If you’re doing research of any significance in today’s world and don’t have an active security program looking for harmful actions by foreign intelligence your organization opens itself up for all sorts of nasty liabilities. You don’t even have to have an electronic intrusion. The PRC’s government also pays people off as the case of this former Cleveland Clinic researcher shows: https://www.cleveland.com/crime/2020/05/former-cleveland-cli...
I'm not sure I agree that it's the responsibility of the people doing research to protect against foreign nation state attacks (whether cyber or legacy intelligence).
1st: most people outside of government don't know how much they are expected/"required" to do to protect their work against foreign nation states. Except for heavily regulated sectors (government, military, heavy industry, banking, core telecom, and more recently elections) very few companies will actually get help from 3-letter-agencies to actively protect against foreign nation state attacks.
2nd: many people expect that the {NSA, Cyber Command, et al} are actively defending all US organizations. I don't see evidence of this (although if there was evidence, I probably wouldn't see it anyway).
3rd: In a national emergency (which the COVID response was declared), there are limits to the liabilities which would otherwise be enforceable in court. There are frequently/always legal escape clauses like force majeure and act of god which would likely alleviate liabilities due to fallout from acts of war or a severe pandemic, so it's not clear that those "nasty liabilities" could be enforced. There are currently 2 important cyberinsurance cases[1] which are winding their way through courts right now which may effectively decide if cyberinsurance is a viable product (depending on whether). Violations of HIPAA are possible, but similarly may not amount to much in terms of prosecution because of the pandemic.
In reality, it's damn near impossible to protect against a motivated+targeted nation state attack (especially with the resources of PRC). If the liabilities incentives require all projects (large and small) be able to withstand nation-state attacks, then all of the project resources go to cybersecurity and none into research -- your productivity is now zero.
It's important to remember that it's the FBI's job to do counter-intel. If a medical research group is defrauded by PRC spies and you blame the researchers for not being able to spot a non-trivial espionage attempt, you are just victim blaming. I work as a product developer in cybersecurity and I doubt I could identify most spy craft if it were to happen right in front of me.
> many people expect that the {NSA, Cyber Command, et al} are actively defending all US organizations. I don't see evidence of this (although if there was evidence, I probably wouldn't see it anyway).
If you keep your confidential research results on an unpatched server with weak passwords and exposed to the internet, what is the NSA supposed to do about that?
About the best thing they could do is to scan for and find the vulnerability before the attackers and notify you about it, which in general they don't. And it still wouldn't solve most of the problem because there would be objections if they did more than a cursory scan, which means they won't find most problems, but the attackers are under no such limitations.
> there are limits to the liabilities which would otherwise be enforceable in court
I don't think this is the kind of liability they're talking about. If your confidential research falls into the hands of economic spies, the problem isn't so much that someone is going to sue you as that your research and any relevant patents have now lost their economic value because a knockoff product will beat you to market.
> cyberinsurance
This is liable to be more of a grant hog than liability would. Not only do you have to pay the premiums -- which would be high unless researchers adopt good security practices, which having the insurance would give them the incentive to do the opposite of -- but you also then have the insurance company imposing some kind of bureaucratic best practices procedures that gives you even more compliance costs than you would get from having liability, because the insurance company has misaligned incentives with respect to the level of compliance burden to impose, since they don't pay any of it but get all the benefits.
The reality is, the researchers are the ones operating the systems their research is on. They're the ones who have to secure them. And they already largely have the right incentives to want to do that, but they also have a poor understanding of the necessity of it and the process for doing it.
What would help here are the things that would help in general. Fund vulnerability research in free software so that the software people are using (because it's what they can afford) is secure by default, and easy enough to use that people don't commonly make mistakes, and well-documented. Things like that. Make it easier to do the right thing so more people do.
> 1st: most people outside of government don't know how much they are expected/"required" to do to protect their work against foreign nation states.
This is very true, sadly. It ought not to be, but level of practical cyber abilities seems sorely lacking. I see lots of "governance" style cyber, but not a lot of "deep technical expertise being allowed to develop defences".
University research lab type environments deserve a special call-out though for being near-impossible to defend. Most of the time these are "defended" by pooled central IT staff without specific awareness of the significance of the systems or threats faced. University networks are also notoriously open, and even in lab environments, they're often connected directly to the internet or campus network (airgapped computers for internet access are less convenient and someone would have to pay for them, and nobody wants to). Let's not even go into the various shadow IT remote access systems in use, which circumvent the institution firewall to let them get work done from home in the evenings...
University lab environments are an incredibly tough target to secure. And the researchers will find ever more ingenious workarounds to security measures that they find getting in the way of their work.
> Except for heavily regulated sectors (government, military, heavy industry, banking, core telecom, and more recently elections) very few companies will actually get help from 3-letter-agencies to actively protect against foreign nation state attacks.
Even some of these sectors sorely lack ability in cyber, at least in some very developed and otherwise capable countries. There is still a very real barrier between 3 letter agencies, and the industries you mentioned that need this help. Information sharing is often too little too late, or not specific enough to be actioned.
That said, I do think cyber security needs to be a bigger priority in all sectors, but nobody wants to pay for it, and as long as there's no routine cost to business, I don't see that changing. Not while traditional "value for money" metrics are used to measure and compare options - it's very hard for those reviewing tenders or proposalsto see and differentiate between good security and some "military grade, unbreakable, quantum sprinkles" snake-oil security that has SQL injections everywhere.
You conflate so many facets into an hopeless image. Yes, all research facilities are potential targets. Yes, it's wise to assume that no single one can realistically deflect a full frontal attack from a state agent. But each possibility doesn't happen all at once because resources are limited. It's like saying you can't defend a country because each of your soldiers is mortal.
A large part of cybersecurity is removing the low hanging fruit (eg. Gitlab's recent phishing test). The current stakes might probably target an unprecedented level of attention towards research facilities where people weren't concerned about all this stuff, and it's safe to assume aren't experts in the matter. So there's probably a lot that can be done to strengthen the security landscape, making life difficult to attackers, and generally consuming their attention and resources, resulting in a net positive. Even if each one would still succumb, maybe fewer will.
Imagine a state actor hitting the contract research organization in charge of the last phase of a clinical trial for a blood pressure medication and changing data. Due to the nature of double blind trials, catching these modifications can become really hard to catch and could lead to a lot of human suffering.
If they target a CRO the sponsor still has the original data from the trial sites. I can say that at least for the company (one of the 10 largest pharmaceutical companies) I work for this would almost be impossible to not be caught.
Even the crappy little cowboy CRO I worked for had a fleet of CRA's go out and manually verify documents against the EDC. It's required by law. I think the FDA audit also repeats that process with a random sampling for some studies, though I couldn't swear to that.
I get the point the parent comment was trying to make, but yeah, bad example.
I appreciate that there’s probably a lot I don’t know or understand about the national security aspects of this but it seems wrong to not share as much information as possible with as many researchers as possible in order to help as many as people as possible. Protecting security interests is one thing but this press release specifically mentions protecting intellectual property and that seems kind of tone deaf.
I also wish they would explain how treatment options are jeopardized, even at a high level:
> The potential theft of this information jeopardizes the delivery of secure, effective, and efficient treatment options.
First, it lists "affiliated with COVID-19-related research" not "exclusively COVID-19 research" so could be more than just the current research.
More importantly, while data theft is bad, data tampering could be much worse.
What happens to people's confidence, hope, and trust if a "remarkably effective" drug turns out to be a total dud or even dangerous because the underlying data was modified?
> to not share as much information as possible with as many researchers as possible in order to help as many as people as possible.
this presumes that the stolen information would be used 'to help as many people as possible'..
Also, 1st country with viable vaccine/treatment/etc will have a huge geopolitical bargaining chip & it will likely be used as such no matter the country of origin.
