Hacker News new | past | comments | ask | show | jobs | submit login
US passes emergency waiver over fuel pipeline cyber-attack (bbc.com)
611 points by selfsimilar on May 10, 2021 | hide | past | favorite | 451 comments



All: please don't post flamebait such as calls for war and whatnot. It's incredibly tedious. We're trying for interesting conversation here.

https://news.ycombinator.com/newsguidelines.html


Colonial Pipeline precisely does keep it's control network disconnected from the internet - the only thing that was ransomwared is their corporate network. They shut the pipelines down voluntarily to prevent further spread.


If we define critical system as "necessary to the operation of the business" then the corporate system is absolutely critical. It doesn't matter if the SCADA system is airgapped if you can shut down the capability by crashing the corporate systems.


Their approach makes a lot of sense. Corp network hacked - so to be careful shut down pipeline until you've really made sure that you are fully safe pipeline side as there now may be more attack vectors.


I built some of the SCADA and IT systems for Colonial Pipeline.

Many industrial SCADA systems (nearly all) send data from their "OT" systems (PLC/DCS/SCADA) to their "IT" and business layers (Historians/Timeseries Databases, Dashboards, Power BI/etc). This almost always happens through a two-way link (think TCP/IP, HTTP). While the software should not allow data flow backwards, the hardware absolutely does. So how much do you trust the software?

I often advocate that industrial SCADA systems utilize "data-diodes", one-way opto-isolators, or other physically verifiable methods of confirming that no information/data/instructions can get from a "higher" layer (OSI Pi, PowerBI) to a lower layer (Allen-Bradley PLC, Siemens PLC, Emerson DeltaV DCS, etc).

Convincing the powers-that-be to do this has been incredibly impossible in most places and a large reason why I'm trying to transition to a different space - I simply have had ethical concerns about providing engineering services to critical infrastructure without building in best practices.

Stuxnet was over a decade ago - I don't understand how these protections aren't mandated by the DHS already.

Disclaimer: I don't think it's reasonable for non-involved people to assume the OT side has been compromised. I do think Colonial will need some time to verify the integrity of their SCADA systems and it makes sense to keep the power to the physical devices (valves/pumps) offline until they do. I understand why they chose to shut down but I don't think there's any evidence that they'll be unable to start back up again.

Lastly, I saw a quote in one article:

>>> Digital Shadows thinks the Colonial Pipeline cyber-attack has come about due to the coronavirus pandemic - the rise of engineers remotely accessing control systems for the pipeline from home.

I strongly doubt this. It's possible, of course. But it's extremely unlikely to me that employees would have remotely accessed OT/SCADA systems from home. No one I've worked with has had that capability enabled.

Many companies use products which have been shown to have flaws, like Citrix or various corporate VPNs. These could be compromised to get access "closer" to the OT layers but never directly into it.

Onion layer security is very much practiced everywhere I've been.

Edit: I have heard of some petrochemical facilities moving towards allowing operators and engineers to manipulate valves/pumps on their iPhones. This horrifies me for many reasons. I've never actually seen it implemented and I always bring up Stuxnet when I hear people mention it. I personally believe that DHS should make this sort of thing illegal for critical infrastructure. Many good engineers disagree with me.


Dan Kaminsky spent an enormous amount of time and effort on creating a secure hardware framework 10 years ago. It went nowhere for a lot of the same reasons you discuss in this comment.

The government and industry are all talk. Until we see actual enforcement / incentives for secure hardware, just assume everything (and I mean everything) can get shut down at any time. The only people who think this is an exaggeration are those who haven’t seen what things actually look like on the inside.


> Dan Kaminsky spent an enormous amount of time and effort on creating a secure hardware framework 10 years ago.

Can someone please link me to a page that goes into more detail about this secure hardware framework? Not a month from his passing, and we get a national-security-level attack that might have been prevented if US business took more seriously software engineering and security engineering from back then.

Also, I cannot help but wonder if Dan would still be with us if the irretrievably broken US healthcare system was a national system that supplied him with an inexpensive CGM and insulin no matter his employment situation.


There were a bunch of people who worked with him on this in Taiwan. I don't think anything ever got released publicly, and I think Dan found the whole episode to be so frustrating that he never commented on it much in public.


I’m curious — how would something like a data-diode work in real life? It makes sense, but what about something like TCP where the sending side needs the ability to receive ACK messages? Is a firewall (dedicated, if need be) enough?

Or would this be some other kind of physical interface that took some kind of read-only data (serial?) and sent it up the layers using TCP/IP, where only this box would be at risk?

Edit: looks like you answered part of this below — you suggest switching to UDP protocols.


TCP would not be possible if your physical layer doesn't support two-way communication. I think UDP would.

Firewalls are currently used, and probably generally configured well. Petrochemical companies have a many-layered onion security strategy with minimal communication paths through the firewalls. Generally you might have 4-8 layers of firewalls from public facing internet to the PLC/DCS/SCADA. Administrative people might VPN 1-2 layers deep and engineers would at worst get remote access to the historian, 1-2 firewall layers above the PLC/DCS/SCADA.

It's my professional opinion that firewalls are not good enough for critical infrastructure. Even a completely air-gapped system was hacked thoroughly over a decade ago in Iran (See Stuxnet).

Your suggestion would suffice, if that box ("gateway", in the IoT parlance) was connected with a one way physical connection to the SCADA system over serial or what-have-you. Then it could communicate with TCP using existing application stacks.

I am designing a system like this at my current job, where luckily we are a small enough team so people have genuinely listened to my suggestions about this.

However, good engineers often disagree with me. I may be overly zealous on this particular issue and I take a lot of criticism about how dogmatic I am at times. I'm not a senior engineer by any stretch.


> I’m curious — how would something like a data-diode work in real life?

Low, fixed-bitrate transfer over unidirectional fiber optics. Unidirectional transcievers are the norm for long-haul fiber.

My local electrical utility is still running 11.52kbps RS-232 over fiber for exactly this reason. At those bitrates you don't need backpressure -- your disk will never fill up and if the CPU can't handle that bitrate you already have much larger problems.

It's kind of funny that they have sheaths where one strand is running this piddly dozen-kilobit protocol and other strands in the same sheath are doing 10gbit/sec * 16-channel CWDM.

Most electrical utilities are into fiber optics in a very big way; they already (usually) own the poles and unlike copper it's nonconductive. Many of them have vastly more strands of fiber between substations than they need.


> how would something like a data-diode work in real life?

The ones I have worked with convert a TCP stream to UDP, send it across the diode, and then convert it back to TCP. Each UDP packet has a sequence number and there is a single reverse-diode that is fired when a packet is missed or arrives out of order that triggers a retransmission of the last N packets.


I have heard some plane infotainment systems use a 1-way optical link to solve this problem to get the speed/altitude/etc to the displays. It just receives the data as a downlink (no 2-way communications) and being optical its electrically isolated as well as impossible to transmit or even interfere the other way.


That was FUD[1] spread by Chris Roberts who has been called out for it. He claimed he was able to issue climb commands from the IFE to the CAN bus.

Apart from this being technologically impossible, if he would have really done it he would have been charged for endangering an aircraft and prosecuted. (So the only explanation why he isn't in prison is that it didn't happen). The technical reason is Data diodes are common in aviation to separate IFE and CAN bus or position data. (e.g in the ARINC)

[1] https://www.pentestpartners.com/security-blog/a-pen-testers-...


If you don’t allow 2-way comms to SCADA devices, how can you set values on those devices. For example, open valve 9881 to 10% … how would that be done?

SCADA devices are not read-only.


That functionality would be local, before the one-way isolator. A human at a terminal located near the valve could still press a button to make that happen. That system could even be running windows (most are!).

But a hacker wouldn't be able to use their access to the Timeseries database for supply chain and logistics, to pivot to the SCADA system because their attempts would be blocked by a lack of a physical layer connection in that direction.

It would significantly reduce the attack surface of the OT systems.


I think the original use-case was delivering data for use in dashboards or other business systems, not the SCADA network in general (where you’d want write access). So, places where you might want to get read-only data from a secured system, but not allow write access. These business/reporting systems might be internet connected, hence the desire for better isolation.


You don't let remote systems open valve 9881.

That would be like deploying the landing gear of the airliner, because someone triggered a bug while changing the channel on the in-flight entertainment system.


The whole point of SCADA systems is that you can open and close valves remotely, without requiring to drive hundreds of miles along the pipeline to wherever the particular valve is located.


Industrial applications use unidirectional gateways (See NIST 800-82r2). The gateways have diode-like hardware at their core, but add software. The software acquires snapshots of industrial state, converts those snapshots to proprietary unidirectional protocols & formats, and on the external enterprise network makes the data available to enterprise users.

A common example is a SQLServer database of all industrial data that is authorized to share with the enterprise. Grab new and changed data as it arrives on the industrial side. Push unidirectionally to the enterprise side. Insert/update the data in an identical SQLServer. Enterprise users & applications interact normally and bi-directionally with the replica database.

The technology is used routinely to provide access to industrial data that enables business efficiencies, without providing access to the industrial systems that produce the data.

For more info see: https://waterfall-security.com


That can work. Or you can have A use TCP to B, C use TCP to D, and B and C are connected by a very short one-way cable, maybe something optical.

The US government term of art for this pattern is a “guard”, often with a regex or manual filter.


A data diode doesn't have to be just a one way ethernet port, it can include a pair of dedicated servers.

The inside (isolated) server would poll everything, store it into a buffer, and send that buffer (plus error correction) out through an optoisolator to other server.

The outside (internet facing) server would then keep up with the ring buffer, and serve requests, and do any outbound push of data via any protocol required.

A system to do this could be made with a pair of raspberry pi computers and a little bit of discrete components for less than $150 in hardware costs.


> how would something like a data-diode work in real life?

A webcam? Second hand, but that's what I was told a dam operator was using as a "grass-roots" solution a while back


Not sure, but seems like literal diodes on the data line would work? Probably packaged to make it plug and play.


Excellent info, thanks.

"OT" vs "IT":

"Operational Tech" (pipeline and safety-critical monitor and control)

and

"Information Tech" (payroll, email, other business stuff)

?

I could only imagine trying to tell a large corporation that their "IT" authentication system can't be linked to the access card keys for the front gate, or whatever other physical security they might have in place.

It doesn't matter if we can formally prove that a remote access system is sufficiently secure as to aloow engineers to operate valves and pumps from home... For inevitably, some months from now, a wildly insecure utility will be connected to that, and you lose the ability to reason about how to keep the streams from crossing.


Easiest opto-isolator is to epoxy the sfp into the socket, and then fill the rx port on the critical side with epoxy, and then just run one fiber. The epoxy may seem excessive, especially if the sfp dies and you have to swap a whole nic, but it makes people stop and think.


Do you think Colonial identified some "physical world" risk, as in the possibility of a pressure overload or pipeline leak? I imagine that verifying the integrity of these SCADA systems is a very complex task, so I'm wondering if they've already identified a possible attack vector/entry point or if this was entirely preventative.


I have no idea. Shutting down preventatively would be smart, and they had good leadership in their IT space while I was there. Friendly people who could make the hard decisions quickly, weren't afraid to pick up the phones to call people, and supported the growth of struggling employees without letting shoddy work get approved. They were also good at managing large multi-year and nation-wide project campaigns - a rare skill in this world.

That said, determining whether or not a system was compromised can be incredibly difficult. I'm sure they'll face massive pressure to turn the pipeline back on as it does supply almost half of the east coast with oil. I wouldn't want to be the person who has to make that call when it's impossible to prove a negative.

CPC had two explosions a few years back which caused gasoline shortages in new england, that may provide indication of the scale of disruption to expect.


Thanks for the response. It's amazing to have a community where "subject-matter experts" like yourself just pop up.

I'm quite surprised and comforted to hear that the leadership there is competent and knows how to manage people. I've heard from friends/acquaintances who have worked in the energy industry about how terribly things are put together on an IT front (PG&E being a prime culprit), so I was expecting the same here.

I really like your "data-diodes" concept. Interested to see if such a thing takes off especially as these attacks evolve.


That's why physical write-enable switches are a must for ROMs. If it's "off", the malware won't survive a reboot.


> I personally believe that DHS should make this sort of thing illegal for critical infrastructure.

I can't speak to non-electrical infrastructure, but the NERC CIP "high impact" standards already make it largely impossible to operate critical electrical infrastructure from anywhere other than a secured control centre. Operating from your laptop or iPhone from the kitchen table is however allowed for "low impact" assets like small power plants.


I also wonder why nobody who has secure computing issues demands physical write-enable switches for ROM, rather than using software switches that are inevitably corrupted.


Generally it's been the opinion that the control systems need to be modifiable. For example if you add a single valve in a facility which has 4,000 valves already, it would be nice to just add add a controller for that valve to the current SCADA system.

However, a write-only ROM system is possible as long as the ROM chips were reasonably affordable and a company could provide reasonable turnaround times for small modifications. That would move the target of vulnerability up the supply chain.

Some of the things which matter though are necessarily run-time variables like "is the valve commanded open or closed?" and "what are the tuning parameters for this PID control loop?". It's always theoretically possible for a buffer overflow/rowhammer/etc to flip the bit responsible for the valve's open/closed command. Even with an OS/Application stack burned into ROM. You still need RAM.

At least power cycling a readonly-storage device would remove any malicious RAM changes.


Thanks for your many informative posts here. It's a pleasure reading from someone who knows what they're talking about :-)

I did say ROMs, but you can also use EEPROMs, which are erasable in-circuit, and you certainly put a physical write-enable in that circuit. Ideally, it would be a momentary push-button that has to be pushed in person on-site.

Back in college we used EPROMs, which are erased by putting them for 20 minutes or so under a UV lamp. EEPROMs came out later.


Another thing that can be done is to divide the pipeline into several sections, not just one long one. So if one section gets compromised, it doesn't propagate to the next.


Do you propose that each section gets their own control/monitoring facility staffed 24/7 ? If not, the shared control/monitoring facility is the most likely place of compromise anyway, and it by design can control all the pipeline hardware.


I'm not sure how that would work-- each section would still need to send its petroleum products to the next section, making it effectively still one pipeline. Unless I misunderstand your statement?


