This really feels like 1650's nautical piracy. Someone outside the reach of the law of the targeted country's merchants, making tons of money by theft and ransom. And like the pirates of old, often supported by the host nation so long as their attacks disrupt the activities of rivals nations' merchants.
The Cyber Privateer Code (draft 02—updated on 6/28/2013):
- Any unauthorized attempt to access your computer or phish your data access privileges constitutes a crime punishable by the looting of the attacker's assets by an authorized cyber privateer. All assets. Within 6 months of the attack.
- If it is determined that the attacker is acting under explicit instructions from a larger organization or government, the assets of that organization or government are also forfeit to the extent that an authorized cyber privateer may confiscate them within a six month period of the original motivating attack. All assets.
- The individual whose assets were seized by a cyber privateer—or the publicly and legally designated spokesperson for the organization or government whose assets were seized by the cyber privateer—has the "right of parley" with the head of the cyber privateering organization, such meeting to take place online in a two-way video conference, such conference to be publicly recorded by one or both parties and before the disposition of the booty but no later than 10 days from the confiscation.
- Innocent victims whose assets are directly and mistakenly confiscated by cyber privateers (and whose funds are not returned within 10-days after the parley) shall be compensated in an amount equal to four times their loss, with interest accruing on the restitution amount at the rate of twelve percent per annum. This does not include victims of the cyber criminals, since they were already victimized.
- Notifications and requests for parley must be unambiguously left by the cyber privateer so as to allow the right of parley to be exercised in a timely fashion.
*These rules would of course lead to the world's end in any significant conflict, imo. But it would certainly be fun for a minute.
Many of us foresaw this (and much worse) when we first heard about Bitcoin in 2009-2011. Yes, Bitcoin has its anonymity issues, but cryptocurrencies in general are what typically enables this kind of crime.
Caesars Entertainment Inc. paid tens of millions of dollars to hackers who broke into the company’s systems in recent weeks and threatened to release the company’s data, according to two people familiar with the matter.
Hacking gangs typically ask to be paid in cryptocurrency if they demand a ransom.
I don't want to live in a world with 100% anonymous and untraceable payments.
> I don't want to live in a world with 100% anonymous and untraceable payments.
Cash is equally as capable of this, though. The hackers in this situation could demand cash and practically nothing would change about the technical aspects of their attack.
They would have to travel from e.g. Russia to Las Vegas to pick up the cash though. Or, I suppose, demand delivery of cash to Russia, or some other place. Whichever way, it's a lot easier for law enforcement. Suddenly a particular country is responsible.
Nah. Maybe $1000 bucks here or there, but you're not moving 8.1 million in paper money easily. And that money has to be laundered. Plus bills are traceable by number, and will often have markers on them. And they have to move, by hand, truck, package, etc., which means they can be found, often with little technical skill -- rando customs guy decides to open a box using the cutting edge tech of a letter opener.
BTC makes dealing with all of that a (potentially automated) bash one-liner.
Merchants provide a value to society and pirates harm that. The thieves are providing a value to society in this case by damaging casinos, which provide no value to society and only harm citizens.
Casinos provide leisure and entertainment. If what you're actually trying to say is that they are overall a net harm, then I'd point out that imperial mercantilism was also quite harmful to many people. At least MGM hasn't overthrown any countries.
In exactly the same way a heroin dealer provides leisure and entertainment. Selling access to an inherently addictive substance should not be a for-profit endeavor. The incentives are inherently biased towards harming people for profit.
You say this as if "addictive" and "harmful" are boolean concepts. These concepts have a wide spectrum in reality. People die every day from addictions to all kinds of socially acceptable products and services, whether it be the dopamine rush from an unhealthy or dangerous activity, a buzz from their favorite beverage, or the sugar rush from an unhealthy snack.
I encourage you to walk through some casinos and take stock of what you see. The scales of enrichment and addiction are nowhere near the balance of candy and soda.
