Many industrial SCADA systems (nearly all) send data from their "OT" systems (PLC/DCS/SCADA) to their "IT" and business layers (Historians/Timeseries Databases, Dashboards, Power BI/etc). This almost always happens through a two-way link (think TCP/IP, HTTP). While the software should not allow data flow backwards, the hardware absolutely does. So how much do you trust the software?
I often advocate that industrial SCADA systems utilize "data-diodes", one-way opto-isolators, or other physically verifiable methods of confirming that no information/data/instructions can get from a "higher" layer (OSI Pi, PowerBI) to a lower layer (Allen-Bradley PLC, Siemens PLC, Emerson DeltaV DCS, etc).
Convincing the powers-that-be to do this has been incredibly impossible in most places and a large reason why I'm trying to transition to a different space - I simply have had ethical concerns about providing engineering services to critical infrastructure without building in best practices.
Stuxnet was over a decade ago - I don't understand how these protections aren't mandated by the DHS already.
Disclaimer: I don't think it's reasonable for non-involved people to assume the OT side has been compromised. I do think Colonial will need some time to verify the integrity of their SCADA systems and it makes sense to keep the power to the physical devices (valves/pumps) offline until they do. I understand why they chose to shut down but I don't think there's any evidence that they'll be unable to start back up again.
Lastly, I saw a quote in one article:
>>> Digital Shadows thinks the Colonial Pipeline cyber-attack has come about due to the coronavirus pandemic - the rise of engineers remotely accessing control systems for the pipeline from home.
I strongly doubt this. It's possible, of course. But it's extremely unlikely to me that employees would have remotely accessed OT/SCADA systems from home. No one I've worked with has had that capability enabled.
Many companies use products which have been shown to have flaws, like Citrix or various corporate VPNs. These could be compromised to get access "closer" to the OT layers but never directly into it.
Onion layer security is very much practiced everywhere I've been.
Edit: I have heard of some petrochemical facilities moving towards allowing operators and engineers to manipulate valves/pumps on their iPhones. This horrifies me for many reasons. I've never actually seen it implemented and I always bring up Stuxnet when I hear people mention it. I personally believe that DHS should make this sort of thing illegal for critical infrastructure. Many good engineers disagree with me.
The government and industry are all talk. Until we see actual enforcement / incentives for secure hardware, just assume everything (and I mean everything) can get shut down at any time. The only people who think this is an exaggeration are those who haven’t seen what things actually look like on the inside.
Can someone please link me to a page that goes into more detail about this secure hardware framework? Not a month from his passing, and we get a national-security-level attack that might have been prevented if US business took more seriously software engineering and security engineering from back then.
Also, I cannot help but wonder if Dan would still be with us if the irretrievably broken US healthcare system was a national system that supplied him with an inexpensive CGM and insulin no matter his employment situation.
Or would this be some other kind of physical interface that took some kind of read-only data (serial?) and sent it up the layers using TCP/IP, where only this box would be at risk?
Edit: looks like you answered part of this below — you suggest switching to UDP protocols.
Firewalls are currently used, and probably generally configured well. Petrochemical companies have a many-layered onion security strategy with minimal communication paths through the firewalls. Generally you might have 4-8 layers of firewalls from public facing internet to the PLC/DCS/SCADA. Administrative people might VPN 1-2 layers deep and engineers would at worst get remote access to the historian, 1-2 firewall layers above the PLC/DCS/SCADA.
It's my professional opinion that firewalls are not good enough for critical infrastructure. Even a completely air-gapped system was hacked thoroughly over a decade ago in Iran (See Stuxnet).
Your suggestion would suffice, if that box ("gateway", in the IoT parlance) was connected with a one way physical connection to the SCADA system over serial or what-have-you. Then it could communicate with TCP using existing application stacks.
I am designing a system like this at my current job, where luckily we are a small enough team so people have genuinely listened to my suggestions about this.
However, good engineers often disagree with me. I may be overly zealous on this particular issue and I take a lot of criticism about how dogmatic I am at times. I'm not a senior engineer by any stretch.
Low, fixed-bitrate transfer over unidirectional fiber optics. Unidirectional transceivers are the norm for long-haul fiber.
My local electrical utility is still running 11.52kbps RS-232 over fiber for exactly this reason. At those bitrates you don't need backpressure -- your disk will never fill up and if the CPU can't handle that bitrate you already have much larger problems.
It's kind of funny that they have sheaths where one strand is running this piddly dozen-kilobit protocol and other strands in the same sheath are doing 10gbit/sec * 16-channel CWDM.
Most electrical utilities are into fiber optics in a very big way; they already (usually) own the poles and unlike copper it's nonconductive. Many of them have vastly more strands of fiber between substations than they need.
The ones I have worked with convert a TCP stream to UDP, send it across the diode, and then convert it back to TCP. Each UDP packet has a sequence number and there is a single reverse-diode that is fired when a packet is missed or arrives out of order that triggers a retransmission of the last N packets.
Apart from this being technologically impossible, if he had really done it he would have been charged with endangering an aircraft and prosecuted. (So the only explanation for why he isn't in prison is that it didn't happen.) The technical reason is that data diodes are common in aviation to separate IFE from the CAN bus or position data (e.g. in the ARINC).
SCADA devices are not read-only.
But a hacker wouldn't be able to use their access to the Timeseries database for supply chain and logistics, to pivot to the SCADA system because their attempts would be blocked by a lack of a physical layer connection in that direction.
It would significantly reduce the attack surface of the OT systems.
That would be like deploying the landing gear of the airliner, because someone triggered a bug while changing the channel on the in-flight entertainment system.
A common example is a SQLServer database of all industrial data that is authorized to share with the enterprise. Grab new and changed data as it arrives on the industrial side. Push unidirectionally to the enterprise side. Insert/update the data in an identical SQLServer. Enterprise users & applications interact normally and bi-directionally with the replica database.
The technology is used routinely to provide access to industrial data that enables business efficiencies, without providing access to the industrial systems that produce the data.
For more info see: https://waterfall-security.com
The US government term of art for this pattern is a “guard”, often with a regex or manual filter.
The inside (isolated) server would poll everything, store it into a buffer, and send that buffer (plus error correction) out through an optoisolator to other server.
The outside (internet facing) server would then keep up with the ring buffer, and serve requests, and do any outbound push of data via any protocol required.
A system to do this could be made with a pair of raspberry pi computers and a little bit of discrete components for less than $150 in hardware costs.
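The two sketches in this thread of how data crosses such a link (convert the stream to UDP, number every packet, and let a single reverse signal trigger a replay of the last N packets; and the inside node that polls, buffers with error correction, and pushes through an opto-isolator to an outside node that keeps up with the ring buffer) fit together as one small simulation. This is an added illustration for the thread, not code from any commenter or from any vendor's product; the frame layout, the ring depth, the CRC as the "error correction", and the software-injected loss are all assumptions made here.

```python
"""Simulated one-way (data-diode) link with sequenced, checksummed frames.

Added illustration for this thread, not code from any commenter or product.
Assumptions made here: frames are small UDP-style datagrams; the only path
back toward the inside is a single NAK pulse (modelled as a bool) that asks
the sender to replay its ring buffer of the last RING_DEPTH frames; loss and
corruption on the fibre are injected in software via the `drop`/`corrupt` sets.
"""
import struct
import zlib
from collections import deque

HEADER = struct.Struct("!IH")   # sequence number (u32), payload length (u16)
RING_DEPTH = 8                  # frames the inside node keeps for replay


def encode_frame(seq: int, payload: bytes) -> bytes:
    """seq || len || payload || crc32(seq || len || payload)."""
    body = HEADER.pack(seq, len(payload)) + payload
    return body + struct.pack("!I", zlib.crc32(body))


def decode_frame(frame: bytes):
    """Return (seq, payload), or None when the frame is truncated or fails CRC."""
    if len(frame) < HEADER.size + 4:
        return None
    body, (crc,) = frame[:-4], struct.unpack("!I", frame[-4:])
    if zlib.crc32(body) != crc:
        return None
    seq, length = HEADER.unpack(body[:HEADER.size])
    payload = body[HEADER.size:]
    return (seq, payload) if len(payload) == length else None


class InsideSender:
    """Isolated side: polls the OT data source and pushes frames outward."""

    def __init__(self):
        self.seq = 0
        self.ring = deque(maxlen=RING_DEPTH)

    def send(self, payload: bytes) -> bytes:
        frame = encode_frame(self.seq, payload)
        self.ring.append(frame)
        self.seq += 1
        return frame

    def replay(self) -> list:
        """The only thing the reverse pulse can trigger: resend the ring."""
        return list(self.ring)


class OutsideReceiver:
    """Internet-facing side: reassembles by sequence number and never talks
    back except through the NAK pulse (the boolean returned by accept)."""

    def __init__(self):
        self.received = {}      # seq -> payload
        self.highest = -1       # highest sequence number seen so far

    def accept(self, frame: bytes) -> bool:
        """Store the frame; return True when a replay should be requested."""
        decoded = decode_frame(frame)
        if decoded is None:
            return True                     # corrupted: ask for a replay
        seq, payload = decoded
        if seq in self.received:
            return False                    # duplicate from a replay
        self.received[seq] = payload
        new_hole = seq > self.highest + 1   # a frame in between was lost
        self.highest = max(self.highest, seq)
        return new_hole

    def missing(self) -> list:
        return [s for s in range(self.highest + 1) if s not in self.received]


def transfer(readings, drop=frozenset(), corrupt=frozenset()):
    """Push readings across the simulated diode; return (delivered, nak_count)."""
    sender, receiver = InsideSender(), OutsideReceiver()
    naks = 0
    for i, reading in enumerate(readings):
        frame = sender.send(reading.encode())
        if i in drop:
            continue                        # lost on the one-way fibre
        if i in corrupt:
            frame = frame[:-1] + bytes([frame[-1] ^ 0xFF])   # damage the CRC
        if receiver.accept(frame):
            naks += 1
            for old in sender.replay():     # replay still flows inside -> outside
                receiver.accept(old)
    delivered = [receiver.received[s].decode() for s in sorted(receiver.received)]
    return delivered, naks


if __name__ == "__main__":
    sample = [f"flow_gpm={1000 + i}" for i in range(20)]   # constructed readings
    print(transfer(sample, drop={5}, corrupt={12}))
```

Two properties of the design are worth noticing. The reverse path carries no data at all, only "replay", so nothing on the outside can use it to push a command inward; that is the whole point of the arrangement. And a hole is only detected when the next frame arrives, so a lost final frame (or a burst longer than the ring) is never recovered; a real deployment would add a periodic idle frame so that silence itself is detectable.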
A webcam? Second hand, but that's what I was told a dam operator was using as a "grass-roots" solution a while back
"OT" vs "IT":
"Operational Tech" (pipeline and safety-critical monitor and control)
"Information Tech" (payroll, email, other business stuff)
I could only imagine trying to tell a large corporation that their "IT" authentication system can't be linked to the access card keys for the front gate, or whatever other physical security they might have in place.
It doesn't matter if we can formally prove that a remote access system is sufficiently secure as to allow engineers to operate valves and pumps from home... For inevitably, some months from now, a wildly insecure utility will be connected to that, and you lose the ability to reason about how to keep the streams from crossing.
That said, determining whether or not a system was compromised can be incredibly difficult. I'm sure they'll face massive pressure to turn the pipeline back on as it does supply almost half of the east coast with oil. I wouldn't want to be the person who has to make that call when it's impossible to prove a negative.
CPC had two explosions a few years back which caused gasoline shortages in New England; that may provide an indication of the scale of disruption to expect.
I'm quite surprised and comforted to hear that the leadership there is competent and knows how to manage people. I've heard from friends/acquaintances who have worked in the energy industry about how terribly things are put together on an IT front (PG&E being a prime culprit), so I was expecting the same here.
I really like your "data-diodes" concept. Interested to see if such a thing takes off especially as these attacks evolve.
I can't speak to non-electrical infrastructure, but the NERC CIP "high impact" standards already make it largely impossible to operate critical electrical infrastructure from anywhere other than a secured control centre. Operating from your laptop or iPhone from the kitchen table is however allowed for "low impact" assets like small power plants.
However, a write-only ROM system is possible as long as the ROM chips were reasonably affordable and a company could provide reasonable turnaround times for small modifications. That would move the target of vulnerability up the supply chain.
Some of the things which matter though are necessarily run-time variables like "is the valve commanded open or closed?" and "what are the tuning parameters for this PID control loop?". It's always theoretically possible for a buffer overflow/rowhammer/etc to flip the bit responsible for the valve's open/closed command. Even with an OS/Application stack burned into ROM. You still need RAM.
At least power cycling a readonly-storage device would remove any malicious RAM changes.
I did say ROMs, but you can also use EEPROMs, which are erasable in-circuit, and you certainly put a physical write-enable in that circuit. Ideally, it would be a momentary push-button that has to be pushed in person on-site.
Back in college we used EPROMs, which are erased by putting them for 20 minutes or so under a UV lamp. EEPROMs came out later.
With a pipeline, if sections operated autonomously but cooperated with each other, and one goes berserk, its neighbors will shut down, but they won't be damaged. The repair work only has to repair the one section.
People driving cars are essentially doing what is best for themselves individually (within the bounds of the law), and that ends up translating to something that works for the whole. With a pipeline, that might not work: If pressure gets too high in one area, it might take highly coordinated control across thousands of miles to bleed off contents into buffer tanks & ease pressure a dozen segments away.
I'm not saying that couldn't be done. I'm sure the SCADA systems could be isolated from each other in this way; it just seems like it would require a lot more difficulty with explicit coordination between technicians, not a self-organizing system such as with driving on a highway.
I used to work in fabs and every couple of years some tool or other would get a virus, sometimes it spread through the network.
You can't eliminate the possibility of malicious action, Stuxnet proves that. It's my opinion that at least for critical infrastructure we can probably make things much more difficult for our adversaries at a relatively low cost. This pipeline is purported to carry half the gasoline/diesel/heating oil to the east coast, but I'd be lying if I said I knew exactly where the cost-benefit equilibrium should land.
Or worse - rapidly open & close valves in rhythm, and the water hammer effect (the inertia of the petroleum in the pipeline) would cause the pipeline to destroy itself. The repair costs would be astronomical - you'd naturally have to repair the damaged sections, but then also re-test all the welds to see if any had been weakened by the pressure pulses.
Onion-layer security rather than air gaps. Communication through the firewall isn't supposed to allow control over the valves, but it does communicate both ways (TCP/IP). This is the general practice in petrochemicals, at any rate.
Think what would happen if the autopilot suddenly went berserk and did a hardover.
I haven't seen any evidence that the "OT" side of their network was compromised in a way that would cause physical damage, a la Stuxnet.
I could imagine a situation where information from another network (e.g. orders or incoming flows from another customer or user) is necessary to run the pipeline but unavailable to the pipeline control system.
>Colonial has not given any public indication as to the reach of the ransomware outbreak, but Robert M. Lee, chief executive of cybersecurity firm Dragos, said he believed Colonial's operations network was shut down proactively "to make sure that nothing spread into those systems."
(To a first approximation, generic == less interesting and specific == more interesting on HN: https://hn.algolia.com/?dateRange=all&page=0&prefix=true&sor...)
We need to move to using physical layers where data can only be transmitted in one direction (and then use something like UDP)
Being at the center of an international incident is probably not good for business.
Dennis: "How the hell do you have money to pay people on the darkweb Charlie?"
Dennis: "Oh god dammit, KittenCoin? You did that huh? Alright, checks out. Anyways, so then what happened?"
Charlie: "Well then I didn't really know what we were doing still, so I just emailed the file the Russian kid sent me to your email, but I totally messed up the address cause my fingers were all sticky with peanut butter at this point and-"
Dennis: "WHY WERE YOUR- You know what, not only do I not wanna know, but I'm also gonna take a stab at how this story ends. Charlie, are you telling me you made a scam cryptocurrency and then used the profits to pay some sketchy Russian hacker for a ransomware virus which you then emailed to a random address with a subject line something along the lines of "FOR FRIEND, IMPORTANT FILE, FOR PLAN, GIVES MONEY", which obviously enticed the random receiver to open said email, promptly starting a massive email worm that managed to spread its way into the government's oil pipelines?"
Charlie: "That's... Uh, yeah, yup, yup, that's pretty much spot on dude, I'm pretty sure."
Also French has an official body that authorizes words.
This is pedantic and adds no value. In what sense could the precise definition of "nation state" matter? In this context everyone understands the phrase in exactly the way it's meant -- a resourceful national government.
Some people can’t stop fighting “blasphemy,” even if they aren’t in a classic religion.
These are well dispersed throughout the world...
I don't think there's any evidence this was state-sponsored, or even state-approved, but "oh there's better things to do" is not a good argument in the least.
Also shouting 'No Evidence' is a typical tactic the propagandists use to cast doubt and muddy the waters; surely the attackers would love to see what evidence is available, so they can adapt - that's why evidence is largely kept private.
What makes you think propagandists on our side would never use lack of evidence to make whatever they want up, and cite your exact reason as justification?
This is medium-scale hooliganism in the sense that the end result isn't going to accomplish more than a dedicated idiot with a toolbox, and a grudge against gas pipelines couldn't achieve. IT will clean things up, operations will resume, life will go on.
Not to mention that this gives the industry another, rather low-stakes kick in the ass to take IT security seriously.
By who? People who never provide evidence for their claims?
> There will be other things happening because of this and this could impact other nations in a positive manner.
While it's certainly possible that the FSB is playing 59-dimensional chess, here, hoping for a true butterfly-effect sequence of causality, I think the onus is on you to demonstrate that.
By lots of countries. The US charged 4 Chinese military officers for hacking Equifax.
> While it's certainly possible that the FSB is playing 59-dimensional chess, here, hoping for a true butterfly-effect sequence of causality, I think the onus is on you to demonstrate that.
You seem to think that it would require multiple things to fall into place to benefit a foreign country. Say you want to manipulate the price of the fuel. Increasing the costs of transport would do that.
This isn't even a blip on the radar of global fuel prices. It is completely lost in the noise.
Or the OPM, since it was kind enough to have lists of 'all spies operating abroad' on its intranet. Whoops.
I mean, you could also just pose as a landlord or employer, and ask for credit checks on them, it costs ~$30 per query, but it is what it is.
If the FSB really wants to increase demand for fuel, they should try stalling a junker or two on an interstate bridge... Imagine the fuel wasted from all the cars idling, or taking detours!
End of the story is intelligence agencies around the world have been bulking up for cyber warfare for at least a decade. Russia and China have been fingered repeatedly for cyber attacks. It is not completely outlandish that one of them is behind it for whatever reason. I'm pretty sure the entire point of these agencies is that we don't know what they do or why they do it.
If they want to go overkill, they can additionally use a public VPN account purchased using walmart giftcards bought on ebay using a stolen identity and then mailed overseas.
They can also perform the hack using a brand new computer that they never use again afterward.
It just seems to me like the attacker has most of the advantage here if they know what they're doing.
One way is to look at any tools and artifacts used/deployed - it's not common that only "off-shelf" tools are used, and as soon as there's anything custom, most likely it's not a one-off thing that never ever appears anywhere else; if you got it from someone, that's a potential lead; if you wrote it yourself, you're likely to use it (or a modified version) elsewhere, so if you make a mistake in one "gig" then it can relate to all your other activities as well.
Another is people - those things are often not done alone, and people talk, especially if they get detained for something else. And last but not least, the money trail sometimes leads to results as well.
But the key thing is that even if you do everything securely enough, it can work once or a couple times if you're careful enough, but nobody is careful enough to sustain proper opsec all the time, everyone makes mistakes every now and then. These things often take years to resolve, but the legal system has sufficient patience to link something done five years ago to a mistake you'll make next year.
There's sort of an asymmetry for an attack - that if the defender closes 99 vulnerabilities but leaves one, that one is enough for an attacker to get in; but there's a similar asymmetry for detection; if the attacker hides their trail in 99 ways but leaves one, that one is enough to find them afterwards.
PSA: There are known traffic correlation attacks against Tor. It's not magic security dust you can sprinkle on a system. If you're doing thoughtcrimes, assume any G10 intelligence service can track you down. (If you're into extortion, human trafficking/exploiting children, or financing/advocating violence against civilians, then Tor is totally magic and is 100% guaranteed to make you invincible. Tor is all you need a-hole.)
Tor intentionally makes latency-privacy tradeoffs to make web browsing usable. I'm not familiar enough with Tor internals, but I believe applications have no control over these tradeoffs.
Anyone know if I2P allows applications to adjust latency/privacy tradeoffs? (Conceptually, you want your store-and-forward mixnet to use a priority queue for each hop, setting a deadline when each message arrives, and filling the pipe with expired messages first, and then non-expired messages in uniform random order. Applications more tolerant of latency get their traffic spread over a longer window. Per-hop latency targets should allow applications to avoid hop-to-hop correlations in latency targets.)
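The per-hop scheduler sketched in the comment above (stamp each message with a deadline on arrival, send expired messages first, fill the remaining slots with unexpired messages in uniform random order) can be written down concretely. This is an added illustration of that idea, not I2P or Tor code and not the commenter's; the fixed number of link slots per send interval and the per-message latency budget are assumptions made here.

```python
"""Per-hop deadline scheduler for a store-and-forward mix.

Added illustration of the scheduling idea from the comment above; it is not
I2P or Tor code. Assumptions: each message arrives with an application-chosen
latency budget, the hop derives a deadline from it, and every send interval
offers a fixed number of link slots. Expired messages go first (earliest
deadline first); leftover slots are filled with unexpired messages picked
uniformly at random, so traffic with a larger budget is spread over a longer
window and departure order is decoupled from arrival order.
"""
import heapq
import random
from dataclasses import dataclass, field


@dataclass(order=True)
class Queued:
    deadline: float
    msg_id: str = field(compare=False)
    payload: bytes = field(compare=False, repr=False)


class MixHop:
    def __init__(self, rng=None):
        self._heap = []                     # min-heap keyed on deadline
        self._rng = rng or random.Random()

    def enqueue(self, msg_id: str, payload: bytes, now: float, latency_budget: float):
        """Stamp the message with its deadline as it arrives at this hop."""
        heapq.heappush(self._heap, Queued(now + latency_budget, msg_id, payload))

    def pending(self) -> int:
        return len(self._heap)

    def drain(self, now: float, slots: int) -> list:
        """Pick up to `slots` message ids to forward during this interval."""
        out = []
        # Phase 1: anything past its deadline, earliest deadline first.
        while slots > 0 and self._heap and self._heap[0].deadline <= now:
            out.append(heapq.heappop(self._heap))
            slots -= 1
        # Phase 2: fill what is left with a uniform random sample of the rest,
        # so an observer cannot read arrival order off departure order.
        if slots > 0 and self._heap:
            k = min(slots, len(self._heap))
            idx = set(self._rng.sample(range(len(self._heap)), k))
            chosen = [q for i, q in enumerate(self._heap) if i in idx]
            self._rng.shuffle(chosen)
            self._heap = [q for i, q in enumerate(self._heap) if i not in idx]
            heapq.heapify(self._heap)
            out.extend(chosen)
        return [q.msg_id for q in out]


def demo() -> list:
    """Constructed scenario: three messages with different latency budgets,
    drained one slot per tick once two of them have expired."""
    hop = MixHop(random.Random(7))
    hop.enqueue("interactive", b"...", now=0.0, latency_budget=1.0)   # due at 1.0
    hop.enqueue("bulk", b"...", now=0.0, latency_budget=30.0)         # due at 30.0
    hop.enqueue("mail", b"...", now=0.5, latency_budget=2.0)          # due at 2.5
    return [hop.drain(now=3.0, slots=1) for _ in range(3)]
```

Run `demo()` and the expired messages leave in deadline order before the still-unexpired bulk message, whatever the random seed. Letting the application set the budget per hop, as the comment suggests, keeps the latency targets at successive hops independent, so timing at one hop gives little away about timing at the next.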
The really hard part is that you need to have gotten it right some years ago already.
I remember reading the other day that a bitcoin tumbler operator was charged with money laundering. The way they got to him was tracking the initial funds that started the tumbler, which were purchased from an exchange and not obfuscated.
There are all kinds of things you can get wrong: your build tools could accidentally store compromising meta data in your malware; payments from previous campaigns could be tracked, a single non-TOR access to the command&control infrastructure could get you busted, as could a single login to an email provider you used to communicate with somebody related to the ransomware operation.
All in all, if you have a larger team, the chances of at least one person messing up aren't too small, and then it's a matter of the investigators pouring enough money and attention into the case to find it.
That's not to say that it is impossible to hide from them, but it's never simple, when they're actively looking for you.
One can suspect a healthy percentage of Tor nodes are operated by Governments as TOR was developed and released by the US Navy.
Not even close. Tor kinda secures one aspect of very many, but kinda doesn't.
It attracts attention: Governments actively try to defeat Tor. And if they are looking for a criminal, they might look first at Tor users. In fact, they collect data on Tor use before a crime is committed.
The US government will have to respond to deter others. They have "poked the bear".
In practical terms there needs to be something special about the cyberattack for the government to devote any resources towards it.
There are cyberattacks and then there's going after the most important domestic energy line of a superpower.
This is quite different from your run of the mill cyberattack, they're not all created equal.
It all depends on the attention these attacks get. Now that they've had a tangible effect on the news cycle, creating concern about the safety of US energy infrastructure, there will be more incentives for the Government to hunt them down and get credit for doing so.
I think I read somewhere that China-based attackers have already penetrated networks of major US infrastructure systems but didn't do anything because what's the point of wreaking havoc now? Better wait for more opportune times.
Which also seems to indicate that this may not be a Nation State... they would be after a bigger prize than some bitcoins.
Maybe it's another government, trying to sow chaos, disrupt markets, test US response capabilities, etc.
It's just a very profitable business model.
Ancillarily, it's not evident this cyberattack actually compromised the industrial controls, but rather trashed the administrative system controlling the controls.
This means truck drivers hauling 45,500+ lbs of an extremely flammable liquid aren't required to sleep.
I worked in the supply chain industry for a few years, dropping these restrictions is unheard of. My instinct tells me this issue is a lot worse than it seems now.
It's offloading the risk to drivers to benefit these companies first and foremost, which is ridiculous. The cherry on top is the article pointing out even with the extra hours they won't be anywhere near meeting demand...
On the bright side, these guys will be making mega-bucks on overtime, provided they can stay awake. coffee and no-doz will only take you so far.
I.e., the issue isn't that drivers transport fuel, but that possibly tired drivers do so.
Nobody in trucking gripes about limited working hours. The current hours per week available for work are more than enough to work at an unsustainable rate of sleep. What everyone bitches about is the electronic logging requirements that prevent them from cooking the books in order to account for delays that happen over the normal course of business. Because people can no longer cook the books they do other things that increase risk.
For political and optical reasons the DOT can't exempt them from e-logs to make their lives easier. So they just exempt them from all of it. They're basically saying "if you're gonna push yourselves we'd rather you cut the smart corner and work a 12hr day than drive around like maniacs trying to fit X hours of driving in a Y hour window."
Normally the pipeline would pump huge amounts of fuel around to various distribution centers where trucks and tankers would then haul it the last leg to e.g. gas stations and other end users. Now there will be far fewer distribution centers to pick up the load from, and much longer distances to drive to deliver the product.
Naturally a pipeline has much greater capacity than a string of trucks, not to mention the impacts on traffic and safety concerns that go with pushing the truck drivers that far. The limited number of distribution points with the pipeline offline will probably have a logistical impact as well since there will be an imbalance re: how many trucks are arriving to get filled up.
Obviously not as bad as an actual compromise of the control systems though, which presumably could cause leaks, explosions, etc.
Production data (like gallons per minute of flow through the pipeline) must be sent from the controls to the business analytics software. That's generally done through a firewall over TCP/IP.
I have only witnessed this once, at a wastewater treatment plant, so very anecdotal.
They likely could have kept running the pipeline without incident.
I imagine when the government stepped in they decided to dial their procedures up to 10 and they plan on making an example out of this incident and the perpetrators.
Once they get in to the internal network, they could possibly have access to anything. Most organizations don't follow good practices for internal services and there's all kinds of unauthenticated crap that's accessible to anyone who knows where to look.
If it's really a ransomware attack, they could have taken over some internal system, or maybe just locked out remote access. We will need to know more, but at first glance it doesn't look very good.
U.S.'s Biggest Gasoline Pipeline Halted After Cyberattack - https://news.ycombinator.com/item?id=27086403 - May 2021 (190 comments)
re: "infiltrated Colonial's network"
I have been reading some of the other reports of this incident from different publications.
Many of the stories include a line about attackers downloading "100 GB in only 2 hours" as if that was being downloaded from the company's on premises servers.
Eventually I found a story that disclosed the data was actually downloaded from a cloud provider.
In the cloud you can stop your whole VM estate, nuke roles and access and pull an audit trail and access logs for everything in a few minutes. Without even getting off your butt. Or having to negotiate with a branch office IT team who disagree with you.
In the 20 or so years I’ve been running ops for corporates, the cloud is the nearest we’ve come to half decent DR and emergency response capability. It has got to the point now where compliance and audit is built in and I can actually write some code here and there rather than arguing about trivial stuff like “what happens if X happens” with people who are only in it for the pension.
Meanwhile, I can unplug one cable to isolate our site, and everything that isn't a cloud service is pulled offline. (And delightfully, almost all of it would still be independently operational until I plugged it back in, too.)
And yet they don't give the URL.
I wanna see this page. Does anyone have it?
A little tedious but there is lots of commerce on onion sites, and a lot of valuable information in general that I've never seen anywhere else, so it can be worth it.
Best to use a personal device.
Conti: conti.news & htcltkjqoitnez5slo7fvhiou5lbno5bwczu7il2hmfpkowwdpj3q2yd.onion
Here is a text dump of their press page https://pastebin.com/fxJCaUDq
I think commerce would greatly improve if other networks had Tor clients, especially because of the stablecoin and private stablecoin availability as of this year. All EVMs as well as Tendermint networks have no out of the box solutions for Tor nodes and connectivity. But they both have ways for ERC20 tokens to have a great degree of privacy. One Tendermint network called Secret Network has private smart contract execution, and a variety of bridges. So as all tokens are smart contracts the metadata and variables would not be visible onchain.
sDAI would be more useful for commerce if the nodes and wallets could easily resolve over Tor.
Is anybody working on that?
I smell a business opportunity... Kick off a ransomware attack and accept Bitcoin or a Shitcoin at a 30% discount.
Some shitcoins have such little liquidity... a 50k buy would push their price off by hundreds of percentage points. You can even refund their money back after they pay... a modern day pump/dump.
The thing about being an ethical player in unethical markets is coming up with ideas that could make you richer but not wanting break laws / be a terrible person.
AccountA has bought or owns the illiquid asset using clean money, in advance. AccountB has the ransom proceeds in the more liquid digital asset. AccountB eventually buys the illiquid asset and pumps it. All the blockchain detectives are still following AccountB across many more addresses and blockchains, hoping and praying and imagining that one of the touched accounts needs fiat so that a human identity can be assigned to the funds. But that never happens. AccountA has the 8,000% or other arbitrarily high gain and nobody can distinguish them from any other crypto trader, as these kinds of gains are commonplace. All the trading can (and should) occur onchain without any financial intermediary, as there would be no transaction size limits or issue moving the funds, compared to odd activity on a business' centralized custodial exchange.
AccountB connected accounts are saddled with the illiquid asset. Maybe organic growth has occurred from fear of missing out and AccountB can resell, but that is just an embellishment and icing on the cake.
AccountB connected accounts can also create the liquidity pool, or create the yield farming opportunities to incentivize others to join the liquidity pool. And if AccountB really never cares about the funds, they can also burn the bearer liquidity pool share, providing confidence to the market that they can always trade at high volumes onchain.
Seems like they either 1) sell periodically or as the asset's value appreciates, but this is generally unreliable and tough, or 2) create a liquidity pool or yield farming opportunities.
For 1, this isn't necessarily reliable but it seems like the most plausible popular case. For 2, given the previously mentioned challenge of the illiquid asset, how does it work to provide incentive in liquidity pooling and yield farming?
Note that I'm less well aware of the mechanics of 2, so perhaps it's also a fundamental ignorance issue.
If it must be said, AccountA is yours too and is just for reintegrating the illicit proceeds into the economy without trying to do something more convoluted like running a permissionless SaaS business with fake customers spending Monero for domain name lookups.
But, AccountB can attempt to make its assets more liquid again. You just go on Telegram and pump it in speculator groups, buy off some youtubers. How much are you laundering? You can keep a few thousand dollars in liquidity for negotiations. AccountB should also provide liquidity itself. Just launch a yield farm contract, copy and paste, change the input and output token address, redeploy, lock a substantial portion of the illiquid token inside of it (or pay off a more coveted yield farming project like Pancake or Polygon to list a farm and pay farmers in their token). Make the yield high.
My understanding is, accounts A and B are both controlled by the same person/group. Account A always deals with clean money and pretends to do speculative investing; account B uses dirty money to pump illiquid assets. An example scenario, as a simplified list of transactions:
| Time | From | To | Amount | Note |
| 0 | Pocket | A | 10 $GOOD | Initial investment. |
| 0 | - | B | - | Created account for criminal activity. |
| 10 | A | Market | 10 $GOOD | Exchanged liquid $GOOD for illiquid |
| 10 | Market | A | 1000 $BAD | $BAD at 1:100. |
| 100 | Victims | B | 3000 $GOOD | Crime - e.g. ransomware payments. |
| 150 | B | Market | 3000 $GOOD | Buying up $BAD to generate interest and |
| 150 | Market | B | 1500 $BAD | pump its value. |
| 200 | A | Market | 1000 $BAD | Buying back $GOOD for temporarily liquid |
| 200 | Market | A | 5000 $GOOD | $BAD at 5:1. |
| 500 | B | Market | 1500 $BAD | If $BAD didn't collapse, recovering some |
| 500 | Market | B | 100 $GOOD | of more stable asset at 1:15; can be used |
| | | | | to repeat the trick later. |
AccountA is just a speculator. Stuff you speculate on right now has other accounts pumping it from funds that just appeared out of Tornado.cash, or were just swapped from Monero. There is no way to distinguish between you controlling those or someone else, and there isn’t probable cause from this behavior to investigate the accounts that appeared with funds from obfuscated sources. Just some OPSEC considerations.
EVM is "Ethereum Virtual Machine", a similar concept to the JVM "Java Virtual Machine". EVMs are one of the most common technologies for deployment of arbitrary execution within distributed networks. These kinds of functions and applications are colloquially called smart contracts. The biggest distributed network with this technology is simply called "Ethereum" or "Ethereum mainnet". But any code deployed on Ethereum mainnet is deployable on any other EVM environment, such as Polygon, Avalanche, Binance Smart Chain, Tron, Ethereum Classic, Hashgraph, or Quorum, which was stewarded by JP Morgan for a few years for internal enterprise use.
The other common smart contract network is Tendermint, also colloquially referred to as Cosmos.
There are a couple of standard classes with a certain protocol of functions on all these networks. One standardized class is called ERC20, which is a fungible token standard. Deploying this kind of class ensures that you have created an asset with a name, ticker symbol, quantity, and a transfer function. Therefore ERC20 is just a quick way to refer to an additional asset. Assets that represent something the market wants or is familiar with or is redeemable for something the market likes therefore have certain monetary values associated with them. Some communities representing other networks have different protocol names for the same concept; for example, the Binance Smart Chain community has a token standard called BEP20, which is mostly contrived marketing, but it could also have tweaks to the ERC20 standard; you have to read them. No different than reading the IETF's REST protocol standard for each function, and then seeing how it is implemented slightly differently across different browsers, devices and frameworks.
DAI is an ERC20 asset that maintains convertibility with $1 US Dollar. It is collateralized by a basket of assets, some completely digital assets and some that are backed by real world assets from centralized issuers.
When it comes to ERC20 naming styles, the market has resorted to prefixes for now.
So on the Secret Network (which uses Tendermint/Cosmos technology instead of EVM), assets that enter it from bridges are called sAssets. So DAI that enters the Secret Network would be sDAI, where it will inherit the private nature of the network. Specifically, the current state of the functions such as quantity, transfer(to, from) would all be unknown from looking at the blockchain.
One of the highest growth areas and highly demanded is in building bridges for assets to move between blockchains, particularly Liquidity Pool shares and other asset backed derivatives. If you would like to apply yourself here, the market-based rewards are direct, swift, and very high.
More than what FAANG pays their E5's and L5's.
Rust is good too. I'm not too familiar with the Polkadot ecosystem, but the main thing you need to know is that every financial app that has been popular on EVMs needs to be rebuilt on those other ecosystems. There can be multiple of the same things too, no different than multiple grocery stores in a town, or multiple actual bridges. Nothing unique needs to occur, just more. It's literally a global boom town you don't need to go anywhere for, and your competition would rather argue about how a MySQL database is better for yield farming than a blockchain.
Privacy on the Ethereum network remains just Ether in Tornado Cash.
edit: oh cool Aztec actually transitioned to the Optimistic Rollup. That is different than their prior smart contract and requires new analysis. I recall their article last year or before about doing a "zk zk rollup" and I didn't keep following.
Source? How much are they asking for?
There are only a few cryptocurrency networks with robust Tor infrastructure for now. There should be more but the stewards haven't prioritized it, for the most part many nodes and wallets for other networks are UDP, which is a major hurdle as Tor requires TCP exclusively. Bitcoin and Monero do not have this limitation, but Monero is the only private by default one and has a large mixture set to stay easily obfuscated.
Also, blaming the victim can only go so far.
But it's not victim-blaming to observe that you shouldn't have made it so easy for the thief.
If it's just your valuables that get stolen, then that's unfortunate for you, but at least it doesn't hurt anyone else.
But when other people trust you to keep the safe secure, and are hurt because of your negligence, then it's also not victim-blaming to observe that your negligence caused harm to other people.
- More infrastructure than ever has some exposure to the internet
- Outsourcing at massive scale (probably) makes consistent security screening harder
- There are more programmers in the world than ever and so (probably) there are more black hats, malicious hackers, etc
- As time goes on, there are more and more aging computer systems, thus (probably) there are more and more vulnerabilities in the wild
- As time goes on, systems accrete complexity, thus (probably) there are more and more vulnerabilities in the wild
But yes, I do think cryptocurrency is an important change. Cash is still king when it comes to crime, but crypto does make crossing borders much easier.
Your own jurisdiction and law enforcement have no power on foreign territory; but foreign organizations (state sponsored or not) located there have freedom to penetrate your society and economy. Moreover, foreign governments may deliberately ignore your requests to investigate.
Thanks to technology and to chaotic reactions to modern-day problems (including the covid-19 pandemic), it looks like modern forms of independent sovereign states are very archaic.
Even if you shut down the cashing out infrastructure (exchanges) in the affected countries, it will quickly spring up again in countries belligerent to them. The FATF is the main global body trying to curb this, but my hunch is they will lose this battle long-term.
Imagine if you are on the FATF red list and you announce a free-for-all domestic exchange for local spending. It's free FDI.
Add onto that making it illegal to pay ransoms in BTC, then there's really no value in using it as a ransomware currency. No one is buying it, so all you are getting are some random digits on a piece of paper.
Just like how outlawing drugs ended the drug trade.
When was the last time you drank bootleg liquor? Answer: I don't know of course, but for most people in rich western countries I would think the answer is never.
I think it just depends on the sort of people you choose to spend time with.
If you decide to mess around with a large fractionating column though, do read up and make sure you have a full conceptual understanding of how the chemistry works. Even seemingly benign chemicals can be extremely dangerous to ingest or handle once concentrated. (For example, vinegar. Dilute acetic acid makes for a good salad dressing. Above 90%, contact will leave you with severe burns and scarring.)
It doesn't. It provides C-exec material to significantly increase the cyber defense budget, not overhaul the information system.
For those executives these are two different topics with different budget.
Of course for regular engineers it’s not, legacy infrastructure is probably much simpler to hack than modern one.
>James Chappell, co-founder and chief innovation officer at Digital Shadows, believes DarkSide bought account login details relating to remote desktop software like TeamViewer and Microsoft Remote Desktop.
>He says it is possible for anyone to look up the login portals for computers connected to the internet on search engines like Shodan, and then "have-a-go" hackers just keep trying usernames and passwords until they get some to work.
Nothing sophisticated, nothing difficult, you just need some capital in the bank to buy some leaked credentials someone else worked hard to poke at, that is, some academic security person on a PhD worked hard for months to find some bug in software back in 2014, that turned into code someone else copy and pasted back in 2017, that yielded a dump in 2019 that some other hackers actually probed for some sucker's old login details he probably didn't even realize was in a dump, or might not even use anymore! The only hard work in this story is what that academic did in 2014, and he definitely (probably) had no connection to the criminals who basically got the president to issue a national emergency.
*got the Department of Transportation to...
Further, aren't such blind credential attempts really noticeable if anyone is checking the access logs?
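The question above is whether "have-a-go" credential guessing against an internet-exposed RDP or TeamViewer portal stands out in access logs. It does, if someone is looking: the pattern is a burst of failed logins from one source, often across many usernames (leaked credential pairs or a password spray), sometimes followed by a success. The following is an added example, not code from the original thread or from any product mentioned in it. The log format (`LOGIN FAILED|OK user=... src=...`) and the sample lines are constructed for illustration and do not correspond to any real system or vendor format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical "rdp-gw" gateway format, not a real vendor format).
SAMPLE_LOG = """\
2021-05-07T02:14:01Z rdp-gw LOGIN FAILED user=admin src=203.0.113.7
2021-05-07T02:14:03Z rdp-gw LOGIN FAILED user=administrator src=203.0.113.7
2021-05-07T02:14:05Z rdp-gw LOGIN FAILED user=jsmith src=203.0.113.7
2021-05-07T02:14:06Z rdp-gw LOGIN FAILED user=operator src=203.0.113.7
2021-05-07T02:14:08Z rdp-gw LOGIN FAILED user=jdoe src=203.0.113.7
2021-05-07T02:15:30Z rdp-gw LOGIN FAILED user=mlee src=198.51.100.22
2021-05-07T02:15:41Z rdp-gw LOGIN OK user=mlee src=198.51.100.22
2021-05-07T02:16:10Z rdp-gw LOGIN OK user=jdoe src=203.0.113.7
2021-05-07T03:05:00Z rdp-gw LOGIN FAILED user=svc_backup src=192.0.2.9
2021-05-07T03:05:01Z rdp-gw LOGIN FAILED user=svc_backup src=192.0.2.9
2021-05-07T03:05:02Z rdp-gw LOGIN FAILED user=svc_backup src=192.0.2.9
2021-05-07T03:05:03Z rdp-gw LOGIN FAILED user=svc_backup src=192.0.2.9
2021-05-07T03:05:04Z rdp-gw LOGIN FAILED user=svc_backup src=192.0.2.9
2021-05-07T03:30:00Z rdp-gw LOGIN FAILED user=svc_backup src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z \S+ LOGIN "
    r"(?P<result>FAILED|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
        "ok": m["result"] == "OK",
        "user": m["user"],
        "src": m["src"],
    }


def detect_credential_attacks(lines, window=timedelta(minutes=10), threshold=5):
    """Sliding-window detector over lines in time order.

    Per source IP, keep the failures seen in the last `window`. When they reach
    `threshold`, raise one alert: 'password_spray_or_stuffing' if the failures
    span more than one username, else 'brute_force'. Any later successful login
    from an already-flagged source raises 'success_after_failures', which is the
    event an analyst cares about most.
    """
    recent = defaultdict(deque)  # src -> deque of (timestamp, username) for failures
    flagged = set()
    alerts = []
    for ev in filter(None, map(parse_line, lines)):
        src, q = ev["src"], recent[ev["src"]]
        while q and ev["ts"] - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if ev["ok"]:
            if src in flagged:
                alerts.append(("success_after_failures", src, ev["user"]))
            continue
        q.append((ev["ts"], ev["user"]))
        if len(q) >= threshold and src not in flagged:
            flagged.add(src)
            users = {u for _, u in q}
            kind = "password_spray_or_stuffing" if len(users) > 1 else "brute_force"
            alerts.append((kind, src, len(q)))
    return alerts


def run_sample():
    """Run the detector over the constructed sample log and return its alerts."""
    return detect_credential_attacks(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample, 203.0.113.7 is flagged after five failures across five usernames and then produces a success for `jdoe`; 192.0.2.9 is flagged as single-account brute force; the two-line typo-then-success from 198.51.100.22 is ignored. Real deployments pivot on the equivalent fields in Windows Security event 4625/4624 (logon type 10 for RDP) or sshd logs, and should also group by username and user agent, because credential stuffing spread over many source addresses stays under any per-IP threshold.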
How the hell is some random ransomware gang able to shut down critical infrastructure at purely a software level?
Businesses train and prepare for scenarios that make money, not scenarios that may lose money. I used to do a lot of work related to safety across industries and I can assure you, every business I worked with was only interested in the bare minimum of legally required safety. It was rare to see a business interested in investing resources into things like safety or security vs something that might directly increase their revenue streams.
Without some forcing function to have cybersecurity threats taken seriously, industrials are unlikely to suddenly develop tier-1 security protocols.
I would expect that most companies, even companies whose core product is technology, are not capable of what you describe.
>After seizing the data, the hackers locked the data on some computers and servers, demanding a ransom on Friday. If it is not paid, they are threatening to leak it onto the internet.
So... that constitutes a state of emergency? What data would they have that would be so sensitive? More likely they have hooks deep into the operation of the pipeline and may be threatening to shut it down/destroy it if not paid. Or, rather, they may be having trouble restoring operations without paying the ransom.
Side note/speculation: Will the feds make a move against crypto?
> The emergency status enables fuel to be transported by road.
Usually your only option with a ransomware attack is restoration from backups. So no backups or bad backups means no system.
It certainly sounds like this may be the case given that it’s triggering emergency orders. If so, it is being omitted from official accounts.
* Critical infrastructure should not be allowed to run on Microsoft Windows
* The remote workers, through which the attack was performed, didn't even use a VPN, just TeamViewer and MS Remote Desktop.
In the absence of consumer protection, word of mouth (or the compulsory google results) is key.
Bitcoin is absolutely one of the components that allows for the proliferation of ransomware. The key to a ransom is the ability for the attacker to obtain payment in an way that doesn't put them at risk of being caught. BTC enabled that. In fact, anonymous payments are widely considered to be one of the major purposes of BTC.
If ransomware was a positive thing, then BTC advocates would be talking about how BTC is the key technology that enabled malware to make the transition from hobby/annoyance/weapon to a full-fledged industry.
I wonder how they shuffle it around and eventually convert to fiat.
Is the point to move liquid shipments to trucks/ships because it's safer somehow? or simply to make it so difficult to transport liquid fuels that people quit using them?
I suspect that pipeline activism mostly results in the former.
I'd prefer to see this dynamic produced by carbon taxes so the price difference isn't going back to the fossil fuel companies, but I'll take what I can get.
Also installation of new fossil fuel infrastructure like pipelines implies a long term commitment to the status quo or even increased production which I find unacceptable.
If the neccessary changes were underway there would be zero demand for new pipelines.
Keep your eyes on the oil major folks on twitter to see what happens:
We all know why: companies are chasing profits at any cost, so hiring more people to monitor these systems as they did 40 years ago will lower the execs' bonuses.
The US Gov should make it clear: if you are a critical service and your service drops due to items being on the internet, for each occurrence 10% of your total revenue (including your parent companies') is forfeited.
That will get them serious about security.
This sounds good in theory but suffers from the cobra effect ; you think you’re incentivising security. You’re actually pushing obscurity. Colonial preëmptively shut down its pipe to prevent physical damage. Attach a fine to the discovery and disclosure and you disincentivise that prudence.
Better: make it easier for industry to build securely and incentivise redundancy.
The airgap certainly reduces the chances of getting hit with a joe-random ransomware attack, though. Defense in depth...
But in the end was it really though?
I'd love to read an article on it. Maybe there are others that are geographically dispersed.
You're suggesting the gas company run their own network, and then you assume no employee will connect that network to the general internet for their own convenience? Not happening.
That wasn't an internet trojan, fyi.
I understand there's nonzero doubt as to the credibility of this story.
> Rather than roll up the Line X officers and expel them, Reagan approved a secret plan to exploit the Farewell dossier for economic warfare against the Soviet Union. The plan was to secretly feed the Line X officers with technology rigged to self-destruct after a certain interval. The idea came from Weiss, who approached Casey, who took it to Reagan. The CIA worked with American industry to alter products to be slipped to the KGB, matching the KGB’s shopping list. “Contrived computer chips found their way into Soviet military equipment, flawed turbines were installed on a gas pipeline, and defective plans disturbed the output of chemical plants and a tractor factory,” Weiss said. “The Pentagon introduced misleading information pertinent to stealth aircraft, space defense, and tactical aircraft.”
> Oil and gas equipment was at the top of the Soviet wish list, and the Soviets needed sophisticated control systems to automate the valves, compressors and storage facilities for a huge new pipeline to Europe. When the pipeline technology could not be purchased in the United States, the KGB shopped it from a Canadian firm. However, tipped by Vetrov, the CIA rigged the software sold from Canada to go haywire after a while, to reset pump speeds and valve settings to create pressures far beyond those acceptable to the pipeline joints and welds. One day, the system exploded. “The result was the most monumental non-nuclear explosion and fire ever seen from space,” Reed recalled. The blast was starting to trigger worried looks in the U.S. government that day, he recalled, when, at the National Security Council, “Gus Weiss came down the hall to tell his fellow NSC staffers not to worry.” The explosion had been one of the first fruits of the Reagan confrontation.
It's funny how upset the US public can get about any perceived incursions by the Russians (sometimes true, often not) when you consider the country's own history.
Sue them. Failure to disclose key documents in the discovery phase of a trial carries hefty fines and jailtime. And quadruple the fine for misrepresenting the cause.
People act like the government doesn't have the power of subpoena. They can absolutely compel you to tell the truth.
These systems are RIDDLED with the WORST outdated crap you can imagine. Absolute insane hoop jumping so plenty of pressure to work around security just to get jobs done (seriously - start with the help desk if you want access - they are so used to password resets the procedures become a joke - literally - what's the username and that's it, because if you have thousands of folks on 30 day password rotations with insane complexity all you do is password resets endlessly). Password sharing can also be crazy so passwords float all over.
The govt has had its top stuff leaked. The Office of Personnel Management leaked insanely sensitive stuff. They contract with the WORST folks in security. It's really crazy.
Google has never asked me to rotate my password. I have non-SMS two factor authentication options, they do pretty sophisticated rate and geo monitoring so you are not annoyed but pretty secure.
Cyberattacks, mechanical failures, weather disasters, meteor strikes, terrorist bombs, stupid construction workers ALL could affect this pipeline. People on HN have no risk perspective. Make the system resilient to a proactive few day outage. Why does this system have to run 365 / 24 / 7? Have you mitigated EVERY possible issue - including disgruntled employees? No - then instead of over doing one corner, design some give in the system.
By physical limits I mean us, the wet ware in the middle of all this. These systems can be designed years if not decades before they are actually brought online. By simple temporal placement they get the materials and techniques of that time span. By the time these things are ageing out of the system they will have some old tech on them.
When you do this, the documents never get created. Not due to nefarious cover-ups, but because, if little incentivises the creation of documentation and everything penalises it in the edge case, you get rubber-stamped compliance stacks for decades until a crash.
If one has massive downside for reporting a potential risk, one better be 100% sure that risk is manifest before pulling the trigger. That delay and omission is the cost of such draconianism.
If a communication doesn't exist, it's not discoverable. If you legislate penalties for a certain type of communication, it shouldn't be surprising when it ceases to exist. This isn't the product of cover ups. It's the long-term effect of penalties dissuading the looking into of certain things. If discovering a breach is penalized, nobody competent will look for breaches--that leaves no discoverable liability.
This whole line of reasoning is specious, anyway. It's based on a fallacy that enforcing penalties is just going to make everyone lie their asses off to get out scot-free. Is society so broken that they can get away with this? Come on.
There are counterarguments to this, but they're mostly academic: https://core.ac.uk/download/pdf/228618432.pdf.
Stuxnet, by contrast is very real
Government systems get hacked all the time, too. Just because the government doesn't have a profit motive doesn't change a long list of human motivations that can be counterproductive.
The profit motive also incentivizes improved quality. If the product is bungled, the company is not likely to get the next contract. If the government agency bungles the product, they'll get a budget increase next time.
I would love to see this but somehow I doubt it will happen any more than my pipe dream of holding the CXO and the board criminally liable for the criminal actions of management/employees/contractors/agents of a corporation during the course of their work for the corporation.
It is nice to dream though. I would certainly welcome any kind of accountability.
That said I have heard of customers expressing desire to control valves and pumps using iPhones, and believe there are several initiatives at SCADA/PLC/DCS/System Integrator companies to provide this.
However I've seen as many of those in practice as I have data-diodes, which is to say, none/never.
* What systems are affected by the hack?
* Could the shutdown be needed because of critical data the ICS gets from business?
* Or is it shut down because business needs real-time data from ICS it can't ingest?
My question is, how often are these critical suppliers audited by the federal government? I have worked in banking cybersecurity and the amount of auditing from federal and state regulators is mind boggling. If a single company controls 45% of fuel transport to the east coast, it should carry some designation as a quasi-state entity subject to federal cybersecurity audits like banks.
It seems like cybersecurity and audits of security readiness need to be demanded from any authority over companies operating in sensitive areas.
The problem is that it matters less than we'd like to think how "serious they are about security".
I'm seeing a lot of discussion about the responsibility of the victims to secure their networks, and it's mostly valid.
But it's strange that we're talking about how to punish the victims versus the criminal conspirators. We virtually let the malicious, overtly criminal party off the hook. It's almost like we're saying we expect criminals to be criminals and these guys are so hard to catch that the onus is entirely on the targets to repel their incessant attacks, else they're negligently malicious themselves. Sure, most of these victims can do better in just about every case. But, people here know better than most how difficult it is to 100% secure every layer of the stack from software to firmware to hardware, with multiple vendors and vectors, OSS, zero days, etc. And the bad guys only have to be right once across this broad attack surface. It's impossible to defend completely. There will always be breaches.
So, there's another element of this that has to be addressed, and that's getting serious about punishing these people. As it is, there's zero disincentive for them to just keep trying until they get through, but the upside is massive.
Most if not all of this activity originates from nations that are adversarial towards the US. So, we need to start treating these instances as official sovereign actions, especially when they originate from nations wherein the government and their intelligence services exert control over (and outright sponsor) such criminal schemes, and wield these attacks as a projection of national power.
These regimes also tend to feature oppressive criminal justice systems and harsh reprisals for even political dissidents. So, the message is, "we're not going to argue whether you're sanctioning these acts, but we're also not buying that you can't stop them, so we'll treat each incident as an official act of the state. We're holding you responsible for your criminals when they attack us and we will respond accordingly".
Detailed discussion around exactly how the most recent exploit might be mitigated is interesting and useful. But the balance in these discussions between mitigation and reprisals for the perpetrators needs to be shifted much more towards the latter. Otherwise, we can expect these discussions ad infinitum.
My guess is that they only get serious about security after a breach occurs.
You can view it all as strengthening an immune system. Without attacks, and the occasional successful ones, nobody is going to bother to harden anything.
Obviously I agree about your dissatisfaction with the other proposed solution: that just lets corporate entities put a low (10%) ceiling on what should be unlimited liability, allowing them to say that failing catastrophically by utter neglect to security is reliably a survivable offense (I recognize that in reality the liability of course ends at the dissolution of the corporation.)
I don't know what the actual answer is.
What does that mean?
This was addressed in the article. Critical services are on the internet because remote workers need access to them. I don't see how profits factor into it.
A remote operator can manage dozens of such sites, a single "local" person might be close to one point, but the next control point is going to be miles away, so you either need much, much more people to station one at every valve, or have a situation where flipping a switch in all the "sites" is very slow because requires the "local" person to drive many miles visiting each location.
No, there's a reasonable objective need for this management to be actually remote - there's a discussion on how this should be implemented in a secure way, but it does have to be remote.
And then a sliding scale of risk and cost of getting hacked vs savings and increases in efficiency resulting from remote access.
Are you for or against Tesla having remote access to all of the Tesla vehicles? Are their OTA updates innovative or reckless?
Digital Shadows thinks the Colonial Pipeline cyber-attack has come about due to the coronavirus pandemic - the rise of engineers remotely accessing control systems for the pipeline from home... believe DarkSide bought account login details relating to remote desktop software like TeamViewer and Microsoft Remote Desktop.
Projects that require a security clearance have to be done from inside of a secure facility. This clearly needs to be the same level.
I wonder if that's even true 100% of the time.
It could simply be programmers + feature creep, bolting great wads of software to systems with small value on the margin.
It would be interesting to talk to software people in the gambling business, you'd think that would be Ground Zero for nefarious attacks.
Then once a year a rep could fly out a few terabytes of OTP to each location and all comms would be impenetrable.
Sure beats a parallel physical comms system cost wise.
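The comment above proposes flying pre-shared one-time-pad material to each site. The pad does give information-theoretic confidentiality, but "impenetrable" needs two caveats that the code below demonstrates: every pad byte must be used exactly once (reusing it cancels the key out and leaks the XOR of two messages), and XOR alone gives no integrity, so an attacker who can guess plaintext bytes can flip them to something else without knowing the key. This is an added example, not code from the original thread; the `PadStore` class, the message strings and the pad contents are constructed for illustration, and pad generation with `secrets.token_bytes` stands in for whatever hardware RNG a real deployment would use.

```python
import secrets


class PadStore:
    """Pre-shared pad material; each byte is handed out at most once.

    Both ends hold an identical copy and must stay at the same offset
    (synchronising that offset out of band is assumed here, not implemented).
    """

    def __init__(self, pad: bytes):
        self._pad = pad
        self._offset = 0

    @property
    def remaining(self) -> int:
        return len(self._pad) - self._offset

    def take(self, n: int) -> bytes:
        # Refusing to wrap around is the whole point: a reused pad is no longer a one-time pad.
        if n > self.remaining:
            raise RuntimeError("pad exhausted: refusing to reuse key material")
        chunk = self._pad[self._offset:self._offset + n]
        self._offset += n
        return chunk


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(pad: PadStore, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, pad.take(len(plaintext)))


def otp_decrypt(pad: PadStore, ciphertext: bytes) -> bytes:
    return xor_bytes(ciphertext, pad.take(len(ciphertext)))


def tamper(ciphertext: bytes, guessed: bytes, replacement: bytes, offset: int) -> bytes:
    """Malleability: XORing the ciphertext with (guessed ^ replacement) rewrites the
    plaintext at `offset` without knowing a single key byte."""
    delta = xor_bytes(guessed, replacement)
    c = bytearray(ciphertext)
    for i, d in enumerate(delta):
        c[offset + i] ^= d
    return bytes(c)


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Two ciphertexts under the same pad bytes: c1 ^ c2 == p1 ^ p2, the key cancels."""
    return xor_bytes(c1, c2)


def demo(pad_bytes: bytes = None):
    """Return (round-trip plaintext, forged plaintext, reuse leak) for a given pad."""
    if pad_bytes is None:
        pad_bytes = secrets.token_bytes(64)  # stands in for hardware-generated pad material
    sender, receiver = PadStore(pad_bytes), PadStore(pad_bytes)
    msg = b"OPEN VALVE 07"
    ct = otp_encrypt(sender, msg)
    roundtrip = otp_decrypt(receiver, ct)  # confidentiality works: equals msg

    # Integrity does not: attacker guesses the command verb and swaps it.
    forged_pt = otp_decrypt(PadStore(pad_bytes), tamper(ct, b"OPEN", b"SHUT", 0))

    # Reuse: two senders starting from the same pad offset leak p1 ^ p2.
    c1 = otp_encrypt(PadStore(pad_bytes), b"PUMP A OFF")
    c2 = otp_encrypt(PadStore(pad_bytes), b"PUMP B OFF")
    leak = reuse_leak(c1, c2)  # equals b"PUMP A OFF" ^ b"PUMP B OFF", no key needed
    return roundtrip, forged_pt, leak


if __name__ == "__main__":
    rt, forged, leak = demo()
    print(rt, forged, leak.hex())
```

The forged message decrypts to `SHUT VALVE 07` with the key untouched, which is why a pad-based link still needs a message authentication code (itself keyed from unused pad material) and strict sequence numbering before it protects a control system rather than just its confidentiality.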
Make it a crime to pay the ransom in a ransomware attack.
Make it a crime to fail to report a ransomware attack in a timely manner.
Ransomware attacks (and companies with poor security practices) will go away.
Make it a crime for people to knowingly withhold information about such activities from the authorities.
Abuse of substances, trafficking, and associated criminality will go away.
> Make it a crime to pay the ransom in a ransomware attack.
Ok, so ... what should a company do? File a report with some government agency or with an insurance company and wait until the bureaucratic process maybe results in being able to pay the ransom to resume business operations? Punishing the victim of a crime? Really?
> Make it a crime to fail to report a ransomware attack in a timely manner.
Further punishing the victim of a crime? Really?
> Ransomware attacks (and companies with poor security practices) will go away.
Paying extortionists begets more extortion. The only argument I’m seeing is a bunch of hand waving and people telling me I’m being hopelessly naive. I don’t think I am.
You mean like "18 U.S. Code § 4 - Misprision of felony" ?
It's possible to enable this but knowing the culture at Colonial Pipeline first-hand, I strongly doubt they did this during COVID.
Our over financialization is squeezing everyone and everything.
This is opposed to increased competition (which also increases volatility) in the markets.
The reason why the markets are so consolidated is because it removes short-term risk. If there is an obvious market and only one (or a few) companies involved then everyone makes money (magic, I know). This is why Wall Street lobbies for regulations so hard. They have ownership in all the existing major companies that can afford those regulations and it consolidates the profits (and thus returns). De facto Crony Capitalism at its finest. Your aristocratic oligarchs.
So, stop giving your money to large index funds. (And every time there is a comment on HN telling you to, and there are plenty, downvote them and tell them a proper F-off).
The idea that no one can/should ever lose is what is killing the economy. It got its birth in the boomer-retirement-fund markets of the past few decades.
To recap, it is consolidation for margins that is the problem. That is not the same as general "financialization" (increased trading) that helps increase volatility in the markets and actually increases the size of the economy.
We desperately need real markets and not this crony capitalism that seems self-persistent.
The current system is such a marriage between corrupt politicians and wall street (which is now heavily extended into SV, btw) that it is absolutely disgusting.
Colonial also kept multiple overlapping vendors for their last SCADA upgrade in order to make sure that no contractor was too overloaded during a "boom time". They'd generally stagger the work between locations (they had to upgrade dozens of stations along the pipeline) and keep track of the performance of everyone they hired and try to keep a steady workflow for everyone over a multi-year period.
It was generally not about the lowest bid.
You can achieve the same effect without all the arbitrary political decision-making inherent in this proposal by requiring these companies to buy delivery insurance or something. The insurance company will charge them proportionally to the risk of attack, which will internalize the cost.
On a serious note, sure retaliate, probably don't hurt innocent people.
It might be time to switch to hardware tokens, encryption keys or to enforce fully random passphrases or diceware/xkcd passphrases.
How about, instead of causing harm to innocent Russian people by such pointless escalation, the US makes a serious and meaningful effort to secure their critical national infrastructure. As they should have done in the first place.
I find as world events unfold these last few years I have drifted away from my isolationist/non-interventionist views. I wouldn’t say I’d advocate for a military response (either electronic or physically destructive) at this point, but I wouldn’t think badly of our government if they did something like that.
Americans have become a rather stupidly optimistic/ignorant people. Russia and China will absolutely destroy us if we don’t aggressively counter their military aggression. And that’s what attacks like this are: military aggression. We ought to start acting like it.
“One need not destroy one's enemy. One need only destroy his willingness to engage.”
― Sun Tzu
We can entirely, safely remove Russia from the global Internet and we can do it trivially. That's exactly what we should do if they press attacks too far: isolate them. They have the increasingly government controlled Runet to restrict their people's access to the outside world, we should barricade them in.
Their economy is small, close to meaningless. It's nearly a rounding error at this point in the global economy and it'll continue to shrink in that relationship. The sole thing to be concerned about with Russia is their nuclear arsenal.
At some point, you have to tat.
Sanctions against key people are probably more effective while not causing too much anti-American sentiment in the general population or a rally around the flag effect. Hard to rile up the people because a dodgy oligarch can no longer keep his roubles in a London bank, where Babushka Svetlana freezing to death 'cuz the Yankees cut the gas is a martyrdom event.
We detached this subthread from https://news.ycombinator.com/item?id=27102024.
What an absurd statement. And what do you suggest we do? Attack them and hope they don't respond with nukes?
Thieves are thieves, organized crime is organized crime. You think there aren't major criminal organizations in the US committing ransoms in other countries?
Calling this an "act of war" is of course hysterical.
in light of this:
I noticed this at the time. I heard really loudly about Russia paying bounties on American soldiers, and then so quietly that I might have missed it that there was no evidence for it. It's odd, isn't it?
I think it's already potentially illegal to pay a ransom. Maybe governments could increase those penalties and make it more clearly illegal.
This is the same group advocating for The Great Reset, and predicting people will “own nothing and be happy”.
It does seem like there is a plan in place for the controlled demolition of industrial society to depopulate the planet and solidify a neo-feudal order of rule by a breakaway elite.
When did "legitimate interest" become the thing advertisers^Wtrackers are (ab)using to keep tracking on by default? It's not due to a change in legislation AFAICT; the GDPR hasn't changed in this regard, right?
They are not, and you should know the difference before dragging political nonsense totally irrelevant into the topic at hand.
I know, some people just can’t help themselves but to color everything in a political binary.
And that maybe it would be good to have redundancy, which requires allowing new pipelines to be built. It’s not my fault that that’s somehow a “political issue,” which as far as I can tell means something that your preferred propaganda sources have conditioned you to have an emotional response to that overwhelms any hope of reasoning.
Should have also kept nuclear launch codes on floppy.
>Investigators remain divided over whether there was a spy within the Central Intelligence Agency who betrayed the sources or whether the Chinese hacked the CIA’s covert communications system, the newspaper reported, citing current and former U.S. officials.
>The Chinese killed at least a dozen people providing information to the CIA from 2010 through 2012, dismantling a network that was years in the making, the newspaper reported.
>One was shot and killed in front of a government building in China, three officials told the Times, saying that was designed as a message to others about working with Washington.
Yeah, unless you are suspected of terrorism. I recommend the movie named The Mauritanian.
> Mohamedou Ould Slahi (Arabic: محمدو ولد الصلاحي) (born December 21, 1970) is a Mauritanian man who was detained at Guantánamo Bay detention camp without charge from 2002 until his release on October 17, 2016.
> The book, Guantánamo Diary, was published in January 2015. It is the first work by a still-imprisoned detainee at Guantánamo. It provides details of Slahi's harsh interrogations and torture, including being "force-fed seawater, sexually molested, subjected to a mock execution and repeatedly beaten, kicked and smashed across the face, all spiced with threats that his mother will be brought to Guantánamo and gang-raped."
In a country so large with so many different government agencies, entities, organizations, and interests, just about anything you can think of will have happened at some point. The question is whether it's going on at large scale, whether it's the common practice or rare.
You're trying to use one example to prove that the practice is common, when in fact that's false, it's not common it's rare. It's the exception, not the rule; which is exactly why it makes for an attention getting story.
How do we know it is not happening though? Think about pre-Snowden.
USA doesn't have massive global interest. Maybe its companies, but not its state. USA is a very insular and static system of a state.
It's a good example of what happens in those very few cases when the machine of the US state moves, and what is characteristic of it.
A meaningful political reform will start with somebody starting to uncork it, and forcefully subjecting it to contact with outside world.
Even still, do you expect any intelligence agency to be perfect? I’m not sure what point you’re trying to prove here.
This itself is American propaganda; the strategy is to be absolutely all over your opponents, knowing that they can't complain about it for fear of looking weak, while complaining loudly about how their meagre attempts are the end of the world, getting public and Congressional support for more spending.
Before the Snowden leaks, someone suggesting the US had the SIGINT capacities they actually did have would have been laughed out of serious circles as a crank, and you better believe they haven't sat still over the 8 years since.
It would certainly reduce their enthusiasm for hacking.
In absolute terms I'm pretty sure China has us at sea and in cyber so...
Not the US
>Citing the Office of Naval Intelligence, a Congressional Research Service report from March notes that the People’s Liberation Army Navy, or PLAN, was slated to have 360 battle force ships by the end of 2020, dwarfing the U.S. fleet of 297 ships.
Also, despite the huge waste that is inherent in it, no one has bases like the US does. We have forward operating bases all over the Middle East, geographically separated units all over Eastern Europe, Africa, and the Asia-Pacific, and military bases all over Europe and every key point of the United States. NASA never quite got launches down, but we do have some of the most advanced satellite, imagery and other military instruments. Look up the number of military spacecraft by country.
Whether it's moral or not is an entirely different question, but there is a reason the International Monetary Fund has a 44% USD weighting; it's not because all the other countries like us, that's for sure.
I am not sure what your point is. By number of ships, they are the biggest. I have no idea how important aircraft carrier fleet is.
I.e., who cares if you have the most swordsmen on the planet if you're in a gunfight.
It’s the most important part of a modern blue water navy and has been since WW2. The US also has a world-dominating submarine fleet.
Don't worry I don't take your comments as rude.
Our and our employer's liability for errors is enough motivation to maintain safety at a reasonable level.
Put another way, is there statistical evidence of the efficacy of these regulations in reducing trucking accidents? Not that I could find!
Not Breaking: Citizens’ disappointment in the aforementioned, particularly given their direct contribution to said budget.
The Unsaid: Much of this will not change, unless incentives are realigned.
I'm not sure what technology industry you are in, but in the one I'm in software engineers are fooled by phishing attacks extremely consistently, people routinely expose critical systems and devices to the internet, developers often expose databases with insecure defaults to the internet over well-known ports, customer data gets stolen on a regular basis, etc., etc., etc. Regardless of how one feels about the government, I don't think the average technology company does any better when it comes to securing its own infrastructure.
FAANG: Levels.fyi and personal experience
NSA/CIA: https://work.chron.com/nsa-pay-scale-16399.html and https://www.opm.gov/policy-data-oversight/pay-leave/salaries...