsible for declaring war via the unconstitutional War Powers Act and AUMFs...

AUMFs are (often limited and/or conditional) declarations of war, from a Constitutional perspective, not an abdication of the power; the Supreme Court has consistently held that the Constitution doesn't require magic words when exercising the Constitutional power to declare war.


While valid, this is a technical interpretation that misses the point IMO.

Look at the range of actions the AUMFs are applied to. The AUMFs, in effect, allow the executive to wage war pretty much anywhere on the planet for an indefinite amount of time.

In your view, is Congress honoring the spirit of their Constitutional duty?


> Look at the range of actions the AUMFs are applied to. The AUMFs, in effect, allow the executive to wage war pretty much anywhere on the planet for an indefinite amount of time.

Most declarations of war do not have temporal or geographic bounds. What was unusually expansive about the 9/11 AUMF (not AUMFs more generally, neither prior nor subsequent AUMFs have had this feature) is that it also delegates the decision of the actual primary opponent(s) to executive discretion, which, yes, is an abdication of Congressional responsibility. But that's the 9/11 AUMF, not AUMFs in general.


I'm not pro war but at the other end of the spectrum, appeasement in Europe allegedly gave us WWII.

There is no sense of the word "appeasement" that includes the Treaty of Versailles. USA entering WWI and allowing UK and France to win decisively was what caused WWII.

Because apparently it must be said, I am not a "Nazi sympathizer". I would have preferred that the Nazis had never existed let alone dominated a large portion of Europe. Similarly, it would have been better had we not invaded Iraq and caused ISIS to exist.


Not really, the Great Depression caused by private interests in US overlending to Europeans led to a sovereign debt issue that finally made it possible for Hitler to gain power leading to WW2.

But sure you can ignore the nuance.


>Techthroway's that have never experienced war and don't study international relations and geopolitics should stop suggesting bullshit like this.

I would venture to guess I have significantly more experience and knowledge with the UN Charter Article 2(4), the UN Security Council and the international laws on the use of armed force than you.

No one said anything about "go to war", the use of armed force is not "going to war". The UN Charter permits the use of armed force in response to acts that infringe on the sovereignty of any nation by military action.

To bury one's head in the sand at this point in history to foreign military acts against a populace is inviting more invasive and damaging acts of cyber warfare. Do you honestly think China is going to say we got away with this, we should deescalate?


> No one said anything about "go to war", the use of armed force is not "going to war".

???

> The UN Charter permits the use of armed force in response to acts that infringe on the sovereignty of any nation by military action.

Should France have nuked Fort Meade to stop the NSA from infringing on their sovereignty?

I don't understand this line of thinking, it's basically "if we do it, yeah, it's cool. If they do it, it's an act of war against our innocent republic", and you figure everybody will agree to that and not treat your cyber attacks similarly?


>> No one said anything about "go to war", the use of armed force is not "going to war". ???

Consider the US Seal Team military operating in Pakistan where Bin Laden was killed. That was use of armed force, we infringed on Pakistani territorial sovereignty, conducted a military operation and even killed a couple people...I hope you understand that this example of using armed force is not the equivalent of "going to war."


> I hope you understand that this example of using armed force is not the equivalent of "going to war."

It's not a "war" because Pakistan isn't a match for the US. It's very much an act of war, though, Pakistan just chooses to ignore the offense because they can't really do anything about it. That's different with China or Russia. Please don't try landing a Seal team in Moscow to extract some hacker.


The thing you are missing is that every action like that carries a risk of causing a war much larger than the original action. As a matter of fact within military circles even the Bin Laden raid was criticised because almost all other operations were coordinated with Pakistan and since Pakistan is particularly unstable and also nuclear the risk was considered worth it for the value of the target, but there was a major potential for escalation and lots of political capital was expended to quell the reaction to that action.

China is not nearly as constrained by diplomatic inroads or other mechanisms at play (such as cultural considerations) that would vastly change the potential of any overt action against China causing an exponential series of increasing escalations that could end up as a major war.

I'm not excusing China and not saying the US or other western countries should lay down for China's increasingly aggressive diplomatic and strategic actions, but rather that the utmost care should be taken in the response, just as the US is doing in the conflicts going on in the South China Sea and increase in espionage cases.

As an Iraq combat vet who has spent quite a bit of time trying to understand these subjects, my general thought is that I really dislike so many armchair quarterbacks speculating and being so eager to throw away others' lives, even if in the of potentialities such as your suggestion. War is one of the most horrible things humans can ever experience and any avoidance of it should be sought in almost all cases possible. It's also annoying how many of those armchair quarterbacks usually don't volunteer to serve themselves.