The most harmful things inside of a casino are the bar, the buffet, and the cigarettes.
> I encourage you to walk through some casinos and take stock of what you see.
I have spent a lot of time at casinos with family members who love eating, drinking, smoking, and gambling. Know what I've seen? I've seen that gambling is the only one of the four that hasn't killed at least one of my family members.
Lots and lots of gambling addicts die through suicide. Is there some reason this is less attributable to gambling as a cause than lung cancer is to smoking or drunk driving accidents are to alcohol?
Urgent to whom? We live in a multipolar world now.
Countries already use criminals as political tools to advance their goals on the world stage. What makes you think expanding these efforts will somehow change existing geopolitical behavior?
All systems of law break down into the imposers, and the imposed upon. You don't have to impose anything on the voluntarily compliant, but what about those that refuse? Are you going to invade or kill innocent people just because a few leaders don't want to play by your rules?
Sanctions don't work for their intended political purpose. The only reason politicians talk about them is because it enables their corporate masters to swoop into markets and make a lot of money. (And if you disagree, I ask you find a study pointing to how sanctions were politically successful.)
> What does that have to do with it? We should expect more of international institutions in a multipolar world.
The whole reason why the world went from unipolar to multipolar is because the existing international organizations failed. What you're missing is these international organizations are political instruments used to obstruct and hinder Russia and China's development. The people in those countries don't share your supposition that more international organizations are a good thing.
> It's urgent to anyone that has had to deal with ransomware gangs.
What makes you think an international organization can do anything about ransomware? It's existed in this form for over a decade and nobody has done anything about it.
> It's urgent for countries suffering from violent cartels.
Why hasn't some international organization been formed to handle this then? Multipolarity is very recent.
> It's urgent for Canada, which just accused India of assassinating one of its citizens on Canadian soil.
Do you think Canada is going to war with India over this?
> The whole reason why the world went from unipolar to multipolar is because the existing international organizations failed.
They "failed" because they were gutted by a covert, powerful and violent "right-wing" alliance (imperialists, capitalists, white supremacists, all who felt tremendously victimized by recent global events incl. rise of communism). They were not about to throw away centuries of dominance to share international power with "inferior" classes of human.
The UN was rather effective in its initial decades.
Do you really think Hammarskjold, the Kennedys, and African(-American) leaders getting assassinated en masse in the 1960s was a spate of random coincidence? They were all united in opposing this covert alliance.
But the world is different now, the Global South is decisively emerging from under the imperial boot and multipolarity has a real chance.
> They "failed" because they were gutted by a covert, powerful and violent "right-wing" alliance (imperialists, capitalists, white supremacists, all who felt tremendously victimized by recent global events incl. rise of communism). They were not about to throw away centuries of dominance to share international power with "inferior" classes of human.
It seems no answer can satisfy you.
You're saying we need more international organizations (or more powerful ones) to prevent the problems described. But when we do form these international organizations, and they don't do exactly like you hoped it's because of intangible reasons that cannot be falsified.
> The UN was rather effective in its initial decades.
The League of Nations, which preceded the UN, was rather effective in the 1920s and didn't include the USA. It also completely dropped the ball by 1930. Historians partially blame the League of Nations for the outbreak of the Second World War.
> Do you really think Hammarskjold, the Kennedys, and African(-American) leaders getting assassinated en masse in the 1960s was a spate of random coincidence? They were all united in opposing this covert alliance.
You're vacillating between wanting more powerful international organizations, but at the same time don't want international organizations wielding their power in ways you personally don't approve of.
I assure you there is nothing intangible about a clear pattern of high-profile assassinations, to say nothing of other related global events.
> You're vacillating between wanting more powerful international organizations, but at the same time don't want international organizations wielding their power in ways you personally don't approve of
You really can't see the difference between overt, ratified international institutions, and shadowy, nameless, violent special-interest groups? Come now.
