Hacker News

4 years ago by salimmadjd

From the AP version (h/t @tareqak) [0], "identification of anyone engaged in foreign state-sanctioned malicious cyber activity". Key phrase, state-sanctioned.

This has less to do with tracking down cybercriminals, and more with creating a case for foreign policy agenda.

Remember it was WMD informant "Curveball" testimony to then Secretary of State Powell, that was used as one of the key pretexts to invade Iraq.

Essentially if an administration comes with an agenda to start a new war, they put the right people inside the State Department and then those guys just need to comb for anything (validated or not) to find "informants" to make the case for cyber attack. Followed by making the case in media that cyber attack is military attack and it requires military retaliation.

This will bypass the entire US intelligence system to validate the source of threat. It just needs one person to claim they were involved in cyber attack against US and it was sponsored by the government of Iraq, Iran, Venezuela, or any other country we want to go after.

I highly recommend watching this portion of the town hall with former US Congressman Dennis Kucinich talking about how non-disclosure rules prevented the Congress from speaking out against US State Department spreading false information to American public [1].

[0] https://apnews.com/article/technology-joe-biden-europe-busin...

[1] https://youtu.be/s-W9b-_K_Xo?t=2433

4 years ago by jonnybgood

> Essentially if an administration comes with an agenda to start a new war, they put the right people inside the State Department and then those guys just need to comb for anything (validated or not) to find "informants" to make the case for cyber attack. Followed by making the case in media that cyber attack is military attack and it requires military retaliation. This will bypass the entire US intelligence system to validate the source of threat. It just needs one person to claim they were involved in cyber attack against US and it was sponsored by the government of Iraq, Iran, Venezuela, or any other country we want to go after.

That’s a very oversimplified odd narrative. Unlike Iraq and mysterious nuclear related material objects, cyber attacks are happening. And it’s quite evident US is lacking in this area. The US doesn’t need “one person” when there are clear signatures and traces that are substantiated not only by the US intelligence system but also by non-government entities.

4 years ago by sudosysgen

Well sure, and just like in Iraq WMDs did actually exist at some point - the US sold some to Iraq - they were just destroyed.

The thing with cyberattacks is that they are even easier to misattribute. All it takes is for some country to use another country's tool, and then you've got actual evidence you can easily twist. That's how it works nowadays, you start with a kernel of truth or evidence, like the aluminium tubes in Iraq, and exaggerate wildly what suits your narrative. And it works, even to those that can know better.

4 years ago by pie420

"just like in Iraq WMDs did actually exist at some point - the US sold some to Iraq - they were just destroyed."

Are you seriously going to post that without a source?

4 years ago by nyokodo

> The US doesn’t need “one person” when there are clear signatures and traces

How clear are they really? How hard is it to pin an attack on another group or country?

4 years ago by Natsu

Less than one might hope, in general:

https://en.wikipedia.org/wiki/Vault_7#UMBRAGE

Even HN has torn a few of the analyses apart, e.g. when the auditors looked at Bezos' phone and claimed that a file from MBS might be malicious, HN called them out on the claims that it couldn't be decrypted:

https://github.com/ddz/whatsapp-media-decrypt

Given that their entire analysis hinged on this one file being a malicious executable that couldn't be decrypted, well... suffice it to say I'm quite mistrustful of these things, especially when politics is involved.

4 years ago by flowerlad

The government should offer a similar reward for information on US corporations who run critical infrastructure, or hoard personal information on US citizens, and don't maintain proper security.

4 years ago by cgb223

A government bug bounty program would be a huge step forward to our defense.

Could even encourage would-be hackers to go white hat.

4 years ago by flowerlad

The payout should come from the company that has the vulnerability, not US taxpayers. So basically there needs to be a law that states that if you run critical infrastructure, or hoard personal information on US citizens then you are required to set aside X dollars to pay white hat hackers who find vulnerabilities.

4 years ago by smolder

I wonder, is there a lobbying group that would or does support legislation like that? Maybe the EFF? I like the idea.

4 years ago by sircastor

That might have the added benefit of incentivizing better security practices overall.

