Colonial Pipeline precisely does keep it's control network disconnected from the internet - the only thing that was ransomwared is their corporate network. They shut the pipelines down voluntarily to prevent further spread.
If we define critical system as "necessary to the operation of the business" then the corporate system is absolutely critical. It doesn't matter if the SCADA system is airgapped if you can shut down the capability by crashing the corporate systems.
Their approach makes a lot of sense. Corp network hacked - so to be careful shut down pipeline until you've really made sure that you are fully safe pipeline side as there now may be more attack vectors.
I built some of the SCADA and IT systems for Colonial Pipeline.
Many industrial SCADA systems (nearly all) send data from their "OT" systems (PLC/DCS/SCADA) to their "IT" and business layers (Historians/Timeseries Databases, Dashboards, Power BI/etc). This almost always happens through a two-way link (think TCP/IP, HTTP). While the software should not allow data flow backwards, the hardware absolutely does. So how much do you trust the software?
I often advocate that industrial SCADA systems utilize "data-diodes", one-way opto-isolators, or other physically verifiable methods of confirming that no information/data/instructions can get from a "higher" layer (OSI Pi, PowerBI) to a lower layer (Allen-Bradley PLC, Siemens PLC, Emerson DeltaV DCS, etc).
Convincing the powers-that-be to do this has been incredibly impossible in most places and a large reason why I'm trying to transition to a different space - I simply have had ethical concerns about providing engineering services to critical infrastructure without building in best practices.
Stuxnet was over a decade ago - I don't understand how these protections aren't mandated by the DHS already.
Disclaimer: I don't think it's reasonable for non-involved people to assume the OT side has been compromised. I do think Colonial will need some time to verify the integrity of their SCADA systems and it makes sense to keep the power to the physical devices (valves/pumps) offline until they do. I understand why they chose to shut down but I don't think there's any evidence that they'll be unable to start back up again.
Lastly, I saw a quote in one article:
>>> Digital Shadows thinks the Colonial Pipeline cyber-attack has come about due to the coronavirus pandemic - the rise of engineers remotely accessing control systems for the pipeline from home.
I strongly doubt this. It's possible, of course. But it's extremely unlikely to me that employees would have remotely accessed OT/SCADA systems from home. No one I've worked with has had that capability enabled.
Many companies use products which have been shown to have flaws, like Citrix or various corporate VPNs. These could be compromised to get access "closer" to the OT layers but never directly into it.
Onion layer security is very much practiced everywhere I've been.
Edit: I have heard of some petrochemical facilities moving towards allowing operators and engineers to manipulate valves/pumps on their iPhones. This horrifies me for many reasons. I've never actually seen it implemented and I always bring up Stuxnet when I hear people mention it. I personally believe that DHS should make this sort of thing illegal for critical infrastructure. Many good engineers disagree with me.
Dan Kaminsky spent an enormous amount of time and effort on creating a secure hardware framework 10 years ago. It went nowhere for a lot of the same reasons you discuss in this comment.
The government and industry are all talk. Until we see actual enforcement / incentives for secure hardware, just assume everything (and I mean everything) can get shut down at any time. The only people who think this is an exaggeration are those who haven’t seen what things actually look like on the inside.
> Dan Kaminsky spent an enormous amount of time and effort on creating a secure hardware framework 10 years ago.
Can someone please link me to a page that goes into more detail about this secure hardware framework? Not a month from his passing, and we get a national-security-level attack that might have been prevented if US business took more seriously software engineering and security engineering from back then.
Also, I cannot help but wonder if Dan would still be with us if the irretrievably broken US healthcare system was a national system that supplied him with an inexpensive CGM and insulin no matter his employment situation.
There were a bunch of people who worked with him on this in Taiwan. I don't think anything ever got released publicly, and I think Dan found the whole episode to be so frustrating that he never commented on it much in public.
I’m curious — how would something like a data-diode work in real life? It makes sense, but what about something like TCP where the sending side needs the ability to receive ACK messages? Is a firewall (dedicated, if need be) enough?
Or would this be some other kind of physical interface that took some kind of read-only data (serial?) and sent it up the layers using TCP/IP, where only this box would be at risk?
Edit: looks like you answered part of this below — you suggest switching to UDP protocols.
TCP would not be possible if your physical layer doesn't support two-way communication. I think UDP would.
Firewalls are currently used, and probably generally configured well. Petrochemical companies have a many-layered onion security strategy with minimal communication paths through the firewalls. Generally you might have 4-8 layers of firewalls from public facing internet to the PLC/DCS/SCADA. Administrative people might VPN 1-2 layers deep and engineers would at worst get remote access to the historian, 1-2 firewall layers above the PLC/DCS/SCADA.
It's my professional opinion that firewalls are not good enough for critical infrastructure. Even a completely air-gapped system was hacked thoroughly over a decade ago in Iran (See Stuxnet).
Your suggestion would suffice, if that box ("gateway", in the IoT parlance) was connected with a one way physical connection to the SCADA system over serial or what-have-you. Then it could communicate with TCP using existing application stacks.
I am designing a system like this at my current job, where luckily we are a small enough team so people have genuinely listened to my suggestions about this.
However, good engineers often disagree with me. I may be overly zealous on this particular issue and I take a lot of criticism about how dogmatic I am at times. I'm not a senior engineer by any stretch.
> I’m curious — how would something like a data-diode work in real life?
Low, fixed-bitrate transfer over unidirectional fiber optics. Unidirectional transcievers are the norm for long-haul fiber.
My local electrical utility is still running 11.52kbps RS-232 over fiber for exactly this reason. At those bitrates you don't need backpressure -- your disk will never fill up and if the CPU can't handle that bitrate you already have much larger problems.
It's kind of funny that they have sheaths where one strand is running this piddly dozen-kilobit protocol and other strands in the same sheath are doing 10gbit/sec * 16-channel CWDM.
Most electrical utilities are into fiber optics in a very big way; they already (usually) own the poles and unlike copper it's nonconductive. Many of them have vastly more strands of fiber between substations than they need.
> how would something like a data-diode work in real life?
The ones I have worked with convert a TCP stream to UDP, send it across the diode, and then convert it back to TCP. Each UDP packet has a sequence number and there is a single reverse-diode that is fired when a packet is missed or arrives out of order that triggers a retransmission of the last N packets.
I have heard some plane infotainment systems use a 1-way optical link to solve this problem to get the speed/altitude/etc to the displays. It just receives the data as a downlink (no 2-way communications) and being optical its electrically isolated as well as impossible to transmit or even interfere the other way.
That was FUD[1] spread by Chris Roberts who has been called out for it. He claimed he was able to issue climb commands from the IFE to the CAN bus.
Apart from this being technologically impossible, if he would have really done it he would have been charged for endangering an aircraft and prosecuted. (So the only explanation why he isn't in prison is that it didn't happen). The technical reason is Data diodes are common in aviation to separate IFE and CAN bus or position data. (e.g in the ARINC)
If you don’t allow 2-way comms to SCADA devices, how can you set values on those devices. For example, open valve 9881 to 10% … how would that be done?
That functionality would be local, before the one-way isolator. A human at a terminal located near the valve could still press a button to make that happen. That system could even be running windows (most are!).
But a hacker wouldn't be able to use their access to the Timeseries database for supply chain and logistics, to pivot to the SCADA system because their attempts would be blocked by a lack of a physical layer connection in that direction.
It would significantly reduce the attack surface of the OT systems.
I think the original use-case was delivering data for use in dashboards or other business systems, not the SCADA network in general (where you’d want write access). So, places where you might want to get read-only data from a secured system, but not allow write access. These business/reporting systems might be internet connected, hence the desire for better isolation.
That would be like deploying the landing gear of the airliner, because someone triggered a bug while changing the channel on the in-flight entertainment system.
The whole point of SCADA systems is that you can open and close valves remotely, without requiring to drive hundreds of miles along the pipeline to wherever the particular valve is located.
Industrial applications use unidirectional gateways (See NIST 800-82r2). The gateways have diode-like hardware at their core, but add software. The software acquires snapshots of industrial state, converts those snapshots to proprietary unidirectional protocols & formats, and on the external enterprise network makes the data available to enterprise users.
A common example is a SQLServer database of all industrial data that is authorized to share with the enterprise. Grab new and changed data as it arrives on the industrial side. Push unidirectionally to the enterprise side. Insert/update the data in an identical SQLServer. Enterprise users & applications interact normally and bi-directionally with the replica database.
The technology is used routinely to provide access to industrial data that enables business efficiencies, without providing access to the industrial systems that produce the data.
A data diode doesn't have to be just a one way ethernet port, it can include a pair of dedicated servers.
The inside (isolated) server would poll everything, store it into a buffer, and send that buffer (plus error correction) out through an optoisolator to other server.
The outside (internet facing) server would then keep up with the ring buffer, and serve requests, and do any outbound push of data via any protocol required.
A system to do this could be made with a pair of raspberry pi computers and a little bit of discrete components for less than $150 in hardware costs.
"Operational Tech" (pipeline and safety-critical monitor and control)
and
"Information Tech" (payroll, email, other business stuff)
?
I could only imagine trying to tell a large corporation that their "IT" authentication system can't be linked to the access card keys for the front gate, or whatever other physical security they might have in place.
It doesn't matter if we can formally prove that a remote access system is sufficiently secure as to aloow engineers to operate valves and pumps from home... For inevitably, some months from now, a wildly insecure utility will be connected to that, and you lose the ability to reason about how to keep the streams from crossing.
Easiest opto-isolator is to epoxy the sfp into the socket, and then fill the rx port on the critical side with epoxy, and then just run one fiber. The epoxy may seem excessive, especially if the sfp dies and you have to swap a whole nic, but it makes people stop and think.
Do you think Colonial identified some "physical world" risk, as in the possibility of a pressure overload or pipeline leak? I imagine that verifying the integrity of these SCADA systems is a very complex task, so I'm wondering if they've already identified a possible attack vector/entry point or if this was entirely preventative.
I have no idea. Shutting down preventatively would be smart, and they had good leadership in their IT space while I was there. Friendly people who could make the hard decisions quickly, weren't afraid to pick up the phones to call people, and supported the growth of struggling employees without letting shoddy work get approved. They were also good at managing large multi-year and nation-wide project campaigns - a rare skill in this world.
That said, determining whether or not a system was compromised can be incredibly difficult. I'm sure they'll face massive pressure to turn the pipeline back on as it does supply almost half of the east coast with oil. I wouldn't want to be the person who has to make that call when it's impossible to prove a negative.
CPC had two explosions a few years back which caused gasoline shortages in new england, that may provide indication of the scale of disruption to expect.
Thanks for the response. It's amazing to have a community where "subject-matter experts" like yourself just pop up.
I'm quite surprised and comforted to hear that the leadership there is competent and knows how to manage people. I've heard from friends/acquaintances who have worked in the energy industry about how terribly things are put together on an IT front (PG&E being a prime culprit), so I was expecting the same here.
I really like your "data-diodes" concept. Interested to see if such a thing takes off especially as these attacks evolve.
> I personally believe that DHS should make this sort of thing illegal for critical infrastructure.
I can't speak to non-electrical infrastructure, but the NERC CIP "high impact" standards already make it largely impossible to operate critical electrical infrastructure from anywhere other than a secured control centre. Operating from your laptop or iPhone from the kitchen table is however allowed for "low impact" assets like small power plants.