Ummm, I'm not sure how to break it to you, but USA is already laughingstock of world due to our comically misguided reaction to the "pandemic". Everyone expected Trump to screw up (and he hasn't disappointed), but there isn't any person or institution in USA that hasn't totally whiffed on this. CDC mandated tests that didn't work, news media remained unconvinced until late in the game and now jump from one conspiracy theory to another, in-person elections were held as late as April 7, some states required that diseased patients be forced into nursing homes for the elderly, effective masks are still somehow difficult to acquire, Congress has passed numerous "bailout" laws representing trillions of dollars yet has somehow not been able to arrange healthcare for every citizen as most comparable nations have had for decades, our deaths have passed 100k and seem certain to pass 200k as well, etc.
It's difficult not to see this "investigation" and especially this silly press release that purports to inform the public about it as just more of the same. Furious pretend activity with no view of long-term strategy or of benefit to anyone other than the bureaucrats who wrote the release.
What is "advantage" in this case? Nations with reliable treatments and vaccines might use those to improve their citizens' health? Sure that's not something we'd do in USA but it doesn't seem like a bad idea...
to be clear, wasn't disagreeing, but pointing out some potential rationale why this could conceivably be viewed as a security matter vs open science matter
> Also, 1st country with viable vaccine/treatment/etc will have a huge geopolitical bargaining chip & it will likely be used as such no matter the country of origin.
Definitely, but thankfully, it is a positive sum game.
First thing, you won't keep your bargaining chip for long. If a country manages to find a vaccine, others will follow soon enough. Besides independent research and reverse engineering efforts, it is foolish to think that the US doesn't have spies and hackers targeting China.
So in order to use that "bargaining chip", the vaccine has to be at least as valuable as what you are asking for in exchange. So while it may cost a lot to the country that doesn't have the vaccine, if it took the deal, it means that the cost is less than not having a vaccine at all.
In the end it will be used to help as many people as possible, because it is the only thing a vaccine can do. Unless someone wants a full-on war that is. But if major powers really wanted the worst, there is a pile of nukes that is ready to make the whole pandemic look like a joke.
If Russia gave it to them via China which made it from research stolen from the USA, I wouldn't call it "funny." I would call it "saving half a face, just in case."
Personal attacks are not ok here, and neither is nationalistic flamewar or other flamewar. Please review https://news.ycombinator.com/newsguidelines.html and stick to the rules when commenting.
Which leaves some hope that everybody is not yet brainwashed.
Remember, China sequenced the virus and shared the genome with the whole world to help build tests faster. And now they would try to impede research?
Also, 9 times or of 10 it takes a long time to get an idea of where an attack is coming from. And independently of what they know, 9 times out of 10 politics won't tell you what they know but what they want you to believe. So what are the chances that you have any idea of what actually happened and why? Close to zero.
What to do then? Well, at least let us refrain from howling with the wolves.
The virus did not come from Wuhan. The first known cluster of cases was in Wuhan. This is where China first identified and then quickly notified the international community that there was a new communicable disease.
Many of the original identified victims had no relation whatsoever with Wuhan, and virologists have traced the virus to several individuals throughout Hubei province as early as November. Virologists tracing the virus history through DNA shows a significant history to the virus before Wuhan.
SARS-CoV-2 shows no signs of having been bioengineered and plenty of markers of cross-species adaptation. Furthermore the closest coronavirus strain known to mankind is significantly (50 years of forced evolution) far from SARS-CoV-2.
Biological laboratories are located in many cities across the world. Given all of the scientific evidence we know about the likely species-jump origins of the virus and its history before Wuhan, it's it a bit of a tired theory (as in definitively unreasonable in the number of required assumptions) at this point that the virus escaped Wuhan's high-containment laboratory?
I think the difference is that the West is engaging in surveillance and not sabotage. If the CCP was found to contaminate or corrupt data, that is a far step above Western norms. Also, the West mostly focuses on international relations and national security concerns, whereas the CCP also participates in economic sabotage and IP transfer.
For example, it would be big news for the US to have been caught hacking Huawei, but, the CCP does this all the time to US companies.
First off, the west's covert activities are not limited to benign surveillance.
Second off.. aside from the total lack of evidence, why would the Chinese be interested in sabotage here? American discovery of a vaccine means they can rip it off, they're definitely not gonna be paying anyone for it. If we're selling it at exorbitant prices while they give it away practically for free to African countries, that's a huge win for them. Plus, there's the whole taking care of their people thing.
Sabotage just gets in the way, nobody cares who invented it 'first'.
Sabotaging the effort of others would actually be something that fit into Chinese political philosophy in this particular case, seeing as how much appearances mean to their long-tail strategy of global dominance and promenance. China being first with a working vaccine doesn't seem important to us, but to them? Fantastic PR for their next round of buying up desriable parts of Africa.
> the west's covert activities are not limited to benign surveillance.
Compared to the CCP, it's fairly benign. The example you gave, Merkel's phone, is a textbook example. Spy all you want, but we're not stealing IP or sabotaging power grids (to my knowledge). We're not interfering with other countries' covid response or possibly corrupting medical records.
> why would the Chinese be interested in sabotage here?
Presumably, because it gives China a geopolitical edge in the international sphere. Think about how damaging it would be to not only be the country where the virus started, but also not having a valid vaccine. By slowing down Western vaccine efforts and boosting their own, they can regain the upper hand and make China look strong. "Strong China" keeps those leaders in power, and they'll do whatever they can to project the feeling that they're in control and "better" than the West. Also, China is posturing itself to be a counterpoint to the West, but they need to show themselves as somehow a viable candidate for that.
So a wide variety of reasons, but it's easy to see why they would do this.
It would take a book-length treatment to evaluate that sentence, but I don't think it's justified. We've been VERY active, around the whole world, since WWII. China's only started to look past their immediate neighbors recently.
I guess 'benign' can do a lot of work for you if you think we're the protagonists of history.
I don't think anyone would ever argue that the West isn't active or that they've never done anything wrong. Obviously there are huge wikipedia articles and hundreds of books on the subject.
But from what it seems of what little we know of that world, the US seems to have some kind of value system, and the CCP has almost none. Freedom of speech is a good example. If the US were to spy on a citizen, they wouldn't end up in a concentration camp. The US also encourages its allies, as much as it can, to promote "Western democratic values". For example, we were instrumental in turning South Korea into a democracy, from a dictatorship.
So it's not as simple as "US bad china good" or "China bad, US good" but I think it's pretty clear China is a totalitarian system which has few scruples, if any. So that's what we mean by "benign". Some rough understanding of "the right thing". It's not that the US does everything great, forever, because clearly...
We spent 4 years fighting, with 3 million casualties, in order to leave the border between north/south in the same place we found it, and install an allied dictatorship for the following 30 years. I guess it worked out eventually, but that's to the credit of the Koreans, not us. We were fine with a capitalist dictatorship as long as the Cold War was on.
Thousands of protestors killed, by US weapons, while our defense dept was kept in the loop. And I had never even heard of it until I went to fact-check myself about the length of the dictatorship there. Funny. I wonder why.
I mean, I'm not trying to say "china always good, USA always bad", either. I'm just trying to add some perspective.
If I were to take that on as some sort of debate challenge, I'd point out the mass incarceration and the fact that we still have a bigger chunk of people in jail despite being so much freer. Of course, that's a bit of a rhetorical gambit.
As far as the characterization of china, it depends. Han Chinese don't go to prison just for criticizing the government, they just lose opportunities. Party membership is a big part of getting ahead there. They go to prison if they start getting organized, holding meetings, being an alternative political party.
Less 'add perspective' than 'spinning' or 'trying to manage a situation'.
> that we still have a bigger chunk of people in jail
Provide a citation. I believe this figure is true for the US (you are saying you are in the US I take it?), so cite it. It's a strong and damning figure so bring it to the front.
> Han Chinese don't go to prison just for criticizing the government
Do other ethnicities? Why does ethnicity matter here? Does ethnicity make a difference in chinese law?
> They go to prison if they start getting organized, holding meetings, being an alternative political party
In this respect the US and the UK are better because you don't. Mind, I've no great trust in the government not to 'keep an eye on troublemakers' as they'd put it, in fact there's a long history of infiltrating groups in an immoral and downright illegal way sometimes, but they strongly tend not to end up in prison.
> Xinjiang...
I've not heard of this. Could you provide some pointers please? (genuinely curious)
Not patronising at all. Also did not provide any info viz.
