Articles like these make me wonder if the long-term progression of the PC revolution will follow the sexual revolution of the 1960s.
The AIDS crisis of the 80s did everything it could to undermine the last few decades worth of free love. Not only was promiscuity tinged with risk, that risk alone (and the lgbt association) opened the door to conservative ridicule.
Fast forward to 2016 and sex is better and safer than ever: hookup apps give you the opportunity to connect with people without the prerequisite of an alcohol-soaked atmosphere. Condom quality is light years ahead of what it used to be. Truvada and low-cost antiretrovirals have chipped away at HIV stigma. STI test results are an app away.
If an apocalyptic hack resembling this article occurs, it could spur on a similar security revolution among businesses and consumers. Only when people realize how insecure they have made their own lives will there be any chance of saving them from themselves.
In large companies we're already in the beginning of a backlash. Companies are going overboard on IT security, throwing tons of money at it relative to the past.
CIOs used to fear failed projects and downtime. Now they tell me they fear hackers. Many large companies in America are dealing with APTs as well. I'm sure others here can comment on their experience with this.
Instead of a backlash like the 80s, I think there will be a split. I'm already seeing tech haves and have-nots. My gut tells me there will be those with amazing tech at their fingertips and those left out or even punished for trying. I recently commented here that security and privacy are a feature, not a product. I want to retract that statement. Security and privacy may become an essential product offering.
If decision makers want to improve security, there are readily available levers they can pull: give a shit about code quality, put 5 minutes of thought into authorization decisions inside their applications, escape strings, take advantage of memory safety, upgrade unpatched legacy garbage, stop using and creating protocols that are trusting by default, etc. They don't do those things. They buy bolt-on antivirus suites and magic Cisco gateway boxes, and when a 12-year-old who's heard of SQL injection comes along they throw up their hands and go "APT nation-states, what could we have done?" They continue to believe in perimeter-based security, where network drops in unlocked conference rooms and hallways are inside the perimeter. They continue to laugh off email encryption and signing.
We aren't seeing sophisticated attacks, by and large. We're just seeing someone finally bothering to attack all the crap that was designed in the assumption of "who would ever want to attack this?" or that pre-existing viruses for which signatures are published are the only relevant threats.
If you are not seeing sophisticated attacks, perhaps your detection systems are simply not good enough!
I recently found an unknown 64MB filesystem on a USB stick; it was in the middle of the USB exFAT filesystem.
Considering the core TinyOS is only 400KB in size before add-ons, that's small enough to hide on many systems and devices connected to the internet.
After all, the 64MB code I found could easily store itself on a hard disk, rewrite the disk controller and hang out in the disk cache when the computer is on, and then write itself back to an unused part of the hard drive when it's switched off. Switch the computer back on, and the disk controller reloads the malware.
You won't see it unless you use a hex editor, and who's going to spend 8 hours scanning a 2TB disk sector by sector when the OS driver is already compromised?
Do you think disk controllers can't be updated even when Western Digital or Perc say they can't? Have you tried reading a RaidXYZ blade server in a hex editor when the controllers or OS is already hacked?
Are those sectors marked damaged really damaged or just a cover?
Who's going to check their data centre at that hex editor level?
Anything that can be updated, i.e. software or hardware, has the potential to be hacked.
So as Lizard squad showed with hacked routers, who last checked their network printer cards for malware?
Who virus scans their router? Who virus scanned their BIOS or any other hardware device? What about your mobile, sure that's not been hacked in a variety of ways?
Do you think your read only mounted *nix systems are really read only?
Remember Stuxnet? It took over a year to reverse engineer the code before an AV company declared it was a virus. That's a lot of time in the wild, and since then we have had Duqu 1 and Duqu 2 amongst others. Of the AV companies, only Kaspersky has come closest to identifying Duqu 2.
It doesn't matter where you look, I can show you a hack to compromise a system.
Think that Linux distro is safe having checked the hashes match? What if your ISP has been hacked and switches reroute you to look-alike servers serving compromised distros with matching hashes? Unless you download the code and compile the source yourself, you have no peace of mind. But wait, didn't someone recently hack GitHub? How do you know the source code you have downloaded is not compromised?
Even your CAs are a liability, which then compromises various HW like, say, Cisco.
There is simply too much trust placed in other people.
Sure, buying a product offsets your liability, but it's all too easy to shut down a company and start up again once the liquidators have done their work.
So what liability have you offloaded in the scheme of things? You can be sure the insurance company, if insured, will wriggle out of it.
Most tech people don't have a clue how vulnerable they really are, but then it's not illegal to withhold the fact a company has been hacked, is it? Can't hurt the share price now, can we?
Google, Microsoft, Facebook are not obliged to announce the fact they have been hacked, if they even know they have been hacked. Plus, considering how management have sacked many devs over their time, just how far ahead does one plan when hacking systems from the inside? A few days, weeks, months or even years ahead?
But by and large, the decision makers can't make those decisions, because of dependencies on open source systems that are too large to audit, or closed source systems where all they can do is trust the vendor's salesperson who says "oh yeah, it's secure".
Vendors can be held to published standards. The industry seems to take operational/sysadmin standards seriously when required to (HIPAA, PCI, etc), including across the client/contractor boundary. Problem is, there don't seem to be equivalent standards in widespread use for programs themselves, only the environments they're running in. That could change, if the holders of the purse strings were to demand it.
Attacks on dependencies are tricky. But it seems like the dumbest, most high-profile attacks are against the core line-of-business applications. I'm sure AT&T has the very best firewalls money can buy, but it operated a consumer-facing application which did not check whether a user-supplied primary key actually belonged to the logged-in user before displaying private data! This is the disconnect I'm talking about.
If they're being outsourced to the lowest bidder, then maybe they shouldn't be. If they're being bought off the shelf, purchasers could either demand certifications that meaningfully eliminate at least the elementary classes of vulnerabilities, or go in-house and do it right.
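The authorization lever from the earlier comment and the AT&T case above are the same defect: a primary key taken from the request is looked up without checking that it belongs to the logged-in user (an insecure direct object reference). The following is an added illustration, not code from the thread or from any vendor; the record store, the session user ids, the record ids and the access log are all constructed, and the function names are assumed. It places the defective handler beside the hardened one, and adds a small detection-side check that flags sessions requesting records they do not own.

```python
"""Object-level authorization: vulnerable lookup, hardened lookup, and a
log review that surfaces sessions probing records they do not own.
Everything here is constructed sample data for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    id: int
    owner_id: int
    email: str


# Constructed sample data: two customers, each owning one record.
RECORDS = {
    101: Record(101, owner_id=1, email="alice@example.com"),
    102: Record(102, owner_id=2, email="bob@example.com"),
}


class NotFound(Exception):
    """Raised for a missing record and, in the hardened path, for a
    record the caller does not own, so the two cases are indistinguishable."""


def get_record_vulnerable(session_user_id: int, record_id: int) -> Record:
    """The defect: the primary key from the request is trusted as-is, so any
    authenticated user can read any record by changing the id. The session
    user is accepted but never consulted."""
    try:
        return RECORDS[record_id]
    except KeyError:
        raise NotFound(record_id) from None


def get_record_hardened(session_user_id: int, record_id: int) -> Record:
    """Scope the lookup to the logged-in user: ownership is part of the query,
    not a separate check that a call site can forget. Missing and foreign
    records get the same NotFound so responses do not reveal which ids exist."""
    rec = RECORDS.get(record_id)
    if rec is None or rec.owner_id != session_user_id:
        raise NotFound(record_id)
    return rec


def hardened_allows(session_user_id: int, record_id: int) -> bool:
    """Convenience wrapper: True if the hardened handler returns the record."""
    try:
        get_record_hardened(session_user_id, record_id)
        return True
    except NotFound:
        return False


# Constructed access log of (session_user_id, requested_record_id) pairs.
# Session 1 walks through several ids it does not own; session 2 behaves.
SAMPLE_LOG = [(1, 101), (1, 102), (1, 103), (1, 104), (2, 102)]


def suspicious_sessions(entries, threshold: int = 3) -> dict:
    """Detection-side companion: count, per session, requests for records
    the session does not own (or that do not exist). Sessions at or above
    `threshold` are returned as candidates for alerting. This is a simple
    enumeration heuristic, not a substitute for fixing the handler."""
    foreign: dict = {}
    for user_id, record_id in entries:
        rec = RECORDS.get(record_id)
        if rec is None or rec.owner_id != user_id:
            foreign[user_id] = foreign.get(user_id, 0) + 1
    return {u: n for u, n in foreign.items() if n >= threshold}


if __name__ == "__main__":
    print("vulnerable, user 1 asks for 102:", get_record_vulnerable(1, 102).email)
    print("hardened,   user 1 asks for 102:", hardened_allows(1, 102))
    print("sessions to review:", suspicious_sessions(SAMPLE_LOG))
```

The point of `get_record_hardened` is that the owner is part of the lookup itself (in SQL terms, `WHERE id = ? AND owner_id = ?`), which is the five minutes of thought the earlier comment asks for; the log review is what you would run over request logs to find the enumeration that the vulnerable handler silently permits.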
> Security and privacy may become an essential product offering.
So I used to think that this was an issue of unknown unknowns, but I'm now of the opinion that it is an issue of OPSEC valuation. Experience is the best teacher when it comes to a thing's true value. Story time:
I'm sitting in a conference room with a bunch of DBAs, a few network guys, some programmers, a couple of managers and a logistics guy. When the bullet point on customer mailing address correctness comes up - the action item is quickly assigned: price out services that offer a REST API. The network guy that usually wears the infosec hat insists on SSL for incremental, SFTP for bulk batches. On to the next bullet point, casual Fridays. I ask if we really want to broadcast the mailing addresses of our customers, and how much work are we willing to do to accomplish the task in house. Pushing through the blank stares, I ask how much would we pay for such information on one of our competitors - not only for sales leads but also second order strategic information like acquisition rate, campaign activity related to targeted markets and demographics, etc. I see glimmers of recognition on only two faces: the infosec hat and the logistics guy. The logistics guy makes it clear that such an information leak is unacceptable.
Now the reason why the infosec hat got it is obvious, the news is full of third party breaches. The logistics guy got it because he was prior military, where OPSEC is highly valued and experiences related to costly lapses are pretty unpleasant (ranging from public shaming due to a lost crypto key loader, to a friend being shot in the face while smoking at night).
While I'm glad that corporate America doesn't ape the military in everything, I do wish they'd do something approaching what the military did for software acquisition prior to the massive shift to COTS:
That's a good analogy, but there is an entirely orthogonal dimension: a significant part of our telecom and computing ecosystem was built to be friendly for surveillance. And why not? The US was far in the lead in the surveillance and hacking race.
APTs are showing us that era might be over. Someone might get it into their head that the only way to win is not to play. If computing and telecom rebalance in favor of security from outside hacking and surveillance threats, as we are seeing in OTT communications apps, that will propel a virtuous cycle.
> A significant part of our telecom and computing ecosystem was built to be friendly for surveillance.
A very interesting point. We've all collectively raised the cry against building backdoors into products when the very backbone of much of our (commercial) network infrastructure has been friendly to backdoors (required by law, I believe) for decades.
Perhaps, in the near future, some catastrophic network incursion will make the concept of "tapping a phone line" a relic of the past, requiring much more intensive, in-person intelligence gathering to collect similar information.
Although, given the complete lack of progress on homicidal maniacs with guns in the US, it seems unlikely that a massive telecom breach will really change anything, unless it reveals the improprieties of a majority of our elected officials. (Note: I'm not arguing that legislation will fix that particular problem (read: maniacs w/guns), just that inertia has prevented any real progress or attempts at progress from being made in that regard)
I think what you are describing is just action-reaction. Cause and effect. Something happens, people react. I hate to oversimplify, but this is at the very core of human nature. A societal supply and demand...
> Hookup apps give you the opportunity to connect with people without the prerequisite of an alcohol-soaked atmosphere. Condom quality is light years ahead of what it used to be. Truvada and low-cost antiretrovirals have chipped away at HIV stigma.
Oh... well... I wouldn't quite jump the gun on that one, sir. Those are words spoken by an unrealistic outsider, or a spectacularly negligent individual.
When was the last time you faced down an STD? If it was more than a decade ago, why not give it another whirl? C'mon take the plunge, and brave the antiretroviral white water rapids!
Whilst HIV is a retrovirus, the same type used for gene therapy (which is why it's a difficult challenge), it's interesting to note that in ancient Egypt, before the French moved in, fasting was used to treat syphilis amongst other health problems.
Marriage is a religious invention designed to curb the transmission of STDs in the ancient bed-hopping world.
Nothing like fear to curtail the activities of the less risk taking members of the public is there?
Well, "[t]he AIDS crisis of the 80s" was as much about free transportation as free love. The chimp-to-human jump had occurred decades before. It was long-distance trucking and international air travel that got it out of Central Africa.
I read a novel [1] in 1979 with a similar plot. In this book, the attack took place in Hollister CA rather than NYC. It didn't have vehicles being hacked, of course, but traffic lights were hacked and people died. Factory production and medical records were messed up and the hospital's power electronically shut down by the intruder. My point is that the idea of attacking a city through its computer systems is older than most HN readers.
I read one as a kid in 1982[1]. As I recall it was along the same lines, starting with an attack on the computers that control the traffic signals, causing massive gridlock. I forget the rest of the plot.
Let's not forget that, in some parts of NYC, Sandy recovery is not yet complete. As you suggest, I imagine if a scenario like that depicted in this piece were to unfold, some New Yorkers would be relatively unaffected. Others, however, might have their lives upended for months.
Minor nit. In each of 3 medical facility settings I've gone to, to restore the computers, the staff was disappointed when I got them going again. Instead of just using the paper charts on the doors, they once again had to enter all of the data 3 times in 3 different awful systems designed to show, it seems, that yes, Vogons do write user interfaces.
And they had the added burden of catching back up what they'd put on paper in those 3 systems.
Aw yes, classic puffed up (likely state-sponsored) scare pieces designed, not written, for the easily swayed common man and not any real workers in netsec or systems architecture.
The real subtext of this piece reads like "stay frightened and helpless," "fund the DHS more," or, "submit to the NSA."
Perhaps I'm not predisposed to view this story the way you are, but I actually got the opposite sense from it.
Don't trust that the massive bureaucracies will save you. Don't trust that the US government is doing a good enough job.
The brief mention in the story "there was a congressman demanding that even white-hat hackers, who tried to probe systems as a way to point out vulnerabilities before the bad guys got to them, be thrown in jail", I think screams that there are people working with our best interests at heart, don't demonize them as hackers.
But perhaps I'm just predisposed to optimism; that eventually the rational, sensible approach to cybersecurity will prevail.
I think the premise was totally reasonable because of the probabilities involved. Instead of a single hack resulting in a smoking crater, I think it's far more likely that the enemy will quietly amass a large library of exploits over a period of years, and then unleash them all at once to impede emergency service response, leverage panic, comm failures. This also means that instead of a 100pct success on one essential target like a nuclear plant, the enemy can work with thousands of 10pct successes against softer targets like EMS, power, transport, economy, etc.
So, you're saying you completely trust the people that make and manage our infrastructure? Hell, all half of this takes is a group of hackers discovering the next SuperFish before the good guys and pre-emptively selling a persistent presence on high-value targets' computers. Or some router series with yet another backdoor, or cameras that don't remove the previously registered owner, or any number of awful, awfully made security products.
And this doesn't even paint any government organization in a competent light!