4 years ago by ixacto

So basically all the credit rating agencies and the government itself? Or does the OPM get sovereign immunity? https://www.lawfareblog.com/why-opm-hack-far-worse-you-imagi...

4 years ago by mikewarot

How would you define "proper" security in a way that is enforceable in court?

4 years ago by thereisnospork

Maybe turn it into something like a game of capture-the-flag? Anyone who stores sensitive information must also store a unique flag value which, if reported to the 'referee' by an external actor, would constitute proof of a security breach and requisite payout.

4 years ago by social_quotient

Maybe the bar should be set to reasonable ongoing “effort”. It’s probably easier for a jury to judge at least an attempt equal to the stewardship of data they possess.

But valid point on “proper”.

4 years ago by okamiueru

Could it be following some sort of vetted requirement standard with authorised auditors? Something like PCI-DSS.

4 years ago by jnosCo

I think this could be a very effective countermeasure. It reduces trust between members of a crew, and between crews themselves. If you're constantly suspicious of Ivan the mail campaign guy ratting you out for a payday, it makes the whole business focus more on opsec and less on offense. Though sole operators can do plenty of damage on their own, they probably are less likely to be state-backed.

4 years ago by trhway

Does it come with Green Card for Ivan?

>it makes the whole business focus more on opsec

and that is bad?

4 years ago by lisper

With $10M in the bank there are surely many countries that would welcome him with open arms.

4 years ago by neatze

You need only to invest 500K (that passes AML) in US to get a green card.

4 years ago by anter

No longer the case. EB5 requires $1,800,000 that can be reduced to $900,000 if it's in the Targeted Employment Area.

4 years ago by trhway

With known criminal background? That is my point - without State Department waiving such requirement and issuing GC/witness protection the Ivan would be easily reachable for FSB in any other country.

4 years ago by giantg2

But wouldn't the methods needed to obtain that information generally carry a high risk of prosecution for illegal acts? I don't even want to go into specific chat rooms or browse the dark web for fear of being swept up in some overzealous prosecutor's net. Even if you're innocent it can cost thousands of dollars and years of your life to prove it.

4 years ago by nubb

Totally agree. Some shitty prosecutor will 1000% make some American's life miserable just to add a conviction to their belt. The risk is probably not worth the reward.

4 years ago by 3pt14159

You'd think that, but no, not really. If you talk to a lawyer first and he registers what you're doing with the police first and you don't actually break the law, you'll be fine. Lots of bounty hunters and private investigators are in the same game. Going to the police saying "I want to earn this $10m reward by finding those horrid blokes and here is why I'm qualified" isn't going to completely blow their mind.

But it could get you hacked or worse.

4 years ago by giantg2

Most states require bounty hunters and private investigators to have a license.

Usually notifying the police is something they would do for physical situations. It could get tricky on the internet when dealing with jurisdiction. You would likely have to file something with the local police, state police, and DOJ/FBI/?. Honestly, the level of competence is not stellar. You could still be searched/raided/arrested and inconvenienced for days to years. Just look at how long Crosby was in prison with an all-star level legal team and protective agreement with the DA...

4 years ago by tareqak

Same story from a different source (the Associated Press): https://apnews.com/article/technology-joe-biden-europe-busin...

4 years ago by wyldfire

It might seem like a lot but it is not enough to betray the FSB, even if you defected/emigrated. Clearly they've demonstrated their capability to strike targets in other countries. $10M can't buy enough security or safety and who wants to look over their shoulder for the rest of their lives?

4 years ago by artursapek

They should ask their buddies over at the CIA ;^D

4 years ago by igorzx31

The CIA doesn't monitor cyber, that would be the NSA and US Cyber Command

4 years ago by artursapek

They don't monitor it, you're right

4 years ago by Animats

"Russia’s most aggressive ransomware group disappeared. It’s unclear who made that happen." - NYT.[1]

Somehow, the problem seems to have been dealt with.

[1] https://www.nytimes.com/2021/07/13/us/politics/russia-hackin...