I acknowledge there's a pattern of high-profile assassinations in history that raise questions and seem interconnected. However, attributing them to a small covert group is a logical leap.
What would convince you they're not conspiring together?
As for international organizations, my point is that even ratified and official organizations are not immune to political pressures and special interests. How do we ensure transparency, efficacy, and fairness when the existing entities can't do that sufficiently well to maintain unipolarity?
> There is an urgent need to have effective international law-enforcement and justice.
What makes you think any other organization given such privilege would do any better with it than the US? Even if they started out with good intentions, that kind of power will inevitably corrupt them.
Embrace multipolarity. Benevolent, wise and just unipolarity will never happen.
If you have in mind the kind of international courts that already exist, e.g. the ICC... well, they already exist. I took your emphasis on "effective" to imply that you would like international courts to have substantially more power than presently exists. With enough power to truly be effective, that court would become the unipolar power. It would attract the power hungry like moths to a lightbulb.
This is a good example of the kind of case study I will point to when someone starts to get cranky with my unyielding principle of putting the entire business inside a single SQL database.
When you have geo replicas and point-in-time restoration capabilities which can synchronously bring 100% of the business back from the dead in a matter of seconds/minutes...
How many $8.4m days before a complete rewrite of all systems would be justified? If you are going to entertain a rewrite, why not use one system to rule them all so you can audit one thing and move on with life?
This industry does not seem like a good fit for non-traditional technology stacks. I'd strongly consider putting my entire casino on a mainframe if I could. Any vendor who indicates a lack of willingness for integration with that tech stack would be instantly disqualified from selection. I feel like this is a really good technology bullshit filter for the kind of industry MGM is operating in. If it's not good enough for Visa or Amex, it's not good enough for a gambling operation.
> putting the entire business inside a single SQL database.
I too have a theory that you could get away with this and come out ahead of the industry. The problem is no CEO has the balls to try it in FinTech or any other heavily regulated industry.
The business logic has to live somewhere, and triggers and stored procedures are just not the right place to do it.
Plus these guys apparently got majorly pwned. I don't think any particular blend of stack was to blame, more likely they have a lord-of-the-flies driven technology "architecture" and simply hoped nothing bad ever happened.
It seems like a bug/wrong infra, nothing that mainframe could fix.
> it's not good enough for Visa or Amex, it's not good enough for a gambling operation.
We have multicloud/kubernetes
The hackers have taken down slots, cash registers and EPOS handhelds, controllers for doors and elevators, ATMs, kitchen ordering systems, display screens, etc.
Even if all their business data was 100% retrievable, they are losing money every day that customers are wandering around a casino full of darkened screens, and playing a working slot or getting a drink involves waiting 20 minutes for an employee with a pencil, notebook and a handful of cash.
I'm curious if MGM fully understood their cyber risks. Many companies underestimate threats until something like this happens. After seeing MGM, if other hotels beef up security too (very likely), will overall costs for consumers go up?
Security is a SG&A line item, I am sure they are far more fixated on physical security due to their business vertical and had a gap. There will be many cyber companies chomping at the bit to get a piece of the inevitable (I made this number up) 100m MGM will spend on Cybersecurity over the next 5 years.
They won't make the same mistake twice and will build a comprehensive cybersecurity program, and it will succeed. Up until someone questions this cost and they forgot what they are paying for because everything was so smooth and repeat the cycle.
The objective of security is risk identification and management, not creating an impervious barrier for potential adversaries.
Ha, that is funny. I have literally never met a CISO who shares your confidence. Not a single one of the companies chomping at the bit can protect MGM against a multi-million dollar ransomware attack. Companies get hacked because commercial cybersecurity by the big names is useless against the modern, prevailing threat landscape of organized crime. The sum total of their ability is stopping unskilled children, and even then only sometimes.
