4 years ago by salimmadjd
From the AP version (h/t @tareqak) [0], "identification of anyone engaged in foreign state-sanctioned malicious cyber activity". Key phrase, state-sanctioned.
This has less to do with tracking down cybercriminals, and more with creating a case for foreign policy agenda.
Remember it was WMD informant "Curveball" testimony to then Secretary of State Powell, that was used as one of the key pretexts to invade Iraq.
Essentially if an administration comes with an agenda to start a new war, they put the right people inside the State Department and then those guys just need to comb for anything (validated or not) to find "informants" to make the case for cyber attack. Followed by making the case in media that cyber attack is military attack and it requires military retaliation.
This will bypass the entire US intelligence system to validate the source of threat. It just needs one person to claim they were involved in cyber attack against US and it was sponsored by the government of Iraq, Iran, Venezuela, or any other country we want to go after.
I highly recommend watching this portion of the town hall with former US Congressman Dennis Kucinich talking about how non-disclosure rules prevented the Congress from speaking out against US State Department spreading false information to American public [1].
[0] https://apnews.com/article/technology-joe-biden-europe-busin...
4 years ago by jonnybgood
> Essentially if an administration comes with an agenda to start a new war, they put the right people inside the State Department and then those guys just need to comb for anything (validated or not) to find "informants" to make the case for cyber attack. Followed by making the case in media that cyber attack is military attack and it requires military retaliation. This will bypass the entire US intelligence system to validate the source of threat. It just needs one person to claim they were involved in cyber attack against US and it was sponsored by the government of Iraq, Iran, Venezuela, or any other country we want to go after.
That's a very oversimplified odd narrative. Unlike Iraq and mysterious nuclear related material objects, cyber attacks are happening. And it's quite evident US is lacking in this area. The US doesn't need "one person" when there are clear signatures and traces that are substantiated not only by the US intelligence system but also by non-government entities.
4 years ago by sudosysgen
Well sure, and just like in Iraq WMDs did actually exist at some point - the US sold some to Iraq - they were just destroyed.
The thing with cyberattacks is that they are even easier to misattribute. All it takes is for some country to use another country's tool, and then you've got actual evidence you can easily twist. That's how it works nowadays, you start with a kernel of truth or evidence, like the aluminium tubes in Iraq, and exaggerate wildly what suits your narrative. And it works, even to those that can know better.
4 years ago by pie420
"just like in Iraq WMDs did actually exist at some point - the US sold some to Iraq - they were just destroyed."
Are you seriously going to post that without a source?
4 years ago by nyokodo
> The US doesn't need "one person" when there are clear signatures and traces
How clear are they really? How hard is it to pin an attack on another group or country?
4 years ago by Natsu
Less than one might hope, in general:
https://en.wikipedia.org/wiki/Vault_7#UMBRAGE
Even HN has torn a few of the analyses apart, e.g. when the auditors looked at Bezos' phone and claimed that a file from MBS might be malicious, HN called them out on the claims that it couldn't be decrypted:
https://github.com/ddz/whatsapp-media-decrypt
Given that their entire analysis hinged on this one file being a malicious executable that couldn't be decrypted, well... suffice it to say I'm quite mistrustful of these things, especially when politics is involved.
4 years ago by flowerlad
The government should offer a similar reward for information on US corporations who run critical infrastructure, or hoard personal information on US citizens, and don't maintain proper security.
4 years ago by cgb223
A government bug bounty program would be a huge step forward to our defense.
Could even encourage would-be hackers to go white hat.
4 years ago by flowerlad
The payout should come from the company that has the vulnerability, not US taxpayers. So basically there needs to be a law that states that if you run critical infrastructure, or hoard personal information on US citizens then you are required to set aside X dollars to pay white hat hackers who find vulnerabilities.
4 years ago by smolder
I wonder, is there a lobbying group that would or does support legislation like that? Maybe the EFF? I like the idea.
4 years ago by sircastor
That might have the added benefit of incentivizing better security practices overall.