1. I encouraged you to provide a citation to support your own point which I AGREED WITH. You have not.
2. I asked a question about whether different ethnicities are treated differently in chinese law. You avoided answering.
3. I gave an example of greater freedom under UK & US law. You have not acknowledged this presumably because it is inconveniently true.
4. I asked in good faith for some reading material on whatever was about Xinjiang. You have not provided this.
If I am "completely invested in strong opinions" then change my mind with facts. It was a worthless and pretty patronising reply. Provide relevant facts.
> Han Chinese don't go to prison just for criticizing the government, they just lose opportunities.
This is verifiably false. Han vine Chinese book store owners in Hong Kong were kidnapped to mainland China, incarcerated and forced to sign confessions. Their ‘crime’ was selling books critical of the CCP.
I was speaking more generally. WeChat is monitored and things get said there, the gulags aren't full. There was a lot of outrage over that doctor that died after blowing the whistle about C19, for example.
HK was more of a hot situation, you had protestors waving UK flags and talking about independence. I'm not justifying anything, but that's exactly the 'credible threat' vs 'talking shit' distinction I was talking anout.
In the cases you're referencing, are they still locked up? I'll check out a link if you've got one.
>>> Han Chinese don't go to prison just for criticizing the government, they just lose opportunities.
>> This is verifiably false.
> I was speaking more generally
That response is meaningless (the classic 'nebulous response' to an inconvenient question) and thus sidesteps addressing his point. Also please elaborate on what 'losing opportunities' means - I hope it doesn't extend to eg. the right to eat food does it?
> In the cases you're referencing, are they still locked up?
It's irrelevant if they are still locked up or released, they got locked up for political reasons. Right?
Different countries may have different values. Citizens of those countries are educated to value those different (quite abstract) ideals, such as "freedom of speach" in the US, or "economic development" in China. Like a religion, those systems of values are flexible and abstract enough that you can make them mean whatever you want. Then automatically we tend to think of our system of values as better than any other; indeed, that's what we use values for.
So what have we learn so far? Nothing, apparently.
I believe in cultural relativity, but that ends at, for example, mass concentration camps. Your argument is basically "let any country do whatever they want within their borders" and I don't think that makes sense. Or, there are limits to that. I would also argue that the acceptance of totalitarian values as "cultural norms" isn't entirely correct. Historical Chinese culture has little to do with the social credit system and the CCP is not Chinese culture.
I do not think cultural relativism, if you want to call it that way, means that one can never judge what others do, and I'm surprised my comment came across as this.
I'd like to help you realize that despite all your values of freedom of speech, free thinking and so on, this very set of strong emotional values makes you live in a fantasy world where countries/cultures are impersonated by good or bad characters, the actions of which are either justified or not despite they are all equally questionable.
Of course the USA have had concentration camps (China and France also), of course people were interned based on religion or skin color also in the USA (China and France too), of course the USA invaded countries while lying in the face of everybody about the reasons (like France and China also did). I don't know, whatch Powell's speech to the UN about the weapons of mass destruction in a loop until it clicks?
All countries (I included France just because I happen to write this from there) would likely do the same on the same circumstances regardless of their official values, because no country act because of values. Countries are not real characters, they do not act, and have no values. Individuals do and have, and it is important that individuals of the most powerful country in the world would adopt another set of guiding values than "when that's my gouvernement doing it it's Ok but when that's others it's evil". Because they have been subjugated by their ruling class[1] for a long time now, and the consequences have been dramatic.
It's interesting how biased you are, that you see the inherent good in the US and view China as totally evil. The Chinese version of you would probably see it the opposite way, and you'd call him brainwashed and deluded...
I remember reading a cynical blog post about how what occupies governments are how to have the most influence in the world. USA used to be good at that, but well, we know where that's gone. As for "Western democtratic values", one could cynically view that as trying to install a free market so American companies can exploit resources and the population. Just look up where the term "banana republic" came from.
> A report in the Moscow Times quoted KGB veteran Vasily Pchelintsev as saying that there was a natural gas pipeline explosion in 1982, but it was near Tobolsk on a pipeline connecting the Urengoy gas field to the city of Chelyabinsk, and it was caused by poor construction rather than sabotage; according to Pchelintsev's account, no one was killed in the explosion and the damage was repaired within one day.[2] Reed's account has also not been corroborated by intelligence agencies in the United States.[3]
"We're not interfering with other countries' covid response" - the US continues to freeze Iran out of the SWIFT system, which means Iran can't buy just about everything.
1. Iranian nuclear capabilities are a "legitimate target". For whatever that is worth. We're not sabotaging medical records or taking down Tehran's power grid.
2. Textbook definition of surveillance is watching and collecting. "Active measures" are "spy stuff" but usually far outside of the scope of intelligence collection.
3. Fair point, no way to know. But from what has come out from PRISM/NSA leaks, it honestly looks that the US intel community is mostly postured for data collection.
> We're not sabotaging medical records or taking down Tehran's power grid.
Has China sabotaged anyone's medical records, or taken down any power grids lately?
> Fair point, no way to know. But from what has come out from PRISM/NSA leaks, it honestly looks to be just purely surveillance.
Snowden was an NSA contractor, the NSA would not be responsible for sabotage, their raison d'etre is passive surveillance.
The CIA would be, and nobody's dumped 50 TB of random powerpoints from their Sharepoint deployment. However, various leaks over the years strongly imply that they do conduct sabotage - directly, or by funding saboteurs.
You seem to have rose colored glasses on, in thinking the west does not do things to sabotage others.
1. Stuxnet was active sabotage.
2. Some Chinese antivirus company, Qihoo360, found signatures of computer viruses in China, that matched CIA field programs. Then, the company got placed on the Entity List. Go figure.
3. All the recent propaganda against Huawei seems to be very sabotage oriented. There was evidence that the United States had already stolen Huawei source code, and actively developed tools to hack it. But, whenever someone brings this up, the justification, is that it’s perfectly legal for the United States to do it to others, because it’s enshrined in our laws, but somehow, it’s not ok for others to do it to the United States. Go figure.
2. Provide a reference for this (and other) claims please.
3. "All the recent propaganda against Huawei seems to be very sabotage oriented" That might be economic warfare but I wouldn't call it sabotage.
> There was evidence that the United States had already stolen Huawei source code
yeah, yeah, back it up please. Don't throw out claims.
> But, whenever someone brings this up, the justification, is that it’s perfectly legal for the United States to do it to others, because it’s enshrined in our laws
And anytime there’s someone trying to give a different perspective on the situation, there’s always someone who points out the political context. Sometimes having these conflicting opinions is conducive for good discussion and reducing echo chambers.
> And anytime there’s someone trying to give a different perspective on the situation, there’s always someone who points out the political context.
Yes, the Chinese government hacking into scientific organizations of other countries has political implications. In fact, they are probably the most significant implications, so it's correct to discuss them every time.
Just a detail about language and meaning. I think you may have meant to say:
>"if it was up to me, all of the senior members of the CCP would be tried for crimes against humanity."<
thereby leaving punishment to depend on the determination of criminal activity,
instead of
dcolkitt>"if it was up to me, all of the senior members of the CCP would be tried and executed for crimes against humanity. "*
The form you used describes a sort of "Judge Roy Bean" justice, whereby you assume them guilty of crimes. But if you do assume them guilty, why a trial? Simplify your language to the more succinct:
>"if it was up to me, the senior members of the CCP would be executed. "
I think that's a bit uncharitable, I interpreted the phrase to mean "tried and, except in the very unlikely case that guilt cannot be proved, executed".
I agree that public research should be publicly available, and Covid research in particular, but having worked in biomedicine, I also know that making data available to, and consumable by, everyone else takes actual work and dedicated resources, and most of the time when the data aren't easily downloadable it's usually not because someone doesn't want to share, but because they have other work to do and are possibly still collecting data. Unfortunately some of those resources now have to be spent recovering from a hacking attempt instead of actual science. Speaking as an American, I would prefer that the CIA and NSA please NOT hack Covid vaccine research in other countries based on stupid assumptions.