>The thing you are missing is that every action like that carries a risk of causing a war much larger than the original action.

I fully understand that. The thing you are missing is that ignoring acts of cyber warfare from a foreign military and/or treating acts of war by a foreign military as a domestic criminal case escalates the risk of causing acts of war much larger than if they were to be nipped in the bud now.

>As an Iraq combat vet who has spent quite a bit of time trying to understand these subjects, my general thought is that I really dislike so many armchair quarterbacks speculating and being so eager to throw away others' lives

I trust you understand there are many uses of force that do not result in lost lives. The very nature of my argument is that the actions of China's military are an act of war and use of force...yet no lives were lost. As I said we should respond proportionately as authorized by the UN Charter and international law...I am not suggesting WW3, nukes or throwing away lives as has been suggested by countless people in this thread.

Just as much as I am admittedly "speculating" that treating cyber warfare by a foreign military will result in escalated attacks...it is also a speculation to suggest China will deescalate their cyber warfare against us.

So the question would fall to you: is the US strategy of treating cyber warfare by a foreign military as crimes going to deescalate China's attacks here?


> don't study international relations and geopolitics

Know quite a few people with these qualifications, they are highly polarized human beings who seem to have trouble discussing politics.


I'm not sure I would want to cause the end of human civilization in response to the breach of a credit report company.

Who said the "end of human civilization"?

I specifically said "respond with the use of force as permitted by the UN Charter and international laws and norms."

It seems clear the people responding talking about all out war and "end of human civilization" don't have much experience with the UN Charter, security council and international laws and norms for the use of force. Generally the legal terms of art I used.

The idea is a proportional response to deescalate future cyber warfare attacks...not end all of humanity.


Given that the US and China are both permanent members of the United Nations Security Council, any vote would just be vetoed though right?

That produces a Security Council deadlock that then opens the door for General Assembly action under the Uniting for Peace resolution, as has happened roughly a dozen times since UfP was adopted in 1951.

Think bigger.

The CCP routinely engages in this class of behavior of salami slicing. Tiny little cuts that unto themselves wouldn’t be cause for aggression.

This is the child poking another. Violence isn’t preferable but if one refuses to correct...


I'd be very surprised if the US isn't performing similar hacks on China. They're probably just better at covering their tracks.

Also plausible is that the Americans don't want to toot their own horn (as the CIA and NSA seldom do) and the Chinese don't want to appear vulnerable and admit they were hacked. The differences in responsibilities to the people that a dictatorship and a democracy have are stark, almost regardless of how broken of a democracy it is.

I am no hacking expert, but the fact that the internet is such an open place and knowledge sharing is so widespread, I would lean to the side that they have comparable hacking capabilities to America. I've yet to hear of a reason why they wouldn't other than the standard " 'Murica #1". And given a dictatorship presiding over a massive economy and a valid raison d'être for such capabilities, there is no reason they cannot fund an equivalent of the NSA.


Think better.

So does the US. If you treat this as an act of war, you automatically classify any cyber operation your operatives have executed as an act of war. Against Russians, against EU countries etc. I don't think anybody really wants that.


It's clearly not the right approach, however the severity of what the breach entails does require a very sharp, adequate response - which hasn't happened yet.

'Doing nothing' (or very little) by no means reduces the possibility of conflict escalation, possibly the opposite.

By declaring such intrusions as an 'act of war' (or maybe something literally just a little less hard sounding) it's a signal to foreign powers of the seriousness of such activities.

There is no doubt that this is a really, really serious act that has to have serious consequences.

In this new 'information era' we have to establish new boundaries. Those boundaries will help establish clarity, validate responses, enable 3rd parties to take a judicial view instead of just a political one etc.

Edit: For the last 30 years, China has been on a fairly exponential path to increasing aggression, there's no reason at all to believe this will not continue to the extent they have the material ability (i.e. supporting economy) unless they are stopped, or it becomes too painful for them to continue. If there is little meaningful response to this action, it will grow 10x. Charging the military staff responsible is the wrong tactic as the state is responsible, not these actors (it may even be against the Geneva Convention), but more importantly, the cost to the state is nothing. Throw a few officers under the bus for a massive attack? That is 'no consequence' to them, and maybe even not said charged officers. There won't be any lack of volunteers. There has to be a pretty comprehensive coordinated response, and definitely not just some artefact/negotiating point in a trade war. The response may include trade, but it shouldn't be part of a tit-for-tat in a trade deal.