I also wonder why nobody who has secure computing issues demands physical write-enable switches for ROM, rather than using software switches that are inevitably corrupted.
Generally it's been the opinion that the control systems need to be modifiable. For example if you add a single valve in a facility which has 4,000 valves already, it would be nice to just add add a controller for that valve to the current SCADA system.
However, a write-only ROM system is possible as long as the ROM chips were reasonably affordable and a company could provide reasonable turnaround times for small modifications. That would move the target of vulnerability up the supply chain.
Some of the things which matter though are necessarily run-time variables like "is the valve commanded open or closed?" and "what are the tuning parameters for this PID control loop?". It's always theoretically possible for a buffer overflow/rowhammer/etc to flip the bit responsible for the valve's open/closed command. Even with an OS/Application stack burned into ROM. You still need RAM.
At least power cycling a readonly-storage device would remove any malicious RAM changes.
Thanks for your many informative posts here. It's a pleasure reading from someone who knows what they're talking about :-)
I did say ROMs, but you can also use EEPROMs, which are erasable in-circuit, and you certainly put a physical write-enable in that circuit. Ideally, it would be a momentary push-button that has to be pushed in person on-site.
Back in college we used EPROMs, which are erased by putting them for 20 minutes or so under a UV lamp. EEPROMs came out later.
Another thing that can be done is to divide the pipeline into several sections, not just one long one. So if one section gets compromised, it doesn't propagate to the next.
Do you propose that each section gets their own control/monitoring facility staffed 24/7 ? If not, the shared control/monitoring facility is the most likely place of compromise anyway, and it by design can control all the pipeline hardware.
I'm not sure how that would work-- each section would still need to send its petroleum products to the next section, making it effectively still one pipeline. Unless I misunderstand your statement?
Consider cars on a freeway. There is no central control. Each car controls itself, cooperating with its neighbors. If one car goes berserk, it doesn't take down the whole freeway.
With a pipeline, if sections operated autonomously but cooperated with each other, and one goes berserk, its neighbors will shut down, but they won't be damaged. The repair work only has to repair the one section.
Ah, I see. Not segmented pipeline, segmented pipeline control. That makes a little more sense. However it might make it significantly more difficult to make coordination between segments possible: The self organizing behavior at work with car driving may be significantly different than what is required for a pipeline.
People driving cars are essentially doing what is best for themselves individually (within the bounds of the law), and that ends up translating to something that works for the whole. With a pipeline, that might not work: If pressure gets too high in one area, it might take highly coordinated control across thousands of miles to bleed off contents into buffer tanks & ease pressure a dozen segments away.
I'm not saying that couldn't be done, I'm sure the SCADA systems could be isolated from each other in this way, it just seems like it would require a lot more difficulty with explicit coordination between technicians, not a self-organizing system such with driving on a highway.
I have no idea why they would do that unless the system was not airgapped properly or it was hard to untangle the admin network from the control network (in which case, the control network is effectively not airgapped).
USB ports are generally disabled in BIOS or purposefully physically damaged on most OT systems I've worked on for oil/gas/chemicals. Many places are fond of using epoxy to block the ports.
I like those people. The problem being sometimes you need logs or data off tools. I’m far from an IT wizard so I don’t know what other solutions exist but the flash drives to get stuff off tools was the easiest
It makes some things more difficult. CD/DVD's are generally used instead. Sometimes other computers could be connected but in that case there would be some organizational procedure for attempting to make sure that other computer was as low risk as possible.
You can't eliminate the possibility of malicious action, Stuxnet proves that. It's my opinion that at least for critical infrastructure we can probably make things much more difficult for our adversaries at a relatively low cost. This pipeline is purported to carry half the gasoline/diesel/heating oil to the east coast, but I'd be lying if I said I knew exactly where the cost-benefit equilibrium should land.
I'd be lying if I claimed I knew...but I would be willing to bet that cost-benefit analysis was made a long time ago before these concerns became so timely.
You need the SCADA systems to run the pipeline. They control the pumps, valves, product sequencing, etc. So Colonial purposely shut down the pipeline to prevent the SCADA system from getting affected, which might cause physical damage that truly would be a catastrophe.
It was intended to be airgapped, but we're talking about a pipeline that is several thousand miles long, with many pumping stations and delivery terminals. All it would take is one of the SCADA systems at one of those locations to suddenly open a valve and dump petroleum out into the environment to cause a disaster.
Or worse - rapidly open & close valves in rhythm, and the water hammer effect (the inertia of the petroleum in the pipeline) would cause the pipeline to destroy itself. The repair costs would be astronomical - you'd naturally have to repair the damaged sections, but then also re-test all the welds to see if any had been weakened by the pressure pulses.
It was not intended to be air-gapped. These systems generally communicate to business layers through firewalls.
Onion-layer security rather than air gaps. Communication through the firewall isn't supposed to allow control over the valves, but it does communicate both ways (TCP/IP). This is the general practice in petrochemicals, at any rate.
And to add it’s perfectly possible that the pipeline networks were air gapped (Ed: which don’t believe them) but you still need to shut down.
I could imagine a situation where information another network (e.g. orders or incoming flows from another customer or user) is necessary to run the pipeline but unavailable to use to operate the pipeline control system.
>Colonial has not given any public indication as to the reach of the ransomware outbreak, but Robert M. Lee, chief executive of cybersecurity firm Dragos, said he believed Colonial's operations network was shut down proactively "to make sure that nothing spread into those systems."
Most petrochemical companies have an onion structure. There are lots of layers of firewalls with what are supposed to be limited communication paths for specific applications.
We need to move to using physical layers where data can only be transmitted in one direction (and then use something like UDP)
That gang may have bitten off more than they can chew. They've now gotten the US government involved officially, which means that beyond the sheer mass of resources that will go into tracking this gang, the government also has something to prove now.
Being at the center of an international incident is probably not good for business.
When you said “the gang”, I had an image of the gang from “It’s Always Sunny” writing their first virus and this being the result. I’d watch that episode.
When the Feds catch up to them, Dennis and Mac are loading frozen beef in to the back of his car and are legitimately confused by what the cops are saying. They moved past the virus several weeks ago and have had literally dozens of plans since then.
And then Charlie walks out and goes "Ooooh, uh oh, uh yeah, guys you know what... I think I know what they mean. Last week when everyone was talking about the virus, I had just watch this really cool cyber hacking movie on TV last night, so I kinda zoned out and didn't know what our next scheme was, so when I went home I paid someone on the darkweb for a virus just like in that movie-"
Dennis: "How the hell do you have money to pay people on the darkweb Charlie?"
Charlie: "KittenCoin"
Dennis: "Oh god dammit, KittenCoin? You did that huh? Alright, checks out. Anyways, so then what happened?"
Charlie: "Well then I didn't really know what we were doing still, so I just emailed the file the russian kid sent me to your email, but I totally messed up the address cause my fingers were all sticky with peanut butter at this point and-"
Dennis: "WHY WERE YOUR- You know what, not only do I not wanna know, but I'm also gonna take a stab at how this story ends. Charlie, are you telling me you made a scam cryptocurrency and then used the profits to pay some sketchy russian hacker for a ransomware virus which you then emailed to a random address with a subject line something along the lines of "FOR FRIEND, IMPORTANT FILE, FOR PLAN, GIVES MONEY", which obviously enticed the random receiver to open said email promptly starting a massive email worm that managed to spread its way into the government's oil pipelines?"
Charlie: "That's... Uh, yeah, yup, yup, that's pretty much spot on dude, I'm pretty sure."
Lol this was my first reaction as well, they now have a nation-state on their ass. But that being said its not impossible that this was just a cover for a Russian state-sponsored attempt on US infra
If I were running the Russian hacking center in charge of pwning US infrastructure, I'd be pissed as hell. This is like getting vaccinated -- all of a sudden we're going to take this seriously and patch a bunch of exploits that they've had ready to go.
"nation-state" is not just a fancy infosec word for country, and there's some debate as to whether the USA constitutes an actual nation state, rather than a state.
Now introducing, TypeLang! A strictly typed spoken language with core emotional concepts built into the standard library and immutablity as default. Easily transpiled into dozens of different languages, such as English, Japanese, JavaScript, and Smooth Jazz.
nation-state" is not just a fancy infosec word for country,
This is pedantic and adds no value. In what sense could the precise definition of "nation state" matter? in this context everyone understands the phrase in exactly the way it's meant -- a resourceful national government.
The USA is absolutely a nation state. Cocal-cola, mcdonalds, Christmas, enlgish, etc. are well dispersed throughout the entire population. We have a uniform culture, although not as uniform as much smaller countries, but uniform nonetheless.
> A nation state is a state in which a great majority shares the same culture and is conscious of it. It has been described as a political unit where the state and nation are congruent. It is a more precise concept than "country", since a country does not need to have a predominant ethnic group. [1]
Believe it or not, massive governments that employ hundreds of thousands of people are capable of doing multiple things simultaneously.
I don't think there's any evidence this was state-sponsored, or even state-approved, but "oh there's better things to do" is not a good argument in the least.
I'll keep it in mind the next time a horse bolts from a barn in some foreign country - 'Clearly, this was the CIA's doing. There's no evidence for it, but they have the capability, and their motives are sufficiently sinister and shadowy, and while there's no reason for them to be engaging in medium-scale hooliganism on the other side of the world, they could be the ones responsible!'
The Russian Government had huge motive for this attack, they were not at all happy about the United States' retaliation for SolarWinds/Election interference. Shutting down a major oil pipeline in the United States is not "medium-scale hooliganism."
Also shouting 'No Evidence' is a typical tactic the propagandists use to cast doubt and muddy the waters; surely the attackers would love to see what evidence is available, so they can adapt - that's why evidence is largely kept private.
Why do you assume that propagandists only work for them?
What makes you think propagandists on our side would never use lack of evidence to make whatever they want up, and cite your exact reason as justification?
This is medium-scale hooliganism in the sense that the end result isn't going to accomplish more than a dedicated idiot with a toolbox, and a grudge against gas pipelines couldn't achieve. IT will clean things up, operations will resume, life will go on.
Not to mention that this gives the industry another, rather low-stakes kick in the ass to take IT security seriously.
Russia and China have been suspected of doing things like this for years. And who says it's just to inconvenience them? There will other things happening because of this and this could impact other nations in a postive manner.
> Russia and China have been suspected of doing things like this for years.
By who? People who never provide evidence for their claims?
> There will other things happening because of this and this could impact other nations in a postive manner.
While it's certainly possible that the FSB is playing 59-dimensional chess, here, hoping for a true butterfly-effect sequence of causality, I think the onus is on you to demonstrate that.
> By who? People who never provide evidence for their claims?
By lots of countreies. The US charged 4 chinese military officers for hacking Equifax.
> While it's certainly possible that the FSB is playing 59-dimensional chess, here, hoping for a true butterfly-effect sequence of causality, I think the onus is on you to demonstrate that.
You seem to think that it would require multiple things to fall into place to benefit a foreign country. Say you want to manipulate the price of the fuel. Increasing the costs of transport would do that.
Hacking Equifax[1] makes sense, because it directly useful for intelligence work. Find people of interest who have credit problems, and lean on them. [2]
This isn't even a blip on the radar of global fuel prices. It is completely lost in the noise. [3]
[1] Or the OPM, since it was kind enough to have lists of 'all spies operating abroad' on its intranet. Whoops.