Consider cars on a freeway. There is no central control. Each car controls itself, cooperating with its neighbors. If one car goes berserk, it doesn't take down the whole freeway.

With a pipeline, if sections operated autonomously but cooperated with each other, and one goes berserk, its neighbors will shut down, but they won't be damaged. The repair work only has to repair the one section.


Ah, I see. Not segmented pipeline, segmented pipeline control. That makes a little more sense. However it might make it significantly more difficult to make coordination between segments possible: The self organizing behavior at work with car driving may be significantly different than what is required for a pipeline.

People driving cars are essentially doing what is best for themselves individually (within the bounds of the law), and that ends up translating to something that works for the whole. With a pipeline, that might not work: If pressure gets too high in one area, it might take highly coordinated control across thousands of miles to bleed off contents into buffer tanks & ease pressure a dozen segments away.

I'm not saying that couldn't be done, I'm sure the SCADA systems could be isolated from each other in this way, it just seems like it would require a lot more difficulty with explicit coordination between technicians, not a self-organizing system such with driving on a highway.


is there evidence of suspicion the Ransomeware is on the controller HMI's, infected from Enterprise connections


is there indication of speculation the Ransomeware is on the Contoller HMI's or is it Enterprise


I have no idea why they would do that unless the system was not airgapped properly or it was hard to untangle the admin network from the control network (in which case, the control network is effectively not airgapped).


Flash drives.

I used to work in fabs and every couple of years some tool or other would get a virus, sometimes it spread through the network.


USB ports are generally disabled in BIOS or purposefully physically damaged on most OT systems I've worked on for oil/gas/chemicals. Many places are fond of using epoxy to block the ports.


I like those people. The problem being sometimes you need logs or data off tools. I’m far from an IT wizard so I don’t know what other solutions exist but the flash drives to get stuff off tools was the easiest


It makes some things more difficult. CD/DVD's are generally used instead. Sometimes other computers could be connected but in that case there would be some organizational procedure for attempting to make sure that other computer was as low risk as possible.

You can't eliminate the possibility of malicious action, Stuxnet proves that. It's my opinion that at least for critical infrastructure we can probably make things much more difficult for our adversaries at a relatively low cost. This pipeline is purported to carry half the gasoline/diesel/heating oil to the east coast, but I'd be lying if I said I knew exactly where the cost-benefit equilibrium should land.


I'd be lying if I claimed I knew...but I would be willing to bet that cost-benefit analysis was made a long time ago before these concerns became so timely.


Please explain why shutting down the pipeline will contain the hack?


You need the SCADA systems to run the pipeline. They control the pumps, valves, product sequencing, etc. So Colonial purposely shut down the pipeline to prevent the SCADA system from getting affected, which might cause physical damage that truly would be a catastrophe.


I'm really confused: the pipeline is resilient to a hack: they just shut down the pipeline so it won't be 'affected' (hacked?)?


It was intended to be airgapped, but we're talking about a pipeline that is several thousand miles long, with many pumping stations and delivery terminals. All it would take is one of the SCADA systems at one of those locations to suddenly open a valve and dump petroleum out into the environment to cause a disaster.

Or worse - rapidly open & close valves in rhythm, and the water hammer effect (the inertia of the petroleum in the pipeline) would cause the pipeline to destroy itself. The repair costs would be astronomical - you'd naturally have to repair the damaged sections, but then also re-test all the welds to see if any had been weakened by the pressure pulses.


It was not intended to be air-gapped. These systems generally communicate to business layers through firewalls.

Onion-layer security rather than air gaps. Communication through the firewall isn't supposed to allow control over the valves, but it does communicate both ways (TCP/IP). This is the general practice in petrochemicals, at any rate.


In airplanes, this is dealt with by having an independent system monitoring things.

Think what would happen if the autopilot suddenly went berserk and did a hardover.


It can be already hacked but while power to the valves and pumps are removed then the SCADA system hacks can't cause physical damage.

I haven't seen any evidence that the "OT" side of their network was compromised in a way that would cause physical damage, a la Stuxnet.


And to add it’s perfectly possible that the pipeline networks were air gapped (Ed: which don’t believe them) but you still need to shut down.

I could imagine a situation where information another network (e.g. orders or incoming flows from another customer or user) is necessary to run the pipeline but unavailable to use to operate the pipeline control system.


I saw Robert Lee of Dragos giving an opinion on that here https://www.reuters.com/business/energy/knowns-unknowns-abou... but did they confirm that officially?

>Colonial has not given any public indication as to the reach of the ransomware outbreak, but Robert M. Lee, chief executive of cybersecurity firm Dragos, said he believed Colonial's operations network was shut down proactively "to make sure that nothing spread into those systems."


We detached this subthread from https://news.ycombinator.com/item?id=27101293, which was a generic subthread, because the discussion turned more relevant at this point.

(To a first approximation, generic == less interesting and specific == more interesting on HN: https://hn.algolia.com/?dateRange=all&page=0&prefix=true&sor...)


Any source for that?


Why is the network constructed in such a way that it allows things to spread?


Super common. A lot of companies have this hard on the outside gooey on the inside model (aka flat network structure).


Most petrochemical companies have an onion structure. There are lots of layers of firewalls with what are supposed to be limited communication paths for specific applications.

We need to move to using physical layers where data can only be transmitted in one direction (and then use something like UDP)


it's always means it is (or it was); it's never possessive.


That gang may have bitten off more than they can chew. They've now gotten the US government involved officially, which means that beyond the sheer mass of resources that will go into tracking this gang, the government also has something to prove now.

Being at the center of an international incident is probably not good for business.


When you said “the gang”, I had an image of the gang from “It’s Always Sunny” writing their first virus and this being the result. I’d watch that episode.


When the Feds catch up to them, Dennis and Mac are loading frozen beef in to the back of his car and are legitimately confused by what the cops are saying. They moved past the virus several weeks ago and have had literally dozens of plans since then.


And then Charlie walks out and goes "Ooooh, uh oh, uh yeah, guys you know what... I think I know what they mean. Last week when everyone was talking about the virus, I had just watch this really cool cyber hacking movie on TV last night, so I kinda zoned out and didn't know what our next scheme was, so when I went home I paid someone on the darkweb for a virus just like in that movie-"

Dennis: "How the hell do you have money to pay people on the darkweb Charlie?"

Charlie: "KittenCoin"

Dennis: "Oh god dammit, KittenCoin? You did that huh? Alright, checks out. Anyways, so then what happened?"

Charlie: "Well then I didn't really know what we were doing still, so I just emailed the file the russian kid sent me to your email, but I totally messed up the address cause my fingers were all sticky with peanut butter at this point and-"

Dennis: "WHY WERE YOUR- You know what, not only do I not wanna know, but I'm also gonna take a stab at how this story ends. Charlie, are you telling me you made a scam cryptocurrency and then used the profits to pay some sketchy russian hacker for a ransomware virus which you then emailed to a random address with a subject line something along the lines of "FOR FRIEND, IMPORTANT FILE, FOR PLAN, GIVES MONEY", which obviously enticed the random receiver to open said email promptly starting a massive email worm that managed to spread its way into the government's oil pipelines?"

Charlie: "That's... Uh, yeah, yup, yup, that's pretty much spot on dude, I'm pretty sure."


The Gang "Solves" the Gas Crisis (2021)


I think it would have to be "Still Solving the Gas Crisis".


Lol this was my first reaction as well, they now have a nation-state on their ass. But that being said its not impossible that this was just a cover for a Russian state-sponsored attempt on US infra


If I were running the Russian hacking center in charge of pwning US infrastructure, I'd be pissed as hell. This is like getting vaccinated -- all of a sudden we're going to take this seriously and patch a bunch of exploits that they've had ready to go.


Maybe this gang doesn't need to worry about the US going after it, it needs to worry about the FSB going after it for screwing up its game plan...


"nation-state" is not just a fancy infosec word for country, and there's some debate as to whether the USA constitutes an actual nation state, rather than a state.


We regret to inform you that language is mutable.


Now introducing, TypeLang! A strictly typed spoken language with core emotional concepts built into the standard library and immutablity as default. Easily transpiled into dozens of different languages, such as English, Japanese, JavaScript, and Smooth Jazz.


see https://en.wikipedia.org/wiki/Esperanto not exactly what you are looking for, but :)

Also French has an official body that authorizes words.


We really need SI units for emotions. Something that can be based on reproducible observations.


A megasophia of wisdom.


nation-state" is not just a fancy infosec word for country,

This is pedantic and adds no value. In what sense could the precise definition of "nation state" matter? in this context everyone understands the phrase in exactly the way it's meant -- a resourceful national government.


:thums-up:

Some people can’t stop fighting “blasphemy,” even if they aren’t in a classic religion.


The USA is absolutely a nation state. Cocal-cola, mcdonalds, Christmas, enlgish, etc. are well dispersed throughout the entire population. We have a uniform culture, although not as uniform as much smaller countries, but uniform nonetheless.


> Cocal-cola, mcdonalds, Christmas, english

These are well dispersed throughout the world...


Cultural dominance isn’t an argument against national cohesion.


Arguably the "nation" of the USA extends into England, Australia, Israel and a few other places which have taken a lot of the culture.


> A nation state is a state in which a great majority shares the same culture and is conscious of it. It has been described as a political unit where the state and nation are congruent. It is a more precise concept than "country", since a country does not need to have a predominant ethnic group. [1]

Interesting.

[1] https://en.wikipedia.org/wiki/Nation_state


Yes, because the Russian state has nothing better to do then inconvenience the operation of a foreign fuel pipeline for a few days.


Believe it or not, massive governments that employ hundreds of thousands of people are capable of doing multiple things simultaneously.

I don't think there's any evidence this was state-sponsored, or even state-approved, but "oh there's better things to do" is not a good argument in the least.


I'll keep it in mind the next time a horse bolts from a barn in some foreign country - 'Clearly, this was the CIA's doing. There's no evidence for it, but they have the capability, and their motives are sufficiently sinister and shadowy, and while there's no reason for them to be engaging in medium-scale hooliganism on the other side of the world, they could be the ones responsible!'


The Russian Government had huge motive for this attack, they were not at all happy about the United States' retaliation for SolarWinds/Election interference. Shutting down a major oil pipeline in the United States is not "medium-scale hooliganism."

Also shouting 'No Evidence' is a typical tactic the propagandists use to cast doubt and muddy the waters; surely the attackers would love to see what evidence is available, so they can adapt - that's why evidence is largely kept private.


Why do you assume that propagandists only work for them?

What makes you think propagandists on our side would never use lack of evidence to make whatever they want up, and cite your exact reason as justification?

This is medium-scale hooliganism in the sense that the end result isn't going to accomplish more than a dedicated idiot with a toolbox, and a grudge against gas pipelines couldn't achieve. IT will clean things up, operations will resume, life will go on.

Not to mention that this gives the industry another, rather low-stakes kick in the ass to take IT security seriously.


Russia and China have been suspected of doing things like this for years. And who says it's just to inconvenience them? There will other things happening because of this and this could impact other nations in a postive manner.


> Russia and China have been suspected of doing things like this for years.

By who? People who never provide evidence for their claims?

> There will other things happening because of this and this could impact other nations in a postive manner.

While it's certainly possible that the FSB is playing 59-dimensional chess, here, hoping for a true butterfly-effect sequence of causality, I think the onus is on you to demonstrate that.


> By who? People who never provide evidence for their claims?

By lots of countreies. The US charged 4 chinese military officers for hacking Equifax.

> While it's certainly possible that the FSB is playing 59-dimensional chess, here, hoping for a true butterfly-effect sequence of causality, I think the onus is on you to demonstrate that.

You seem to think that it would require multiple things to fall into place to benefit a foreign country. Say you want to manipulate the price of the fuel. Increasing the costs of transport would do that.


Hacking Equifax[1] makes sense, because it directly useful for intelligence work. Find people of interest who have credit problems, and lean on them. [2]

This isn't even a blip on the radar of global fuel prices. It is completely lost in the noise. [3]

[1] Or the OPM, since it was kind enough to have lists of 'all spies operating abroad' on its intranet. Whoops.

[2] I mean, you could also just pose as a landlord or employer, and ask for credit checks on them, it costs ~$30 per query, but it is what it is.

[3] If the FSB really wants to increase demand for fuel, they should try stalling a junker or two on an interstate bridge... Imagine the fuel wasted from all the cars idling, or taking detours!


I'm just pointing out countries have been hacking each other for ages and specifically infrastructure. Which was originally stated as absurd because there is no benefit to them, which considering you don't know all the basic effects this attack is having. And who said they wanted to raise global fuel prices?

End of the story is intelligence agencies around the world have been bulking up for cyber warfare for at least a decade. Russia and China have been been fingered repeatedly for cyber attacks. It is not completely outlandish that one of them is behind it for whatever reason. I'm pretty sure the entire point of these agencies is that we don't know what do or why they do them.


I'm not super-knowledgable about cybersecurity, but shouldn't simply using TOR make it nearly impossible for the US government to track them down?

If they want to go overkill, they can additionally use a public VPN account purchased using walmart giftcards bought on ebay using a stolen identity and then mailed overseas.

They can also perform the hack using a brand new computer that they never use again afterward.

It just seems to me like the attacker has most of the advantage here if they know what they're doing.


That would work against network tracking of the actual connection, but that is not the main means of attribution and tracking culprits.

One way is to look at any tools and artifacts used/deployed - it's not common that only "off-shelf" tools are used, and as soon as there's anything custom, most likely it's not a one-off thing that never ever appears anywhere else; if you got it from someone, that's a potential lead; if you wrote it yourself, you're likely to use it (or a modified version) elsewhere, so if you make a mistake in one "gig" then it can relate to all your other activities as well.

Another is people - those things are often not done alone, and people talk, especially if they get detained for something else. And last but not least, the money trail sometimes leads to results as well.

But the key thing is that even if you do everything securely enough, it can work once or a couple times if you're careful enough, but nobody is careful enough to sustain proper opsec all the time, everyone makes mistakes every now and then. These things often take years to resolve, but the legal system has sufficient patience to link something done five years ago to a mistake you'll make next year.