Again, to deflect the obvious misstatements of how IP actually works, anyone who wants to sell a vaccine to the world will need to produce large amounts of data and presumably a formal patent which will actually document how it is made. How the licensing actually shakes out is a complicated question and will no doubt be as acrimonious as everyone expects, but as long as we're at the early stages these arguments are a waste of time and effort. Get the vaccine(s) working, do it right, do it without fing over the rest of the world, then* worry about whether IP rights or excessive secrecy are holding us back.
I take it you've never worked in information security, because cleaning up after a mess like this is an enormous time suck and they will need to audit their data to make sure it hasn't been "adjusted". (From a national security perspective, I bet derailing a competitor's vaccine trials is at least as valuable as "stealing" data that was already going to become public in the near future.) That means spending time and money that would be better spent doing just about anything else, if it weren't for human nature.
I've always wondered how you can be so sure it's PRC in the age of easily being able to mask your true IP address. Perhaps the identified attacks have been previously linked with the PRC, or another option is that the actors were not as covert as they thought.
The FBI linked a pool of bitcoins used to purchase a VPN service and other things to the Russians. Probably best to not use a crypto with a public ledger for criminal activity.
First of all, the IC works with estimative language, i.e. "with a high degree of confidence", which everyone understands on what to make of it and how it should inform policy (I know, policy is different than a criminal investigation).
To your question: Imagine tracking these threat actors for years (or decades). You have observed different TTPs (Techniques, Tactics & Procedures) from different actors, you see them operating in different ways and with different teams, you can observe the time when they are active, by their targeting you can make an educated guess what they're after, you can correlate their activity with policy changes in their presumed home-countries and lastly you can repeat those observations over and over again since these threat actors are persistent and keep coming back since it's their job. If all these soft and passive observations already point to the same actor(s), and then you get some additional hard evidence on top (Opsec failures, HUMINT, SIGINT), you are eventually able to make a verdict with a high degree of confidence.
I think sometimes they just blame whoever suits the political narrative. The Chinese replaced the Russians as the boogeyman de jour a short while back, so of course they will now be blamed by default.
Same here. I remember once I was watching the news and they claimed a hack was done by Russians because they found Russian comments in the code. That didn't sound very convincing :). The ledger evidence sounds better.
At the same time in this case I would be more surprised if the PRC , since their need for control, and since the stakes are extremely high, wasn't doing such things.
Similarly, I recall a strain of malware being attributed to Chinese hackers because variable names were in Chinese; then when you actually inspect the code, it's clearly Unicode gibberish generated by an obfuscator... That is to say, the hackers weren't even trying to be misleading, it was just a result of obfuscation reminiscent of mojibake. (I read the article on Ars Technica but don't remember enough details to find the article.)
If I ever code a hacking tool I'll throw in some Korean comments for sure.
Do keep in mind that intelligence services are probably not being fully transparent about how they know the source of an attack. They wouldn't want to reveal their methods, to avoid them becoming unreliable in the future.
Which is another reason why attribution of cyber incidents is notoriously difficult.
The CIA is hardly the only organization to put misleading evidence in their attack path. Also, countries like China and Russia have healthy malware ecosystems so a Chinese-written malware can end up in the payload of a {North Korean, Russian, Iranian} cyber attack.
Personally, I'm starting to believe that the only way to have extremely high confidence in attributing an attack is to have surveillance of the person on the source keyboard when it happens or to have telecom evidence of people admitting what they did. Most of the actual attack is probably robotic at this point.
Would you be willing to share some good resources for identifying rework traffic beyond IP? I have seen things in my little snitch logs I wonder about but no real recourse.
I know I might be the weirdo here for browsing 4chon, but for the last few months I have seen a huge incursion of "PRC-affiliated"... "contributions"... and not only to high traffic and high turnover boards but even to niche ones. On boards using flags, these "contributions" come mainly from Canada, USA, and France.
Although I am secretly grateful for this spam, as it cut down my time spent there from 3-4 hours a week to 3-4 hours a month, it's still disconcerting as they are highly organized and apparently take huge pleasure in bludgeoning seals and other harmless creatures. Heck, I am amazed that the boards were clean even after the US Elections, the shutdown of 8chon and other such events.
To publicize the fact that these sort of attacks can be tracked. Similar to when they publish information about particularly crafty drug houses they bust: so that people planning on building a drug house think "well, if they got that house, then they'll definitely find out the one I'm planning, so maybe I'd better not."
This doesn't demonstrate that these kinds of attacks can be tracked though. If I were planning similar attacks, I'd just acquire a Chinese IP address and assume they'd take the blame.
Why would the FBI be hesitant about faking/sensationalizing this? It's nearly impossible to prove, China's unlikely to make an issue out of it, and even if the lie got exposed what punishment would they face?
Are you an infosec expert? You have said that it is impossible to trace origins of hacks multiple times but only offer two shallow points that you would learn about in your first week of a network security class.
There are papers out there that have multiple ways of using language to identify specific authors, determine multiple authors, and even decode unknown language. That's my first shallow example and would be a pretty reliable indicator if you could get your hands on their code. With a budget of millions of dollar I'm sure they have dozens of ways that can be combined. It would make no sense to reveal every single method they use to defend against people on the internet. That also assumes they don't just have a mole who told them about it, which they also wouldn't reveal.
>You have said that it is impossible to trace origins of hacks
I have not said this. The evidence they have provided makes it equally likely that they've tracked these hacks (correctly or incorrectly) or that they've made the whole thing up. You can't rule out either action.
>There are papers out there that have multiple uses of using language to identify specific authors, determine multiple authors, and even decode known language. That's my first shallow example and would be a pretty reliable indicator if you could get your hands on their code
There have been multiple papers on these subjects, with a budget of millions of dollars I'm sure identifiers could be faked. Particularly with password spraying, the only method mentioned.
The problem is that this administration has shown time and again that they're willing to corrupt American institutions (like the FBI) when it suits them.
Firing inspector generals en masse [1], personally attacking specific FBI agents and their families [2], intervening in the criminal proceedings of friends and political allies [3], etc. is a pattern of behavior that undermines the rule of law in this country. It's a comprehensive strategy to weed out anyone who disagrees with you, hurts your feelings, dares second guess you, or, god forbid, didn't vote for you.
This pattern of comprehensive corruption is unique to this administration.
There are _literally_ dozens of links I could provide for each point since these behaviors happen constantly, but I just google'd and picked one each.
>>>pattern of comprehensive corruption is unique to this administration
If you think that this administration is UNIQUELY corrupt....you might be in an echo chamber. Here's a more humorous take on the Obama administration's screwups: https://www.youtube.com/watch?v=1T7F2mvZE1E
That, or have a short memory, since Trump and Obama both pale in comparison to VP Dick Cheney and the Iraq War (KBR? Halliburton? have people forgotten about them already?).
All I see is extreme editorializing of the regular push and pull of government ("horrific neglect", "bull[ing]", "stonewalling", etc). How many of them were fired because Obama didn't like what they were investigating? Trump's count is 5 in the last few weeks. I'm sure Obama fired at least that many if you're making a comparison, right?
You don't take these blog posts seriously, do you? His connection to Obama was... what exactly? This is prototypical far right nuttery: oBaMaS FrIeNd dEeP StAtE BeZoS NyT AmAzOn hEr eMaIlS.
I wonder if you actually read these, since they have basically nothing to do with what you quoted. Did you just google "Obama friends bad" and copy/paste the first few links or something?
>"Obamagate II: Secret of the Schmooze"
Not going to spend time watching some fringe conspiracy YouTube channel, sorry. More complete nuttiness.
>That, or have a short memory, since Trump and Obama both pale in comparison to VP Dick Cheney and the Iraq War (KBR? Halliburton? have people forgotten about them already?).
I'm disappointed that I got this far before seeing this. You should seriously consider that you may be in a short, narrow, and extremely loud echo chamber. These aren't the kinds of ideas that normal, well-read, well-informed people from all sides of the political spectrum hold.
Kevin Johnson was a public political supporter of Obama while mayor of Sacramento.[1] Walpin investigated Johnson for fraud. Obama fired Walpin. Which one of those three facts are you disputing?
>>>since they have basically nothing to do with what you quoted
The cei.org link should have been grouped with the Rasmussen Reports link as they are both related to the firing of IGs.