[2] I mean, you could also just pose as a landlord or employer, and ask for credit checks on them, it costs ~$30 per query, but it is what it is.
[3] If the FSB really wants to increase demand for fuel, they should try stalling a junker or two on an interstate bridge... Imagine the fuel wasted from all the cars idling, or taking detours!
I'm just pointing out countries have been hacking each other for ages and specifically infrastructure. Which was originally stated as absurd because there is no benefit to them, which considering you don't know all the basic effects this attack is having. And who said they wanted to raise global fuel prices?
End of the story is intelligence agencies around the world have been bulking up for cyber warfare for at least a decade. Russia and China have been been fingered repeatedly for cyber attacks. It is not completely outlandish that one of them is behind it for whatever reason. I'm pretty sure the entire point of these agencies is that we don't know what do or why they do them.
I'm not super-knowledgable about cybersecurity, but shouldn't simply using TOR make it nearly impossible for the US government to track them down?
If they want to go overkill, they can additionally use a public VPN account purchased using walmart giftcards bought on ebay using a stolen identity and then mailed overseas.
They can also perform the hack using a brand new computer that they never use again afterward.
It just seems to me like the attacker has most of the advantage here if they know what they're doing.
That would work against network tracking of the actual connection, but that is not the main means of attribution and tracking culprits.
One way is to look at any tools and artifacts used/deployed - it's not common that only "off-shelf" tools are used, and as soon as there's anything custom, most likely it's not a one-off thing that never ever appears anywhere else; if you got it from someone, that's a potential lead; if you wrote it yourself, you're likely to use it (or a modified version) elsewhere, so if you make a mistake in one "gig" then it can relate to all your other activities as well.
Another is people - those things are often not done alone, and people talk, especially if they get detained for something else. And last but not least, the money trail sometimes leads to results as well.
But the key thing is that even if you do everything securely enough, it can work once or a couple times if you're careful enough, but nobody is careful enough to sustain proper opsec all the time, everyone makes mistakes every now and then. These things often take years to resolve, but the legal system has sufficient patience to link something done five years ago to a mistake you'll make next year.
There's sort of an asymmetry for an attack - that if the defender closes 99 vulnerabilities but leaves one, that one is enough for an attacker to get in; but there's a similar asymmetry for detection; if the attacker hides their trail in 99 ways but leaves one, that one is enough to find them afterwards.
> I'm not super-knowledgable about cybersecurity, but shouldn't simply using TOR make it nearly impossible for the US government to track them down?
PSA: There are known traffic correlation attacks against Tor. It's not magic security dust you can sprinkle on a system. If you're doing thoughtcrimes, assume any G10 intelligence service can track you down. (If you're into extortion, human trafficking/exploiting children, or financing/advocating violence against civilians, then Tor is totally magic and is 100% guaranteed to make you invincible. Tor is all you need a-hole.)
Tor intentionally makes latency-privacy tradeoffs to make web browsing usable. I'm not familiar enough with Tor internals, but I believe applications have no control over these tradeoffs.
Anyone know if I2P allows applications to adjust latency/privacy tradeoffs? (Conceptually, you want your store-and-forward mixnet to use a priority queue for each hop, setting a deadline when each message arrives, and filling the pipe with expired messages first, and then non-expired messages in uniform random order. Applications more tolerant of latency get their traffic spread over a longer window. Per-hop latency targets should allow applications to avoid hop-to-hop correlations in latency targets.)
Getting operational security right is surprisingly hard.
The really hard part is that you need to have gotten it right some years ago already.
I remember that I read that other day that a bitcoin tumbler operator was charged for money laundering. The way they got to him was tracking initial funds that started the tumbler, which was purchased from an exchanged and not obfuscated.
There are all kinds of things you can get wrong: your build tools could accidentally store compromising meta data in your malware; payments from previous campaigns could be tracked, a single non-TOR access to the command&control infrastructure could get you busted, as could a single login to an email provider you used to communicate with somebody related to the ransomware operation.
All in all, if you have a larger team, the chances of at least one person messing up aren't too small, and then it's a matter of the investigators pouring enough money and attention into the case to find it.
As a rule, there is no off-the-shelf software solution that you can simply use to avoid being detected by the NSA or other powerful nation intelligence services. Even if there were, they are not limited to tracking you through technological means - they very much know how to find people the old-fashioned way as well.
That's not to say that it is impossible to hide from them, but it's never simple, when they're actively looking for you.
Tor isn't perfect. Government agencies like to create TOR endpoints/nodes that allows collection of bulk traffic data. They can't see exactlt who sent specific packets or their exact contents by looking at them individually, but they can see which mode it just came from and where it's going next. By watching traffic to entry and exit points they can create probablist models based on traffic volume that can allow them to identify where large volumes of packets most likely came from when they're already watching the destination. This is how they tend to catch drug dealers and similar illegal transactions using TOR and a similar setup that monitors crypto currency transactions that simply monitors either known bad agents (criminals, dark web sites selling illegal goods, suspects, etc) or suspected targets. By combining the two data sets they've even identified who certain crypto currency wallets belong to. The main thing to be aware of is that it's extremely difficult for them to identify anyone with low traffic levels, or that do not interact with actively monitored actors/targets.
> shouldn't simply using TOR make it nearly impossible for the US government to track them down?
Not even close. Tor kinda secures one aspect of very many, but kinda doesn't.
It attracts attention: Governments actively try to defeat Tor. And if they are looking for a criminal, they might look first at Tor users. In fact, they collect data on Tor use before a crime is committed.
Yes, in the sense that it gets reported to law enforcement and investigative agencies. Without being specific, I was a victim of identity theft and cybercrime. My incident was “reported to the FBI” but I’ve literally never heard anything back from them.
In practical terms there needs to be something special about the cyberattack for the government to devote any resources towards it.
It all depends on the attention these attacks get. Now that they've had a tangible effect on the news cycle, creating concern about the safety of US energy infrastructure, there will be more incentives for the Government to hunt them down and get credit for doing so.
I think I read somewhere that China based attackers have already penetrated networks of major US infrastructure systems but didn't do anything because whats the point of wrecking havoc now? Better wait for more opportune times.
Which also seems to indicate that this may not be a Nation State... they would be after a bigger prize than some bitcoins.
I think it's 50/50 some real gang vs a branch of the NSA who sees how pwned the US infrastructure is and wants to make a (fairly harmless) splash so we take it more seriously and patch our shit.
So, a very limited state of emergency which allows fuel that is ordinarily piped to be transported by truck.
Ancillarily, It's not evident this cyberattack actually compromised the industrial controls, but rather trashed the administrative system controlling the controls.
> It means drivers in 18 states can work extra or more flexible hours when transporting gasoline, diesel, jet fuel and other refined petroleum products.
This means truck drivers hauling 45,500+ lbs of an extremely flammable liquid aren't required to sleep.
I worked in the supply chain industry for a few years, dropping these restrictions is unheard of. My instinct tells me this issue is a lot worse than it seems now.
Armchair take: The pipelines handle a lot of fuel, and the US needs / uses a lot of fuel; to move the same amount, you need a lot of trucks. And if that need is not met, the economy etc will be disrupted heavily, price of fuel will go up, and the price of fuel going up has caused massive issues in the past.
Last time I checked the amount of sleep I need doesn't go down when an oil pipeline stops flowing.
It's offloading the risk to drivers to benefit these companies first and foremost, which is ridiculous. The cherry on top is the article pointing out even with the extra hours they won't be anywhere near meeting demand...
No, that part of the regulations (the 10 hour break requirement) specifically does not get suspended in an emergency, if I recall correctly, but federal qualifications for new drivers do, so maybe someone otherwise hauling oranges from Florida might drive a tanker while the normal driver has a day off. Plus, this is only federal law; state laws still apply, and it is state troopers who pull you over, not feds.
I don't think so. These drivers need more specialized training, and the type of equipment they haul is different. Plus I'd imagine your mindset is different when you have a swimming pool's amount of oil a few feet behind you compared to a bunch of toilet paper or whatever.
Everyone here is failing to read between the lines.
Nobody in trucking gripes about limited working hours. The current hours per week available for work are more than enough to work at an unsustainable rate of sleep. What everyone bitches about is the electronic logging requirements that prevent them from cooking the books in order to account for delays that happen over the normal course of business. Because people can no longer cook the books they do other things that increase risk.
For political and optical reasons the DOT can't exempt them from e-logs to make their lives easier. So they just exempt them from all of it. They're basically saying "if you're gonna push yourselves we'd rather you cut the smart corner and work a 12hr day than drive around like maniacs trying to fit X hours of driving in a Y hour window."
Absolutely they do, but with the pipeline down its a volume and distance issue.
Normally the pipeline would pump huge amounts of fuel around to various distribution centers where trucks and tankers would then haul it the last leg to e.g. gas stations and other end users. Now there will be far fewer distribution centers to pick up the load from, and much longer distances to drive to deliver the product.
Naturally a pipeline has much greater capacity than a string of trucks, not to mention the impacts on traffic and safety concerns that go with pushing the truck drivers that far. The limited number of distribution points with the pipeline offline will probably have a logistical impact as well since there will be an imbalance re: how many trucks are arriving to get filled up.
It's interesting to consider the human link between the admin systems and industrial control systems here. If we assume the controls are on an airgapped network, the attackers, in some sense, jumped the airgap and shutdown the pipeline.
Obviously not as bad as an actual compromise of the control systems though, which presumably could cause leaks, explosions, etc.
Generally the controls are firewalled from the administrative/business systems, not air-gapped.
Production data (like gallons per minute of flow through the pipeline) must be sent from the controls to the business analytics software. That's generally done through a firewall over TCP/IP.
I've seen systems where data is sent via UDP and the physical connection was transmit-only (for example, only the transmit fiber plugged in to the port) to avoid potential firewall exploitation.
Often that kind of reporting data is delivered back via a “data diode” unidirectional network. That said, there is usually just a dmz between biz and prod to enable remote support of the controls system (ala the Purdue model), and not any real air gap.
They likely could have kept running the pipeline without incident.
I imagine when the government stepped in they decided to dial their procedures up to 10 and they plan on making an example out of this incident and the perpetrators.
> James Chappell, co-founder and chief innovation officer at Digital Shadows, believes DarkSide bought account login details relating to remote desktop software like TeamViewer and Microsoft Remote Desktop.
Once they get in to the internal network, they could possibly have access to anything. Most organizations don't follow good practices for internal services and there's all kinds of unauthenticated crap that's accessible to anyone who knows where to look.
If its really a ransomware attack, they could have taken over some internal system, or maybe just locked out remote access. We will need to know more, but at first glance it doesn't look very good.
"Multiple sources have confirmed that the ransomware attack was caused by a cyber-criminal gang called DarkSide, who infiltrated Colonial's network on Thursday and took almost 100GB of data hostage."
re: "infiltrated Colonial's network"
I have been reading some of the other reports of this incident from different publications.
Many of the stories include a line about attackers downloading "100 GB in only 2 hours" as if that was being downloaded from the company's on premises servers.
Eventually I found a story that disclosed the data was actually downloaded from a cloud provider.
It’s really not. SME branch office is dead easy. Multinational corporations virtually impossible.
In the cloud you can stop your whole VM estate, nuke roles and access and pull an audit trail and access logs for everything in a few minutes. Without even getting off your butt. Or having to negotiate with a branch office IT team who disagree with you.