There's sort of an asymmetry for an attack - that if the defender closes 99 vulnerabilities but leaves one, that one is enough for an attacker to get in; but there's a similar asymmetry for detection; if the attacker hides their trail in 99 ways but leaves one, that one is enough to find them afterwards.


> I'm not super-knowledgable about cybersecurity, but shouldn't simply using TOR make it nearly impossible for the US government to track them down?

PSA: There are known traffic correlation attacks against Tor. It's not magic security dust you can sprinkle on a system. If you're doing thoughtcrimes, assume any G10 intelligence service can track you down. (If you're into extortion, human trafficking/exploiting children, or financing/advocating violence against civilians, then Tor is totally magic and is 100% guaranteed to make you invincible. Tor is all you need a-hole.)

Tor intentionally makes latency-privacy tradeoffs to make web browsing usable. I'm not familiar enough with Tor internals, but I believe applications have no control over these tradeoffs.

Anyone know if I2P allows applications to adjust latency/privacy tradeoffs? (Conceptually, you want your store-and-forward mixnet to use a priority queue for each hop, setting a deadline when each message arrives, and filling the pipe with expired messages first, and then non-expired messages in uniform random order. Applications more tolerant of latency get their traffic spread over a longer window. Per-hop latency targets should allow applications to avoid hop-to-hop correlations in latency targets.)


I don't know much about TOR but recall reading speculation that the NSA operates a majority of the exit nodes.


Yes, you can pick tunnel length in I2P.


But, can you allow some nodes to queue messages for a longer period of time?


No, it is designed for low latency communication.


Getting operational security right is surprisingly hard.

The really hard part is that you need to have gotten it right some years ago already.

I remember that I read that other day that a bitcoin tumbler operator was charged for money laundering. The way they got to him was tracking initial funds that started the tumbler, which was purchased from an exchanged and not obfuscated.

There are all kinds of things you can get wrong: your build tools could accidentally store compromising meta data in your malware; payments from previous campaigns could be tracked, a single non-TOR access to the command&control infrastructure could get you busted, as could a single login to an email provider you used to communicate with somebody related to the ransomware operation.

All in all, if you have a larger team, the chances of at least one person messing up aren't too small, and then it's a matter of the investigators pouring enough money and attention into the case to find it.


As a rule, there is no off-the-shelf software solution that you can simply use to avoid being detected by the NSA or other powerful nation intelligence services. Even if there were, they are not limited to tracking you through technological means - they very much know how to find people the old-fashioned way as well.

That's not to say that it is impossible to hide from them, but it's never simple, when they're actively looking for you.


No - Running enough TOR entry and exit nodes allows one to unmask initial connections[1].

One can suspect a healthy percentage of Tor nodes are operated by Governments as TOR was developed and released by the US Navy[2].

[1] https://www.theregister.com/2015/05/30/researchers_claim_tra...

[2] https://www.torproject.org/about/history/


Tor isn't perfect. Government agencies like to create TOR endpoints/nodes that allows collection of bulk traffic data. They can't see exactlt who sent specific packets or their exact contents by looking at them individually, but they can see which mode it just came from and where it's going next. By watching traffic to entry and exit points they can create probablist models based on traffic volume that can allow them to identify where large volumes of packets most likely came from when they're already watching the destination. This is how they tend to catch drug dealers and similar illegal transactions using TOR and a similar setup that monitors crypto currency transactions that simply monitors either known bad agents (criminals, dark web sites selling illegal goods, suspects, etc) or suspected targets. By combining the two data sets they've even identified who certain crypto currency wallets belong to. The main thing to be aware of is that it's extremely difficult for them to identify anyone with low traffic levels, or that do not interact with actively monitored actors/targets.


> shouldn't simply using TOR make it nearly impossible for the US government to track them down?

Not even close. Tor kinda secures one aspect of very many, but kinda doesn't.

It attracts attention: Governments actively try to defeat Tor. And if they are looking for a criminal, they might look first at Tor users. In fact, they collect data on Tor use before a crime is committed.


Doesn't every cyberattack get attention from the U.S. government? After all, carrying out a cyberattack is a federal crime.


Not this kind of attention. Oil pipelines are considered critical energy infrastructure. This will likely be viewed as a national security threat.

The US government will have to respond to deter others. They have "poked the bear".


Yes, in the sense that it gets reported to law enforcement and investigative agencies. Without being specific, I was a victim of identity theft and cybercrime. My incident was “reported to the FBI” but I’ve literally never heard anything back from them.

In practical terms there needs to be something special about the cyberattack for the government to devote any resources towards it.


How could it? There are thousands of cyberattacks against US companies and infrastructure every day.

There are cyberattacks and then there's going after the most important domestic energy line of a superpower.

This is quite different from your run of the mill cyberattack, they're not all created equal.


This is exactly right.

It all depends on the attention these attacks get. Now that they've had a tangible effect on the news cycle, creating concern about the safety of US energy infrastructure, there will be more incentives for the Government to hunt them down and get credit for doing so.

I think I read somewhere that China based attackers have already penetrated networks of major US infrastructure systems but didn't do anything because whats the point of wrecking havoc now? Better wait for more opportune times.

Which also seems to indicate that this may not be a Nation State... they would be after a bigger prize than some bitcoins.


I think it's 50/50 some real gang vs a branch of the NSA who sees how pwned the US infrastructure is and wants to make a (fairly harmless) splash so we take it more seriously and patch our shit.


Wouldn't the NSA branch be "disciplined" if they were found out? Seems risky.


The difference between "the FBI will look into it if they find some spare time" and "you've made the top 10 target list of the NSA".


I'm going to link this here: https://attack.mitre.org/ Those are only the reported attacks. You could check groups as well, and their TTPs.


> That gang ...

Maybe it's another government, trying to sow chaos, disrupt markets, test US response capabilities, etc.


Could be, but ransomware gangs are a dime a dozen, and many are simply financialy motivated.

It's just a very profitable business model.


This was a very stupid thing to do, if it was a ransomware gang.


maybe it's the CIA, trying to increase hostilities between the united states and some other country.


Third administration in a row to do nothing. Read sandworm. The wolf is in the hen house now and nothing will still be done.


That almost sounded like a hollywood like prologue. Nothing interesting, nothing the average joe doesn't know, just your fantasies.

Good


The US Govt is fit for nothing beyond setting up social media offices these days.


So, a very limited state of emergency which allows fuel that is ordinarily piped to be transported by truck.

Ancillarily, It's not evident this cyberattack actually compromised the industrial controls, but rather trashed the administrative system controlling the controls.


> It means drivers in 18 states can work extra or more flexible hours when transporting gasoline, diesel, jet fuel and other refined petroleum products.

This means truck drivers hauling 45,500+ lbs of an extremely flammable liquid aren't required to sleep.

I worked in the supply chain industry for a few years, dropping these restrictions is unheard of. My instinct tells me this issue is a lot worse than it seems now.


Armchair take: The pipelines handle a lot of fuel, and the US needs / uses a lot of fuel; to move the same amount, you need a lot of trucks. And if that need is not met, the economy etc will be disrupted heavily, price of fuel will go up, and the price of fuel going up has caused massive issues in the past.


Last time I checked the amount of sleep I need doesn't go down when an oil pipeline stops flowing.

It's offloading the risk to drivers to benefit these companies first and foremost, which is ridiculous. The cherry on top is the article pointing out even with the extra hours they won't be anywhere near meeting demand...


No, that part of the regulations (the 10 hour break requirement) specifically does not get suspended in an emergency, if I recall correctly, but federal qualifications for new drivers do, so maybe someone otherwise hauling oranges from Florida might drive a tanker while the normal driver has a day off. Plus, this is only federal law; state laws still apply, and it is state troopers who pull you over, not feds.


And I thought we were already facing a nationwide shortage of qualified tanker truck drivers.

On the bright side, these guys will be making mega-bucks on overtime, provided they can stay awake. coffee and no-doz will only take you so far.


Could be that, or the heightened sensitivity to all issues cyber we’re experiencing right now


Will there be enough extra tanker-hours and tired tanker-hours to see a statistically significant upturn in accidents and deaths?


It's definitely a good natural experiment on the efficacy of these types of laws.


I don't think so. These drivers need more specialized training, and the type of equipment they haul is different. Plus I'd imagine your mindset is different when you have a swimming pool's amount of oil a few feet behind you compared to a bunch of toilet paper or whatever.


Don't trucks transport fuel like this all the time? Or maybe it's the quantity.


They do, but to me GP's issue is with relaxing the requirements for rest.

IE, the issue isn't that drivers transport fuel, but that possibly tired drivers do so.


Everyone here is failing to read between the lines.

Nobody in trucking gripes about limited working hours. The current hours per week available for work are more than enough to work at an unsustainable rate of sleep. What everyone bitches about is the electronic logging requirements that prevent them from cooking the books in order to account for delays that happen over the normal course of business. Because people can no longer cook the books they do other things that increase risk.

For political and optical reasons the DOT can't exempt them from e-logs to make their lives easier. So they just exempt them from all of it. They're basically saying "if you're gonna push yourselves we'd rather you cut the smart corner and work a 12hr day than drive around like maniacs trying to fit X hours of driving in a Y hour window."


Absolutely they do, but with the pipeline down its a volume and distance issue.

Normally the pipeline would pump huge amounts of fuel around to various distribution centers where trucks and tankers would then haul it the last leg to e.g. gas stations and other end users. Now there will be far fewer distribution centers to pick up the load from, and much longer distances to drive to deliver the product.

Naturally a pipeline has much greater capacity than a string of trucks, not to mention the impacts on traffic and safety concerns that go with pushing the truck drivers that far. The limited number of distribution points with the pipeline offline will probably have a logistical impact as well since there will be an imbalance re: how many trucks are arriving to get filled up.


It's interesting to consider the human link between the admin systems and industrial control systems here. If we assume the controls are on an airgapped network, the attackers, in some sense, jumped the airgap and shutdown the pipeline.

Obviously not as bad as an actual compromise of the control systems though, which presumably could cause leaks, explosions, etc.


Generally the controls are firewalled from the administrative/business systems, not air-gapped.

Production data (like gallons per minute of flow through the pipeline) must be sent from the controls to the business analytics software. That's generally done through a firewall over TCP/IP.


I've seen systems where data is sent via UDP and the physical connection was transmit-only (for example, only the transmit fiber plugged in to the port) to avoid potential firewall exploitation.


Often that kind of reporting data is delivered back via a “data diode” unidirectional network. That said, there is usually just a dmz between biz and prod to enable remote support of the controls system (ala the Purdue model), and not any real air gap.


…and the controls still have internet access, but it is NAT’ed, and it still has a fresh copy of Internet Explorer 9.

I have only witnessed this once, at a wastewater treatment plant, so very anecdotal.


I've worked on these systems, they are separate.

They likely could have kept running the pipeline without incident.

I imagine when the government stepped in they decided to dial their procedures up to 10 and they plan on making an example out of this incident and the perpetrators.


> James Chappell, co-founder and chief innovation officer at Digital Shadows, believes DarkSide bought account login details relating to remote desktop software like TeamViewer and Microsoft Remote Desktop.

Once they get in to the internal network, they could possibly have access to anything. Most organizations don't follow good practices for internal services and there's all kinds of unauthenticated crap that's accessible to anyone who knows where to look.

If its really a ransomware attack, they could have taken over some internal system, or maybe just locked out remote access. We will need to know more, but at first glance it doesn't look very good.


Previous related thread:

U.S.'s Biggest Gasoline Pipeline Halted After Cyberattack - https://news.ycombinator.com/item?id=27086403 - May 2021 (190 comments)


"Multiple sources have confirmed that the ransomware attack was caused by a cyber-criminal gang called DarkSide, who infiltrated Colonial's network on Thursday and took almost 100GB of data hostage."

re: "infiltrated Colonial's network"

I have been reading some of the other reports of this incident from different publications.

Many of the stories include a line about attackers downloading "100 GB in only 2 hours" as if that was being downloaded from the company's on premises servers.

Eventually I found a story that disclosed the data was actually downloaded from a cloud provider.


It's a lot easier to pull the plug on on-premise systems.


It’s really not. SME branch office is dead easy. Multinational corporations virtually impossible.

In the cloud you can stop your whole VM estate, nuke roles and access and pull an audit trail and access logs for everything in a few minutes. Without even getting off your butt. Or having to negotiate with a branch office IT team who disagree with you.

In the 20 or so years I’ve been running ops for corporates, the cloud is the nearest we’ve come to half decent DR and emergency response capability. It has got to the point now where compliance and audit is built in and I can actually write some code here and there rather than arguing about trivial stuff like “what happens if X happens” with people who are only in it for the pension.


Is it though? We have plenty of cases of on-prem and in-cloud going down. And we have also plenty of evidence that some companies do actually manage to do disaster recovery pretty well. Not all, of course, usually those that experience frequent disasters.


My environment is mostly on-prem, and it's nearly always the cloud services that drop out and leave us high and dry. In fact, not long ago, a cloud service we don't use went down, and it took one of our vendors down, and their cloud service went down, because of an outage with a completely unrelated service we don't use! The cloud is a house of cards that is run by companies that should have disaster recovery down, and really don't even come close.

Meanwhile, I can unplug one cable to isolate our site, and everything that isn't a cloud service is pulled offline. (And delightfully, almost all of it would still be independently operational until I plugged it back in, too.)


>The gang even has a website on the dark web where it brags about its work in detail, listing all the companies it has hacked and what was stolen, and an "ethics" page where it says which organisations it will not attack.

And yet they don't give the URL.

I wanna see this page. Does anyone have it?


I don't have it, but I would go to dark.fail's onion address and browse there (http://darkfailllnkf4vf.onion/ verify this and get in the habit of doing so! dark fail's clearnet website just got hacked while their onion site was unaffected), and then I would go to Dread forum (onion reddit clone) and ask there.

A little tedious but there is lots of commerce on onion sites, and a lot of valuable information in general that I've never seen anywhere else, so it can be worth it.


