
Culture War Roundup for the week of February 24, 2025

This weekly roundup thread is intended for all culture war posts. 'Culture war' is vaguely defined, but it basically means controversial issues that fall along set tribal lines. Arguments over culture war issues generate a lot of heat and little light, and few deeply entrenched people ever change their minds. This thread is for voicing opinions and analyzing the state of the discussion while trying to optimize for light over heat.

Optimistically, we think that engaging with people you disagree with is worth your time, and so is being nice! Pessimistically, there are many dynamics that can lead discussions on Culture War topics to become unproductive. There's a human tendency to divide along tribal lines, praising your ingroup and vilifying your outgroup - and if you think you find it easy to criticize your ingroup, then it may be that your outgroup is not who you think it is. Extremists with opposing positions can feed off each other, highlighting each other's worst points to justify their own angry rhetoric, which becomes in turn a new example of bad behavior for the other side to highlight.

We would like to avoid these negative dynamics. Accordingly, we ask that you do not use this thread for waging the Culture War. Examples of waging the Culture War:

  • Shaming.

  • Attempting to 'build consensus' or enforce ideological conformity.

  • Making sweeping generalizations to vilify a group you dislike.

  • Recruiting for a cause.

  • Posting links that could be summarized as 'Boo outgroup!' Basically, if your content is 'Can you believe what Those People did this week?' then you should either refrain from posting, or do some very patient work to contextualize and/or steel-man the relevant viewpoint.

In general, you should argue to understand, not to win. This thread is not territory to be claimed by one group or another; indeed, the aim is to have many different viewpoints represented here. Thus, we also ask that you follow some guidelines:

  • Speak plainly. Avoid sarcasm and mockery. When disagreeing with someone, state your objections explicitly.

  • Be as precise and charitable as you can. Don't paraphrase unflatteringly.

  • Don't imply that someone said something they did not say, even if you think it follows from what they said.

  • Write like everyone is reading and you want them to be included in the discussion.

On an ad hoc basis, the mods will try to compile a list of the best posts/comments from the previous week, posted in Quality Contribution threads and archived at /r/TheThread. You may nominate a comment for this list by clicking on 'report' at the bottom of the post and typing 'Actually a quality contribution' as the report reason.


I'm a long time lurker, so this is my first attempt at a top level post.

I have recently changed jobs, and this has caused me to work with a bunch of companies that are low level engineering firms. I don't mean they don't have good engineers, but they are small companies with tiny IT budgets. For my personal experience, in college I worked at a help desk and then was a networking engineer until I got my CS degree. My first job out of college was at Cisco, and I have always worked at pretty large companies that had the highest security possible. I wouldn't even consider myself a security expert necessarily, but my experience at Cisco and networking did teach me a lot. We're talking firewalls years out of date, unnecessary equipment plugged in with vulnerabilities, ports open that shouldn't be, default admin passwords, etc.

I am amazed at some of the profits of some of these companies that spend essentially no money on IT or security. Just one look at their server room tells you all I need to know.

There is so much low hanging fruit. My question is this: why are there not more cybersecurity attacks on these blue collar profitable companies? If I was a malicious actor (with my programming and IT experience), there are thousands of profitable companies I could easily snipe if I was so inclined. I have a friend that works for homeland security, and he says there are tons of attacks on government organizations. He says they are basically an MSP for a lot of organizations that have no idea what they are doing such as universities. But the government at least has a standard. So I kind of get that, but from what he tells me they are also vulnerable.

But how are there not more easy attacks? Ransomware would be easy with how some of these companies are. Are there just not enough attackers? Every city and company I have traveled to I could easily have taken over their network if I was so inclined. Are there just not enough attackers to take advantage of everything?

If I was China or an adversary, this would be child's play. Do they just not want to reveal themselves? I just don't get it. Every company I have gone to would be so easy to get admin creds. This makes me think there are two options. Either there aren't enough hackers to take advantage, or they are holding back. Which one is it? Because like I said, it would be trivially easy to hack these companies.

The problem with ransom attacks is that they require the victims to do an individual rational cost benefit analysis and pay.

Most of these companies would refuse to pay out of moral indignation, which collectively gives them a herd immunity.

There are also types of insurance to cover some of the losses from business interruption.

You know, I've always wanted to learn how hackers do what they do. I don't think I would be able to actually use those skills for material ends, because I consider myself a moral person, but I just love learning about how things are done, and I love amassing "super power" skills. Maybe even save the skill for one day, if I wanted to exact revenge on a company or person that I feel had wronged me or something.

But I don't even know where to go to learn how to do this kind of thing. I'm probably just naive. I have learned all about how to prevent hacking attacks, but I've never found a course or instruction manual that says "here's how you can spy on someone else's email" or "use this program to access files on someone else's machine". I suspect one problem is that a lot of hacking is actually just social engineering, which I find super boring and a non-starter for learning to hack.

So, is it possible that there aren't enough hackers because it's not the sort of thing that you can learn easily, and you have to roll your own everything in order to do it?

They are occasionally targeted. There’s a growing scam where a coordinated group will hack in, carefully watch company email for a few months, and then when it looks like a big deal might be going through they bust out some targeted social engineering. For example, they might email and text the CEO’s secretary with a panicked tone about needing to make a wire transfer ASAP, they have email control and maybe spoofed a SIM, it looks legit and some poor employee actually wires away millions.