In the 20 or so years I’ve been running ops for corporates, the cloud is the nearest we’ve come to half decent DR and emergency response capability. It has got to the point now where compliance and audit is built in and I can actually write some code here and there rather than arguing about trivial stuff like “what happens if X happens” with people who are only in it for the pension.
Is it though? We have plenty of cases of on-prem and in-cloud going down. And we have also plenty of evidence that some companies do actually manage to do disaster recovery pretty well. Not all, of course, usually those that experience frequent disasters.
My environment is mostly on-prem, and it's nearly always the cloud services that drop out and leave us high and dry. In fact, not long ago, a cloud service we don't use went down, and it took one of our vendors down, and their cloud service went down, because of an outage with a completely unrelated service we don't use! The cloud is a house of cards that is run by companies that should have disaster recovery down, and really don't even come close.
Meanwhile, I can unplug one cable to isolate our site, and everything that isn't a cloud service is pulled offline. (And delightfully, almost all of it would still be independently operational until I plugged it back in, too.)
>The gang even has a website on the dark web where it brags about its work in detail, listing all the companies it has hacked and what was stolen, and an "ethics" page where it says which organisations it will not attack.
I don't have it, but I would go to dark.fail's onion address and browse there (http://darkfailllnkf4vf.onion/verify this and get in the habit of doing so! dark fail's clearnet website just got hacked while their onion site was unaffected), and then I would go to Dread forum (onion reddit clone) and ask there.
A little tedious but there is lots of commerce on onion sites, and a lot of valuable information in general that I've never seen anywhere else, so it can be worth it.
Most people will probably be hesitant to post it for obvious reasons here. But it was helpful to me, to find a ransomware url, during the college leak a few weeks ago (https://dorper.me/articles/unileak.aspx) to find out which colleges were impacted because tons of people I know were in it. There are plenty of good reasons to want to have it. But I understand why BBC wouldn't post it...
People that read Hacker News on their work machine: note that if you're on the org VPN (and even if you're not, if your org installs IDS tools or other spyware) many of those tools may flag your visit of such site as "malicious".
I like how they are charging 10% more if you pay with Bitcoin than with Monero.
I think commerce would greatly improve if other networks had Tor clients, especially because of the stablecoin and private stablecoin availability as of this year. All EVMs as well as Tendermint networks have no out of the box solutions for Tor nodes and connectivity. But they both have ways for ERC20 tokens to have a great degree of privacy. One Tendermint network called Secret Network has private smart contract execution, and a variety of bridges. So as all tokens are smart contracts the metadata and variables would not be visible onchain.
sDAI would be more useful for commerce if the nodes and wallets could easily resolve over Tor.
> I like how they are charging 10% more if you pay with Bitcoin than with Monero.
I smell a business opportunity... Kick off a ransomware attack and accept Bitcoin or a Shitcoin at a 30% discount.
Some shitcoins have such little liquidity... a 50k buy would push their price off by hundreds of percentage points. You can even refund their money back after they pay... a modern day pump/dump.
The thing about being an ethical player in unethical markets is coming up with ideas that could make you richer but not wanting break laws / be a terrible person.
Illiquid asset pumping is the best way to launder the money in the crypto space.
AccountA has bought or owns the illiquid asset using clean money, in advance. AccountB has the ransom proceeds in the more liquid digital asset. AccountB eventually buys the illiquid asset and pumps it. All the blockchain detectives are still following AccountB across many more addresses and blockchains, hoping and praying and imagining that one of the touched accounts needs fiat so that a human identity can be assigned to the funds. But that never happens. AccountA has the 8,000% or other arbitrarily high gain and nobody can distinguish them from any other crypto trader, as these kinds of gains are commonplace. All the trading can (and should) occur onchain without any financial intermediary, as there would be no transaction size limits or issue moving the funds, compared to odd activity on a business' centralized custodial exchange.
AccountB connected accounts are saddled with the illiquid asset. Maybe organic growth has occurred from fear of missing out and AccountB can resell, but that is just an embellishment and icing on the cake.
AccountB connected accounts can also create the liquidity pool, or create the yield farming opportunities to incentivize others to join the liquidity pool. And if AccountB really never cares about the funds, they can also burn the bearer liquidity pool share, providing confidence to the market that they can always trade at high volumes onchain.
I don't get how Account B gets to the point of extracting value from the illiquid asset after purchasing?
Seems like they either, 1) sell periodically or as the assets value appreciates, but this is generally unreliable and tough or 2) create a liquidity pool or yield farming opportunities
For 1, this isn't necessarily reliable but it seems like the most plausible popular case. For 2, given the previously mentioned challenge of the illiquid asset, how does it work to provide incentive in liquidity pooling and yield farming?
Note, that I'm less well aware of the mechanics of 2 so perhaps its also a fundamental ignorance issue.
AccountB doesn't have to make more money as it directly or indirectly transferred all the liquid assets to AccountA (and many other people). In a liquidity pool kind of exchange, AccountB would have simply put all its liquid assets into the liquidity pool, in exchange for removing the illiquid asset into AccountB's custody. The liquidity pool maintains prices based on a ratio of two assets in the pool, so the illiquid asset would have quite how price after this activity. AccountA would have just sold its holdings of the illiquid asset back into the liquidity pool at a coincidentally favorable time. AccountA can also have been a liquidity provider, and when they unbundle their liquidity pool share it will have more of the liquid asset and less of the illiquid asset. Many possibilities, permissionless.
If it must be said, AccountA is yours too and is just for reintegrating the illicit proceeds into the economy without trying to do something more convoluted like running a permissionless SaaS business with fake customers spending Monero for domain name lookups.
But, AccountB can attempt to make its assets more liquid again. You just go on Telegram and pump it in speculator groups, buy off some youtubers. How much are you laundering? You can keep a few thousand dollars in liquidity for negotiations. AccountB should also provide liquidity itself. Just launch a yield farm contract, copy and paste, change the input and output token address, redeploy, lock a substantial portion of the illiquid token inside of it (or pay off a more coveted yield farming project like Pancake or Polygon to list a farm and pay farmers in their token). Make the yield high.
> I don't get how Account B gets to the point of extracting value from the illiquid asset after purchasing?
My understanding is, accounts A and B are both controlled by the same person/group. Account A always deals with clean money and pretends to do speculative investing; account B uses dirty money to pump illiquid assets. An example scenario, as a simplified list of transactions:
| Time | From | To | Amount | Note |
|------+---------+--------+------------+-------------------------------------------|
| 0 | Pocket | A | 10 $GOOD | Initial investment. |
| 0 | - | B | - | Created account for criminal activity. |
|------+---------+--------+------------+-------------------------------------------|
| 10 | A | Market | 10 $GOOD | Exchanged liquid $GOOD for illiquid |
| 10 | Market | A | 1000 $BAD | $BAD at 1:100. |
|------+---------+--------+------------+-------------------------------------------|
| 100 | Victims | B | 3000 $GOOD | Crime - e.g. ransomware payments. |
|------+---------+--------+------------+-------------------------------------------|
| 150 | B | Market | 3000 $GOOD | Buying up $BAD to generate interest and |
| 150 | Market | B | 1500 $BAD | pump its value. |
|------+---------+--------+------------+-------------------------------------------|
| 200 | A | Market | 1000 $BAD | Buying back $GOOD for temporarily liquid |
| 200 | Market | A | 5000 $GOOD | $BAD at 5:1. |
|------+---------+--------+------------+-------------------------------------------|
| 500 | B | Market | 1500 $BAD | If $BAD didn't collapse, recovering some |
| 500 | Market | B | 100 $GOOD | of more stable asset at 1:15; can be used |
| | | | | to repeat the trick later. |
In this scenario, criminals turned $3000 of dirty $GOOD in account B into $5000 of clean $GOOD in account A. If they were good with OPSEC, there's no connection between accounts A and B - from outside, it looks like the owner of account A got lucky speculating on crypto, and owner of account B was a dumb criminal that made a bad investment. Hell, if criminals are sure of their OPSEC, they could even go as far as paying taxes for their gains on account A, reinforcing the image that A is owned by some random, legitimate investor (but that could bite them hard if law enforcement realizes there's a connection between accounts B and A). Account B is never cashed out - it's used only for purposes of pumping illiquid cryptocurrencies, and eventually abandoned.
Yeah we would be talking about paying taxes and having a record of the funds for more social benefits in society.
AccountA is just a speculator. Stuff you speculate on right now has other accounts pumping it from funds that just appeared out of Tornado.cash, or were just swapped from Monero. There is no way to distinguish between you controlling those or someone else, and there isn’t probable cause from this behavior to investigate the accounts that appeared with funds from obfuscated sources. Just some OPSEC considerations.
What are EVMs, ERC2, and sDAI? I do not believe your objective is to confuse or obstruct, but additional context would help understand the unique value of your contribution. This is coming from someone with a recent BSc in Computer Engineering yet still completely unaware of these acronyms & references.
Only a few universities are teaching this stuff right now. In any case:
EVM is "Ethereum Virtual Machine", a similar concept to the JVM "Java Virtual Machine". EVMs are one the most common technology for deployment of arbitrary execution within distributed networks. These kinds of functions and applications are colloquially called smart contracts. The biggest distributed network with this technology being simply called "Ethereum" or "Ethereum mainnet". But any code deployed on Ethereum mainnet is deployable on any other EVM environment, such as Polygon, Avalanche, Binance Smart Chain, Tron, Ethereum Classic, Hashgraph, or Quorum which was stewarded by JP Morgan for a few years for internal enterprise use.
With the other common smart contract network being Tendermint also colloquially referred to as Cosmos.
There are a couple of standard classes with a certain protocol of functions on all these networks. One standardized class is called ERC20, which is a fungible token standard. Deploying this kind of class ensures that you have created an asset with a name, ticker symbol, quantity, and a transfer function. Therefore ERC20 just is a quick way to refer to an additional asset. Assets that represent something the market wants or is familiar with or is redeemable for something the market likes therefore have certain monetary values associated with them. Some communities representing other networks have different protocol names for the same concept, for example, the Binance Smart Chain community has a token standard called BEP20 which is mostly contrived marketing but it could also have tweaks to the ERC20 standard, you have to read them. No different than reading the IETF's REST protocol standard for each function, and then seeing how it is implemented slightly differently across different browsers, devices and frameworks.
DAI is an ERC20 asset that maintains convertibility with $1 US Dollar. It is collateralized by a basket of assets, some completely digital assets and some that are backed by real world assets from centralized issuers.
When it comes to ERC20 naming styles, the market has resorted to prefixes for now.
So on the Secret Network (which uses Tendermint/Cosmos technology instead of EVM), assets that enter it from bridges are called sAssets. So DAI that enters the Secret Network would be sDAI. Where it will inherit the private nature of the network. Specifically the current state of the functions such as quantity, transfer(to, from) would all be unknown from looking at the blockchain.
One of the highest growth areas and highly demanded is in building bridges for assets to move between blockchains. Particularly Liquidity Pool shares and other asset backed derivatives. If you would like to apply yourself here. The market-based rewards are direct, swift, and very high.
I was reading about DOT and decided to start learning rust. I've used python in a couple automation tasks before, but besides that have very little programming ability. Rust has been hard so far but very rewarding. What technologies would you suggest learning if i wanted to get into blockchain programming?