This is nuts, there is no way it makes sense to escalate to open warfare over a hack like this.

Hasn't this precedent already been set a long time ago? I had thought cyber warfare acts were common. I would think they would have to specifically shut down large infrastructure before a response beyond this was even considered.

Considering how much crap the NSA has pulled over the years, I wouldn't consider this an "act of war". More so tit-for-tat provoking and power posturing. China knows they are the swingin-big-dick of world manufacturing, not to mention the fact they own a massive amount of US treasury bonds and could jolt the world economy at a moment's notice.

>Considering how much crap the NSA has pulled over the years, I wouldn't consider this an "act of war".

It may not seem like a distinction to some, but I think there is a difference between hacking by an intelligence agency and directly by a military. Now if you disagree, that is fine, but also each hack would need to be looked at on the merits to determine what would be a proportionate response, if any.


I know the recent charges list them as members of the Chinese "military", but I wouldn't be surprised if they also did work under the Chinese "intelligence agency" umbrella...especially considering their skillsets. Since the Chinese gov has such a tight grip on everything, I'd assume that the importance of which internal division is cutting which paycheck is more obfuscated than the US as long as it benefits the country.

Yes, because the solution to Cyber Hacking is WW3, ending with everyone launching Nuclear bombs at each other.

Good Plan.

Personally I am impressed that the War Hawks were unable to persuade the Administration to start a Conventional War over this. Good for them for refusing such an action.


Thankfully they know better and only go for easy (non-nuke) 'prey'.

> The US needs to treat this as an act of war by a foreign military/government, not as a criminal act by people acting in an individual capacity.

Should every CIA black and grey op... And any operation by the NSA be considered by the target country as an act of war, too?

If a government employee hacking some software system is an act of war, then the US has committed acts of war against China, Russia, Germany, France, the UK, etc, etc, etc.

Committing an act of war against four nuclear powers sounds pretty irrational to me... Maybe we should rein those two organizations in a bit, before they get everyone killed?


Are you going to be picking up a rifle and hitting the beach? Chances are you and your buddies will be wiped out by transonic anti-ship missiles hitting the troop transport ship on the way to China.

>The US needs to treat this as an act of war

I'd be careful throwing around wishes like that. Are you sure the US doesn't do similar hacks? I'd much prefer people steal data than damage/penetrate critical infrastructure. (The latter is something that should be treated much more harshly, in my opinion)


If everyone took that stance, the world would be a sterile glowing ember by now.

https://en.wikipedia.org/wiki/United_States_intelligence_ope...


That starts World War 3.

It seems your position is that the response is the trigger, not the initial aggression. How did WW2 start? With Hitler invading Poland or was that fine, and UK/France bear the blame of the WW2 by declaring war on Hitler in response?

Who would you expect to join in on the side of the CCP?

Russia, Iran, NK, a number of countries we ignore in Africa.

Other than NK, do the others have any material alliance with the CCP or is this based on their less-than-friendly stance with the US?

Unsure why they would join a shooting war.


It's a somewhat educated guess if they would, but I meant who answer who might. I personally anticipate an escalation of tensions along NATO / non-NATO lines and exploitation of destabilized regions. It's almost inevitable, classic Thucydides trap combined with NATO.

https://foreignpolicy.com/2017/06/09/the-thucydides-trap/


The belt and road initiative is creating alliances between China and many countries in Africa and Asia.

You don't understand why the government of Iran would resent the US so much that they would contribute military resources to harm the US?

Given their population isn’t a big fan of their governance, and actually holds a positive view of the US, I have sincere doubts to the possibility.

Perhaps aiding and abetting? But an act of war, no.


Depends. Iran has (allegedly) committed what could be constituted as acts of war already. With the US in a heightened state of engagement in direct conflict with China and possibly regional actors, the Gulf of Oman seems like a great place to touch off a regional conflict.

...their population isn’t a big fan of their governance.

Why would you believe this? The last time they didn't like their government, they replaced it with the current government. Even the Ayatollah was pissed off that they mistakenly shot down a plane full of Iranians; they weren't about to curb the relatively limited public demonstrations that agreed with him on that topic.

Oh, let me guess... you learned of the average Iranian's great political discontent from the USA war media. "Wishful thinking disguised as reporting" leads to wishful thinking in place of analysis.