>>>Not going to spend time watching some fringe conspiracy YouTube channel
That video cites numerous articles from major journalistic outlets (BBC, NY Observer which itself cites the Washington Post) relevant to the discussion of corruption in the Obama administration, and runs through them at the cyclic rate. It's time-efficient content. It's also funny. But you can't debate any of the information provided, or any of the conclusions drawn, if you discount the presenter as "fringe conspiracy nuttiness".
>>>You should seriously consider that you may be in a short, narrow, and extremely loud echo chamber.
In this thread I've cited sources ranging from the right (Michelle Malkin, Heritage foundation), to the center (BBC, CBS News), to the left (Washington Post, Politifact). You haven't posted anything, haven't countered any of the facts, and have only criticized the sources with strawman accusations of "far right conspiracies". I would challenge you to be more aggressive about exposing yourself to information that challenges your positions and assumptions, and avoid the strawmen.
>>>These aren't the kinds of ideas that normal, well-read, well-informed people from all sides of the political spectrum hold.
Which idea are you arguing against, that Dick Cheney and associated companies were massively
corrupt? [2] [3]
Just for additional context several super computing sites in Europe were attacked a few weeks ago and are still down, among them PizDaint at CSCS, which ranks 6th in the world, several super computing sites in Germany (FZ Juelich) and so on. I think no-one wishes this to turn into a kinetic war, but for all we know besides the economic warfare that has been going on for quite some time, this feels like we are in an all out conflict with China.
Well this is clearly a hostile act during a time in which several European countries have declared medical emergencies. They were not just "attacked" but have been completely offline for almost two weeks now (https://www.hpcwire.com/2020/05/18/hacking-streak-forces-eur...).
In Germany it is (incident was 15.05)
- NEMO (Freiburg)
- bwUniCluster 2.0 and ForHLR II (Karlsruhe)
- Hawk (Stuttgart)
- Leibniz Supercomputing Center (Munich)
- JURECA, JUWELS und JUDAC (FZ Jülich)
- Taurus (Dresden)
Switzerland shutdown access to all of CSCS (16.05).
That's not my reading of the article you linked. A bad actor compromised the credentials of multiple researchers with access to various supercomputers (over some unknown or at least unspecified period of time). They then simultaneously accessed the compromised machines and installed cryptocurrency mining software on them.
This could easily be profit motivated (as it appears). It could also be (as you suggest) a hostile act disguised as the former, but I don't see what the motivation to do that would be?
Also the article mentions that Chinese researchers had access to the clusters as well. So the GP's implication is that the PRC attacked these datacenters ... to stop their own research?
Seems more likely that more people are using/accessing these services, and people's guards are down, which made it easier for intruders to get in.
Well there were two incidents (https://csirt.egi.eu/academic-data-centers-abused-for-crypto...) one of which had "unknown purpose". It had the real effect of disrupting the majority of the super computing infrastructure in Switzerland and Germany for almost two weeks now. The attacks originated from China (Shanghai Jiao Tong University and CSTNET).
2 - IP addresses associated with that second attack were all assigned to a Chinese University (Shanghai Jiaotong University), CSTNET and one Polish host known to be compromised by someone from China.
Re 2., since when IP is address tracking a reliable method of attack attribution?
It's like trying to assign blame for a terrorist attack based on where the jacket dropped by a terrorist was made. Maybe it was made in their home country. Maybe it was imported. Or maybe they purposefully wore a jacket made in a different country and dropped it on the scene to confuse you.
Unless you're testing a zero day, and staging an alternate route of infiltration to hide your installation of threat persistence.
I believe it's referred to as the "limited hangout" in spycraft jargon. You maintain the target's sense of security and ability to detect intrusion while you maintain the capability to reintrude at will.
These are crypto mining schemes, though. This looks a lot more like run of the mill money making cybercrime than espionage - I don't think any nation state would be interested in outing themselves for a pittance in bitcoin.
From the site you linked, the one with "unknown" motive has exclusively attacked Chinese academic victims. It would be extremely bizarre to suggest that the Chinese government is behind this.
The second one is the attack that spread all the way to a basement HPC cluster in the Physics Institute at LMU Munich, the IP addresses listed are indicators to look for that your system might be compromised, not the victims of the attack.
It's worth pointing out that countries regularly hack and attack their own citizens. In some ways, it's more important to know what they're doing than what your opponents' are.
How do we jump from some super computers being attacked by unknown actors to a conflict with China. When did every cyber attack become automatically a chinese cyber attack?
I'm not under the impression that non-military research and academic computing facilities are particularly well secured.
Decades ago I spent a bunch of time around fnal.gov with a buddy who worked there, and they were debating the requirement of every computer, including desktops, having a static, public IPv4 address. Nobody wanted to be behind a firewall in the name of open, collaborative research.
Yes, the fundamental problem is that this sort of thing has around the top of the threat list for academic computing facilities for 30 years or so (originally typically coming in to the UK from CERN). It's just that this is larger scale, possibly more automated (filching SSH keys), and has a higher profile. Despite that, the systems are normally not managed to counter the threat, running with known privilege escalations either through unpatched OS vulnerabilities or through something like the batch system. Don't trust them with anything sensitive, including credentials like typed passwords or SSH forwarding, yet people do. I have an existence proof that it doesn't have to be like that for HPC systems, even if you're not allowed system time -- in which case live patching of login node kernels is specifically necessary.
Incidentally, if attackers were looking for sensitive research results from this, I think it would have to be targeted with detailed knowledge about what specific researchers were doing; after all, it's difficult enough for a typical researcher to keep track of their own stuff, and it mostly won't have look-at-me names.
>It's been far worse for countries peopled with and led by idiots, like the USA.
Ranked next to Western European countries, the US ranks at the bottom of worst effected. The worst effected country is Belgium, followed by France, Italy, the UK, Sweden, and so on. As far as CFR, the US is about 1/3 or Belgium, and about 1/2 of the Netherlands.
Among western liberal democracies, the US is among the safest/best place to be right now with regards to health outcomes related to the coronavirus.
>We've already seen a huge shift away from the idea of American global leadership.
This is simply not true, and the evidence of it not being true is echoed at every reasonable metric. People are increasingly storing their money in the US (as evidenced by the stock market refusing to collapse), and increasingly following along with US-led pullbacks against global organizations like the WHO.
China is rapidly losing its ability to enact soft power anywhere in the world.
The US coronavirus response has been one of the strongest among western nations, our economy has weathered this better than anywhere in the world, and we will likely come out of this crisis even stronger, with even more global power, than we went in.
> our economy has weathered this better than anywhere in the world, and we will likely come out of this crisis even stronger, with even more global power, than we went in
Incredibly optimistic and I don't see the evidence for it. The US economy isn't out of the storm yet. Bear Sterns fell in March 2008 and the US economy kept "whistling past the graveyard" until September before it fell off a cliff after the smoke had somewhat cleared. Let's check back in 3-5 months. The only national institution in the US that didn't take a perception hit so far is the Federal Reserve, but that's because it threw $8+ trillion at the problem and made big promises early (too soon to tell if that massive injection will be problematic).
I see a national USA government who chose not to take a significant role in either helping the states (and never told the states that this would be the policy) or other nations (as we normally do during every natural disaster and health epidemic since WW2). I don't think I am alone in that view.
S Korea and Italy (yes, that Italy) sent PPE to assist other countries early in the first wave while the US federal government was intercepting shipments which were legally purchased by (entities in) other countries and diverting them to a federal government stockpile (not the states where civilians needed them).
It's worth looking at how well S Korea, Taiwan, and Singapore reacted to the outbreak. Their emergency health systems acted as if it didn't matter if "China lied" or not and set up useful policies and procedures just in case the disease made it there.
China has started to donate the medical equipment (PPE, ventilators) they didn't need to use after the first wave and they are sending medical staff around the world to assist other countries. The US is exporting some hastily-made ventilators, but it's not yet clear if that will make a difference in the perceptions other nations have of our response.
I think the US has lost significant soft power as we failed to provide the worldwide leadership we have since we became a superpower and China stood up to fill in the vacuum for very low cost to them.
