In a twisted sort of way I am happy to see these types of ransomware attacks making headlines. Before it was much harder to quantify how much a breach might cost but with ransomware you get a fuzzy lower bound. Also the prevalence of these attacks might actually make us all safer in the long run.
This is interesting. Ransomware authors may be protecting their targets against destructive attacks since this would reduce their profits. In the same way that botnets attempt to protect their host from being infected by competing malware.
Agreed. It also tells us where bug bounty rewards should be in value. As the structure of bug bounty programs is completely wrong and the rewards are undervalued.
The market is literally saying they are undervalued.
The flogging will continue until bug bounties improve.
I think I understand your POV and can see why one might find some peace in it, but I don't. More crime, or I suppose more news about it, so we know how much crime costs? More attacks make us safer? It's a means justify the ends argument, but it doesn't hold water.
I infer your point to be that more attacks might cause the victims to step up their defenses. It's a cat and mouse game. Always has been in all realms.
"It'll get worse before it gets better." I've been hearing that for decades. I'm starting to wonder, due to what appears to be a decline in civility. Following the rules only works if we all do. Those who eschew the rules have an obvious advantage.
Where has integrity gone? We are tearing ourselves apart and justifying it ... or coming to terms with it I suppose, by saying it'll be better some day.
Well... when... exactly? By what measure will we know?
I know Steven Pinker, Hans Rosling, and various folks say it's the best time to be a human. Okay. Sure. I see the math. I'd like to see them update their charts for data out over the past year.
But ... anecdotally, none of that math seems to percolate down to my community. The people around me are in constant fear. I just saw a woman walking down the road, all by herself, I had clear vision for a mile and saw no one else but her... and she was wearing a mask.
She was afraid. She was anxious. Regardless of the relative safety that exists today, or the belief that it'll be safer tomorrow because of the lack of said safety, the people around me aren't feeling it.
They're buying guns because red people are coming for them... or the blue people already are. Or the government will. There is literally no milk at the store because of an HDPE shortage prompting the grocer to put a Force Majeure notice on the dairy fridge door.
Trust has broken down. Fear of our own neighbors is up. Crime is up. Poverty is up. Suicide is up. Cyber crime is up. Inflation is up. The Gini coefficient is up.
I really have trouble believing that making it worse real fast, or even reporting more of it, is going to make it better.
Trust and integrity are irrelevant when it comes to professional cyber criminals who likely live in another country. Continually escalating cyber attacks are our new reality. There is no possible way to prevent the attackers from trying. Thus the only option is to harden our systems.
I expect after a few major crises involving mass casualties or major economic losses the federal government will mandate that private industry completely disconnect certain critical infrastructure control systems from the public Internet. Basically the same approach used by SIPRNet.
Letters of marque for the nation-state actors. Bounty hunters for the criminals. There's a lot of options, I suspect using the financial systems to stop bad guys is probably going to miss the mark and produce emergent unintended consequences.
Hell, your own government may conduct a false flag attack to fabricate a casus belli against anyone they wish. It's not like governments don't do such things.
While you’re probably right on the zeitgeist aspect of this, I think you’re missing the practical aspects of what OP is talking about. We have major vulnerabilities to key infrastructure components. Publicly exposing these helps harden them. Yes 9-11 added a ton of security theater and fear, but it also resulted in armored doors on airplane cockpits. I’d like to see the armored door of the energy infrastructure implemented.
That's not the society I want. I don't want stronger doors everywhere. Tougher locks everywhere. Onerous security everywhere.
I prefer a society where passengers are free to chit chat with the pilots when they aren't busy. Where children who might be interested in being a pilot can see a cockpit in the air and how it's done.
I remember reading about the history of security in ancient Rome. The lengths to which normal citizens had to go to protect their homes. I don't want that. No one wants that. No one wanted that then either.
It's a distraction from productivity. It's a constant worry factor that consumes brain waves that could be spent making all our lives better.
Instead, we have to divert our attention to those who want to make it worse.
Do I want security cameras/metal detectors/metal doors and other <s>police state</s> security measures everywhere? No.
Do I want to have all that in electrical plants/pipelines/nuclear reactors and other objects of critical infrastructure - yes.
If that means employees there would need to spend more time for annoying security checks (additional password prompts, 2FA, metal detectors, etc) - sure, I did all of that when working for one of British banks, mildly annoying but feasible. If that means more taxes - I'm ready to pay.
One can't just tell Russians/Chinese/Iranians "we have open and free society so please don't hack into our electric grid" and expect it to work.
Those things already exist in electrical plants/pipelines/nuclear reactors and other objects of critical infrastructure. Eliminating the ability of people to casually enter and access/alter/destroy this infrastructure isn't the issue.
And yeah... we exactly can say that. We do it all the time. We almost blew up the world because Russia sent some missiles to Cuba.
There's no reason the digital war can't have physical repercussions. If a foreign nation invades our digital properties, we drop a bomb on their electric plant.
> There's no reason the digital war can't have physical repercussions. If a foreign nation invades our digital properties, we drop a bomb on their electric plant.
> Simple as that.
Do you think people would support a nuclear war (because if the US bombs Russia or China, the response could very well be nuclear) as a response to hacking? And are you aware that the US is one of the most active countries on the cyber warfare front? (Snowden, the various NSA toolkit leaks, etc.) Should Iran respond with bombs when Israel and maybe the US sabotage its nuclear industry? Should Russia respond with nukes when the US disrupts GRU operations?
Not gonna happen. Because:
a) that would almost surely mean all-out war (in case of Russia/China - with country that has nukes), started by US
b) dropping a bomb on electric plant of country that has at least some air defense (and I think it's safe to assume Russia/China/Iran have plenty of that) is not simple
While I wholeheartedly agree with what you're saying for the physical world, the digital world is completely different. In the physical world, the scope of any action is inherently localized. But with digital systems it takes just one person out of seven billion (or even just the right software bug) to create a global scale problem. The Internet is best treated as a source of malicious noise.
So then you're up against the halting problem at the "digital border" and you've only reduced the problem to say one in 300 million.
There are many differences. I already mentioned locality and scale. Another is that it's possible to make secure software (aka math) that precludes undesirable behavior a priori, whereas such thing is impossible in the real world.
> That's not the society I want. I don't want stronger doors everywhere. Tougher locks everywhere. Onerous security everywhere
> Digital borders exist all over the net. We use them every day to secure all sorts of things
Erm, how do you square these two sentences?
I took your first comment to be arguing against software security in general, presumably in favor of more post-facto enforcement when people violated authorization boundaries.
Your response then seemed to focus on mitigating the cross-jurisdictional issues that make post-facto enforcement hard, by having some sort of software-based security enforcement at a "border", and then relying on post-facto enforcement inside of that.
Now you seem to be supporting software-based security in the form of firewalls everywhere?
If we continue along this trend to even more local, we'll get to fewer firewalls (because they aren't that good of a technology), with security pushed out to the edges. Which is where best practices seem to be headed (BeyondCorp, etc), but is directly antithetical to your initial comment.
What isn't? I'm earnestly trying to understand what you're actually advocating, as your perspective seems to be shifting with each comment. If I have characterized your previous comments incorrectly, it was done in good faith and please correct me.
I'm exactly advocating for the federal government to do its job and protect its citizens and their property from foreign enemies.
It's not my job to protect my house from a foreign military that might want to come into it and steal things from me.
Nor should I install radar systems to alert me to enemy aircraft. That's why the USA spends the better part of a trillion dollars on the military.
That's my government's job and they should do that job. That's what I'm saying.
If a foreign government sent boats full of marauders to our shores to steal from people's homes and stores, you think the government would look the other way?
I don't. I think they'd blow the boats up and kill the marauders.
FWIW, I hadn't realized you were the one that started the whole thread. By "initial comment" I meant the first comment I responded to - https://news.ycombinator.com/item?id=27090800 .
You've got a good point about general fear and trust breakdown with your top level comment (although not your inference from someone wearing a mask alone outside, there are many good reasons for that such as the possibility of coming up on someone, not wanting to fiddle with it while going between places you need it, etc.)