Most people will probably be hesitant to post it for obvious reasons here. But it was helpful to me, to find a ransomware url, during the college leak a few weeks ago (https://dorper.me/articles/unileak.aspx) to find out which colleges were impacted because tons of people I know were in it. There are plenty of good reasons to want to have it. But I understand why BBC wouldn't post it...


People that read Hacker News on their work machine: note that if you're on the org VPN (and even if you're not, if your org installs IDS tools or other spyware) many of those tools may flag your visit of such site as "malicious".

Best to use a personal device.


Here's a list of the common malware URLs. BE VERY CAUTIOUS. Also note that DarkSide's onionsite is down and has been for a while.

Babuk: http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtf...

Dopple: http://hpoo4dosa3x4ognfxpqcrjwnsigvslm7kv6hvmhh2yqczaxy3j6qn...

Maze: mazenews.top

AKO: http://37rckgo66iydpvgpwve7b2el5q2zhjw4tv4lmyewufnpx4lhkekxk...

Nefilim: http://hxt254aygrsziejn.onion/

Ragnar: http://p6o7m73ujalhgkiv.onion/

Clop: http://ekbgzchl6x2ias37.onion/

Netwalker: http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdr...

REvil: http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46...

Sekhmet: http://sekhmetleaks.top/

Pysa: http://wqmfzni2nvbbpk25.onion/partners.html

Conti: conti.news & htcltkjqoitnez5slo7fvhiou5lbno5bwczu7il2hmfpkowwdpj3q2yd.onion

Suncrypt: http://nbzzb6sa6xuura2z.onion/

DarkSide: darksidedxcftmqa.onion


It might help if you format these as "domain[dot]com" to avoid misclicks.


Too late.


You can edit your comments here.


Well the reason for that is that the website has dumps that you can easily download.

Here is a text dump of their press page https://pastebin.com/fxJCaUDq


I like how they are charging 10% more if you pay with Bitcoin than with Monero.

I think commerce would greatly improve if other networks had Tor clients, especially because of the stablecoin and private stablecoin availability as of this year. All EVMs as well as Tendermint networks have no out of the box solutions for Tor nodes and connectivity. But they both have ways for ERC20 tokens to have a great degree of privacy. One Tendermint network called Secret Network has private smart contract execution, and a variety of bridges. So as all tokens are smart contracts the metadata and variables would not be visible onchain.

sDAI would be more useful for commerce if the nodes and wallets could easily resolve over Tor.

Is anybody working on that?


> I like how they are charging 10% more if you pay with Bitcoin than with Monero.

I smell a business opportunity... Kick off a ransomware attack and accept Bitcoin or a Shitcoin at a 30% discount.

Some shitcoins have such little liquidity... a 50k buy would push their price off by hundreds of percentage points. You can even refund their money back after they pay... a modern day pump/dump.

The thing about being an ethical player in unethical markets is coming up with ideas that could make you richer but not wanting break laws / be a terrible person.


Illiquid asset pumping is the best way to launder the money in the crypto space.

AccountA has bought or owns the illiquid asset using clean money, in advance. AccountB has the ransom proceeds in the more liquid digital asset. AccountB eventually buys the illiquid asset and pumps it. All the blockchain detectives are still following AccountB across many more addresses and blockchains, hoping and praying and imagining that one of the touched accounts needs fiat so that a human identity can be assigned to the funds. But that never happens. AccountA has the 8,000% or other arbitrarily high gain and nobody can distinguish them from any other crypto trader, as these kinds of gains are commonplace. All the trading can (and should) occur onchain without any financial intermediary, as there would be no transaction size limits or issue moving the funds, compared to odd activity on a business' centralized custodial exchange.

AccountB connected accounts are saddled with the illiquid asset. Maybe organic growth has occurred from fear of missing out and AccountB can resell, but that is just an embellishment and icing on the cake.

AccountB connected accounts can also create the liquidity pool, or create the yield farming opportunities to incentivize others to join the liquidity pool. And if AccountB really never cares about the funds, they can also burn the bearer liquidity pool share, providing confidence to the market that they can always trade at high volumes onchain.


I don't get how Account B gets to the point of extracting value from the illiquid asset after purchasing?

Seems like they either, 1) sell periodically or as the assets value appreciates, but this is generally unreliable and tough or 2) create a liquidity pool or yield farming opportunities

For 1, this isn't necessarily reliable but it seems like the most plausible popular case. For 2, given the previously mentioned challenge of the illiquid asset, how does it work to provide incentive in liquidity pooling and yield farming?

Note, that I'm less well aware of the mechanics of 2 so perhaps its also a fundamental ignorance issue.


AccountB doesn't have to make more money as it directly or indirectly transferred all the liquid assets to AccountA (and many other people). In a liquidity pool kind of exchange, AccountB would have simply put all its liquid assets into the liquidity pool, in exchange for removing the illiquid asset into AccountB's custody. The liquidity pool maintains prices based on a ratio of two assets in the pool, so the illiquid asset would have quite how price after this activity. AccountA would have just sold its holdings of the illiquid asset back into the liquidity pool at a coincidentally favorable time. AccountA can also have been a liquidity provider, and when they unbundle their liquidity pool share it will have more of the liquid asset and less of the illiquid asset. Many possibilities, permissionless.

If it must be said, AccountA is yours too and is just for reintegrating the illicit proceeds into the economy without trying to do something more convoluted like running a permissionless SaaS business with fake customers spending Monero for domain name lookups.

But, AccountB can attempt to make its assets more liquid again. You just go on Telegram and pump it in speculator groups, buy off some youtubers. How much are you laundering? You can keep a few thousand dollars in liquidity for negotiations. AccountB should also provide liquidity itself. Just launch a yield farm contract, copy and paste, change the input and output token address, redeploy, lock a substantial portion of the illiquid token inside of it (or pay off a more coveted yield farming project like Pancake or Polygon to list a farm and pay farmers in their token). Make the yield high.


> I don't get how Account B gets to the point of extracting value from the illiquid asset after purchasing?

My understanding is, accounts A and B are both controlled by the same person/group. Account A always deals with clean money and pretends to do speculative investing; account B uses dirty money to pump illiquid assets. An example scenario, as a simplified list of transactions:

  | Time | From    | To     | Amount     | Note                                      |
  |------+---------+--------+------------+-------------------------------------------|
  |    0 | Pocket  | A      | 10 $GOOD   | Initial investment.                       |
  |    0 | -       | B      | -          | Created account for criminal activity.    |
  |------+---------+--------+------------+-------------------------------------------|
  |   10 | A       | Market | 10 $GOOD   | Exchanged liquid $GOOD for illiquid       |
  |   10 | Market  | A      | 1000 $BAD  | $BAD at 1:100.                            |
  |------+---------+--------+------------+-------------------------------------------|
  |  100 | Victims | B      | 3000 $GOOD | Crime - e.g. ransomware payments.         |
  |------+---------+--------+------------+-------------------------------------------|
  |  150 | B       | Market | 3000 $GOOD | Buying up $BAD to generate interest and   |
  |  150 | Market  | B      | 1500 $BAD  | pump its value.                           |
  |------+---------+--------+------------+-------------------------------------------|
  |  200 | A       | Market | 1000 $BAD  | Buying back $GOOD for temporarily liquid  |
  |  200 | Market  | A      | 5000 $GOOD | $BAD at 5:1.                              |
  |------+---------+--------+------------+-------------------------------------------|
  |  500 | B       | Market | 1500 $BAD  | If $BAD didn't collapse, recovering some  |
  |  500 | Market  | B      | 100 $GOOD  | of more stable asset at 1:15; can be used |
  |      |         |        |            | to repeat the trick later.                |
In this scenario, criminals turned $3000 of dirty $GOOD in account B into $5000 of clean $GOOD in account A. If they were good with OPSEC, there's no connection between accounts A and B - from outside, it looks like the owner of account A got lucky speculating on crypto, and owner of account B was a dumb criminal that made a bad investment. Hell, if criminals are sure of their OPSEC, they could even go as far as paying taxes for their gains on account A, reinforcing the image that A is owned by some random, legitimate investor (but that could bite them hard if law enforcement realizes there's a connection between accounts B and A). Account B is never cashed out - it's used only for purposes of pumping illiquid cryptocurrencies, and eventually abandoned.


Yeah we would be talking about paying taxes and having a record of the funds for more social benefits in society.

AccountA is just a speculator. Stuff you speculate on right now has other accounts pumping it from funds that just appeared out of Tornado.cash, or were just swapped from Monero. There is no way to distinguish between you controlling those or someone else, and there isn’t probable cause from this behavior to investigate the accounts that appeared with funds from obfuscated sources. Just some OPSEC considerations.


What are EVMs, ERC2, and sDAI? I do not believe your objective is to confuse or obstruct, but additional context would help understand the unique value of your contribution. This is coming from someone with a recent BSc in Computer Engineering yet still completely unaware of these acronyms & references.


Only a few universities are teaching this stuff right now. In any case:

EVM is "Ethereum Virtual Machine", a similar concept to the JVM "Java Virtual Machine". EVMs are one the most common technology for deployment of arbitrary execution within distributed networks. These kinds of functions and applications are colloquially called smart contracts. The biggest distributed network with this technology being simply called "Ethereum" or "Ethereum mainnet". But any code deployed on Ethereum mainnet is deployable on any other EVM environment, such as Polygon, Avalanche, Binance Smart Chain, Tron, Ethereum Classic, Hashgraph, or Quorum which was stewarded by JP Morgan for a few years for internal enterprise use.

With the other common smart contract network being Tendermint also colloquially referred to as Cosmos.

There are a couple of standard classes with a certain protocol of functions on all these networks. One standardized class is called ERC20, which is a fungible token standard. Deploying this kind of class ensures that you have created an asset with a name, ticker symbol, quantity, and a transfer function. Therefore ERC20 just is a quick way to refer to an additional asset. Assets that represent something the market wants or is familiar with or is redeemable for something the market likes therefore have certain monetary values associated with them. Some communities representing other networks have different protocol names for the same concept, for example, the Binance Smart Chain community has a token standard called BEP20 which is mostly contrived marketing but it could also have tweaks to the ERC20 standard, you have to read them. No different than reading the IETF's REST protocol standard for each function, and then seeing how it is implemented slightly differently across different browsers, devices and frameworks.

DAI is an ERC20 asset that maintains convertibility with $1 US Dollar. It is collateralized by a basket of assets, some completely digital assets and some that are backed by real world assets from centralized issuers.

When it comes to ERC20 naming styles, the market has resorted to prefixes for now.

So on the Secret Network (which uses Tendermint/Cosmos technology instead of EVM), assets that enter it from bridges are called sAssets. So DAI that enters the Secret Network would be sDAI. Where it will inherit the private nature of the network. Specifically the current state of the functions such as quantity, transfer(to, from) would all be unknown from looking at the blockchain.


Thank you for the elaboration. Your humble willingness to do so is much appreciated.


You're welcome!

One of the highest growth areas and highly demanded is in building bridges for assets to move between blockchains. Particularly Liquidity Pool shares and other asset backed derivatives. If you would like to apply yourself here. The market-based rewards are direct, swift, and very high.

More than what FAANG pays their E5's and L5's.


I was reading about DOT and decided to start learning rust. I've used python in a couple automation tasks before, but besides that have very little programming ability. Rust has been hard so far but very rewarding. What technologies would you suggest learning if i wanted to get into blockchain programming?


Solidity or the Javascript frameworks that compile down to solidity. EVMs are heavy in this.

Rust is good too. I'm not too familiar with the Polkadot ecosystem, but the main thing you need to know is that every financial app that has been popular on EVMs needs to be rebuilt on those other ecosystems. There can be multiple of the same things too, no different than multiple grocery stores in a town, or multiple actual bridges. Nothing unique needs to occur, just more. Its literally a global boom town you don't need to go anywhere for and your competition would rather argue about how a MySQL database is better for yield farming than a blockchain.


That seems interesting, and rewarding. Any pointers on how one can get into this area. Thanks


Where can someone learn more about this? Any resources?


I recently learned of zkDai[1]. Do you have any thoughts on this or the Aztec protocol?

[1] https://medium.com/aztec-protocol/introducing-zkdai-into-the...


It is just too expensive for the Ethereum network and not a large enough mixing set (haven't looked recently though) and nobody accepts it therefore requiring you to exit it if you want anything, but exiting will reveal who you are because there is nobody else it could be.

Privacy on the Ethereum network remains just Ether in Tornado Cash.

edit: oh cool Aztec actually transitioned to the Optimistic Rollup. That is different than their prior smart contract and requires new analysis. I recall their article last year or before about doing a "zk zk rollup" and I didn't keep following.


Is it illegal to pay the ransom?


At least for public services in Canada, it is. Which serves as as a deterrent since attackers are guaranteed to _not_ get money. Also whips management into more than CYA-and-wait IT security.


There is an argument for that. Haven't heard of prosecutions for doing so.


Bitcoin full node– which processes and verifies all transactions– uses only 7GB disk space. It doubles as a wallet, and it has native bidirectional Tor support.


> I like how they are charging 10% more if you pay with Bitcoin than with Monero.

Source? How much are they asking for?


There is a screenshot in the article in the Ransomware as a Service (Raas) section.


probably because btc is epxpensive and hard to launder


Yes, it is nice to see the market adjusting.

There are only a few cryptocurrency networks with robust Tor infrastructure for now. There should be more but the stewards haven't prioritized it, for the most part many nodes and wallets for other networks are UDP, which is a major hurdle as Tor requires TCP exclusively. Bitcoin and Monero do not have this limitation, but Monero is the only private by default one and has a large mixture set to stay easily obfuscated.


The reason that cyberattacks are proliferating is because it has only recently become easy for the threat actors to receive massive payments quickly and anonymously. Remove that ability and the entire cyberattack ecosystem shuts down instantly. It is only a matter of time before this happens.


The reason cyberattacks are proliferating is because many enterprises refuse to learn from the mistakes of others. They continue to connect ancient, unpatched Windows and Exchange servers to the public internet, they don't segment their networks, they don't secure TeamViewer and RDP, they don't use FIDO U2F, they don't have an IDS, they don't monitor logs, they don't execute email links and attachments in a sandbox, etc., etc., etc.


Yes, but this is not new. Cryptocurrency is.