> Ranked next to Western European countries, the US ranks at the bottom of worst effected. The worst effected country is Belgium, followed by France, Italy, the UK, Sweden, and so on. As far as CFR, the US is about 1/3 or Belgium, and about 1/2 of the Netherlands.
The problem is that the numbers you cite aren't about response, they are about {affected population, environment, response}. Being lucky that the USA isn't as population-dense as Belgium (which is 10x the number of people per area of the USA) isn't a strategy, it's an environmental factor.
"our economy has weathered this better than anywhere in the world, and we will likely come out of this crisis even stronger, with even more global power, than we went in" - I can't read your entire paywalled off article, but I think the US' response of basically ignoring the plight of unemployed workers and only nominally trying to save small businesses ... vs the European model of giving aid to employers and cover a fraction of employees salary as long as they don't lay off workers, is obviously going to give the European countries a head start on recovery.
Unless you're a Creative Destruction disciple. There's been a lot of destruction!
The US was probably not the safest place to be with regards to covid, but it's ridiculous to imply that our leaders are all idiots who messed it all up. The data just does not support that no matter how you look at it.
I was replying to this:
>It's been far worse for countries peopled with and led by idiots, like the USA.
Maybe this person means that the majority of western europe as well as The US is peopled with and led by idiots, but it seems much more likely that they are just incredibly misinformed.
The aspect of the pandemic which impacts the USA most greatly is not the number of dead bodies, it is the loss of the perception of the USA as a global leader. Nobody thinks that Italy was key to handling the Ebola outbreak, so they did not lose their reputation over this. In fact everybody knows that Italy is a basket case led by craven criminals. But the USA was until recently viewed as the nation that could coordinate global action against pandemics. Now, everyone sees China as that nation. China is exporting masks and test kits and whatnot. USA is importing them. Officials with the German Marshall Fund, essentially a US propaganda outlet leftover from the Cold War, are going on the record discussing America's abdication of leadership.
Not when there's money to be made. The Gates foundation does seek a Return on Investment, and has publicly stated they wanted to create good markets for vaccines.
Gavi/Gates/GSK and other big pharma companies might be claiming to help the world, but they're also seeking to get a return on their research funding. Even in academic circles, there isn't really a lot of information sharing.
How can western leaders condemn China's lack of publishing info related to COVID-19 and protect private research for curing it at the same time? Research like this should be public and accessible to everyone. I don't know why I shouldn't applaud any hackers spreading this information.
COVID-19 affects the entire world.
Shouldn't all COVID-19 basically be done on a globally viewable wiki?
It's going to take the cooperation of all countries to get through it.
I don't understand why the US should hoard any COVID-19 data it has, besides extremely non altruistic ones.
I come from an ex-communist country. So this is probably (hopefully) the only moment my talent of spotting this kind of shit is useful. The thing is that whatever bad behavior the USA committed in the past, and then anxiously analyzed and mulled over for decades... the Chinese are doing day by day, routinely, without ANY remorse or second thought. With the Russians it was different. Sorry to say this, but compared to the Chinese, they had soul. I do not foresee anything like the collapse of the Soviet Union in China. They are too "rational" for it. Not to mention their numbers. Our only hope is Jesus Christ.
US and China at war? I don't know. China at war? By their logic of expansion, I'm afraid it is guaranteed.
Seems strange to me to assign any emotion to the political entity of a huge country. I don’t even mean what it means. What does China / America/ Soviet Union feeling remorse even look like?
History has shown us that any super power will go to war. The Romans, the British, the Americans. Maybe we’ve learned our lesson from history or maybe today things are different due to greater education, multiculturalism and just rapid communication. Either way we shouldn’t be pinning our hopes on “Jesus Christ”, as again I don’t know what that means. Would he come down and disarm everyone or something?
We avoid conflict by having rational open dialog, educating people and increasing transparency and accountability. The way to increase the probability of conflict is by having this tribalistic us vs them mentality. Everything they do is bad, they are evil and we are just.
I cant tell wether the statement that Russia had “soul” is because of the stockholm syndrome or something else, but how can you say that considering millions of people have been deported to gulags in the early days of communism, and hundreds of millions are still suffering today because of communist regimes Russia imposed on their countries? Do I get a sense of someone decrying the collapse of the SU? The political entity that literally massacred the cultures of millions of east europeans? Think again about what you wrote.
I get what you are saying but those countries were more like colonies than a part of Russia. My opinion is that they should have been left alone, like every country should, especially in that time when technology wasn't so hazardous and so widespread.
The fact that you managed to understand that I decry the collapse of the Soviet Union when my post said the exact opposite, namely that I can't see how in China an event like that could take place -- and this was the foundation on which I based my affirmation of Russians having a soul -- tells me that your agenda stands firmly on the side of the CCP, in detriment of everybody else. Quite sad, really.
There is a big business opportunity, which I am sure is already fulfilled to some extent, to provide air-gap and other securities/countermeasures to businesses and orgs that deal with highly sensitive data, equipment, specimens, whatever.
Some of the comments here discuss how an attacker could tamper with data. What are some good ways for a scientist to ensure the integrity of their data in this case?
Post it online with a hash, particularly in a way that will get archived by others?
Where it's possible, perhaps using a deterministic process that can be easily repeated to verify the groupings haven't been tampered with? (Not to reduce the importance of backups, though they themselves can be attacked, but just as an idea for discussion...)
Here's an idea for how this could work for an example given elsewhere in the thread about the risk of an attacker mislabelling the subjects so the outcomes are unclear or deliberately skewed.
For a binary double-blind placebo trial (one group gets the medication, another gets the placebo), compute the hmac of each subject identifier (name, some participant ID), keyed with a key known to the principal investigator. Everyone whose hash MSB is above 0x80 gets the treatment, and everyone whose hash is below 0x80 gets the placebo. If you need more experimental groups, adjust the thresholds as needed
Clearly this is very restrictive and limited (you might need to ensure a proper demographic and medical/age profile distribution of subjects between both groups), but there are likely ways to achieve this by creating multiple "groups" and doing this process within each demographic balanced group.
You'd get a reproducible outcome, as long as you can recover the patient names or participant ID numbers, and the PI or experimental lead takes careful note of the hmac key used.
Just a straw man idea for how at least the patient to group allocation could be done deterministically. If someone attacked this and muddled patients and groups around, it could be reproduced just from knowing who the subjects are, and the hmac key. Clearly this doesn't scale to results or beyond, but I imagine this is where digital signatures start to help. And with modern ed25519 signatures we aren't talking massive signatures either.
"One of Britain's most powerful academic supercomputers has fallen victim to a "security exploitation" of its login nodes, forcing the rewriting of all user passwords and SSH keys."
"Foreign state hackers are trying to brute-force their way into pharmaceutical and medical research agencies hunting for a COVID-19 vaccine, British and American infosec agencies are warning.
The National Cyber Security Centre (NCSC) and America’s Cybersecurity and Infrastructure Security Agency (CISA) cautioned of a “password spraying” campaign targeting healthcare and medical research organisations."
> Foreign state hackers are trying to brute-force their way into pharmaceutical and medical research agencies hunting for a COVID-19 vaccine, British and American infosec agencies are warning.
I have a hard time believing foreign state hackers are using "script kiddie" tactics. But that's just me.
This is information that can save lives, so I support any nation to hack on COVID research, anywhere in the world. If they patent COVID research, I also support breaking any patent.
Compromising remote systems puts researchers, their work, and patient rights at risk. Patents are published publicly and available free of charge, so I'm not sure how that would be a reasonable justification for compromising other's computers. "Research" per se isn't patentable anyway.
Patents provide country-by-country protection -- a US Patent doesn't mean anything in other countries - except for being evidence of prior art in their own patent offices.
Also, some/many countries have laws that disallow patents or patent infringement claims associated with medicine.
Until the fairly recent proliferation of trade agreements that are negotiated out of the view of the public, the investor relations and patent/copyright clauses that prevented the sharing of medical information were not common and were routinely broken by most developing nations. The business community's wishes had no power there, and quite arguably when it comes to medicine, it is a crime against the people to withhold lifesaving information.