Solidity or the Javascript frameworks that compile down to solidity. EVMs are heavy in this.
Rust is good too. I'm not too familiar with the Polkadot ecosystem, but the main thing you need to know is that every financial app that has been popular on EVMs needs to be rebuilt on those other ecosystems. There can be multiple of the same things too, no different than multiple grocery stores in a town, or multiple actual bridges. Nothing unique needs to occur, just more. Its literally a global boom town you don't need to go anywhere for and your competition would rather argue about how a MySQL database is better for yield farming than a blockchain.
It is just too expensive for the Ethereum network and not a large enough mixing set (haven't looked recently though) and nobody accepts it therefore requiring you to exit it if you want anything, but exiting will reveal who you are because there is nobody else it could be.
Privacy on the Ethereum network remains just Ether in Tornado Cash.
edit: oh cool Aztec actually transitioned to the Optimistic Rollup. That is different than their prior smart contract and requires new analysis. I recall their article last year or before about doing a "zk zk rollup" and I didn't keep following.
At least for public services in Canada, it is. Which serves as as a deterrent since attackers are guaranteed to _not_ get money. Also whips management into more than CYA-and-wait IT security.
Bitcoin full node– which processes and verifies all transactions– uses only 7GB disk space. It doubles as a wallet, and it has native bidirectional Tor support.
There are only a few cryptocurrency networks with robust Tor infrastructure for now. There should be more but the stewards haven't prioritized it, for the most part many nodes and wallets for other networks are UDP, which is a major hurdle as Tor requires TCP exclusively. Bitcoin and Monero do not have this limitation, but Monero is the only private by default one and has a large mixture set to stay easily obfuscated.
The reason that cyberattacks are proliferating is because it has only recently become easy for the threat actors to receive massive payments quickly and anonymously. Remove that ability and the entire cyberattack ecosystem shuts down instantly. It is only a matter of time before this happens.
The reason cyberattacks are proliferating is because many enterprises refuse to learn from the mistakes of others. They continue to connect ancient, unpatched Windows and Exchange servers to the public internet, they don't segment their networks, they don't secure TeamViewer and RDP, they don't use FIDO U2F, they don't have an IDS, they don't monitor logs, they don't execute email links and attachments in a sandbox, etc., etc., etc.
If you write the combination for your safe on a post-it note and stick it to the door of the safe, and a thief opens the safe and steals everything in it, it's still the thief's fault.
But it's not victim-blaming to observe that you shouldn't have made it so easy for the thief.
If it's just your valuables that get stolen, then that's unfortunate for you, but at least it doesn't hurt anyone else.
But when other people trust you to keep the safe secure, and are hurt because of your negligence, then it's also not victim-blaming to observe that your negligence caused harm to other people.
- More infrastructure than ever has some exposure to the internet
- Outsourcing at massive scale (probably) makes consistent security screening harder
- There are more programmers in the world than ever and so (probably) there are more black hats, malicious hackers, etc
- As time goes on, there are more and more aging computer systems, thus (probably) there are more and more vulnerabilities in the wild
- As time goes on, systems accrete complexity, thus (probably) there are more and more vulnerabilities in the wild
But yes, I do think cryptocurrency is an important change. Cash is still king when it comes to crime, but crypto does make crossing borders much easier.
Your own jurisdiction and law enforcement have no power on foreign territory; but foreign organizations (state sponsored or not) located there have freedom to penetrate your society and economy. Moreover, foreign governments may deliberately ignore your requests to investigate.
Thanks to technologies and to chaotic reactions to modern day problems (including covid-19 pandemic) it looks like modern forms of independent sovereign states are very archaic.
BTC will increasingly become viewed as playing a significant role in these incidents. Legislation antithetical to crypto currencies should be expected with bi-partisan support. I would imagine fairly soon.
This is why “it’s just like cash but better, and humanity has been using cash for centuries” is not a valid argument for adoption of cryptocurrencies. Cash has fundamental scale-limiting properties; cash without those properties is a qualitatively different beast for which there’s no precedent in humanity’s history. The above argument actively conceals the sheer scope of unknown unknowns.
Even if you shut down the cashing out infrastructure (exchanges) in the affected countries, it will quickly spring up again in countries belligerent to them. The FATF is the main global body trying to curb this, but my hunch is they will lose this battle long-term.
Imagine if you are on the FATF red list [1] and you announce a free-for all domestic exchange for local spending. It's free FDI.
This would be terrible in the long term because without ransomware companies regularly carrying out such attacks, vulnerabilities would remain unaddressed until a rival nation decides to use them. Much better to have one pipedown temporarily shut down now than for China or Russia to shut them all down at once sometime in future.
BTC has value because people exchange it for "real" money. If BTC is heavily regulated or outlawed, a whole lot of folks are going to duck out. It's one thing to try and get in on the ground floor of the latest meme stock, it's another thing to buy into a currency/practice that's illegal in your country.
Add onto that making it illegal to pay ransoms in BTC, then there's really no value in using it as a ransomeware currency. No one is buying it so all you are getting are some random digits on a piece of paper.
Outlawing a thing except for when the govt controls it is just another way of saying governement regulation. Which is both common and successful.
When was the last time you drank bootleg liquor? Answer: I don't know of course, but for most people in rich western countries I would think the answer is never.
It's a good point but that's a particularly bad analogy. Brewing and distilling are strongly culturally ingrained, at least in the west. I live in a state where (last I checked) no legal method exists to distill ethanol for personal use. Nonetheless, a surprising number of acquaintances over the years have had stills and offered me samples.
In the US, honestly, yes. I've had the same experience in two different states at this point and friends who relocated from other places have reported similar. I mean, you can literally order a small still that you use on your stove top from Amazon!
I think it just depends on the sort of people you choose to spend time with.
Well mark me down as dubious but not invested enough to research it. However, I do wonder if you/they test or filter for poisonous impurities like methanol? Seems like a bit of a risk?
Testing and filtering is accomplished by the distillation itself. A very basic understanding of what comes out when is more than enough for a simple pot still and only one or two passes. Humans have been doing that since long before the concept of a molecule even existed.
If you decide to mess around with a large fractionating column though, do read up and make sure you have a full conceptual understanding of how the chemistry works. Even seemingly benign chemicals can be extremely dangerous to ingest or handle once concentrated. (For example, vinegar. Dilute acetic acid makes for a good salad dressing. Above 90%, contact will leave you with severe burns and scarring.)
Blockchain has many uses, including as a record of transaction. Crypto currencies are merely a subset of what might be available using blockchain. Legislation can certainly target that subset.
I looked at their available posted jobs on Friday as news broke about the attack. Colonial has had a position for Cybersecurity Manager open for over 30+ days. I wonder what happened to the old manager....
…first to be questioned by the Feds no matter what terms they left under. Too important an attack for that institutional knowledge to stay out of the fray.
Ransom ware seems like a potential antidote to vulnerable US digital infrastructure. It provides a persistent, material bug bounty which incentivises the C-suite to fix them.
A lot of people are talking about the the results of this hack and a little bit about the industrial control systems, but no one is really addressing the hack itself.
>James Chappell, co-founder and chief innovation officer at Digital Shadows, believes DarkSide bought account login details relating to remote desktop software like TeamViewer and Microsoft Remote Desktop.
>He says it is possible for anyone to look up the login portals for computers connected to the internet on search engines like Shodan, and then "have-a-go" hackers just keep trying usernames and passwords until they get some to work.
Nothing sophisticated, nothing difficult, you just need some capital in the bank to buy some leaked credentials someone else worked hard to poke at, that is, some academic security person on a PhD worked hard for months to find some bug in software back in 2014, that turned into code someone else copy and pasted back in 2017, that yielded a dump in 2019 that some other hackers actually probed for some sucker's old login details he probably didn't even realize was in a dump, or might not even use anymore! The only hard work in this story is that academic in 2014 did and he definitely probably no connection to the criminals who basically got the president to issue a national emergency.
I seriously don't understand why the pipeline operators don't have some contingency plan or have simulated scenarios like this which enables them to roll-back systems immediately to some usable state.
How the hell is some random ransomware gang able to shut down critical infrastructure at purely a software level
That sort of scenario preparation takes a lot of time for planning and design to support work-arounds. If the business thinks this is low risk, they won't invest, no matter how significant the scenario could be.
Businesses train and prepare for scenarios that make money, not scenarios that may lose money. I used to do a lot of work related to safety across industries and I can assure you, every business I worked with was only interested in the bare minimum of legally required safety. It was rare to see a business interested in investing resources into things like safety or security vs something that might directly increase their revenue streams.
IT/Security/Software is all secondary for a pipeline operator, who's main business is to move liquids from A to B over a set of fixed pipes put in place decades ago.
Without some forcing function to have cybersecurity threats taken seriously, industrials are unlikely to suddenly develop tier-1 security protocols.
Would be interested in seeing if this does result in a change in their processes, or if they will just accept the risk of this happening as a "risk of doing business".
If things go wrong, they receive millions in resources from the FBI/Federal Law Enforcement. Unless they get a bill, it's likely that they will continue their lax practices.
> I seriously don't understand why the pipeline operators don't have some contingency plan or have simulated scenarios like this which enables them to roll-back systems immediately to some usable state.
I would expect that most companies, even companies whose core product is technology, are not capable of what you describe.
With tons of companies paying insane software engineering salaries, I doubt that a pipeline operator that probably doesn't invest much in IT at all is attracting the best talent either.
Something doesn't quite add up. I feel like we don't have the full story:
>After seizing the data, the hackers locked the data on some computers and servers, demanding a ransom on Friday. If it is not paid, they are threatening to leak it onto the internet.
So... that constitutes a state of emergency? What data would they have that would be so sensitive? More likely they have hooks deep into the operation of the pipeline and may be threatening to shut it down/destroy it if not paid. Or, rather, they may be having trouble restoring operations without paying the ransom.
Side note/speculation: Will the feds make a move against crypto?
I don't see this being called a "State of Emergency" anywhere but that BBC article. There's nothing on the Whitehouse.Gov briefing room, google news, etc.
It's not clear to me that this is actually a "state of emergency". The BBC has now quietly amended their headline to say "US passes emergency waiver over fuel pipeline cyber-attack." (The web page calls it a "Regional emergency declaration.")
No but they want to get a reputation that paying them makes the problem go away. With that reputation, more people will pay instead of thinking it's a waste of money as the data are gone one way or another.
I saw a youtube video once of someone trying to communicate with ransomware attackers and their support was better than even some legit companies. It was funny as hell how they were so 'professional' about it
They want to ensure ransoms are paid by there being lots of sources that say they do what they say. The kneejerk reaction is to be skeptical and waste time. The only reaction is to determine if you have a backup or not, or if the consequences are favorable or not. In all of the “or nots” then you pay and move on.
In the absence of consumer protection, word of mouth (or the compulsory google results) is key.
Technological advancements happen because of a confluence of different events, each contributing to its eventual success.
Bitcoin is absolutely one of the components that allows for the proliferation of ransomware. The key to a ransom is the ability for the attacker to obtain payment in an way that doesn't put them at risk of being caught. BTC enabled that. In fact, anonymous payments are widely considered to be one of the major purposes of BTC.
If ransomware was a positive thing, then BTC advocates would be talking about how BTC is the key technology that enabled malware to make the transition from hobby/annoyance/weapon to a full-fledged industry.