Also blaming the victim can only go so far


If you write the combination for your safe on a post-it note and stick it to the door of the safe, and a thief opens the safe and steals everything in it, it's still the thief's fault.

But it's not victim-blaming to observe that you shouldn't have made it so easy for the thief.

If it's just your valuables that get stolen, then that's unfortunate for you, but at least it doesn't hurt anyone else.

But when other people trust you to keep the safe secure, and are hurt because of your negligence, then it's also not victim-blaming to observe that your negligence caused harm to other people.


My guess is that there are many factors.

- More infrastructure than ever has some exposure to the internet - Outsourcing at massive scale (probably) makes consistent security screening harder - There are more programmers in the world than ever and so (probably) there are more black hats, malicious hackers, etc - As time goes on, there are more and more aging computer systems, thus (probably) there are more and more vulnerabilities in the wild - As time goes on, systems accrete complexity, thus (probably) there are more and more vulnerabilities in the wild

But yes, I do think cryptocurrency is an important change. Cash is still king when it comes to crime, but crypto does make crossing borders much easier.


The whole thing is very asymmetric:

Your own jurisdiction and law enforcement have no power on foreign territory; but foreign organizations (state sponsored or not) located there have freedom to penetrate your society and economy. Moreover, foreign governments may deliberately ignore your requests to investigate.

Thanks to technologies and to chaotic reactions to modern day problems (including covid-19 pandemic) it looks like modern forms of independent sovereign states are very archaic.


Meanwhile Microsoft and "app" developers are training normal users to avoid updates by continuing to push anti-user updates...


BTC will increasingly become viewed as playing a significant role in these incidents. Legislation antithetical to crypto currencies should be expected with bi-partisan support. I would imagine fairly soon.


This is why “it’s just like cash but better, and humanity has been using cash for centuries” is not a valid argument for adoption of cryptocurrencies. Cash has fundamental scale-limiting properties; cash without those properties is a qualitatively different beast for which there’s no precedent in humanity’s history. The above argument actively conceals the sheer scope of unknown unknowns.


Cat is out of the bag I think.

Even if you shut down the cashing out infrastructure (exchanges) in the affected countries, it will quickly spring up again in countries belligerent to them. The FATF is the main global body trying to curb this, but my hunch is they will lose this battle long-term.

Imagine if you are on the FATF red list [1] and you announce a free-for all domestic exchange for local spending. It's free FDI.

[1] http://www.fatf-gafi.org/countries/#high-risk


This would be terrible in the long term because without ransomware companies regularly carrying out such attacks, vulnerabilities would remain unaddressed until a rival nation decides to use them. Much better to have one pipedown temporarily shut down now than for China or Russia to shut them all down at once sometime in future.


I assume you're thinking of blockchain tech? How do you think the genie will be put back in the bottle?


BTC has value because people exchange it for "real" money. If BTC is heavily regulated or outlawed, a whole lot of folks are going to duck out. It's one thing to try and get in on the ground floor of the latest meme stock, it's another thing to buy into a currency/practice that's illegal in your country.

Add onto that making it illegal to pay ransoms in BTC, then there's really no value in using it as a ransomeware currency. No one is buying it so all you are getting are some random digits on a piece of paper.


The US and other government wills outlaw all cryptocurrencies but the ones that they control (“Govcoin,” as The Economist refers to them). Game over.


You're assuming the US and other government are not using cryptocurrencies for their own covert transactions.


So what? Many governments have nuclear weapons arsenals but they don't make it legal for everyone to buy or manufacture atomic bombs.


I would expect that the drug production and export business is a more apt analogy.


>The US and other government wills outlaw all cryptocurrencies but the ones that they control (“Govcoin,” as The Economist refers to them). Game over.

Just like how outlawing drugs ended the drug trade.


Outlawing a thing except for when the govt controls it is just another way of saying governement regulation. Which is both common and successful.

When was the last time you drank bootleg liquor? Answer: I don't know of course, but for most people in rich western countries I would think the answer is never.


It's a good point but that's a particularly bad analogy. Brewing and distilling are strongly culturally ingrained, at least in the west. I live in a state where (last I checked) no legal method exists to distill ethanol for personal use. Nonetheless, a surprising number of acquaintances over the years have had stills and offered me samples.


Do you think your local circumstances are broadly generalisable? I would be surprised.


In the US, honestly, yes. I've had the same experience in two different states at this point and friends who relocated from other places have reported similar. I mean, you can literally order a small still that you use on your stove top from Amazon!

I think it just depends on the sort of people you choose to spend time with.


Well mark me down as dubious but not invested enough to research it. However, I do wonder if you/they test or filter for poisonous impurities like methanol? Seems like a bit of a risk?


Testing and filtering is accomplished by the distillation itself. A very basic understanding of what comes out when is more than enough for a simple pot still and only one or two passes. Humans have been doing that since long before the concept of a molecule even existed.

If you decide to mess around with a large fractionating column though, do read up and make sure you have a full conceptual understanding of how the chemistry works. Even seemingly benign chemicals can be extremely dangerous to ingest or handle once concentrated. (For example, vinegar. Dilute acetic acid makes for a good salad dressing. Above 90%, contact will leave you with severe burns and scarring.)


How so? The US has banned heroin, cocaine etc but it never provided a state-sanctioned alternative.


Blockchain has many uses, including as a record of transaction. Crypto currencies are merely a subset of what might be available using blockchain. Legislation can certainly target that subset.


I looked at their available posted jobs on Friday as news broke about the attack. Colonial has had a position for Cybersecurity Manager open for over 30+ days. I wonder what happened to the old manager....


…first to be questioned by the Feds no matter what terms they left under. Too important an attack for that institutional knowledge to stay out of the fray.


Seems like this company has more than just IT problems https://newrepublic.com/article/161498/huntersville-north-ca...


Incredible. This company must be penalized, but I don't have any faith they're gonna change.


Amazing. I live in the Carolinas and hadn't heard of this. Sounds like maybe we should be thanking the hackers for shutting this thing down.


Ransom ware seems like a potential antidote to vulnerable US digital infrastructure. It provides a persistent, material bug bounty which incentivises the C-suite to fix them.


Yes! The ultimate bug bounty program! Instead of ranking on some hackerone or bugcrowd leader board you rank on the FBIs most wanted list!


> which incentivises the C-suite to fix them.

It doesn’t. It provide C-Exec material to increase significantly Cyber Defense budget not overhaul Information System.

For those executives these are two different topics with different budget.

Of course for regular engineers it’s not, legacy infrastructure is probably much simpler to hack than modern one.


A lot of people are talking about the the results of this hack and a little bit about the industrial control systems, but no one is really addressing the hack itself.

>James Chappell, co-founder and chief innovation officer at Digital Shadows, believes DarkSide bought account login details relating to remote desktop software like TeamViewer and Microsoft Remote Desktop.

>He says it is possible for anyone to look up the login portals for computers connected to the internet on search engines like Shodan, and then "have-a-go" hackers just keep trying usernames and passwords until they get some to work.

Nothing sophisticated, nothing difficult, you just need some capital in the bank to buy some leaked credentials someone else worked hard to poke at, that is, some academic security person on a PhD worked hard for months to find some bug in software back in 2014, that turned into code someone else copy and pasted back in 2017, that yielded a dump in 2019 that some other hackers actually probed for some sucker's old login details he probably didn't even realize was in a dump, or might not even use anymore! The only hard work in this story is that academic in 2014 did and he definitely probably no connection to the criminals who basically got the president to issue a national emergency.


> who basically got the president to issue a national emergency.

*got the Department of Transportation to...

Further, aren't such blind credential attempts really noticeable if anyone is checking the access logs?


I seriously don't understand why the pipeline operators don't have some contingency plan or have simulated scenarios like this which enables them to roll-back systems immediately to some usable state.

How the hell is some random ransomware gang able to shut down critical infrastructure at purely a software level


That sort of scenario preparation takes a lot of time for planning and design to support work-arounds. If the business thinks this is low risk, they won't invest, no matter how significant the scenario could be.

Businesses train and prepare for scenarios that make money, not scenarios that may lose money. I used to do a lot of work related to safety across industries and I can assure you, every business I worked with was only interested in the bare minimum of legally required safety. It was rare to see a business interested in investing resources into things like safety or security vs something that might directly increase their revenue streams.


IT/Security/Software is all secondary for a pipeline operator, who's main business is to move liquids from A to B over a set of fixed pipes put in place decades ago.

Without some forcing function to have cybersecurity threats taken seriously, industrials are unlikely to suddenly develop tier-1 security protocols.


Given that this is preventing them from moving liquids from A to B they should realize that protecting their system isn't a secondary concern.


Would be interested in seeing if this does result in a change in their processes, or if they will just accept the risk of this happening as a "risk of doing business".


If things go wrong, they receive millions in resources from the FBI/Federal Law Enforcement. Unless they get a bill, it's likely that they will continue their lax practices.


> I seriously don't understand why the pipeline operators don't have some contingency plan or have simulated scenarios like this which enables them to roll-back systems immediately to some usable state.

I would expect that most companies, even companies whose core product is technology, are not capable of what you describe.


With tons of companies paying insane software engineering salaries, I doubt that a pipeline operator that probably doesn't invest much in IT at all is attracting the best talent either.


This is predicated on computer systems outside of the tech industry not being held together with zipties and prayers.


Something doesn't quite add up. I feel like we don't have the full story:

>After seizing the data, the hackers locked the data on some computers and servers, demanding a ransom on Friday. If it is not paid, they are threatening to leak it onto the internet.

So... that constitutes a state of emergency? What data would they have that would be so sensitive? More likely they have hooks deep into the operation of the pipeline and may be threatening to shut it down/destroy it if not paid. Or, rather, they may be having trouble restoring operations without paying the ransom.

Side note/speculation: Will the feds make a move against crypto?


As per the article:

> The emergency status enables fuel to be transported by road.


The Fuel company in question apparently handles 40% of all the fuel in the NE sea board. So thats probably a problem.


> Or, rather, they may be having trouble restoring operations without paying the ransom.

Usually your only option with a ransomware attack is restoration from backups. So no backups or bad backups means no system.

It certainly sounds like this may be the case given that it’s triggering emergency orders. If so, it is being omitted from official accounts.


* There exists a decryption tool for DarkSide https://labs.bitdefender.com/2021/01/darkside-ransomware-dec...

* Critical infrastructure should not be allowed to run on Microsoft Windows

* The remote workers, through which the attack was performed, didn't even use a VPN, just TeamViewer and MS Remote Desktop.


I don't see this being called a "State of Emergency" anywhere but that BBC article. There's nothing on the Whitehouse.Gov briefing room, google news, etc.

https://www.whitehouse.gov/briefing-room/


It's not clear to me that this is actually a "state of emergency". The BBC has now quietly amended their headline to say "US passes emergency waiver over fuel pipeline cyber-attack." (The web page calls it a "Regional emergency declaration.")


My inherent cynicism leads me to believe the real reason they shut down the pipeline was because the attackers took down the accounting system.


I like how they "guarantee support in case of problems" after you pay them. God forbid they lose a customer. Are they going for repeat buys?


No but they want to get a reputation that paying them makes the problem go away. With that reputation, more people will pay instead of thinking it's a waste of money as the data are gone one way or another.


I saw a youtube video once of someone trying to communicate with ransomware attackers and their support was better than even some legit companies. It was funny as hell how they were so 'professional' about it


They want to ensure ransoms are paid by there being lots of sources that say they do what they say. The kneejerk reaction is to be skeptical and waste time. The only reaction is to determine if you have a backup or not, or if the consequences are favorable or not. In all of the “or nots” then you pay and move on.

In the absence of consumer protection, word of mouth (or the compulsory google results) is key.


Gotta honour the Pirate Code.


Brought to you by Bitcoin.


you never had to worry about ransomware back when we used clay tablets for accounting.


You're getting downvoted, but how many ransomware attacks would be successful if a bank account was required?


Bitcoin's not the problem, America's shitty corporate culture around not treating cybersecurity as a priority is the problem.


Technological advancements happen because of a confluence of different events, each contributing to its eventual success.

Bitcoin is absolutely one of the components that allows for the proliferation of ransomware. The key to a ransom is the ability for the attacker to obtain payment in an way that doesn't put them at risk of being caught. BTC enabled that. In fact, anonymous payments are widely considered to be one of the major purposes of BTC.

If ransomware was a positive thing, then BTC advocates would be talking about how BTC is the key technology that enabled malware to make the transition from hobby/annoyance/weapon to a full-fledged industry.


Any chance this acts as a catalyst to face the ransomware problem head-on? Someone in a position of power in US intelligence agencies has to know this won't be the last time that a massive piece of infrastructure is taken down.


We knew about this since before 2000 probably, earliest articles I could find : 2007, 2009 : https://www.cfr.org/backgrounder/americas-vulnerable-energy-... , https://www.wsj.com/articles/SB123914805204099085


This is depressing and not going to stop because it is so lucrative and relatively easy for these malware companies to find victims. It makes me wonder if cybersecurity should be considered a state responsibility and infrastructure so it will be uniform and available for every business like electricity or police protection.


If it is uniform then when a weakness is found, the whole economy can be exploited; rather than isolated companies.


Isn’t this already the case? Like SolarWinds?


It seems like the main new thing crypto has enabled as a currency so far is ransomware.


This was Mike Hearn's fear back in 2013: https://bitcointalk.org/index.php?topic=333824.0


They say crypto can't be anonymous due to the blockchain but this proves that isn't true.

I wonder how they shuffle it around and eventually convert to fiat.


At least that's a real source of value.


I'm a fan of pipeline shutdowns personally


I've always wondered about that theory.

Is the point to move liquid shipments to trucks/ships because it's safer somehow? or simply to make it so difficult to transport liquid fuels that people quit using them?

I suspect that pipeline activism mostly results in the former.


Constrained supply or higher cost of transportation = higher prices = incentive to consume less.

I'd prefer to see this dynamic produced by carbon taxes so the price difference isn't going back to the fossil fuel companies, but I'll take what I can get.

Also installation of new fossil fuel infrastructure like pipelines implies a long term commitment to the status quo or even increased production which I find unacceptable.