"Russia, Iran, NK, a number of countries we ignore in Africa."

Russia won't, neither will most African nations.

There won't be a war anyhow.


It's pretty clear that the US hacks other countries far more than other countries hack the US. That's why the US has historically been very reticent to agree to treaties that would limit a country's ability to hack.

If that is the appropriate response then everyone would be shooting at everyone else long ago. You think the US doesn’t hack China, or Russia or pretty much every other country?

Haha, we've got lots of publicly documented evidence of US hacking operations against Chinese entities. Should China treat those as acts of war too then?

The US would do better nationalising Equifax.

Are you crazy? That's one step away from a social credit score.

Orgs like Equifax should not exist. I did not consent to this kind of surveillance, I was forced into it because I needed a paycheck and a place to live. Now I'm paying for it because of the incompetence of others - if the U.S. government instead had this power it would become much more difficult to differentiate between incompetence and malice.


I could be crazy, but I’m not certain of the relevance here.

If the US government ran this, you would at least have a chance at congressional oversight. Equifax is largely unchecked in its present corporate state.

I’d argue for a people very dependent on credit, a financial credit score already approaches the burden of a social credit score.


[flagged]


I agree with the first statement, but this could be stated in a more tolerant manner. Attack the idea rather than the person.

Agreed, instead what needs to happen is aggressive implementation of inflicting "pain" in their systems via economic measures. However, unfortunately, democracies around the world aren't stable because the gains from technology haven't been adequately redistributed to society for too long, so the current cracks in foundations would turn into a complete collapse; this is something that Presidential candidate Andrew Yang seems to understand the most, and he is not only ideal but likely the only candidate who is competent enough to manage China's leadership's behaviour appropriately.

> aggressive implementation of inflicting "pain" in their systems via economic measures.

You might find this becomes their Sputnik moment.


I'm not sure I understand what you're saying here: I'd appreciate it if you could explain your reasoning and comparison for me.

I’ll let the Washington Post explain...

“If Washington can cut China off from American technology at will, China will be determined to build its own technological infrastructure, top to bottom.”

https://www.washingtonpost.com/opinions/global-opinions/the-...


It is certainly the right move to charge individuals rather than directly escalating military tensions with China.

Make life miserable for those directly involved and responsible. Next time, others will push back against an order to attack like this because consequences will be personal for them, not just another move in a war.


> Next time, others will push back against an order to attack like this because consequences will be personal for them, not just another move in a war.

You think Chinese soldiers will push back against orders from above because one time the US made the (supposed) perpetrators' lives miserable?

What do you think China will do? Just say "OK, on second thought you don't have to do that"?


No, high-level generals will advise against acts like this, because they will be afraid to lose their real estate in Cupertino, CA.

Whatever investments they have in the US are probably dwarfed by what they have in China.

I doubt any government wants someone working for them that invests the majority of their wealth in an adversarial country.


Look where their kids study and live. Europe is in no danger from Russia because gov and rich kids live and study there.

Counterpoint: Ukraine. Russia had lots of citizens and influence there but still took military action.

> Next time, others will push back against an order to attack like this because consequences will be personal for them, not just another move in a war

I don't think so. People usually follow orders until the bitter end, especially when the government wields as much power as China's.


No, it's the opposite. The activity was directed by the state, the state must absolutely be held responsible.

If this were a rogue state, or rogue actors, or non-state related activity like general corruption, as we see with Russian figures, it might make more sense to go after the individuals.


This is nuts.

a) They are charged with conspiring with each other to this, but simultaneously b) "fits a disturbing and unacceptable pattern of state-sponsored computer intrusions", and in the process they managed to commit c) "conspiracy to commit wire fraud"

None of those 3 things make any sense in the face of the others. How is doing this kind of thing even legal?


The US has no jurisdiction to arrest Chinese soldiers on Chinese land. How could it be illegal? They would become prisoners of war in a war that doesn't legally exist.

> They routed traffic through approximately 34 servers located in nearly 20 countries to obfuscate their true location, used encrypted communication channels within Equifax’s network to blend in with normal network activity

How cool is that. They have been able to grab and correlate netflow from across 20 countries.


It looks like they’re using the common meaning of routing and are implying tunneling instead of actual route hijacking. So finding which servers they’re tunneling to is thorough but doesn’t seem all that impressive.

Did they want to get found then?

I don't think the implication here is 34 hops, but 34 different VPN exits that showed up in log data.