Any chance this acts as a catalyst to face the ransomware problem head-on? Someone in a position of power in US intelligence agencies has to know this won't be the last time that a massive piece of infrastructure is taken down.
This is depressing and not going to stop because it is so lucrative and relatively easy for these malware companies to find victims. It makes me wonder if cybersecurity should be considered a state responsibility and infrastructure so it will be uniform and available for every business like electricity or police protection.
Is the point to move liquid shipments to trucks/ships because it's safer somehow? or simply to make it so difficult to transport liquid fuels that people quit using them?
I suspect that pipeline activism mostly results in the former.
Constrained supply or higher cost of transportation = higher prices = incentive to consume less.
I'd prefer to see this dynamic produced by carbon taxes so the price difference isn't going back to the fossil fuel companies, but I'll take what I can get.
Also installation of new fossil fuel infrastructure like pipelines implies a long term commitment to the status quo or even increased production which I find unacceptable.
If the neccessary changes were underway there would be zero demand for new pipelines.
It needs to be asked again, why are critical services on the Internet ?
We all know why, companies are chasing profits at any cost, so hiring more people to monitor these systems as the did 40 years ago will lower the execs bonuses.
The US Gov should make it clear, if you are a critical service and if your service drops due to items being on the internet, for each occurances 10% of your total revenue (including your parent companies) are forfeited.
> US Gov should make it clear, if you are a critical service and if your service drops due to items being on the internet, for each occurances 10% of your total revenue (including your parent companies) are forfeited
This sounds good in theory but suffers from the cobra effect [1]; you think you’re incentivising security. You’re actually pushing obscurity. Colonial preëmptively shut down its pipe to prevent physical damage. Attach a fine to the discovery and disclosure and you disincentivise that prudence.
Better: make it easier for industry to build securely and incentivise redundancy.
Pipelines run for thousands of miles and operate 24/7. What do you imagine? Keeping a fleet of helicopters on standby to pick up a technician at home, and drop him wherever the equipment is, in case something needs to be adjusted at night?
You could have an air-gapped system and still have remote access. Just not external access. I don't think it's unreasonable to have a couple of people in a control booth monitoring a computer that regulates the pipeline 24/7. The recommendation is, however, that we should not have that monitoring computer connected to any other network besides the internal one. If you're running pipeline, surely you can run some data cables with it?
Yes - and consider how many people have the resources needed to run Stuxnet versus ordinary ransomware. That seems like a pretty clear win if you can shrink the pool of likely attackers down to “top-tier nation-state”.
Stuxnet was built by a very well funded organization and was not targeting monetary gains. Getting ransomware spreading via USB drive is insanely expensive and complicated. You won't make money on it, whatever they are extorting will not cover development expenses
There's an entire parallel internet for the DoD and it's contractors. It's not like there isn't precedent that critical industries can emulate if they ever became concerned about the common good.
> You could have an air-gapped system and still have remote access
You're suggesting the gas company run their own network, and then you assume no employee will connect that network to the general internet for their own convenience? Not happening.
Is that the one when the CIA got wind of a Soviet industrial espionage operation, and seeded it with a legit-looking but subtly flawed schematic, which the Soviets ended up actually building to spec, and it exploded shortly after?
According to the story, this was some Canadian pipeline control equipment or software which the USSR purchased from some Canadians, but the CIA modified the software somehow before it was delivered. A supply-chain attack on a computer system.
I understand there's nonzero doubt as to the credibility of this story.
I'm currently reading The Dead Hand, and I think this matches what you're talking about:
> Rather than roll up the Line X officers and expel them, Reagan approved a secret plan to exploit the Farewell dossier for economic warfare against the Soviet Union. The plan was to secretly feed the Line X officers with technology rigged to self-destruct after a certain interval. The idea came from Weiss, who approached Casey, who took it to Reagan. The CIA worked with American industry to alter products to be slipped to the KGB, matching the KGB’s shopping list. “Contrived computer chips found their way into Soviet military equipment, flawed turbines were installed on a gas pipeline, and defective plans disturbed the output of chemical plants and a tractor factory,” Weiss said. “The Pentagon introduced misleading information pertinent to stealth aircraft, space defense, and tactical aircraft.”
> Oil and gas equipment was at the top of the Soviet wish list, and the Soviets needed sophisticated control systems to automate the valves, compressors and storage facilities for a huge new pipeline to Europe. When the pipeline technology could not be purchased in the United States, the KGB shopped it from a Canadian firm. However, tipped by Vetrov, the CIA rigged the software sold from Canada to go haywire after a while, to reset pump speeds and valve settings to create pressures far beyond those acceptable to the pipeline joints and welds. One day, the system exploded. “The result was the most monumental non-nuclear explosion and fire ever seen from space,” Reed recalled. The blast was starting to trigger worried looks in the U.S. government that day, he recalled, when, at the National Security Council, “Gus Weiss came down the hall to tell his fellow NSC staffers not to worry.” The explosion had been one of the first fruits of the Reagan confrontation.
It's funny how upset the US public can get about any perceived incursions by the Russians (sometimes true, often not) when you consider the country's own history.
There's a big difference between the capabilities of a criminal organization (like the one involved here) and that of a nation state. Such attacks are also responded to differently, and it's not going to be send some Bitcoin to this address.
Couldn't the pipeline have it's own network connected to a monitoring station. At the station employees could access the pipeline network but never connect it to the network from which they could communicate with the people who would be dispatched to make repairs or adjustments?
Sounds looks a solved problem, but it isn’t. The electrical grid isolates SCADA networks from the internet, so substations are interconnected via dedicated networks. But then at the command centers you have the entire monitoring and control systems with on site operators. Then, inevitably you will have some employees with vpn access, and now you have 2 vectors: remote admins getting hacked and local admins plugging in external devices. You’d think it’s easy to get rid of vpns, but things like the pandemic brought them all back to full force.
I remember they got past the Iranian air gap using a USB stick. It’s a mistake to think air gaps are safe but they are certainly better than having your network open to the internet.
> Attach a fine to the discovery and disclosure and you disincentivise that prudence.
Sue them. Failure to disclose key documents in the discovery phase of a trial carries hefty fines and jailtime. And quadruple the fine for misrepresenting the cause.
People act like the government doesn't have the power of subpoena. They can absolutely compel you to tell the truth.
Yes. I've worked in a very regulated industry before and it ended up being less secure than any other I've worked in. Checking your secure email required so many hoops people would just text each others personal phones instead, etc.
I've actually worked in govt systems. If you think the whole endless threats of jail make for more secure systems you are truly clueless.
These systems are RIDDLED with the WORST outdated crap you can imagine. Absolute insane hoop jumping so plenty of pressure to work around security just to get jobs done (seriously - start with the help desk if you want access - they are so used to password resets the procedures become a joke - literally - what's the username and that's it, because if you have thousands of folks on 30 day password rotations with insane complexity all you do is password resets endlessly). Password sharing can also be crazy so passwords float all over.
The govt has had it's top stuff leaked. Office of personnel management leaked insanely sensitive stuff. They contract with the WORST folks in security. It's really crazy.
Google has never asked me to rotate my password. I have non-SMS two factor authentication options, they do pretty sophisticated rate and geo monitoring so you are not annoyed but pretty secure.
Cyberattacks, mechanical failures, weather disasters, meteor strikes, terrorist bombs, stupid construction workers ALL could affect this pipeline. People on HN have no risk perspective. Make the system resilient to a proactive few day outage. Why does this system have to run 365 / 24 / 7? Have you mitigated EVERY possible issue - including disgruntled employees? No - then instead of over doing one corner, design some give in the system.
I want to add that the physical limits of how the design is done is as much as corruption/stupidity.
By physical limits I mean us, the wet ware in the middle of all this. These systems can be designed years if not decades before they are actually brought online. By simple temporal placement they get the materials and techniques of that time span. By the time these things are ageing out of the system they will have some old tech on them.
> Failure to disclose key documents in the discovery phase of a trial carries hefty fines and jailtime
When you do this, the documents never get created. Not due to nefarious cover-ups. But because if little incentivises the creation of documentation, and everything penalises it in the edge case, you get rubber stamped compliance stacks for decades until a crash.
If one has massive downside for reporting a potential risk, one better be 100% sure that risk is manifest before pulling the trigger. That delay and omission is the cost of such draconianism.
All internal communications, unless they are with an attorney and are clearly marked "privileged" and pertain to actual legal advice, are discoverable.
> All internal communications, unless they are with an attorney and are clearly marked "privileged" and pertain to actual legal advice, are discoverable
If a communication doesn't exist, it's not discoverable. If you legislate penalties for a certain type of communication, it shouldn't be surprising when it ceases to exist. This isn't the product of cover ups. It's the long-term effect of penalties dissuading the looking into of certain things. If discovering a breach is penalized, nobody competent will look for breaches--that leaves no discoverable liability.
You're imagining that every company is going to transition some kind of nefarious mob-style wink-wink, nudge-nudge, no-written records speakeasy, or what? That's really taking things far.
This whole line of reasoning is specious, anyway. It's based on a fallacy that enforcing penalties is just going to make everyone lie their asses off to get out scott free. Is society so broken that they can get away with this? Come on.
Government systems get hacked all the time, too. Just because the government doesn't have a profit motive doesn't change a long list of human motivations that can be counterproductive.
The profit motive also incentivizes improved quality. If the product is bungled, the company is not likely to get the next contract. If the government agency bungles the product, they'll get a budget increase next time.
> The US Gov should make it clear, if you are a critical service and if your service drops due to items being on the internet, for each occurances 10% of your total revenue (including your parent companies) are forfeited.
I would love to see this but somehow I doubt it will happen any more than my pipe dream of holding the CXO and the board criminally liable for the criminal actions of management/employees/contractors/agents of a corporation during the course of their work for the corporation.
It is nice to dream though. I would certainly welcome any kind of accountability.
They aren't 'on the internet'. They are connected via several layers of networks with firewalls etc in between to a system which has direct access to the internet. There often is no practical way around this - data from these networks needs to be shared with business users, other companies, regulators and so on. Data diodes can be applicable in some situations, but I've never worked with a company that uses one. I don't know the details of this situation, but demanding that it be impossible to compromise infrastructure networks is ridiculous. If you throw enough money and resources at it, no network is secure.
Indeed the best evidence supporting this view is that Natanz was fully air-gapped and still got destroyed by the Stuxnet hack.
That said I have heard of customers expressing desire to control valves and pumps using iPhones, and believe there are several initiatives at SCADA/PLC/DCS/System Integrator companies to provide this.
However I've seen as many of those in practice as I have data-diodes, which is to say, none/never.
It's multi-dimensional. SCADA itself being networked, and it reaching other systems that may be internet-enabled.
* What systems are affected by the hack?
* Could the shutdown be needed because of critical data the ICS gets from business?
* Or is it shut down because business needs real-time data from ICS it can't ingest?
In general, the idea of completely isolating an ICS from any other network is a tough one.
My question is, how often are these critical suppliers audited by the federal government? I have worked in banking cybersecurity and the amount of auditing from federal and state regulators is mind boggling. If a single company controls 45% of fuel transport to the east coast, it should carry some designation as a quasi-state entity subject to federal cybersecurity audits like banks.
This question of missing cyber security audits came up for me in discussion of the Verkada hack. That’s the startup providing security cameras inside hospitals, prisons and schools.