In fact, until the US became top dog in the post-war era, we pirated everything we could from England, especially industrial know-how so that we could promote our own development. It is only after we reached hegemonic status that we started enforcing these ludicrous agreements in order to preserve our own businesses' position.
This is a gross misunderstanding of what patent and copyright actually mean - specifically, they exist to encourage sharing of information, not secrecy. They require full disclosure by definition, so you can't patent a trade secret without revealing it to everyone. There's a period of exclusivity (~20 years), which is very different from "withholding information", but that's only after the IP has been published.
They exist to encourage sharing of information in the context of a private marketplace. Most useful technology is created by state-funded research over decades. The private sector just monopolizes the results. If anything, competition would be better if there were no patents. If employers could simply poach key employees by offering good salaries, they would get that information quite easily.
> Most useful technology is created by state-funded research over decades. The private sector just monopolizes the results.
This is another gross oversimplification at best, and I have yet to hear anyone who has spent significant amounts of time in either public or private sector R&D make such a claim. Real life, and product development in particular, is not so easily reduced to catchy political slogans.
Off top of head, the recent Ebola vaccine was created almost exclusively from gov. research. Merck bought a company who was supposed to commercialize it but they did a really poor job . There are people who would not be dead if the vaccine had been available, sooner
That's an anecdote, not data. The last article I read about this calculated that around 20% of new drug approvals came directly from government/academic research - and that's usually repurposed older drugs (which is actually a good place to focus, since it's cheaper and big pharma isn't really interested in resurrecting off-patent molecules).
Point to nearly anything that has dramatically changed modern life and you will see the arm of the state involved: GPS, internet, the airplane, etc. The best argument I'm aware of for private enterprise producing really novel products is Bell Research, however they were a regulated monopoly, not a competitive industry and the state authorized 10% additional charges for investment.
You can make some arguments about things like iPhones but that device depended on a huge state funded or regulated infrastructure to be useful (e.g. cell towers, internet), and it was essentially a very polished cobbling together of different components (microchips, batteries) that were developed from many decades of state supported / regulated monopoly research.
Business is very good at taking something off the shelf and making money with it. It's very bad at sustained investment that might not be profitable more than a few years away.
If you think Apple simply "took something off the shelf" and sold us iPhones at huge markups, you clearly know even less about R&D than I assumed. Cherry-picking examples like the Internet doesn't really prove your point: try comparing the amount of taxpayer-funded R&D that went into the early (pre-1994) Internet with the amount of private investment since then. (I have no idea what the actual numbers are but I'd guess at least two orders of magnitude difference based on what I've seen elsewhere.)
I don't disagree, but research money spent may be a poor proxy for technical progress if it's spent to research ever better ways of showing ads to consumers.
I mean, it'd make sense if the government research spending aligned with public interest more closely than private investment did, the government is spending the public's money after all.
Totally valid points - but this is why oversimplifying the entire issue into "Private sector bad! Public sector good!" (or vice-versa) is a terrible idea. However, oversimplifying what big companies like Apple do as pushing ads is just as bad. Think about the supply chains involved in building an iPhone, and how the individual components are manufactured - it's decades beyond the roots in government (and remember, projects like the Internet still depended on private companies to actually build most of the hardware).
You are misunderstanding the matter of patents. Modern patents exist precisely because of the inevitability of industrial espionage, which is largely practiced by all developed countries. The goal is that, even after a trade secret is stolen, it will be made useless because nobody can use that information. So the goal is not to "share knowledge", but to avoid the practical use of knowledge that was shared by any means.
Also, you are mistaken in thinking that, by publishing a patent, the company is sharing knowledge. Quite the contrary, the contents of a patent gives only the minimum necessary to protect a crucial aspect of a business secret. Most patents are opaque and don't give any concrete business information that be used to successfully replicate what it is trying to conceal.
In the USA, patents are explicitly mentioned in the Constitution and the purpose is to incentivize disclosure, not because the founders were worried about industrial espionage. It would have been awfully difficult for hostile powers to remotely hack our R&D facilities in 1789.
Think again. Hacking is a very old activity; it was not done with computers in 1789, but you can be sure that there was a lot of industrial espionage between Britain and the US at that time.
Have family that work in encryption, you can think of barriers to entry as orders of magnitude in cost.
AWS can decipher decade old encryption standards for about $100k brute computational cost.
Nation states have access to 5-8 zeros of effort if it is valuable enough. Private entities have no chance against nation-state backed hacking efforts.
It’s one-sided or ‘asymmetric’, because western intelligence refuses to share commercial intelligence with western businesses (probably because there isn’t much of value to share... yet).
Given today's anti-free-thinker HN climate I'm probably going to get downvoted to oblivion for saying this, but I feel I need to say it.
I don't think COVID-19 research should be secretive, I think it should be a global effort, and I'm perfectly happy with the idea of any nation having open access to all COVID-19 research, vaccines, results, and (anonymized) data. There should NOT be a concept of intellectual property when there are people dying in droves from a disease. Please, China, Italy, Spain, everywhere, scoop up all the COVID-19 research you can find and act upon it to save lives. Copy ideas. Copy drugs. Re-do and verify tests. Immediately. Don't mind the courts. They suck, and are sitting in armchairs killing people by delaying the effort and enforcing intellectual "property".
Someone should profit for figuring out how to stop COVID because otherwise there is little incentive beyond the government, and they don’t typically work nights and weekends.
If China succeeds in stealing the solution, that will harm mankind because it will reduce future incentive to stop these things quickly.
>there is little incentive beyond the government, and they don’t typically work nights and weekends
The government certainly doesn’t pull long hours.
Beyond the military. They do pull some late nights and cold field deployments in the DoD.
And beyond local police and fire. And state troopers. Law enforcement does go late and I’m pretty sure fire departments deploy all night. But of course those are not federal.
There is, obviously, the FBI. Those agents are mostly not up at night though. Now, CBP and TSA staff air and sea ports pretty late but that’s different.
The diplomatic corps also works pretty late hours if I remember my leaked cables correctly. But again, an exception. And they get to go to fancy parties.
Obviously people in Congressional staff offices, political advisers in the executive branch, and so forth. But those folk are essentially politicians.
FEMA. Pretty sure some of them stay up.
Other than our armed forces and supporting staff (good morning NSA NSOC), police and fire departments, federal law enforcement, State Department diplomatic staff, staff for elected officials, and FEMA, no one I can think of right now in government stays up late.
Intelligence community, forgot them, other than NSA and FBI. At least some of the 14 other members probably work late, I think? NGA, at least.
But no you’re right, why would we want government scientists like those at NASA, CDC and the EPA working as leading exemplars of COVID research. Surely they are lazy. And they show good work does not happen without a profit motive.
Not to mention that if they find a cure before the world they will mark it as "strategical advantage" and not shared because it's of "national interest." At least based on their past history.
I understand any extra data gives you an advantage, but I think I'm missing a step where they can steal a solution while simultaneously keeping that solution for themselves (assuming stealing means copying/sneaking out information others have already gathered).
Maybe a slight headstart if they throw extra research money on it.
It's not okay to keep solutions for only their citizens, but it would still be in your best interest to share what you know with their citizens so that you have a lower priority of getting infected by their citizens who may travel to your place.
Humans are humans. The virus doesn't care for the politics, it will spread without regard to human-invented political borders, so the preventative measures shouldn't stop at political borders, either. That would be contradictory to the apolitical nature of the virus.
(In any case, if you shared something with them and it is actually useful, there's a good chance you're pretty close to the solution yourself, anyway.)
Before sanctioning stealing, perhaps the problem is two fold. China wants to have the first vaccine for:
* Becoming the first to market, to try and salvage their reputation
* Using the vaccine as leverage toward the incoming sanctions for violating the Hong Kong treaty during UK handover, as well as the now-declared possible non-peaceful reunification of Taiwan
* monetary gain
* leverage against the US restricting/removing Chinese’s companies from the NASDAQ
I agree research should be open, but it’s hard to say to what degree, and how that might effect the economics of it. Whether we like it or not, capitalistic driven progress requires a reward, and one of the few reasons pharmaceutical companies will take the risk of finding a vaccine is the potential for increased reputation, and being first to market.