Just ask any CISO if they would bet their job on surviving a $1M unrestricted red team exercise with a year-long timeframe. They would all be scared shitless by the thought. I bet if you asked the CISO of MGM three days before the attack: "How much would it cost to hack MGM and cripple operations?" they would answer like every other CISO I have heard answer that question and say something on the order of $100K. They know it does not work; they are there to be sacrificed and just hope it does not happen on their watch.
I am not. Name one competent security program certified and verified to stop total compromise by a $30M unrestricted red team exercise which is the ransom amount demanded by the attackers on Caesars just a few weeks prior.
Keep in mind that amounts to around 100 person-years of dedicated hacking labor. I get a team of 50 and 2 years to achieve total compromise. I get to burn 5-10 zero click RCE zero-days. The idea that any of the commercial cybersecurity companies or any commercial IT organization could design a system that could resist such an attack is laughable. This is not a question of resources, it is one of ability.
I agree, compliance is not an above-average security program. But a security program that is merely above-average is woefully underprepared for the modern threat landscape. You need a security program 100x better than "best practices" to stand a meaningful chance, and you are not finding that amongst the charlatans in the big cybersecurity players.
> They won't make the same mistake twice and will build a comprehensive cybersecurity program, and it will succeed. Up until someone questions this cost and they forgot what they are paying for because everything was so smooth and repeat the cycle.
> Many companies underestimate threats until something like this happens
Speaking from my experience, many don't understand the threats even after an incident. The reaction is often to add 'more security' under any name. More restrictive policies, more scanning, more layers of MFA - just blindly layering on things because it's seen as 'more secure' without properly understanding how it affects risk is an awful approach to managing security.
And I would say T-Mobile not only doesn't understand the threats after their many data breaches, they have continuously failed to improve Cybersecurity.
They have an incredibly crusty, buggy billing system written in PowerBuilder, and I swear it's a holdover from the VoiceStream days.
> underestimate threats until something like this happens
And then, when it does, they blame the people who were pointing out the risks and suggesting solutions rather than the people who were ignoring those people the whole time.
I bet that right now there are at least 3 teams trying to understand this. One working for MGM's current IT vendor, one working for their cybersecurity insurance company, and another one hired by MGM's board independently to try to sort out exactly what the heck and make sure they aren't behind any info the insurance company finds out.
> Katz told investors in his Thursday and Sunday reports that damages from the cyberattack at MGM would be claimed against insurance, but it’s unclear just how much would be covered.
I'm curious to see how this plays out. After all, if MGM is audited and found to have been negligent, would insurance pay out at all?
Presumably the insurance requires a security audit (yearly?) in order to get in the first place?
As long as the auditors OK'd it then the insurance should pay out. Unless they can show that MGM intentionally lied in the information they gave the auditors -- which will surely now be gone through with a fine-toothed comb.
(See that HN thread from a couple of days ago wondering if they were personally liable for fraud for producing a document lying about pentesting.)
The audits you get for something like SOC2 are quite weak, I'm very curious to learn if the insurance team's audit is more thorough (if they perform one).
How is it even possible for all aspects of such a massive enterprise to all share a single point of failure like that? And why can't they just cut their losses on the past N days of business, restore all these servers from snapshots and get back to business?
There are multiple things that are done here. Suppose you had great, immutable backups. There are still many things that can ruin your business:
1. Restoring networks, servers, third party services with knowledge that anything you restore could be compromised as well. Keys
2. The attackers will then threaten to dump all of your private information.
It is more than just restoring data, it is restoring and resetting your entire infrastructure. And most places have backups, but they don't practice entire restores.
> And most places have backups, but they don't practice entire restores
Or worse, they only practice part of it. Only once in my career have I seen a "restore.txt" that didn't start with something along the lines of "connect to $server".
Ok, that assumes a LOT is already in place. Where is the "restore.txt" that goes over how to get $network up so that I can resolve the IP(s) for the server I need to restore?
I can't prove it, but I suspect that most businesses know deep down that they _can't_ do a "black start" and they know that even a practice run is likely to find some pretty basic and embarrassing issues that will just be too costly to address.