It seems like cybersecurity and audits of security readiness need to be demanded from any authority over companies operating in sensitive areas.
>if you are a critical service and if your service drops due to items being on the internet, for each occurances 10% of your total revenue (including your parent companies) are forfeited.
The problem is that it matters less than we'd like to think how "serious they are about security".
I'm seeing a lot of discussion about the responsibility of the victims to secure their networks, and it's mostly valid.
But it's strange that we're talking about how to punish the victims versus the criminal conspirators. We virtually let the malicious, overtly criminal party off the hook. It's almost like we're saying we expect criminals to be criminals and these guys are so hard to catch that the onus is entirely on the targets to repel their incessant attacks, else they're negligently malicious themselves. Sure, most of these victims can do better in just about every case. But, people here know better than most how difficult it is to 100% secure every layer of the stack from software to firmware to hardware, with multiple vendors and vectors, OSS, zero days, etc. And the bad guys only have to be right once across this broad attack surface. It's impossible to defend completely. There will always be breaches.
So, there's another element of this that has to be addressed, and that's getting serious about punishing these people. As it is, there's zero disincentive for them to just keep trying until they get through, but the upside is massive.
Most if not all of this activity originates from nations that are adversarial towards the US. So, we need to start treating these instances as official sovereign actions, especially when they originate from nations wherein the government and their intelligence services exert control over (and outright sponsor) such criminal schemes, and wield these attacks as a projection of national power.
These regimes also tend to feature oppressive criminal justice systems and harsh reprisals for even political dissidents. So, the message is, "we're not going to argue whether you're sanctioning these acts, but we're also not buying that you can't stop them, so we'll treat each incident as an official act of the state. We're holding you responsible for your criminals when they attack us and we will respond accordingly".
Detailed discussion around exactly how the most recent exploit might be mitigated is interesting and useful. But the balance in these discussions between mitigation and reprisals for the perpetrators needs to be shifted much more towards the latter. Otherwise, we can expect these discussions ad infinitum.
My guess is that they only get serious about security after a breach occurs.
You can view it all as strengthening an immune system. Without attacks, and the occasional successful ones, nobody is going to bother to harden anything.
Is that like how the banks all got serious about evaluating their risk carefully after the first time [1] they saw their models, and consequently their liquidity, evaporate?
Obviously I agree about your dissatisfaction with the other proposed solution: that just lets corporate entities put a low (10%) ceiling on what should be unlimited liability, allowing them to say that failing catastrophically by utter neglect to security is reliably a survivable offense (I recognize that in reality the liability of course ends at the dissolution of the corporation.)
I don’t think the analogy applies. We are humans, capable of observing the failures of others and making rational decisions to avoid those same failures. The immune system is programmed to react one specific way. For example, we can choose or choose not to go out of our way to get vaccinated. If someone doesn’t get vaccinated and infects a dozen other people and then get really sick themselves, it’s hard for me to have sympathy. Unfortunately here, when there’s an illness, millions of people have private information leaked. This should simply be an unacceptable.
This was addressed in the article. Critical services are on the internet because remote workers need access to them. I don't see how profits factor into it.
What "on site"? The various valves that need to be controlled remotely often are just a box, perhaps even underground, in a place where's no buildings for people to stay - a mechanical team can access the hardware on-site, but building and maintaining an actual office on each site is not practical. The same applies for power grids - you can't staff every substation with people.
A remote operator can manage dozens of such sites, a single "local" person might be close to one point, but the next control point is going to be miles away, so you either need much, much more people to station one at every valve, or have a situation where flipping a switch in all the "sites" is very slow because requires the "local" person to drive many miles visiting each location.
No, there's a reasonable objective need for this management to be actually remote - there's a discussion on how this should be implemented in a secure way, but it does have to be remote.
Lost revenue would be justified by execs as cost of doing business. And they'd probably buy hacker-insurance to cover some/all of that risk. They'd pay for the hacker-insurance by getting a shittier employee benefit plan, and cutting the employee 401k match by 2%. For each quarter they aren't hacked, they'd probably receive a credit from the hacker-insurance company, which would be distributed to execs via performance bonuses.
> It needs to be asked again, why are critical services on the Internet?
From TFA:
Digital Shadows thinks the Colonial Pipeline cyber-attack has come about due to the coronavirus pandemic - the rise of engineers remotely accessing control systems for the pipeline from home... believe DarkSide bought account login details relating to remote desktop software like TeamViewer and Microsoft Remote Desktop.
Maybe that'd make sense if it was the encryption that was broken. I wouldn't suggest a one-time pad for anything where modern encryption works just fine.
People whine about infrastructure being accessible over the internet, but in the old days it was just accessible over the phone network instead of the internet. It's not realistic for every bit of infrastructure to have the security protocols of military systems.
> The US Gov should make it clear, if you are a critical service and if your service drops due to items being on the internet, for each occurances 10% of your total revenue (including your parent companies) are forfeited.
Make it a crime to pay the ransom in a ransomware attack.
Make it a crime to fail to report a ransomware attack in a timely manner.
Ransomware attacks (and companies with poor security practices) will go away.
Make it a crime to possess, consume, or distribute substances that are bad for people.
Make it a crime for people to knowingly withhold information about such activities from the authorities.
Abuse of substances, trafficking, and associated criminality will go away.
But seriously...
> Make it a crime to pay the ransom in a ransomware attack.
Ok, so ... what should a company do? File a report with some government agency or with an insurance company and wait until the bureaucratic process maybe results in being able to pay the ransom to resume business operations? Punishing the victim of a crime? Really?
> Make it a crime to fail to report a ransomware attack in a timely manner.
Further punishing the victim of a crime? Really?
> Ransomware attacks (and companies with poor security practices) will go away.
I don’t see an analogy to drug laws. Is your point simply that such a law is impractical to enforce?
Paying extortionists begets more extortion. The only argument I’m seeing is a bunch of hand waving and people telling me I’m being hopelessly naive. I don’t think I am.
The real question right here. When will the US government finally take Linux seriously and invest heavily in it instead of relying on Microsoft solutions?
so then we rely on linux solutions instead? I've seen lots of control systems running linux and windows, personally I'd rather keep a mix of the two. Something about eggs and baskets.
> Digital Shadows thinks the Colonial Pipeline cyber-attack has come about due to the coronavirus pandemic - the rise of engineers remotely accessing control systems for the pipeline from home.
I would disagree with this. No petrochemical company I've worked with had OT/PLC/SCADA layers enabled for remote login. Other middle layers, like the historian, potentially. But not the control system itself.
It's possible to enable this but knowing the culture at Colonial Pipeline first-hand, I strongly doubt they did this during COVID.
To clarify: this is not from "financialization" generally speaking. This is specifically from consolidation for the sake of increasing efficiency and thus margins (as you pointed out).
This is opposed to increased competition (which also increases volatility) in the markets.
The reason why the markets are so consolidated is because it removes short-term risk. If there is an obvious market and only one (or a few) companies involved then everyone makes money (magic, I know). This is why Wall Street lobbies for regulations so hard. They have ownership in all the existing major companies that can afford those regulations and it consolidates the profits (and thus returns). De facto Crony Capitalism at its finest. Your aristocratic oligarchs.
So, stop giving your money to large index funds. (And every time there is a comment on HN telling you to, and there are plenty, downvote them and tell them a proper F-off).
The idea that no one can/should ever lose is what is killing the economy. It got its birth in the boomer-retirement-fund markets of the past few decades.
To recap, it is consolidation for margins that is the problem. That is not the same as general "financialization" (increased trading) that helps increase volatility in the markets and actually increases the size of the economy.
We desperately need real markets and not this crony capitalism that seems self-persistent.
The current system is such a marriage between corrupt politicians and wall street (which is now heavily extended into SV, btw) that it is absolutely disgusting.
They are not always the lowest bidder. Colonial Pipeline was known for selecting the higher bids sometimes in order to ensure quality of work. They'd generally evaluate risk vs. quality vs. price.
Colonial also kept multiple overlapping vendors for their last SCADA upgrade in order to make sure that no contractor was too overloaded during a "boom time". They'd generally stagger the work between locations (they had to upgrade dozens of stations along the pipeline) and keep track of the performance of everyone they hired and try to keep a steady workflow for everyone over a multi-year period.
> if you are a critical service ... for each occurances 10% of your total revenue ... are forfeited
You can achieve the same effect without all the arbitrary political decision-making inherent in this proposal by requiring these companies to buy delivery insurance or something. The insurance company will charge them proportionally to the risk of attack, which will internalize the cost.
Like AIG insuring investments during the 2008 crisis? I think for critical infra you want some extra care and redundancy (not arbitrary though of course).
or maybe the notion that russia is even behind it is a lie aimed at stoking tensions between the united states and russia, probably for the sake of profitting companies like digital shadows--or wharever it was called.
Anyone not using U2F/WebAuthn to protect all of their internal resources is behind the state of the art. It's really not that hard, especially when you're a BigCorp and already have an SSO system in place.
> We should shut down Russian infrastructure as retaliation.
How about, instead of causing harm to innocent Russian people by such pointless escalation, the US makes a serious and meaningful effort to secure their critical national infrastructure. As they should have done in the first place.
I was an adult, and I remember the experts on TV (and print and other media) debunking the “experts” you refer to, often in near real time. And, unlike the latter, the former often had the receipts (fairly literally, in the case of the debunking of the “Winnebagos of Mass Destruction”.)
I was also an adult, and the fervor over WMD was unreal. And not just WMDs, but stupid shit like "Freedom Fries" and "These colors don't run". The spike in nationalism was awful to behold.
> I was also an adult, and the fervor over WMD was unreal
Sure, the fervor was, as were lots of emotional aspects of the post-9/11 wave of Islamophobic hysteria. And certainly the opinion and commentary programs of the major TV news networks were often engaged in that (Fox, of course, but also MSNBC and CNN, both of whom reacted to Fox in the early 00’s even before 9/11 by chasing the bias in Fox opinion/commentary — not so much actual news — which definitely contributed to their slant and the reinforced the national post-9/11 mood well pay the beginning of the Iraq War.) This effect was smaller in the print media (but even greater in blogs, which were taking off as the new distinctly online media and didn’t tend to segregate fact and commentary or otherwise act like traditional media.)
That’s why the widely disseminated debunkings of the WMD propaganda in news coverage were also widely disregarded, but there has since become a revisionist narrative which pretends that the WMD propaganda was generally presented as unquestioned fact and contrary information suppressed by the news media.
>If we shut down Russian infrastructure and Russian civilians get caught in the crossfire, the Russian government can blame themselves
A very naive statement. The Russian government doesn't work like that. They NEVER admit they were wrong. They don't care about civilians. They have culture of complete denial, even in the presence of indisputible facts. They will say US attacks on Russia is yet another proof of US' hostile, aggressive behavior towards Russia in a greater geopolitical game (especially when presented proofs of Russia's involvement are pretty weak, like "the hacker group never attacked Russian infrastructure" - I bet they never attacked North Korea either), giving Putin an excuse to crackdown on opposition and restrict/reduce Russians' freedom/human rights even more, further militarizing things and increasing attacks on US infra.
Actually strengthening security is the only proper solution, to make that kind of attacks futile and unprofitable. It's usually not some ingenious attacks but just simple negligence of the targets.