If the neccessary changes were underway there would be zero demand for new pipelines.


Assuming the pipeline shutdown doesn't result in even more dangerous transportation alternatives being used instead.


underrated comment. especially this company which was in the news for a major spill not so long ago.


I know exactly what stocks I'm buying at 930am tomorrow morning.

Keep your eyes on the oil major folks on twitter to see what happens:

https://twitter.com/anasalhajji

https://twitter.com/calvinfroedge


Aaaand to what extent might this state of emergency require corporate welfare for US Oil?


Note that the group has an ethics page. They only attack large, for-profit corporations.


Also, they donate part of proceeds to charity.


I would love to read the IEC 62443 risk analysis of IT-infrastructure of the pipeline.


It needs to be asked again, why are critical services on the Internet ?

We all know why, companies are chasing profits at any cost, so hiring more people to monitor these systems as the did 40 years ago will lower the execs bonuses.

The US Gov should make it clear, if you are a critical service and if your service drops due to items being on the internet, for each occurances 10% of your total revenue (including your parent companies) are forfeited.

That will get them serious about security.


> US Gov should make it clear, if you are a critical service and if your service drops due to items being on the internet, for each occurances 10% of your total revenue (including your parent companies) are forfeited

This sounds good in theory but suffers from the cobra effect [1]; you think you’re incentivising security. You’re actually pushing obscurity. Colonial preëmptively shut down its pipe to prevent physical damage. Attach a fine to the discovery and disclosure and you disincentivise that prudence.

Better: make it easier for industry to build securely and incentivise redundancy.

[1] https://en.m.wikipedia.org/wiki/Perverse_incentive#The_origi...


I reckon air-gapped networks are a valid defense. If something needn't be connected, why let it? It mitigates so many threats.


Pipelines run for thousands of miles and operate 24/7. What do you imagine? Keeping a fleet of helicopters on standby to pick up a technician at home, and drop him wherever the equipment is, in case something needs to be adjusted at night?


You could have an air-gapped system and still have remote access. Just not external access. I don't think it's unreasonable to have a couple of people in a control booth monitoring a computer that regulates the pipeline 24/7. The recommendation is, however, that we should not have that monitoring computer connected to any other network besides the internal one. If you're running pipeline, surely you can run some data cables with it?


This basically describes the Iranian nuclear system that was hit by stuxnet, which, as I recall, was spread via USB drive.

The airgap certainly reduces the chances of getting hit with a joe-random ransomware attack, though. Defense in depth...


Yes - and consider how many people have the resources needed to run Stuxnet versus ordinary ransomware. That seems like a pretty clear win if you can shrink the pool of likely attackers down to “top-tier nation-state”.


Let's not let perfect be enemy of good, especially since we can't never be perfect.


Stuxnet was built by a very well funded organization and was not targeting monetary gains. Getting ransomware spreading via USB drive is insanely expensive and complicated. You won't make money on it, whatever they are extorting will not cover development expenses


"and was not targeting monetary gains"

But in the end was it really though?


This is what the financial industry does. There's a secured "extranet" that everyone runs FIX on top of. For the most part, it works.


There's an entire parallel internet for the DoD and it's contractors. It's not like there isn't precedent that critical industries can emulate if they ever became concerned about the common good.


That's interesting. Is it physically separate? I would assume so but don't know.

I'd love to read an article on it. Maybe there are others that are geographically dispersed.


> You could have an air-gapped system and still have remote access

You're suggesting the gas company run their own network, and then you assume no employee will connect that network to the general internet for their own convenience? Not happening.


That would be a fireable offense. Even criminal.


Again, stuff like that just don't happen. It's too inconvenient. How many major utility companies run such airgapped networks?

https://gca.isa.org/blog/common-ics-cybersecurity-myth-1-the...


Are pipelines something we invented after the internet? Have we lost the knowledge we used to support infrastructure before the 90s?


Before the 90s? Hmm. Well, if you believe Thomas C. Reed's account, the US was using trojans to sabotage Soviet oil pipelines in 1982.


Is that the one when the CIA got wind of a Soviet industrial espionage operation, and seeded it with a legit-looking but subtly flawed schematic, which the Soviets ended up actually building to spec, and it exploded shortly after?

That wasn't an internet trojan, fyi.


According to the story, this was some Canadian pipeline control equipment or software which the USSR purchased from some Canadians, but the CIA modified the software somehow before it was delivered. A supply-chain attack on a computer system.

I understand there's nonzero doubt as to the credibility of this story.


I'm currently reading The Dead Hand, and I think this matches what you're talking about:

> Rather than roll up the Line X officers and expel them, Reagan approved a secret plan to exploit the Farewell dossier for economic warfare against the Soviet Union. The plan was to secretly feed the Line X officers with technology rigged to self-destruct after a certain interval. The idea came from Weiss, who approached Casey, who took it to Reagan. The CIA worked with American industry to alter products to be slipped to the KGB, matching the KGB’s shopping list. “Contrived computer chips found their way into Soviet military equipment, flawed turbines were installed on a gas pipeline, and defective plans disturbed the output of chemical plants and a tractor factory,” Weiss said. “The Pentagon introduced misleading information pertinent to stealth aircraft, space defense, and tactical aircraft.”

> Oil and gas equipment was at the top of the Soviet wish list, and the Soviets needed sophisticated control systems to automate the valves, compressors and storage facilities for a huge new pipeline to Europe. When the pipeline technology could not be purchased in the United States, the KGB shopped it from a Canadian firm. However, tipped by Vetrov, the CIA rigged the software sold from Canada to go haywire after a while, to reset pump speeds and valve settings to create pressures far beyond those acceptable to the pipeline joints and welds. One day, the system exploded. “The result was the most monumental non-nuclear explosion and fire ever seen from space,” Reed recalled. The blast was starting to trigger worried looks in the U.S. government that day, he recalled, when, at the National Security Council, “Gus Weiss came down the hall to tell his fellow NSC staffers not to worry.” The explosion had been one of the first fruits of the Reagan confrontation.


Interesting, it's not unlike the Crypto AG story.

It's funny how upset the US public can get about any perceived incursions by the Russians (sometimes true, often not) when you consider the country's own history.


There's a big difference between the capabilities of a criminal organization (like the one involved here) and that of a nation state. Such attacks are also responded to differently, and it's not going to be send some Bitcoin to this address.


Couldn't the pipeline have it's own network connected to a monitoring station. At the station employees could access the pipeline network but never connect it to the network from which they could communicate with the people who would be dispatched to make repairs or adjustments?


Sounds looks a solved problem, but it isn’t. The electrical grid isolates SCADA networks from the internet, so substations are interconnected via dedicated networks. But then at the command centers you have the entire monitoring and control systems with on site operators. Then, inevitably you will have some employees with vpn access, and now you have 2 vectors: remote admins getting hacked and local admins plugging in external devices. You’d think it’s easy to get rid of vpns, but things like the pandemic brought them all back to full force.


Is this even safe enough, though? They had one of those in the Iranian uranium enrichment facilities, and it still didn't work out for them.


I remember they got past the Iranian air gap using a USB stick. It’s a mistake to think air gaps are safe but they are certainly better than having your network open to the internet.


Well, whatever they used to do before they connected everything to the internet. What about just do that?


You can have a maintenance network that is disconnected from the internet.


Can an individual not accidentally or intentionally infect a computer not connected to the internet?


It's called Stuxnet, and it ruined 20% of Iran's uranium centrifuges. Which were air-gapped.


Air gaps didn’t save Iran. Air gaps are just one layer in the onion.


Is the argument that Iran was attacked on air-gapped network, so its not worth doing?


Do the opposite of last time logic is surprisingly popular, despite leading to some odd conclusions.


Tradeoffs. Air gaps come with other costs of their own.


Allowing remote monitoring and troubleshooting is too convenient


Iran would like a word!


> Attach a fine to the discovery and disclosure and you disincentivise that prudence.

Sue them. Failure to disclose key documents in the discovery phase of a trial carries hefty fines and jailtime. And quadruple the fine for misrepresenting the cause.

People act like the government doesn't have the power of subpoena. They can absolutely compel you to tell the truth.


Yes. I've worked in a very regulated industry before and it ended up being less secure than any other I've worked in. Checking your secure email required so many hoops people would just text each others personal phones instead, etc.


I've actually worked in govt systems. If you think the whole endless threats of jail make for more secure systems you are truly clueless.

These systems are RIDDLED with the WORST outdated crap you can imagine. Absolute insane hoop jumping so plenty of pressure to work around security just to get jobs done (seriously - start with the help desk if you want access - they are so used to password resets the procedures become a joke - literally - what's the username and that's it, because if you have thousands of folks on 30 day password rotations with insane complexity all you do is password resets endlessly). Password sharing can also be crazy so passwords float all over.

The govt has had it's top stuff leaked. Office of personnel management leaked insanely sensitive stuff. They contract with the WORST folks in security. It's really crazy.

Google has never asked me to rotate my password. I have non-SMS two factor authentication options, they do pretty sophisticated rate and geo monitoring so you are not annoyed but pretty secure.

Cyberattacks, mechanical failures, weather disasters, meteor strikes, terrorist bombs, stupid construction workers ALL could affect this pipeline. People on HN have no risk perspective. Make the system resilient to a proactive few day outage. Why does this system have to run 365 / 24 / 7? Have you mitigated EVERY possible issue - including disgruntled employees? No - then instead of over doing one corner, design some give in the system.


I want to add that the physical limits of how the design is done is as much as corruption/stupidity.

By physical limits I mean us, the wet ware in the middle of all this. These systems can be designed years if not decades before they are actually brought online. By simple temporal placement they get the materials and techniques of that time span. By the time these things are ageing out of the system they will have some old tech on them.


> Failure to disclose key documents in the discovery phase of a trial carries hefty fines and jailtime

When you do this, the documents never get created. Not due to nefarious cover-ups. But because if little incentivises the creation of documentation, and everything penalises it in the edge case, you get rubber stamped compliance stacks for decades until a crash.

If one has massive downside for reporting a potential risk, one better be 100% sure that risk is manifest before pulling the trigger. That delay and omission is the cost of such draconianism.


All internal communications, unless they are with an attorney and are clearly marked "privileged" and pertain to actual legal advice, are discoverable.


> All internal communications, unless they are with an attorney and are clearly marked "privileged" and pertain to actual legal advice, are discoverable

If a communication doesn't exist, it's not discoverable. If you legislate penalties for a certain type of communication, it shouldn't be surprising when it ceases to exist. This isn't the product of cover ups. It's the long-term effect of penalties dissuading the looking into of certain things. If discovering a breach is penalized, nobody competent will look for breaches--that leaves no discoverable liability.


You're imagining that every company is going to transition some kind of nefarious mob-style wink-wink, nudge-nudge, no-written records speakeasy, or what? That's really taking things far.

This whole line of reasoning is specious, anyway. It's based on a fallacy that enforcing penalties is just going to make everyone lie their asses off to get out scott free. Is society so broken that they can get away with this? Come on.


Security through obscurity is almost always a bad idea. There are exceptions: namely nuclear missiles.

There are counterarguments to this, but they're mostly academic: https://core.ac.uk/download/pdf/228618432.pdf.

Stuxnet, by contrast is very real


> companies are chasing profits at any cost

Government systems get hacked all the time, too. Just because the government doesn't have a profit motive doesn't change a long list of human motivations that can be counterproductive.

The profit motive also incentivizes improved quality. If the product is bungled, the company is not likely to get the next contract. If the government agency bungles the product, they'll get a budget increase next time.


"If the product is bungled, the company is not likely to get the next contract."


> The US Gov should make it clear, if you are a critical service and if your service drops due to items being on the internet, for each occurances 10% of your total revenue (including your parent companies) are forfeited.

I would love to see this but somehow I doubt it will happen any more than my pipe dream of holding the CXO and the board criminally liable for the criminal actions of management/employees/contractors/agents of a corporation during the course of their work for the corporation.

It is nice to dream though. I would certainly welcome any kind of accountability.


They aren't 'on the internet'. They are connected via several layers of networks with firewalls etc in between to a system which has direct access to the internet. There often is no practical way around this - data from these networks needs to be shared with business users, other companies, regulators and so on. Data diodes can be applicable in some situations, but I've never worked with a company that uses one. I don't know the details of this situation, but demanding that it be impossible to compromise infrastructure networks is ridiculous. If you throw enough money and resources at it, no network is secure.


Indeed the best evidence supporting this view is that Natanz was fully air-gapped and still got destroyed by the Stuxnet hack.

That said I have heard of customers expressing desire to control valves and pumps using iPhones, and believe there are several initiatives at SCADA/PLC/DCS/System Integrator companies to provide this.

However I've seen as many of those in practice as I have data-diodes, which is to say, none/never.


It's multi-dimensional. SCADA itself being networked, and it reaching other systems that may be internet-enabled.

  * What systems are affected by the hack?
  * Could the shutdown be needed because of critical data the ICS gets from business?
  * Or is it shut down because business needs real-time data from ICS it can't ingest?
In general, the idea of completely isolating an ICS from any other network is a tough one.

My question is, how often are these critical suppliers audited by the federal government? I have worked in banking cybersecurity and the amount of auditing from federal and state regulators is mind boggling. If a single company controls 45% of fuel transport to the east coast, it should carry some designation as a quasi-state entity subject to federal cybersecurity audits like banks.


This question of missing cyber security audits came up for me in discussion of the Verkada hack. That’s the startup providing security cameras inside hospitals, prisons and schools.

It seems like cybersecurity and audits of security readiness need to be demanded from any authority over companies operating in sensitive areas.


>if you are a critical service and if your service drops due to items being on the internet, for each occurances 10% of your total revenue (including your parent companies) are forfeited.

The problem is that it matters less than we'd like to think how "serious they are about security".

I'm seeing a lot of discussion about the responsibility of the victims to secure their networks, and it's mostly valid.