Without those incentives, it’s straightforward to not to take a massive monetary risk as others are all working on similar problems, thus the likelihood that your lab will be the first is slim.
Further, the crisis is a worldwide pandemic, but if the rate of natural immunity is as high as some predict, the efficacy of these vaccines may lead to less ‘sales’ than initially expected.
I'm not a medical expert, but can someone in the know comment on this? Can I volunteer to get the Oxford vaccine in the US? Can I volunteer to fly to UK and get the vaccine immediately upon arrival?
The problem is not the absence of volunteers, the problem is that as the first wave of the epidemic recedes, most volunteers won’t catch the disease by themselves and thus will add no information as to whether the vaccine works. And challenge trials (deliberately infecting people) are apparently a big ethical no-no.
While that's true, it is still possible to get data by giving the vaccine to as many people as possible and seeing if the virus recedes faster than previous models predicted. If the slope of the trend suddenly buckles when people start taking the shots, there's a good chance it did something.
Although I'm also strongly against deliberately infecting people, if there is a high chance there is no danger to take the vaccine, and a strong possible upside (i.e. possibly save lives in the next 2 weeks), I don't see why we it isn't okay to volunteer to take it today, even if it isn't a fully conclusive data point. Hell, if there are 5 candidate vaccines, and they are all non-dangerous, I'd love to take all of them just to protect my own life, even if that makes me not as useful of a useful data point. There's a nonzero chance the virus will kill me in 2 weeks, 4 weeks, 6 weeks, and I think it is only ethical to reduce that chance even if that means 5 shots (pun intended) in the dark.
Of course, I see people downvoting me and it seems HN doesn't welcome this type of discussion anymore.
There’s a few premises that are hard to get by, for one mass-testing vaccines defeats the purpose of the safety axis of trials. If we knew it was non-dangerous, then there wouldn’t be the need for small scale trials. Instead large scale trials could be done just to try efficacy, rather than both safety and efficacy.
Yes there’s a non-zero chance of death, but assuming you’re a part of the average population (assuming US or UK for example sake), then you’re more likely to die getting in a vehicle.
Personally I’m for vaccines, but I do not want to be the first 10k they try it on. I’m in good health, so I’ll wait months or longer if one where released in their hopeful expedited timeline. By nature of the pandemic, this is rushed, and the risk to reward ratio favors waiting a bit (for myself), given the low mortality rate for people with no preexisting conditions.
Further, I’m near a hot spot, so it’s highly likely I have the antibodies, given others in my household are less careful, and thus my exposure profile essentially equals the lowest common denominator.
You should champion China to be more transparent about the origins of the virus. Even if it did not originate in a lab, shining more light on its origins will help prevent future outbreaks.
China also actively prevented Taiwan from joining the WHO. This would have resulted in more free flow of information.
Curiously, I was a labelled a racist for making this statement.
> Please, China, Italy, Spain, everywhere, scoop up all the COVID-19 research you can find and act upon it to save lives. Copy
China does not do anything for free. Let us not pretend that China is angelic. Have you heard of debt diplomacy?
So we are excusing one of the most locked up countries in terms of information to hack into cutting edge research in a free society.
I have to decided to just stopping commenting on these kinds of threads.
No matter how objective I am it is going to piss violate some unknown law of the land here. Being logically correct in these threads usually ends up being politically incorrect.
> Is it fair and ethical to ask country A to make free all research while being okay with country B hiding its own research on the same subject?
This isn't about countries. I think it is unethical to hide research when it could save lives. If country B is hiding research, that doesn't mean country A should hide it as a revenge, and that doesn't mean the residents of country B deserve to take the brunt of the actions of their government policies. The civilians of B and the civilians of A deserve the best of science equally.
The virus doesn't care about where country borders are drawn. Even in the above situation where country B is hiding their research, if country A shares their research with B, it helps country A themselves because country B's people may be inoculated much faster and immigrants from country B to
A will not be carrying the virus anymore.
The objective function that should be optimized is getting the virus eradicated from the world ASAP. There's a good chance that only some fraction of the world needs to be inoculated with a vaccine before the virus is nearly eradicated, and that will only happen if the vaccine is shared across borders. A good start, for example, would be to inoculate everyone who wants to take a flight or train, inoculate all doctors, and inoculate all service industry personnel, regardless of which of the 200 countries they are a citizen of.
> I think it is unethical to hide research when it could save lives
Why are you assuming the US is hiding research?
Are you aware that there are protocols in medical research against premature release of information as it will taint the results (placebo effects etc)?
There are blackout periods etc. just to make sure that the analysis is valid and not tainted.
Also a lot of research has lag time. Experiments can take a lot of time.
You are also assuming that China is hacking to release information for the greater good. You are discounting the following:
> There are blackout periods etc. just to make sure that the analysis is valid and not tainted.
This is an interesting potential debate. In some sense we are sacrificing lives for scientific validity, because it is potentially possible that we could deploy early, ignore blackouts, and have probabilistically fewer deaths + tainted data. But the world is apparently wanting to choose probabilistically more deaths + clean data.
> In some sense we are sacrificing lives for scientific validity, because it is potentially possible that we could deploy early, ignore blackouts, and have probabilistically fewer deaths + tainted data
This is spurious logic.
How are you saying that tainted science + bad data will result in fewer deaths long term?
You may end up with probabilistically more deaths + tainted data.
Given the posts earlier saying that the virus' origins are part of research and we know they weren't cooperating with the WHO in that research as of not that long ago, I think we do know at least that much.
> Is it fair and ethical to ask country A to make free all research while being okay with country B hiding its own research on the same subject?
An American journalist toured the Soviet Union in the 1930s. Everyone he spoke to proudly bragged about the USSR and its accomplishments. But some things seemed off. He asked about the mass starvation, and his handler explained it was because the kulaks destroyed their food to spite the people. He questioned why newspapers would one day say one thing, and the next denounce the same as counterrevolutionary. His handler responded, there was no difference, he's just misunderstanding the context. Finally he asked about political opponents mysteriously disappearing when they stood against Stalin.
Exasperated, the handler shrieked, "And you are lynching negroes!"
If the PRC gets a workable vaccine first, they can gain influence to get everyone to use a WHO run global vaccine passport instead of separate national systems. They can then tie the WHO's databank into their global surveillance system and franchise out China's surveillance state and social credit score system throughout the world.
- "If you want to buy our vaccine, you need to buy Huawei equipment for all your communications systems" - we've already seen that in France with PPE
- What would that do for investment in vaccine research if you know China can drop in theirs at any time and address the entire market? Investments dries up, China pulls back, go back to 1.
What you're encountering might just be a selection effect since many of these press releases don't raise people's interests. Perhaps it's the people amplifying certain stories to drive their narrative than the FBI themselves?
The FBI is a highly political organization that uses its position of authority to routinely intervene in politics often at the behest of the state.
Usually I list the interference they do in left wing movements where they spy and infiltrate spaces to disrupt and discredit vital activities aimed at e.g. preserving the environment. As a highlight, they tried to get MLK to kill himself. Much of this was documented by the revelations of COINTELPRO. That stuff was never punished, so why would they ever stop? It's good for the integrity of the state.
For a conservative example, the recent "Obamagate" disclosures show how the FBI was instrumental in creating the now totally discredited Russiagate conspiracy which raged in the media for two years as a ploy to disrupt the Trump administration by an insane xenophobic conspiracy that Trump was the manchurian candidate, going so far as to create speculation that he was some kind of soviet sleeper agent from the 1980s. He's of course a bad guy, but this stuff is off the wall.
Now the FBI is being brought under control by the current administration which is attempting to distract from it's total failure to respond to the pandemic and its actions which are widely acknowledged to have made it far worse that it should have been. The United States, the richest most powerful country in the world, has had one of the worst responses in the world. So the administration is attempting to clumsily pin the blame on a "foreign enemy" by saying it's attempting unfairly to do something about the pandemic. What an incredible world we live in.
EDIT: To conclude: Is withholding medical information in a pandemic for any reason ethical? What about for making money? Is stealing such information from such an actor unethical?