But there are a few brakes here. One, sometimes the English or social engineering skills are actually medium rare, and you need a specific set of skills to make the whole thing work. Believe it or not, but the supply of well organized foreign hackers is actually moderately constrained. Second, there’s the discoverability problem. These companies, they also are small enough that many even would-be legitimate employees don’t know about them until they post on Indeed. How is a foreign hacker supposed to find them if job seekers sometimes even can’t?

I would argue that the US actually sees a remarkably low level of internal hacking all things considered. You’re right, if you were malicious you probably could make some money. Part of it is the FBI actually is somewhat effective (Anonymous for example was absolutely picked apart, and US jurisdiction and subpoenas and such are relatively easy and effective compared to international stuff). Part of it is if you have the skills you can earn more money for much less risk working a legit job. All this leads to a less favorable risk-reward. There’s also maybe morals coming into play?

But finally, smaller and smaller companies are targeted each year. You may have noticed for example that smaller regional hospital systems get occasionally hacked. Also some corporations especially smaller ones don’t ever admit when they are hacked, or if they do you don’t hear about it. Smart hackers of course tend to avoid hacking hospitals because it draws US federal attention, which does sometimes successfully strike back.

Because these companies aren't that vulnerable. The CEO or his top guy tracks every cent in and out of the company. All expenses are to the same 10 employees and 7 vendors, all income comes from discrete knowable streams. And they have a good relationship with their bank who will flag anything odd, and act on any stop-payment requests they themselves flag to the bank. And let's say you do rip them off, where are you going? Covering up your tracks doing this is going to be nearly impossible unless you are state sponsored. And again, why is Iran interested in embezzling $500k from a copper screws plant in Indiana?

The CEO can track every penny. That doesn't help a ransomware situation. Pay up or have fun with all your data being permanently inaccessible.

This is exactly the kind of company that doesn't care about losing computers for a day. They just call the FBI and business proceeds as normal.

In a ransomware attack you don't get locked out of your computers for a day. You lose access to all your data forever.

Unless as someone pointed out you have such rigorous use of offsite backups that you just revert back to the latest copy.

The only IT practices you need there are regular backups though -- "fuck off" is the best response to ransomware people -- a week's financials are not much leverage for them.

Why would foreign adversaries concern themselves with small fry, when they can go for the big fish?

In late 2024 U.S. officials announced that hackers affiliated with Salt Typhoon had accessed the computer systems of nine U.S. telecommunications companies, later acknowledged to include Verizon, AT&T, T-Mobile, Spectrum, Lumen, Consolidated Communications, and Windstream.[8][9][10] The attack targeted U.S. broadband networks, particularly core network components, including routers manufactured by Cisco, which route large portions of the Internet.[3][4] In October 2024, U.S. officials revealed that the group had compromised internet service provider (ISP) systems used to fulfill CALEA requests used by U.S. law enforcement and intelligence agencies to conduct court-authorized wiretapping.[9]

The hackers were able to access metadata of users' calls and text messages, including date and time stamps, source and destination IP addresses, and phone numbers from over a million users; most of which were located in the Washington D.C. metro area. In some cases, the hackers were able to obtain audio recordings of telephone calls made by high profile individuals.[11] Such individuals reportedly included staff of the Kamala Harris 2024 presidential campaign, as well as phones belonging to Donald Trump and JD Vance.[12] According to deputy national security advisor Anne Neuberger, a "large number" of the individuals whose data was directly accessed were "government targets of interest."[11]

Salt Typhoon is a nation state hacker though, not really what OP is talking about.

I work for a blue collar company- the answer is 'every payment is given a tracking number by one of a small number of trusted people, payments are only authorized to selected vendors, there isn't the scale to route around the human element'.

blue collar profitable companies

In a lot of cases, I think the cost/benefit ratio isn't there.

Imagine you're a hostile actor who's targeted a successful taxidermy shop outside Monkey's Eyebrow, Kentucky. What are your exploitation vectors?

They don't have any kind of in house network. They keep all their financials on "The Quick Books", which is an extremely hardened cloud offering. Most contact is done through Facebook and cell phone messages, if not in person.

Even if you do get in, they don't usually have huge cash reserves that you could leverage. All of the corporate value is in capital.

So say you lock and ransom the circa-2011 PC that's sitting in the back room. Now what? They're going to say "damned thing doesn't work", throw it out, and get a laptop or tablet from The Best Buy over in Paducah.

Now, if you wanted to talk about something like small, independent CPAs, I have similar questions.

If I was China or an adversary, this would be child's play. Do they just not want to reveal themselves? I just don't get it. Every company I have gone to would be so easy to get admin creds. This makes me think there are two options. Either there aren't enough hackers to take advantage, or they are holding back. Which one is it? Because like I said, it would be trivially easy to hack these companies.

I wonder if most of the people with the skills and means to become hackers are just far more motivated by political ends than pure profit. I'd imagine if you could become a hacker, getting money would be relatively easy (although still entail a lot of hard work) by just getting a job in red teaming.

Or perhaps it's just a blind spot to the hacker mindset? Hardcore programmers do tend to kind of forget the blue collar world exists, after all.