But it's strange that we're talking about how to punish the victims versus the criminal conspirators. We virtually let the malicious, overtly criminal party off the hook. It's almost like we're saying we expect criminals to be criminals and these guys are so hard to catch that the onus is entirely on the targets to repel their incessant attacks, else they're negligently malicious themselves. Sure, most of these victims can do better in just about every case. But, people here know better than most how difficult it is to 100% secure every layer of the stack from software to firmware to hardware, with multiple vendors and vectors, OSS, zero days, etc. And the bad guys only have to be right once across this broad attack surface. It's impossible to defend completely. There will always be breaches.

So, there's another element of this that has to be addressed, and that's getting serious about punishing these people. As it is, there's zero disincentive for them to just keep trying until they get through, but the upside is massive.

Most if not all of this activity originates from nations that are adversarial towards the US. So, we need to start treating these instances as official sovereign actions, especially when they originate from nations wherein the government and their intelligence services exert control over (and outright sponsor) such criminal schemes, and wield these attacks as a projection of national power.

These regimes also tend to feature oppressive criminal justice systems and harsh reprisals for even political dissidents. So, the message is, "we're not going to argue whether you're sanctioning these acts, but we're also not buying that you can't stop them, so we'll treat each incident as an official act of the state. We're holding you responsible for your criminals when they attack us and we will respond accordingly".

Detailed discussion around exactly how the most recent exploit might be mitigated is interesting and useful. But the balance in these discussions between mitigation and reprisals for the perpetrators needs to be shifted much more towards the latter. Otherwise, we can expect these discussions ad infinitum.


> That will get them serious about security.

My guess is that they only get serious about security after a breach occurs.

You can view it all as strengthening an immune system. Without attacks, and the occasional successful ones, nobody is going to bother to harden anything.


Is that like how the banks all got serious about evaluating their risk carefully after the first time [1] they saw their models, and consequently their liquidity, evaporate?

Obviously I agree about your dissatisfaction with the other proposed solution: that just lets corporate entities put a low (10%) ceiling on what should be unlimited liability, allowing them to say that failing catastrophically by utter neglect to security is reliably a survivable offense (I recognize that in reality the liability of course ends at the dissolution of the corporation.)

I don't know what the actual answer is.

[1] https://en.m.wikipedia.org/wiki/List_of_economic_crises


I don’t think the analogy applies. We are humans, capable of observing the failures of others and making rational decisions to avoid those same failures. The immune system is programmed to react one specific way. For example, we can choose or choose not to go out of our way to get vaccinated. If someone doesn’t get vaccinated and infects a dozen other people and then get really sick themselves, it’s hard for me to have sympathy. Unfortunately here, when there’s an illness, millions of people have private information leaked. This should simply be an unacceptable.


> companies are chasing profits at any cost

What does that mean?

This was addressed in the article. Critical services are on the internet because remote workers need access to them. I don't see how profits factor into it.


Without the overhead of reaching many locations, fewer engineers/technicians can more efficiently operate the whole thing remotely.


Those remote workers wouldn’t have to be ‘remote’ if there were other workers hired on site.


What "on site"? The various valves that need to be controlled remotely often are just a box, perhaps even underground, in a place where's no buildings for people to stay - a mechanical team can access the hardware on-site, but building and maintaining an actual office on each site is not practical. The same applies for power grids - you can't staff every substation with people.

A remote operator can manage dozens of such sites, a single "local" person might be close to one point, but the next control point is going to be miles away, so you either need much, much more people to station one at every valve, or have a situation where flipping a switch in all the "sites" is very slow because requires the "local" person to drive many miles visiting each location.

No, there's a reasonable objective need for this management to be actually remote - there's a discussion on how this should be implemented in a secure way, but it does have to be remote.


Many sites are in the middle of nowhere so it is inconvenient to go to them, so accessing them over a network saves a lot of travel time and cost.


This is true for nuclear weapons infrastructure. Paying for commutes and lodging are used there, might be useful to consider?


At one extreme a Nuclear weapons accident can kill millions of people and destroy the environment of a large area for a long time.

And then a sliding scale of risk and cost of getting hacked vs savings and increases in efficiency resulting from remote access.

Are you for or against Tesla having remote access to all of the Tesla vehicles? Are their OTA updates innovative or reckless?


Lost revenue would be justified by execs as cost of doing business. And they'd probably buy hacker-insurance to cover some/all of that risk. They'd pay for the hacker-insurance by getting a shittier employee benefit plan, and cutting the employee 401k match by 2%. For each quarter they aren't hacked, they'd probably receive a credit from the hacker-insurance company, which would be distributed to execs via performance bonuses.


> It needs to be asked again, why are critical services on the Internet?

From TFA:

Digital Shadows thinks the Colonial Pipeline cyber-attack has come about due to the coronavirus pandemic - the rise of engineers remotely accessing control systems for the pipeline from home... believe DarkSide bought account login details relating to remote desktop software like TeamViewer and Microsoft Remote Desktop.


So fast food workers were “essential workers” but oil pipeline control system engineers aren’t?

Projects that require a security clearance have to be done from inside of a secure facility. This clearly needs to be the same level.


>We all know why, companies are chasing profits at any cost,

I wonder if that's even true 100% of the time.

It could simply be programmers + feature creep, bolting great wads of software to systems with small value on the margin.

It would be interesting to talk to software people in the gambling business, you'd think that would be Ground Zero for nefarious attacks.


Couldn't a service provider use an internet backbone with a one time pad comms protocol to essentially have a secure controls channel?

Then once a year a rep could fly out a few terabytes of OTP to each location and all comms would be impenetrable.

Sure beats a parallel physical comms system cost wise.


Maybe that'd make sense if it was the encryption that was broken. I wouldn't suggest a one-time pad for anything where modern encryption works just fine.


People whine about infrastructure being accessible over the internet, but in the old days it was just accessible over the phone network instead of the internet. It's not realistic for every bit of infrastructure to have the security protocols of military systems.


> The US Gov should make it clear, if you are a critical service and if your service drops due to items being on the internet, for each occurances 10% of your total revenue (including your parent companies) are forfeited.

Make it a crime to pay the ransom in a ransomware attack.

Make it a crime to fail to report a ransomware attack in a timely manner.

Ransomware attacks (and companies with poor security practices) will go away.


Make it a crime to possess, consume, or distribute substances that are bad for people.

Make it a crime for people to knowingly withhold information about such activities from the authorities.

Abuse of substances, trafficking, and associated criminality will go away.

But seriously...

> Make it a crime to pay the ransom in a ransomware attack.

Ok, so ... what should a company do? File a report with some government agency or with an insurance company and wait until the bureaucratic process maybe results in being able to pay the ransom to resume business operations? Punishing the victim of a crime? Really?

> Make it a crime to fail to report a ransomware attack in a timely manner.

Further punishing the victim of a crime? Really?

> Ransomware attacks (and companies with poor security practices) will go away.

lol


I don’t see an analogy to drug laws. Is your point simply that such a law is impractical to enforce?

Paying extortionists begets more extortion. The only argument I’m seeing is a bunch of hand waving and people telling me I’m being hopelessly naive. I don’t think I am.


There is already a law. It's called misprison of felony.


>Make it a crime to fail to report a ransomware attack in a timely manner.

You mean like "18 U.S. Code § 4 - Misprision of felony" [0]?

[0] https://www.law.cornell.edu/uscode/text/18/4


Just like all other laws that companies break, they'll just get a slap on the wrist and continue their ways


Also, why do critical services run Microsoft systems?


The real question right here. When will the US government finally take Linux seriously and invest heavily in it instead of relying on Microsoft solutions?


so then we rely on linux solutions instead? I've seen lots of control systems running linux and windows, personally I'd rather keep a mix of the two. Something about eggs and baskets.


> Digital Shadows thinks the Colonial Pipeline cyber-attack has come about due to the coronavirus pandemic - the rise of engineers remotely accessing control systems for the pipeline from home.


I would disagree with this. No petrochemical company I've worked with had OT/PLC/SCADA layers enabled for remote login. Other middle layers, like the historian, potentially. But not the control system itself.

It's possible to enable this but knowing the culture at Colonial Pipeline first-hand, I strongly doubt they did this during COVID.


Agreed. Our companies are driven to increase profit at all cost. Even cost to their function and utility.

Our over financialization is squeezing everyone and everything.


To clarify: this is not from "financialization" generally speaking. This is specifically from consolidation for the sake of increasing efficiency and thus margins (as you pointed out).

This is opposed to increased competition (which also increases volatility) in the markets.

The reason why the markets are so consolidated is because it removes short-term risk. If there is an obvious market and only one (or a few) companies involved then everyone makes money (magic, I know). This is why Wall Street lobbies for regulations so hard. They have ownership in all the existing major companies that can afford those regulations and it consolidates the profits (and thus returns). De facto Crony Capitalism at its finest. Your aristocratic oligarchs.

So, stop giving your money to large index funds. (And every time there is a comment on HN telling you to, and there are plenty, downvote them and tell them a proper F-off).

The idea that no one can/should ever lose is what is killing the economy. It got its birth in the boomer-retirement-fund markets of the past few decades.

To recap, it is consolidation for margins that is the problem. That is not the same as general "financialization" (increased trading) that helps increase volatility in the markets and actually increases the size of the economy.

We desperately need real markets and not this crony capitalism that seems self-persistent.

The current system is such a marriage between corrupt politicians and wall street (which is now heavily extended into SV, btw) that it is absolutely disgusting.


Critical services are on the Internet because they are provided by the lowest bidder.


They are not always the lowest bidder. Colonial Pipeline was known for selecting the higher bids sometimes in order to ensure quality of work. They'd generally evaluate risk vs. quality vs. price.

Colonial also kept multiple overlapping vendors for their last SCADA upgrade in order to make sure that no contractor was too overloaded during a "boom time". They'd generally stagger the work between locations (they had to upgrade dozens of stations along the pipeline) and keep track of the performance of everyone they hired and try to keep a steady workflow for everyone over a multi-year period.

It was generally not about the lowest bid.


> if you are a critical service ... for each occurances 10% of your total revenue ... are forfeited

You can achieve the same effect without all the arbitrary political decision-making inherent in this proposal by requiring these companies to buy delivery insurance or something. The insurance company will charge them proportionally to the risk of attack, which will internalize the cost.


Like AIG insuring investments during the 2008 crisis? I think for critical infra you want some extra care and redundancy (not arbitrary though of course).


We should also shut down Russian infrastructure through cyberattacks. The Russian government supports DarkSide.


Totally, take out all the hospitals, education and basic needs for the rest of the innocent people. Or just nuke them, that will teach um.

On a serious note, sure retaliate, probably don't hurt innocent people.


or maybe the notion that russia is even behind it is a lie aimed at stoking tensions between the united states and russia, probably for the sake of profitting companies like digital shadows--or wharever it was called.


Seems they got in through a password brute-force attack?

It might be time to switch to hardware tokens, encryption keys or to enforce fully random passphrases or diceware/xkcd passphrases.


Anyone not using U2F/WebAuthn to protect all of their internal resources is behind the state of the art. It's really not that hard, especially when you're a BigCorp and already have an SSO system in place.


nice timing for this "cyber" attack on an oil pipeline company.


[flagged]


> We should shut down Russian infrastructure as retaliation.

How about, instead of causing harm to innocent Russian people by such pointless escalation, the US makes a serious and meaningful effort to secure their critical national infrastructure. As they should have done in the first place.


No we should not. We should hunt down those individuals that are responsible but if we get into this tit for tat escalation pattern it might end poorly for all parties involved.


And if “the individuals” turn out to be operatives of the Russian government?

I find as world events unfold these last few years I have drifted away from my isolationist/non-interventionist views. I wouldn’t say I’d advocate for a military response (either electronic or physically destructive) at this point, but I wouldn’t think badly of our government if they did something like that.

Americans have become a rather stupidly optimistic/ignorant people. Russia and China will absolutely destroy us if we don’t aggressively counter their military aggression. And that’s what attacks like this are: military aggression. We ought to start acting like it.


They've already succeeded. America is already unprecedentedly divided and demoralised.

“One need not destroy one's enemy. One need only destroy his willingness to engage.”

― Sun Tzu


Since this account appears to be using HN primarily for ideological battle and that's against the site guidelines, we've banned it. Please don't create accounts to do that with. It's not what this site is for, and it destroys what it is for.

https://news.ycombinator.com/newsguidelines.html

https://hn.algolia.com/?sort=byDate&dateRange=all&type=comme...


Agreed. That said, we need to do it now before some populist lunatic is compelled to attempt it.


Actually, tit-for-tat is gametheoretic stable.

https://en.m.wikipedia.org/wiki/Tit_for_tat


Yes we should. There is no justification for why we meekly let them have at it cyberspace. It should be pain for pain. Russians will never learn until they feel pain.


I can think of some reasons why we should not retaliate against the Russian government. Perhaps we have more to lose in escalation. I don't know if this is true but it might be. If this is an attack at the behest/approval of the Russian government we don't know why they made the attack. It could be a response to something we did to them. We should not get riled up because what hasn't been reported is likely the real story. We just don't know and as citizens we ought not clamor for our leaders to respond. That sort of clamoring has in the past had very negative consequences.


> Perhaps we have more to lose in escalation.

We can entirely, safely remove Russia from the global Internet and we can do it trivially. That's exactly what we should do if they press attacks too far: isolate them. They have the increasingly government controlled Runet to restrict their people's access to the outside world, we should barricade them in.

Their economy is small, close to meaningless. It's nearly a rounding error at this point in the global economy and it'll continue to shrink in that relationship. The sole thing to be concerned about with Russia is their nuclear arsenal.


Their economy is small and ours large. Therefore we have more to lose possibly. Removing them from the internet will not prevent their ability to mount attacks. It makes it more difficult but not impossible. We cyber attacked an Iranian nuclear facility that was air gapped.


I like the concept of holding Russia (as with any country) responsible assuming they are, but your reply didn’t address the escalating pattern of tit for tat, and how to deal with that.


Perhaps a sort of cyber-MAD comes out of the escalation and the Russian government cracks down on the group to prevent their own serious infrastructure disruptions.


Here's the answer: it hasn't been tit for tat. It's been all tit.

At some point, you have to tat.


> We should shut down Russian infrastructure as retaliation

Sanctions against key people are probably more effective while not causing too much anti-American sentiment in the general population or a rally around the flag effect. Hard to rile up the people because a dodgy oligarch can no longer keep his roubles in a London bank, where Babushka Svetlana freezing to death 'cuz the Yankees cut the gas is a martyrdom event.