4 years ago by ixacto
So basically all the credit rating agencies and the government itself? Or does the OPM get sovereign immunity? https://www.lawfareblog.com/why-opm-hack-far-worse-you-imagi...
4 years ago by mikewarot
How would you define "proper" security in a way that is enforceable in court?
4 years ago by thereisnospork
Maybe turn it into something like a game of capture-the-flag? Anyone who stores sensitive information must also store a unique flag value which, if reported to the 'referee' by an external actor would constitute proof of a security breach and requisite payout.
4 years ago by social_quotient
Maybe the bar should be set to reasonable ongoing "effort". It's probably easier for a jury to judge at least an attempt equal to the stewardship of data they possess.
But valid point on "proper".
4 years ago by okamiueru
Could it be following some sort of vetted requirement standard with authorised auditors? Something like PCI-DSS.
4 years ago by jnosCo
I think this could be a very effective countermeasure. It reduces trust between members of a crew, and between crews themselves. If you're constantly suspicious of Ivan the mail campaign guy ratting you out for a payday, it makes the whole business focus more on opsec and less on offense. Though sole operators can do plenty of damage on their own, they probably are less likely to be state-backed.
4 years ago by trhway
Does it come with Green Card for Ivan?
>it makes the whole business focus more on opsec
and that is bad?
4 years ago by lisper
With $10M in the bank there are surely many countries that would welcome him with open arms.
4 years ago by neatze
You need only to invest 500K (that passes AML) in US to get a green card.
4 years ago by anter
No longer the case. EB5 requires $1,800,000 that can be reduced to $900,000 if it's in the Targeted Employment Area.
4 years ago by trhway
with known criminal background? That is my point - without State Department waiving such requirement and issuing GC/witness protection the Ivan would be easily reachable for FSB in any other country.
4 years ago by giantg2
But wouldn't the methods needed to obtain that information generally carry a high risk of prosecution for illegal acts? I don't even want to go into specific chat rooms or browse the dark web for fear of being swept up in some overzealous prosecutor's net. Even if you're innocent it can cost thousands of dollars and years of your life to prove it.
4 years ago by nubb
Totally agree. Some shitty prosecutor will 1000% make some American's life miserable just to add a conviction to their belt. The risk is probably not worth the reward.
4 years ago by 3pt14159
You'd think that, but no, not really. If you talk to a lawyer first and he registers what you're doing with the police first and you don't actually break the law, you'll be fine. Lots of bounty hunters and private investigators are in the same game. Going to the police saying "I want to earn this $10m reward by finding those horrid blokes and here is why I'm qualified" isn't going to completely blow their mind.
But it could get you hacked or worse.
4 years ago by giantg2
Most states require bounty hunters and private investigators to have a license.
Usually notifying the police is something they would do for physical situations. It could get tricky on the internet when dealing with jurisdiction. You would likely have to file something with the local police, state police, and DOJ/FBI/?. Honestly, the level of competence is not stellar. You could still be searched/raided/arrested and inconvenienced for days to years. Just look at how long Crosby was in prison with an all-star level legal team and protective agreement with the DA...
4 years ago by tareqak
Same story from a different source (the Associated Press): https://apnews.com/article/technology-joe-biden-europe-busin...
4 years ago by wyldfire
It might seem like a lot but it is not enough to betray the FSB, even if you defected/emigrated. Clearly they've demonstrated their capability to strike targets in other countries. $10M can't buy enough security or safety and who wants to look over their shoulder for the rest of their lives?
4 years ago by artursapek
They should ask their buddies over at the CIA ;^D
4 years ago by igorzx31
The CIA doesn't monitor cyber, that would be the NSA and US Cyber Command
4 years ago by artursapek
They don't monitor it, you're right
4 years ago by Animats
"Russia's most aggressive ransomware group disappeared. It's unclear who made that happen." - NYT.[1]
Somehow, the problem seems to have been dealt with.
[1] https://www.nytimes.com/2021/07/13/us/politics/russia-hackin...