No we should not. We should hunt down those individuals that are responsible but if we get into this tit for tat escalation pattern it might end poorly for all parties involved.
And if “the individuals” turn out to be operatives of the Russian government?
I find as world events unfold these last few years I have drifted away from my isolationist/non-interventionist views. I wouldn’t say I’d advocate for a military response (either electronic or physically destructive) at this point, but I wouldn’t think badly of our government if they did something like that.
Americans have become a rather stupidly optimistic/ignorant people. Russia and China will absolutely destroy us if we don’t aggressively counter their military aggression. And that’s what attacks like this are: military aggression. We ought to start acting like it.
Since this account appears to be using HN primarily for ideological battle and that's against the site guidelines, we've banned it. Please don't create accounts to do that with. It's not what this site is for, and it destroys what it is for.
Yes we should. There is no justification for why we meekly let them have at it cyberspace. It should be pain for pain. Russians will never learn until they feel pain.
I can think of some reasons why we should not retaliate against the Russian government. Perhaps we have more to lose in escalation. I don't know if this is true but it might be. If this is an attack at the behest/approval of the Russian government we don't know why they made the attack. It could be a response to something we did to them. We should not get riled up because what hasn't been reported is likely the real story. We just don't know and as citizens we ought not clamor for our leaders to respond. That sort of clamoring has in the past had very negative consequences.
We can entirely, safely remove Russia from the global Internet and we can do it trivially. That's exactly what we should do if they press attacks too far: isolate them. They have the increasingly government controlled Runet to restrict their people's access to the outside world, we should barricade them in.
Their economy is small, close to meaningless. It's nearly a rounding error at this point in the global economy and it'll continue to shrink in that relationship. The sole thing to be concerned about with Russia is their nuclear arsenal.
Their economy is small and ours large. Therefore we have more to lose possibly. Removing them from the internet will not prevent their ability to mount attacks. It makes it more difficult but not impossible. We cyber attacked an Iranian nuclear facility that was air gapped.
I like the concept of holding Russia (as with any country) responsible assuming they are, but your reply didn’t address the escalating pattern of tit for tat, and how to deal with that.
Perhaps a sort of cyber-MAD comes out of the escalation and the Russian government cracks down on the group to prevent their own serious infrastructure disruptions.
> We should shut down Russian infrastructure as retaliation
Sanctions against key people are probably more effective while not causing too much anti-American sentiment in the general population or a rally around the flag effect. Hard to rile up the people because a dodgy oligarch can no longer keep his roubles in a London bank, where Babushka Svetlana freezing to death 'cuz the Yankees cut the gas is a martyrdom event.
Not to mention sanctions cost real human lives. The people who will be starving aren't the same folks who are mounting highly complex, large scale ransomware attacks.
If you believe this is somehow unprecedented, or that the United States does not also exploit extralegal methods for proxy conflict/geopolitical subterfuge when convenient, you need to read more
Take a deep breath, you are jumping at shadows and telling everyone that "they" are out to get us.
Thieves are thieves, organized crime is organized crime. You think there aren't major criminal organizations in the US committing ransoms in other countries?
Previous poster isn't wrong that the Russian government turns a blind eye to these kind of things as long as it doesn't target Russian citizens; same with China etc. This isn't especially controversial, and anyone involved with these kind of things will tell you this.
Calling this an "act of war" is of course hysterical.
MSNBC had a person on who purported to be someone knowledgeable. I also read the Washington Post. The act of war part was my idea. I realize I may not have the correct understanding yet, but based on the Solar Winds hack and the Mueller report, it seems to me they are attacking us. Isn't an attack an act of war?
i noticed this at the time. i heard really loudly about russia paying bounties on american soldiers, and then so quietly that i might have missed it that there was no evidence for it. it's odd isn't it?
Large corporate or state media outlets are unlikely to provide the historical context or the epistemic humility required to follow geopolitics with nuance
This is the same group advocating for The Great Reset, and predicting people will “own nothing and be happy”.
It does seem like there is a plan in place for the controlled demolition of industrial society to depopulate the planet and solidify a neo-feudal order of rule by a breakaway elite.
when did "legitimate interest" become the thing advertisers^Wtrackers are (ab)using to keep tracking on by default? It's not due to a change in legislation afaikt, the GDPR hasn't changed in this regard, right?
I suppose I’m very naive, but I’m under the impression that they’re the same in the way that that they’re both meant to provide necessary fuel oils to local markets in an efficient way.
And that maybe it would be good to have redundancy, which requires allowing new pipelines to be built. It’s not my fault that that’s somehow a “political issue,” which as far as I can tell means something that your preferred propaganda sources have conditioned you to have an emotional response to that overwhelms any hope of reasoning.
I hope you're not talking about the CIA, whose network of agents in China (to pick one example) was rounded up and killed due to either shoddy IT work or a mole in the Agency. Either possiblity reflects poorly on the American intelligence community:
>Investigators remain divided over whether there was a spy within the Central Intelligence Agency who betrayed the sources or whether the Chinese hacked the CIA’s covert communications system, the newspaper reported, citing current and former U.S. officials.
>The Chinese killed at least a dozen people providing information to the CIA from 2010 through 2012, dismantling a network that was years in the making, the newspaper reported.
>One was shot and killed in front of a government building in China, three officials told the Times, saying that was designed as a message to others about working with Washington.
This isn't a counter-argument against the person you're replying to, though. One can pick from numerous examples of the inverse(though the US doesn't round them up & disappear them, they go through the court system)
> though the US doesn't round them up & disappear them, they go through the court system
Yeah, unless you are suspected for terrorism. I recommend the movie named The Mauritanian.
> Mohamedou Ould Slahi (Arabic: محمدو ولد الصلاحي) (born December 21, 1970) is a Mauritanian man who was detained at Guantánamo Bay detention camp without charge from 2002 until his release on October 17, 2016.
> The book, Guantánamo Diary, was published in January 2015. It is the first work by a still-imprisoned detainee at Guantánamo. It provides details of Slahi's harsh interrogations and torture, including being "force-fed seawater, sexually molested, subjected to a mock execution and repeatedly beaten, kicked and smashed across the face, all spiced with threats that his mother will be brought to Guantánamo and gang-raped.[1]
In a country of 330 million people, with massively global interests, you're going to have to do a lot better than rare examples.
In a country so large with so many different government agencies, entities, organizations, and interests, just about anything you can think of will have happened at some point. The question is whether it's going on at large scale, whether it's the common practice or rare.
You're trying to use one example to prove that the practice is common, when in fact that's false, it's not common it's rare. It's the exception, not the rule; which is exactly why it makes for an attention getting story.
Okay, first of all, we have no reason to remotely assume those executed were CIA agents; it’s far(far) more likely they were CIA assets, local people recruited by agents to sell secrets. Assets are captured regularly.
Even still, do you expect any intelligence agency to be perfect? I’m not sure what point you’re trying to prove here.
Intelligence I'd say probably Russia right? They've made America look quite incompetent the past decade or so. Military I'd say America although I don't think SEAL team 6 is going to be hunting down these attackers
> They've made America look quite incompetent the past decade or so
This itself is American propoganda; the strategy is to be absolutely all over your opponents, knowing that they can't complain about it for fear of looking weak, while complaining loudly about how their meagre attempts are the end of the world, getting public and Congressional support for more spending.
Before the Snowden leaks, someone suggesting the US had the SIGINT capacities they actually did have would have be laughed out of serious circles as a crank, and you better believe they haven't been sat still over the 8 years since.
I don't believe the way America has embarrassed itself on the world stage is American propaganda. Russia has repeatedly exploited the stupidity of a few within the upper echelons of the elected American government with a few well placed agents and bots backing up those messages online.
The effectiveness of the CIA (or government) depends on the narrative of the author. Like the immigrant paradox: are they lazy or are they taking your jobs? which is it?
Not to be rude but I'm pretty sure you need to check up on your stats. The Chinese do have the oceans.
>Citing the Office of Naval Intelligence, a Congressional Research Service report from March notes that the People’s Liberation Army Navy, or PLAN, was slated to have 360 battle force ships by the end of 2020, dwarfing the U.S. fleet of 297 ships.
Air Craft carriers and jets were proven in WW2 to be the big differentiator. US took note and has more than the entire world combined. 'Battle force ships' is a very loose term and your source only includes navy resources. You forget we have Army, Air force, Marines and not to forget coast guard that all have their own watercraft. Also, don't know if you've been seeing some of the new SWISS ships the US have been developing. Very small, hyper fast ships with a crew of 6 or less with a crazy amount of firepower in terms of AA, 50 cal, even torpedos. Those aren't categorized as 'Battle Force Ships'.
Also, despite the huge waste that is inherent in it - no one has bases like the US does. We have forward operating bases all over the middle east, geographically separated units all over east europe, africa, asian pacific, and military bases all over europe and every key point of the united states. Nasa never quite got launches down but we do have some of the most advanced satellite, imagery and other military instruments. look up number of military spacecraft by country.
Whether it's moral or not is an entirely different question, but there is a reason the international monetary fund has a weight 44% USD; It's not because all the other countries like us that's for sure.
Bath Iron Works is hiring people on the spot right now. They are probably going to hire 3k people in the next year. I imagine this is happening at other shipyards around the country. Expect those ship numbers to be revised upwards.
I don't dispute the ability for China to produce more ships than the US or have more ships. By tonnage they are still less than half the size of the the US fleet and they aren't in control of the oceans. I'm not saying that won't change I am merely flagging OP statements as inaccurate.
We should use it and shut down Russian pipelines. The Russian government is supporting and harboring DarkSide. It's possible the state directed this attack through them for plausible deniability.
Forgive my ignorance, but is it incredibly hard to determine the actual identities of the people behind this? I don’t know why a government wouldn’t simply assassinate culprits who were guilty of crimes at a level that would qualify as an act of war.
Given that this is a ransomware attack, the data is probably encrypted, so if they did find the person behind it, they would probably use "rubber-hose cryptanalysis" to extract encryption keys before...
I think it’s odd that I’m being downvoted.. I’m not advocating murder, I just wonder if ransomware criminals (assuming they aren’t actually state actors) wouldn’t be at risk.
Breaking: U.S. government is inept at carrying out procedures which are standard in the technology industry, including the proper safeguarding of important tools & data, despite a budget larger than any other entity on earth.
Not Breaking: Citizens’ disappointment in the aforementioned, particularly given their direct contribution to said budget.
The Unsaid: Much of this will not change, unless incentives are realigned.
> Breaking: U.S. government is inept at carrying out procedures which are standard in the technology industry, including the proper safeguarding of important tools & data, despite a budget larger than any other entity on earth.
I'm not sure what technology industry you are in, but in the one I'm in software engineers are fooled by phishing attacks extremely consistently, people routinely expose critical systems and devices to the internet, developers often expose databases with insecure defaults to the internet over well-known ports, customer data gets stolen on a regular basis, etc., etc., etc. Regardless of how one feels about the government, I don't think the average technology company does any better when it comes to securing its own infrastructure.
Basic security practices like 2FA and not using VPNs/trusting the network would be a great start. There is no excuse for private business like Facebook and Google being more secure than the f*@& United States of America.
For sure, and worse because there's no stock grants that subsequently go up several times in value after distribution. I get that it's a compensation problem as well as a supply problem: software engineering talent is hard to come by and world class software security talent is even harder to come by.
https://news.ycombinator.com/newsguidelines.html