Not to mention sanctions cost real human lives. The people who will be starving aren't the same folks who are mounting highly complex, large scale ransomware attacks.


[flagged]


Please don't take HN threads into nationalistic flamewar. It's tedious, predictable, and nearly always nasty.

We detached this subthread from https://news.ycombinator.com/item?id=27102024.


If you believe this is somehow unprecedented, or that the United States does not also exploit extralegal methods for proxy conflict/geopolitical subterfuge when convenient, you need to read more


>and this an act of war

What an absurd statement. And what do you suggest we do? Attack them and hope they don't respond with nukes?


Solarwinds hack, Mueller report, this... I don't know what the best response is. First we have to wake up that we are under attack.


Take a deep breath, you are jumping at shadows and telling everyone that "they" are out to get us.

Thieves are thieves, organized crime is organized crime. You think there aren't major criminal organizations in the US committing ransoms in other countries?


Previous poster isn't wrong that the Russian government turns a blind eye to these kind of things as long as it doesn't target Russian citizens; same with China etc. This isn't especially controversial, and anyone involved with these kind of things will tell you this.

Calling this an "act of war" is of course hysterical.


You say “under attack,” I say “standard world power shenanigans”


where did you get this understanding?


MSNBC had a person on who purported to be someone knowledgeable. I also read the Washington Post. The act of war part was my idea. I realize I may not have the correct understanding yet, but based on the Solar Winds hack and the Mueller report, it seems to me they are attacking us. Isn't an attack an act of war?


consider washington post:

https://www.washingtonpost.com/national-security/democrats-a...

and msnbc:

https://www.msnbc.com/msnbc/watch/russia-paid-up-to-100k-bou...

in light of this:

https://abcnews.go.com/Politics/top-pentagon-officials-russi...

and this:

https://news.yahoo.com/russian-bounty-story-falls-apart-1921...

i noticed this at the time. i heard really loudly about russia paying bounties on american soldiers, and then so quietly that i might have missed it that there was no evidence for it. it's odd isn't it?


Large corporate or state media outlets are unlikely to provide the historical context or the epistemic humility required to follow geopolitics with nuance


[flagged]


Regulatory clamp down as in higher regulations that companies must have good computer security?

I think it's already potentially illegal to pay a ransom. Maybe governments could increase those penalties and make it more clearly illegal.


Without knowing what OP is referring to, my guess is they're talking about a clamp down on cryptocurrency.


Mind if I asked where did you get this info?


Here’s the WEF head warning about a “cyber pandemic” that would make COVID look like a minor disturbance: https://www.youtube.com/watch?v=uD6C63ZuDlQ

This is the same group advocating for The Great Reset, and predicting people will “own nothing and be happy”.

It does seem like there is a plan in place for the controlled demolition of industrial society to depopulate the planet and solidify a neo-feudal order of rule by a breakaway elite.


Nothing to do with this article, but...

when did "legitimate interest" become the thing advertisers^Wtrackers are (ab)using to keep tracking on by default? It's not due to a change in legislation afaikt, the GDPR hasn't changed in this regard, right?


Hacks, not skill or ethics. Losers!


Is this event going to give Americans a new appreciation of pipelines? One of Biden’s signature issues was killing Keystone after all.


What makes you think Keystone and this pipeline are the same in any way?

They are not, and you should know the difference before dragging political nonsense totally irrelevant into the topic at hand.

I know, some people just can’t help themselves but to color everything in a political binary.


I suppose I’m very naive, but I’m under the impression that they’re the same in the way that that they’re both meant to provide necessary fuel oils to local markets in an efficient way.

And that maybe it would be good to have redundancy, which requires allowing new pipelines to be built. It’s not my fault that that’s somehow a “political issue,” which as far as I can tell means something that your preferred propaganda sources have conditioned you to have an emotional response to that overwhelms any hope of reasoning.


Critical data belongs on magnetic tape.

Should have also kept nuclear launch codes on floppy.


Clearly they should have hired the guys that made the elections the most secure in history, to secure the pipeline.


I like your sense of humor


The government is incompetent, especially when it comes to cybersecurity. It will be interesting to see how this plays out.


Who was it again that has the most effective intelligence community and military in the world?


I hope you're not talking about the CIA, whose network of agents in China (to pick one example) was rounded up and killed due to either shoddy IT work or a mole in the Agency. Either possiblity reflects poorly on the American intelligence community:

https://www.reuters.com/article/us-usa-china-espionage-idUSK...

>Investigators remain divided over whether there was a spy within the Central Intelligence Agency who betrayed the sources or whether the Chinese hacked the CIA’s covert communications system, the newspaper reported, citing current and former U.S. officials.

>The Chinese killed at least a dozen people providing information to the CIA from 2010 through 2012, dismantling a network that was years in the making, the newspaper reported.

>One was shot and killed in front of a government building in China, three officials told the Times, saying that was designed as a message to others about working with Washington.


This isn't a counter-argument against the person you're replying to, though. One can pick from numerous examples of the inverse(though the US doesn't round them up & disappear them, they go through the court system)


> though the US doesn't round them up & disappear them, they go through the court system

Yeah, unless you are suspected for terrorism. I recommend the movie named The Mauritanian.

> Mohamedou Ould Slahi (Arabic: محمدو ولد الصلاحي‎) (born December 21, 1970) is a Mauritanian man who was detained at Guantánamo Bay detention camp without charge from 2002 until his release on October 17, 2016.

> The book, Guantánamo Diary, was published in January 2015. It is the first work by a still-imprisoned detainee at Guantánamo. It provides details of Slahi's harsh interrogations and torture, including being "force-fed seawater, sexually molested, subjected to a mock execution and repeatedly beaten, kicked and smashed across the face, all spiced with threats that his mother will be brought to Guantánamo and gang-raped.[1]

[1] https://en.wikipedia.org/wiki/Mohamedou_Ould_Slahi


In a country of 330 million people, with massively global interests, you're going to have to do a lot better than rare examples.

In a country so large with so many different government agencies, entities, organizations, and interests, just about anything you can think of will have happened at some point. The question is whether it's going on at large scale, whether it's the common practice or rare.

You're trying to use one example to prove that the practice is common, when in fact that's false, it's not common it's rare. It's the exception, not the rule; which is exactly why it makes for an attention getting story.


I have no idea whether it is happening or not at a large enough scale. I did not mean to prove anything, just wished to shed light on it.

How do we know it is not happening though? Think about pre-Snowden.


> In a country of 330 million people, with massively global interests, you're going to have to do a lot better than rare examples.

USA doesn't have massive global interest. Maybe its companies, but not it's state. USA is a very insular, and static system of a state.

It's a good example what happens in those very few cases when the machine of US state moves, and what is characteristic of it.

A meaningful political reform will start with somebody starting to uncork it, and forcefully subjecting it to contact with outside world.


Okay, first of all, we have no reason to remotely assume those executed were CIA agents; it’s far(far) more likely they were CIA assets, local people recruited by agents to sell secrets. Assets are captured regularly.

Even still, do you expect any intelligence agency to be perfect? I’m not sure what point you’re trying to prove here.


Intelligence I'd say probably Russia right? They've made America look quite incompetent the past decade or so. Military I'd say America although I don't think SEAL team 6 is going to be hunting down these attackers


> They've made America look quite incompetent the past decade or so

This itself is American propoganda; the strategy is to be absolutely all over your opponents, knowing that they can't complain about it for fear of looking weak, while complaining loudly about how their meagre attempts are the end of the world, getting public and Congressional support for more spending.

Before the Snowden leaks, someone suggesting the US had the SIGINT capacities they actually did have would have be laughed out of serious circles as a crank, and you better believe they haven't been sat still over the 8 years since.


I don't believe the way America has embarrassed itself on the world stage is American propaganda. Russia has repeatedly exploited the stupidity of a few within the upper echelons of the elected American government with a few well placed agents and bots backing up those messages online.


> I don't think SEAL team 6 is going to be hunting down these attackers

It would certainly reduce their enthusiasm for hacking.


Why are you bringing Israel into this?


The effectiveness of the CIA (or government) depends on the narrative of the author. Like the immigrant paradox: are they lazy or are they taking your jobs? which is it?


In terms of actual execution, definitely not America!


Pound for pound I'd say Israel.

In absolute terms I'm pretty sure China has us at sea and in cyber so...

Not the US


Pretty sure china doesn't have the oceans - might want to check up on your stats.


Not to be rude but I'm pretty sure you need to check up on your stats. The Chinese do have the oceans.

>Citing the Office of Naval Intelligence, a Congressional Research Service report from March notes that the People’s Liberation Army Navy, or PLAN, was slated to have 360 battle force ships by the end of 2020, dwarfing the U.S. fleet of 297 ships.

[1](https://www.navytimes.com/news/your-navy/2021/04/12/chinas-n...)


Air Craft carriers and jets were proven in WW2 to be the big differentiator. US took note and has more than the entire world combined. 'Battle force ships' is a very loose term and your source only includes navy resources. You forget we have Army, Air force, Marines and not to forget coast guard that all have their own watercraft. Also, don't know if you've been seeing some of the new SWISS ships the US have been developing. Very small, hyper fast ships with a crew of 6 or less with a crazy amount of firepower in terms of AA, 50 cal, even torpedos. Those aren't categorized as 'Battle Force Ships'.

Also, despite the huge waste that is inherent in it - no one has bases like the US does. We have forward operating bases all over the middle east, geographically separated units all over east europe, africa, asian pacific, and military bases all over europe and every key point of the united states. Nasa never quite got launches down but we do have some of the most advanced satellite, imagery and other military instruments. look up number of military spacecraft by country.

Whether it's moral or not is an entirely different question, but there is a reason the international monetary fund has a weight 44% USD; It's not because all the other countries like us that's for sure.


Can’t find anything about the SWISS ships but curious to learn more, if you could provide a link.


opps - it's SWCC*. Can't seem to find the heavier version, but it was based on the SOC-R.

https://en.wikipedia.org/wiki/Special_Operations_Craft_%E2%8...


without significant aircraft carrier fleet i'm not sure china has dominant control of any seas, despite best efforts in south china seas

[1](https://en.wikipedia.org/wiki/Chinese_aircraft_carrier_progr...)


https://www.cnn.com/2021/03/05/china/china-world-biggest-nav...

I am not sure what your point is. By number of ships, they are the biggest. I have no idea how important aircraft carrier fleet is.


Biggest by number, not by capability or weight. There are significant differences as a result.

I.e. who cares if you have the most swordsmen on the planet, if you in a gunfight.


> I have no idea how important aircraft carrier fleet is.

It’s the most important part of a modern blue water navy and has been since WW2. The US also has a world-dominating submarine fleet.


Bath Iron Works is hiring people on the spot right now. They are probably going to hire 3k people in the next year. I imagine this is happening at other shipyards around the country. Expect those ship numbers to be revised upwards.


I don't dispute the ability for China to produce more ships than the US or have more ships. By tonnage they are still less than half the size of the the US fleet and they aren't in control of the oceans. I'm not saying that won't change I am merely flagging OP statements as inaccurate.

Don't worry I don't take your comments as rude.


We should use it and shut down Russian pipelines. The Russian government is supporting and harboring DarkSide. It's possible the state directed this attack through them for plausible deniability.


That same incompetent government that was behind Stuxnet?


Tell that to Ross Ulbricht.


Who decides how many hours we're allowed to work, driving trucks, fixing jet engines, taking care of children, or doing anything else?

Our and our employer's liability for errors is enough motivation to maintain safety at a reasonable level.

Put another way, is there statistical evidence of the efficacy of these regulations in reducing trucking accidents? Not that I could find!



Forgive my ignorance, but is it incredibly hard to determine the actual identities of the people behind this? I don’t know why a government wouldn’t simply assassinate culprits who were guilty of crimes at a level that would qualify as an act of war.


Given that this is a ransomware attack, the data is probably encrypted, so if they did find the person behind it, they would probably use "rubber-hose cryptanalysis" to extract encryption keys before...

https://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis


I think it’s odd that I’m being downvoted.. I’m not advocating murder, I just wonder if ransomware criminals (assuming they aren’t actually state actors) wouldn’t be at risk.


Breaking: U.S. government is inept at carrying out procedures which are standard in the technology industry, including the proper safeguarding of important tools & data, despite a budget larger than any other entity on earth.

Not Breaking: Citizens’ disappointment in the aforementioned, particularly given their direct contribution to said budget.

The Unsaid: Much of this will not change, unless incentives are realigned.


> Breaking: U.S. government is inept at carrying out procedures which are standard in the technology industry, including the proper safeguarding of important tools & data, despite a budget larger than any other entity on earth.

I'm not sure what technology industry you are in, but in the one I'm in software engineers are fooled by phishing attacks extremely consistently, people routinely expose critical systems and devices to the internet, developers often expose databases with insecure defaults to the internet over well-known ports, customer data gets stolen on a regular basis, etc., etc., etc. Regardless of how one feels about the government, I don't think the average technology company does any better when it comes to securing its own infrastructure.


Basic security practices like 2FA and not using VPNs/trusting the network would be a great start. There is no excuse for private business like Facebook and Google being more secure than the f*@& United States of America.


Well, to be fair, the government doesn't control the pipeline...


Well, FB, Google, et al. have sucked up all the talent.


The NSA and CIA pay less than half of what a FAANG company pays for the same role.

Sources: FAANG: Levels.fyi and personal experience

NSA/CIA: https://work.chron.com/nsa-pay-scale-16399.html and https://www.opm.gov/policy-data-oversight/pay-leave/salaries...


For sure, and worse because there's no stock grants that subsequently go up several times in value after distribution. I get that it's a compensation problem as well as a supply problem: software engineering talent is hard to come by and world class software security talent is even harder to come by.


How is the US government inept? This is a private company sucking ...


Er, the victim here is a private company, not the government.


When 45% of the East Coast's supply of diesel, gasoline and jet fuel is impacted, the government has a problem.


Yes, the problem is "How quickly can we nationalize this company."




Applications are open for YC Winter 2023

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: