I agree with the characterisation of this activity as 'cyber-warfare', but that has the consequence that telling businesses to 'hack back' is inviting them to raise private armies, with which I strenuously disagree. That sort of thing does, however, to fit with the present administration's ideology.
> telling businesses to 'hack back' is inviting them to raise private armies
> That sort of thing does, however, to fit with the present administration's ideology
These kinds of firms (usually branded as boutique consultancies) have already existed in the OffSec space for over a decade now in most countries and with tacit approval of their law enforcement agencies.
It was BSides this weekend and RSAC right now so you will bump into plenty of them walking around Moscone.
That made sense when it was just businesses defending their own operations from criminals, akin to banks having to use armed guards to move cash and bullion around. But when it's businesses defending against state-sponsored actors in the context of an actual shooting war, that's very different.
> That made sense when it was just businesses defending their own operations from criminals, akin to banks having to use armed guards to move cash and bullion around.
That's a rather crude analogy which misses the major dangers of vigilante hacking. A better analogy is allowing private guards to shoot you on suspicion of you having stolen their money based only on a claim that the money found in your wallet might be theirs.
To understand the problem, think of vigilante justice where some person/group assumes the roles of police, judge and executioner, circumventing due process which is due for a reason.
What happens if a corp doesn't like what you have on your website, spoofs some logs as if coming from it and then hacks the site to disable your ability to communicate?
Well, in that case you're toast. You may go to the judge, pay lawyers and waste your life on lawsuits fighting against a corp with a lawful reason to hack you because if this becomes law, you will be guilty until proven innocent - that's very costly and hard to do. Your chances of successful will be virtually zero meaning the corps get a license to silence you with impunity.
Most APTs companies are already dealing with are either directly state-sponsored or state-permitted as has been seen with tr fairly common Cyrillic, Simplfied Chinese, and Hebrew keyboard checks that have become fairly common in offensive payloads, so the division you are making has been nonexistent for decades.
This is just a tacit admission of a practice that has been occurring under the radar for years now.
Anyway, it's actually bad if there's been a problem for years, and the way it becomes widely known is by Authority(TM) legitimizing it instead of trying to stamp it out.
That was my immediate thought as well: Legitimizing in people's minds that it's ok to commit crimes in a self-coordinated fashion as long as it benefits the people in the current administration. It's very dangerous, and is also happening right now with regards to physical violence [0][1], in addition to all the white collar crime (too much to list).
Exactly. They don't even have the know-how to defend themselves -- there is no hope of them getting on the offensive, at least not without extensive external help.
I have this huge looming sensation private credit will trigger a mini 2008, but instead of investors sucking up the losses, as they should, american taxpayers will be left with the bill.
A part of me was hoping that with LLMs getting better and better at mimicking corporate nothing-speak that we'd realize that we can automate away a lot of the executives, Vice Presidents, and CEOs. Of course that was a naive hope on my end; if history has taught us anything, executives at big companies appear to only be skilled at one thing: shielding themselves from the consequences of their awful decisions.
Instead of automating away a job that is mostly about blathering on with half-truths about the future of the company (something that AI could actually do perfectly fine), they instead think they can fire half the engineers and replace them with a Claude Code.
AI may be able to mimic the cadence and vocabulary of CEO-speak, but it can't possess in-group signifiers like fraternity rings, golf club memberships or be able to trade favors like getting invites to the right kind of parties. All of these are required as part of an elaborate dance to placate a merry band of institutional investors, earnings analysts and politicians.
I'm just a regular intelligence, and sadly it appears I can't possess those things either; I've tried to break into the finance world [1], and I've learned that despite fifteen years of software experience, it doesn't matter if I didn't go to an Ivy League school.
I wonder if there is a service that just serves as a "degree cleanse" where I can technically say I have a degree from Columbia or something without having to spend $200,000 going through another degree program.
[1] Admittedly for money, but also it's one of the few areas where I might realistically be allowed to do math.
I see this sentiment repeated so often, and its so surprising to me that people have this train of thought.
If our society was organized around the needs of workers, and existed to help workers compete at their crafts (somehow), then this would make sense.
But it isn't. Every one of our jobs exists as a contract that was initially offered by an owner of capital, and created in order to make that person more money.
As such, ownership is literally the _only_ job that will never be replaced, because it is the atom from which all the rest of the market's building blocks have been built.
AI could replace every job in the market, and company-owner would be the only job left untouched, because every other job in existence, ultimately, has been created to serve that person, not the other way around.
> ownership is literally the _only_ job that will never be replaced
Humans will always be the roots of the ownership graph, but I think AI can be any other node. Start an AI-first hedge fund or private equity firm. The AI makes the decisions. There may be a human manager, but they've agreed to be the AI's arms and ears. AI starts looking like a root owner if/when it starts managing a large charitable endowment, however.
Same thing with managers, particularly CEOs. The board may become dissatisfied with the present CEO, and start requiring that they run all decisions past an AI. The board agrees to certain values or priorities for the AI. Eventually, the AI is the one effectively in control, and the CEO is just a vestigial organ drawing a salary in case the AI ever makes a very bad decision.
Ownership is a little different; there are a lot of jobs in BigCos where they don't own the company but still basically only serve to blather half-truths to the employees.
My dad used to have a boss that he pejoratively nicknamed "VPGPT", because he felt that the way he spoke was indistinguishable from ChatGPT, and he could be replaced with ChatGPT without anyone noticing a different. This guy wasn't the owner of the company, he was just a higher-level manager.
It's easiest to mental model (for me) that those closest to the money are the last ones out the door. They control the purse strings and what the money is spent on.
So if you are the CEO, you are basically one or two tiers away from the money. Those who report to the CEO 5 levels deep are pretty far away.
Believing that someone very close to the money is going to replace themselves is incredibly naive.
If you could replace yourself with a program running on your laptop that took all your meetings and responded to your emails for you, while you did other stuff, wouldn't you? It's not naivety, I can see it as very appealing to this characature in my head of a CEO who just wants to go off and be lazy and fuck their secretary.
I don’t think this is about jobs. I think this is about information, power, and access to power.
The way a company with a bad C-suite gets fixed is by being competed out of existence. The way workers with bad bosses can fix that is imo limited, mostly to “find another job”.
I’m curious if anyone has ever heard of “complain to the board during the CEO’s renewal phase” being successful. It didn’t happen at places I know about.
The way that happens is you have enough money to buy enough shares to have enough votes to force a change in the board. Usually referred to as "activist shareholders" or "corporate raiders" whatnot.
>If our society was organized around the needs of workers, and existed to help workers compete at their crafts (somehow), then this would make sense.
How would this even work? "workers compete at their crafts" doesn't put food on the table. I'm sure that if "economics" and "capitalism" wasn't a factor, most of HN would be making indie games or whatever instead of making enterprise SaaS apps.
The US was a vastly different country in the 1960's than today from all points of view. Plebs had way more social cohesions and unity, and lot more bargaining power over the wealthy and politicians, when communism was the main enemy and all working class jobs hadn't been yet shipped abroad and PE hadn't yet monopolized ownership of housing and everything else and the US industrial elites didn't have doomsday bunkers in Hawaii and New Zealand.
What I'm saying is what worked then won't work now because the context is completely different.
If you're trying to make a veiled reference to the french revolution, keep in mind that's also ostensibly what the Jan 6th rioters thought they were doing, though arguably a lighter version. "Let's have a violent revolution to kill the elites" sounds like a great idea, until you realize that it works for the other side as well.
Mapping out the actual "ethics" of the J6 people has been difficult for me. It butts up against how I generally define "good" and "bad".
For an easy example, a guy murdering his wife for the insurance money is someone that I can pretty easily call "bad". That's would be hurting someone to enrich yourself, which I think we can agree is pretty bad.
But on an "individual morality" level, it's hard for me to directly condemn the J6 people. If they genuinely believed the election was stolen, and if they genuinely believed that the only way to save America was by invading the capital, and they were willing to do it at great risk to themselves with very little personal benefit, it's hard for me to directly say that they're "bad" people. Dumb, misguided people doing a bad thing, but they're doing what they think is right.
To be clear, I think the J6 people were very stupid, and I think it's horrible that the orange idiot lying about some election fraud in order to overthrow democracy is a very very very bad thing.
>That's bullshit. Same nonsense as equating J6 and BLM.
Since when did I bring in BLM?
>J6 was a _government official_, with no evidence, inciting violence in people that _did not care about evidence_. They did not think, period.
So your only objection to Jan 6th was that the person inciting political violence was a government official and/or there wasn't "evidence" (whatever that means)? Nothing about violence itself? I guess a non-government official calling for the CEO of JPM or Ben Bernanke to be decapitated, citing some gini coefficient graphs is fine?
Nick Shirley and other indie journalists did investigations and found you can easily fraud election in places with no voter ID like Cali. But don't let distracted by the facts.
>BLM was individuals responding to seeing, _with their own eyes_, power being blatantly abused _by government officials_, live on TV, many, many times.
Yeah, all those innocent businesses and property deserved to get looted and torched because a cop killed a guy breaking the law high on fentanyl. It's totally acceptable and tolerant. If something from the government bothers you, you are now legally and socially allowed just rob a Nike store and brn down some cars in the city center.
State sponsored cyberattacks by China should be considered an act of war by the US government. Telling private firms to hack back isn’t a solution. Unfortunately Trump has been spineless and weak on China, as we have seen in the tariff debacle and in the TikTok ban debacle.
Relying on good will and people doing the right thing is clearly bullshit - any system which is insecure should be a legitimate target, and the onus needs to be on those who own the systems to secure them, and be unable to disclaim liability if they do not.
However, the law needs to reflect that if people are to actually take the suggestions seriously.
Say I do everything right and still get compromised because an AWS 0-day lets attackers read the RAM of my virtual server. It’s my responsibility, but is it my fault?
There’s no such thing as a secure system that’s usable. You can asymptomatically approach it giving infinite money, in the same way you can approach physical security (“if it were really important to you, you would’ve cloned Fort Knox, so I guess you don’t care”) or even the speed of light. But even Fort Knox is vulnerable to a highly determined invading army.
Getting compromised doesn’t inherently mean you made mistakes.
> Getting compromised doesn’t inherently mean you made mistakes.
I entirely agree, but I think the reason you see such upset posts is that they are thinking of situations where EGREGIOUS mistakes were made and no liability was found.
I'm sure that's right, and I also find that frustrating.
It just rubs me the wrong way, like people who say goofy things like "all CEOs suck". They're picturing [insert your least favorite CEO here], but probably don't know, or temporarily forget, that the local bodega's owner very well might be the CEO of an S-corp that operates their little store for liability purposes.
Is there practical ways other than spending a couple billion dollars to protect yourself from nation state hacking groups? Especially if you'd doing something like internet connected medical devices? Honest question
You can’t really avoid paying for security, which seems to historically be why it is ignored and risked. I’ve always felt the right approach is for an internal security & reliability org be formed to provide an owner and maintainer for core services and libraries, so that things are built robustly from the get-go. Think premade formulations an integration for auth, hosting, data storage, etc. Some companies have small security teams that _kind of_ fill this role, but usually they’re a gate you must pass rather than an ally helping you navigate hard problems by providing and maintaining prebuilt solutions. I’d rather just require that normal devs not need to solve these problems and instead be provided an appropriate sandbox to deploy software in.
They did login on a global admin account and wiped devices via whatever turd technology is used currently to have complete control over your employee's devices centrally.
Central control over everything gives you central way to shoot yourself in the foot. Duh. Don't be a control freak company maybe, or if you are, have 2FA on your admin's accounts.
"Nation state" my ass.
They also demonstrated that one rogue admin could have deleted the entire company in like one evening, too, if he felt bad enough.
Well, they also relied on this company to protect them, so...
The problem is, it doesn't matter. If the "good guys" are prevented from testing your system to uncover vulnerabilities without legal threats, but the "bad guys" are not, you still effectively do need to spend that anyway.
> any system which is insecure should be a legitimate target, and the onus needs to be on those who own the systems to secure them, and be unable to disclaim liability if they do not
And what is the limit on that, because the only actually-secured system is one that is not connected to anything or accessed by anyone.
Look, I agree that people are shit and the only person you can trust is one you've killed yourself, but that's not really a workable solution.
> That sort of thing does, however, to fit with the present administration's ideology
These kinds of firms (usually branded as boutique consultancies) have already existed in the OffSec space for over a decade now in most countries and with tacit approval of their law enforcement agencies.
It was BSides this weekend and RSAC right now so you will bump into plenty of them walking around Moscone.
That's a rather crude analogy which misses the major dangers of vigilante hacking. A better analogy is allowing private guards to shoot you on suspicion of you having stolen their money based only on a claim that the money found in your wallet might be theirs.
To understand the problem, think of vigilante justice where some person/group assumes the roles of police, judge and executioner, circumventing due process which is due for a reason.
What happens if a corp doesn't like what you have on your website, spoofs some logs as if coming from it and then hacks the site to disable your ability to communicate?
Well, in that case you're toast. You may go to the judge, pay lawyers and waste your life on lawsuits fighting against a corp with a lawful reason to hack you because if this becomes law, you will be guilty until proven innocent - that's very costly and hard to do. Your chances of successful will be virtually zero meaning the corps get a license to silence you with impunity.
This is just a tacit admission of a practice that has been occurring under the radar for years now.
Anyway, it's actually bad if there's been a problem for years, and the way it becomes widely known is by Authority(TM) legitimizing it instead of trying to stamp it out.
0 – https://en.wikipedia.org/wiki/Pardon_of_January_6_United_Sta...
1 – https://www.nbcnews.com/politics/politics-news/trump-calls-a...
Instead of automating away a job that is mostly about blathering on with half-truths about the future of the company (something that AI could actually do perfectly fine), they instead think they can fire half the engineers and replace them with a Claude Code.
I wonder if there is a service that just serves as a "degree cleanse" where I can technically say I have a degree from Columbia or something without having to spend $200,000 going through another degree program.
[1] Admittedly for money, but also it's one of the few areas where I might realistically be allowed to do math.
If our society was organized around the needs of workers, and existed to help workers compete at their crafts (somehow), then this would make sense.
But it isn't. Every one of our jobs exists as a contract that was initially offered by an owner of capital, and created in order to make that person more money.
As such, ownership is literally the _only_ job that will never be replaced, because it is the atom from which all the rest of the market's building blocks have been built.
AI could replace every job in the market, and company-owner would be the only job left untouched, because every other job in existence, ultimately, has been created to serve that person, not the other way around.
Humans will always be the roots of the ownership graph, but I think AI can be any other node. Start an AI-first hedge fund or private equity firm. The AI makes the decisions. There may be a human manager, but they've agreed to be the AI's arms and ears. AI starts looking like a root owner if/when it starts managing a large charitable endowment, however.
Same thing with managers, particularly CEOs. The board may become dissatisfied with the present CEO, and start requiring that they run all decisions past an AI. The board agrees to certain values or priorities for the AI. Eventually, the AI is the one effectively in control, and the CEO is just a vestigial organ drawing a salary in case the AI ever makes a very bad decision.
My dad used to have a boss that he pejoratively nicknamed "VPGPT", because he felt that the way he spoke was indistinguishable from ChatGPT, and he could be replaced with ChatGPT without anyone noticing a different. This guy wasn't the owner of the company, he was just a higher-level manager.
So if you are the CEO, you are basically one or two tiers away from the money. Those who report to the CEO 5 levels deep are pretty far away.
Believing that someone very close to the money is going to replace themselves is incredibly naive.
From Schlock Mercenary: "I can replace desk-meat like you with a Turing dynamo, an Eliza helix, and a white noise generator."
It's just that they're typically also a shareholder.
The way a company with a bad C-suite gets fixed is by being competed out of existence. The way workers with bad bosses can fix that is imo limited, mostly to “find another job”.
I’m curious if anyone has ever heard of “complain to the board during the CEO’s renewal phase” being successful. It didn’t happen at places I know about.
https://www.inc.com/bill-murphy-jr/an-activist-investor-forc...
https://www.investopedia.com/top-10-activist-investors-in-th...
I don't think this is true in any meaningful sense.
How would this even work? "workers compete at their crafts" doesn't put food on the table. I'm sure that if "economics" and "capitalism" wasn't a factor, most of HN would be making indie games or whatever instead of making enterprise SaaS apps.
So just like 2008.
If the country isn’t on fire afterwards, I’m giving up on it.
How?
Then organize like every other movement; study the US in the 1960s.
The US was a vastly different country in the 1960's than today from all points of view. Plebs had way more social cohesions and unity, and lot more bargaining power over the wealthy and politicians, when communism was the main enemy and all working class jobs hadn't been yet shipped abroad and PE hadn't yet monopolized ownership of housing and everything else and the US industrial elites didn't have doomsday bunkers in Hawaii and New Zealand.
What I'm saying is what worked then won't work now because the context is completely different.
If you're trying to make a veiled reference to the french revolution, keep in mind that's also ostensibly what the Jan 6th rioters thought they were doing, though arguably a lighter version. "Let's have a violent revolution to kill the elites" sounds like a great idea, until you realize that it works for the other side as well.
For an easy example, a guy murdering his wife for the insurance money is someone that I can pretty easily call "bad". That's would be hurting someone to enrich yourself, which I think we can agree is pretty bad.
But on an "individual morality" level, it's hard for me to directly condemn the J6 people. If they genuinely believed the election was stolen, and if they genuinely believed that the only way to save America was by invading the capital, and they were willing to do it at great risk to themselves with very little personal benefit, it's hard for me to directly say that they're "bad" people. Dumb, misguided people doing a bad thing, but they're doing what they think is right.
To be clear, I think the J6 people were very stupid, and I think it's horrible that the orange idiot lying about some election fraud in order to overthrow democracy is a very very very bad thing.
J6 was a _government official_, with no evidence, inciting violence in people that _did not care about evidence_. They did not think, period.
BLM was individuals responding to seeing, _with their own eyes_, power being blatantly abused _by government officials_, live on TV, many, many times.
Since when did I bring in BLM?
>J6 was a _government official_, with no evidence, inciting violence in people that _did not care about evidence_. They did not think, period.
So your only objection to Jan 6th was that the person inciting political violence was a government official and/or there wasn't "evidence" (whatever that means)? Nothing about violence itself? I guess a non-government official calling for the CEO of JPM or Ben Bernanke to be decapitated, citing some gini coefficient graphs is fine?
Nick Shirley and other indie journalists did investigations and found you can easily fraud election in places with no voter ID like Cali. But don't let distracted by the facts.
>BLM was individuals responding to seeing, _with their own eyes_, power being blatantly abused _by government officials_, live on TV, many, many times.
Yeah, all those innocent businesses and property deserved to get looted and torched because a cop killed a guy breaking the law high on fentanyl. It's totally acceptable and tolerant. If something from the government bothers you, you are now legally and socially allowed just rob a Nike store and brn down some cars in the city center.
History books say that ...oh ...starts flipping frantically ... oh no!
Yeah, no that's not gonna happen and you also don't want that.
However, the law needs to reflect that if people are to actually take the suggestions seriously.
There’s no such thing as a secure system that’s usable. You can asymptomatically approach it giving infinite money, in the same way you can approach physical security (“if it were really important to you, you would’ve cloned Fort Knox, so I guess you don’t care”) or even the speed of light. But even Fort Knox is vulnerable to a highly determined invading army.
Getting compromised doesn’t inherently mean you made mistakes.
I entirely agree, but I think the reason you see such upset posts is that they are thinking of situations where EGREGIOUS mistakes were made and no liability was found.
It just rubs me the wrong way, like people who say goofy things like "all CEOs suck". They're picturing [insert your least favorite CEO here], but probably don't know, or temporarily forget, that the local bodega's owner very well might be the CEO of an S-corp that operates their little store for liability purposes.
Central control over everything gives you central way to shoot yourself in the foot. Duh. Don't be a control freak company maybe, or if you are, have 2FA on your admin's accounts.
"Nation state" my ass.
They also demonstrated that one rogue admin could have deleted the entire company in like one evening, too, if he felt bad enough.
Well, they also relied on this company to protect them, so...
https://www.bleepingcomputer.com/news/security/microsoft-ent...
And what is the limit on that, because the only actually-secured system is one that is not connected to anything or accessed by anyone.
Look, I agree that people are shit and the only person you can trust is one you've killed yourself, but that's not really a workable solution.