I never like it when writers use the word "lose" to describe money not earned. Yeah, MGM is not earning as much as it could because of this attack. They are under pressure to settle with the attackers. Articles like this can increase that pressure. I'm glad that they aren't settling, and I'm certain that they will survive this attack.
It is just plain normal language to refer to a loss as a comparison against a current trajectory or current state. It is reasonable to assume that the reader/listener knows that the future cannot be predicted exactly, because this is generally true. This is why it isn't said explicitly.
It would be silly to correct someone who said "I just accepted a $120,000/yr job" with "you don't really know for sure, you could get fired or die". The colloquial presumption is that the rate of future income cited is dependent on a steady trajectory without confounding variables.
Accountants don't think revenue and income are synonymous: income is revenue minus expenses. Now if you were to say that profit and income are synonymous, that I might be okay with.
There's an implied "losing $X [in comparison to expected revenue]" every time they say it.
It's a reasonable perspective from accounting and, in my mind, a reasonable shorthand. For a more literal version of losing, people would be saying misplacing or stealing.
You're getting a lot of comments to the contrary, but I agree with you.
There is a difference between losing money (like someone is actually stealing the money) and not getting money you were hoping/expecting to get. In this context it can even be a little bit confusing since there are criminals involved that could actually be stealing money.
Language has lots of ambiguities and despite this being a common way of describing this situation, I don't like it. Some people don't like the word "moist" either and that's just fine. It's an opinion.
The revenue may be going down, but that doesn't mean they have to operate at a loss (they could always cut their variable expenses to match the cut in revenue). It would be more accurate, but not as click-baity, to describe it as "MGM getting up to $8.4M less revenue a day".
A slightly more misleading use of "losing money" is for example when movie or music companies claim they are "losing" billions of dollars to piracy, when there is no reason to believe that every pirated copy would instead be purchased at full price, if only piracy were eliminated.
There's lots of instances where I'd agree, but this one seems like a tried and true business with years of revenue to gauge how much they are in fact "losing" on average.
I also wonder how much pressure it puts on MGM - who are no doubt very much aware of the loss (every major outage I've been on eventually comes down to how much did this cost us - whether it's money, customer attrition, customer trust etc) vs how much pressure it puts on executives following along to maybe pay attention to their IT and security teams. Pipe dream.
Yes, you lost your job, and will not receive money in the future. Money from a job is in exchange for services rendered to a company. It's reasonable to say you can't lose something you haven't yet received, but it is also normal to say they're losing money given they had an incredibly high likelihood of actually receiving it.
I suspect that's just an initial breakdown. They're estimating 4.2 to 8.4 million a day out of the 42 million they normally make, but that's just on the revenue side.
Equipment, man hours, botched projects, and lawsuits are going to push that number waaay higher, and even then I feel like it's got to be pretty low given the vast amount of money that passes through every day. On a 15% hold 42 million would work out to 280 billion of flow through the slots max (and obviously that's estimating high and assuming all revenue is from slots).
So 8 million a day is $53 billion in coin in that's not occurring? Maybe that's correct.
You can't let the scammers dictate what a casino does, MGM is already in the business of scamming people. They'll build their whole system from the ground up and be incredibly resistant to future attacks.
Or they have been telling management for years that security needs to be improved and more spending is needed to do that but management declined to provide funding.
It's still on the onus of the employee to properly state their viewpoint and deliver a proper business document, outlining the risks and benefits. Too many times I've seen security being increased and upgraded, at the cost of the entire business shutting down, or even worse, layoffs.
The cybersecurity team will probably take the fall for it, but if I had to take a guess, their budget was probably nowhere near where it should be for a team that is responsible for protecting $8.4M of revenue a day.
I'd say that responsible organizations know that a hack is inevitable and you evaluate based on the response, but I've heard from people who've worked at MGM in the past that the place is disgustingly cutthroat.