Articles on Cyber-Warfare from the Modern War Institute at West Point (usma.edu)
114 points by Ice_cream_suit on Jan 12, 2022 | 58 comments



> "Ignore the Human Factor at your peril"

Indeed. Why bother with weapons (kinetic AND cyber) at all, when both the spread and the pseudo-anonymous nature of online communication have left the thoughts, desires and opinions of the Western world wide open for study and manipulation.

I used to have strong opinions about the necessity for a fully free, open, anonymous, untracked, etc etc, internet. However, from a national security point of view, countries like Russia and China have it right. Why would you allow the above to happen to your citizens?


> Why would you allow the above to happen to your citizens?

In peace time, it's logical to continue military developments on individual members of the public. Besides, there are more constraints on military activity at times of war: biological & chemical weapons are banned, but propaganda or psyops continues to be developed as it's not banned under any international convention. Psyops can both microtarget and blanket cover huge parts of the population.

The public make the mistake in trusting those who rule over them.


> The public make the mistake in trusting those who rule over them.

Like we're supposed to trust corporations more? At least the government has some degree of transparency and it's at least theoretically possible to vote people out or make changes.


I don't think this would be a problem if we could divorce ourselves from using massive centralized internet services for everything. On a small forum if somebody is a troll it's pretty clear to the community. In fact, you get used to the trolls because you remember them by name. The small community should also be free to deal with it as they please.

It's why I'm becoming more and more in favor of the nuclear option of repealing Section 230 just because it would break up the monoculture internet status quo.


I don't agree. Centralization allows for one solution. It also incentivizes the central authority to solve the problem rather than incur the wrath of government.

The problem is not centralization. It is how the centralized authority is empowered and itself incentivized. I'm with the original commenter. The solution is better and more conscientious central government.


"Just tell me where in the world you find these angels who are going to organize society for us." - Milton Friedman https://www.youtube.com/watch?v=MQ0-cDKMS5M


> In fact, you get used to the trolls because you remember them by name.

There's a concept in feminism called the "missing stair", which is basically the complaint that whenever a community knows someone personally, they'll adapt their behavior to his rather than ruthlessly insisting that everyone needs to behave exactly the same way.

I don't quite understand why that's supposed to be such a bad thing.


Ever worked with a seriously toxic co-worker? One who couldn't be fired for whatever reason. Did you notice that work-flows quickly became, "How do we work around the jerk?" rather than "What is the best thing to do?"


What about the Euro model of localizing data, privacy laws, right to be forgotten, etc? It doesn't stop scrapers/data harvesters from accessing data, but it might slow it down a bit. Or does it really just keep upstarts from entering the infospace legally?

Otherwise, I'm also concerned. Cyber crime laws didn't protect us from state sponsored hacks like Sabre, Anthem, OPM, etc. Combined with real-time psychology profiles based on personality, addictions, ideology, available for sale at Facebook, Twitter, Reddit, very dangerous information about people is in the hands of the 'enemy'. The real problem is even understanding who the enemy is, or how they will decide to abuse this information.


> The real problem is even understanding who the enemy is, or how they will decide to abuse this information.

I'm quite sure that state-sponsored online warfare, both psychological and through system intrusion, is very active, and we are losing because we don't even know where or what is happening.


Consider for a moment that perhaps most online warfare is not state-sponsored, for foreign gain, but is instead privately-sponsored, for the gain of our local moguls.

It's a war we've lost a while ago.


Anonymous and untracked aren’t the problem. Facebook is where most of “thought, desire and opinion” manipulation occurs. Totally the opposite of anonymous and untracked. How about Twitter? After these we have our own mainstream media spreading misinformation and running d&c psyops on the citizens. And we also can put a lot of blame on our vaunted universities. How many communist revolutionaries have been produced by radical tenured professors. I’d say most.

But you want to blame anonymous and free speech? Rather fascist no? Should we do it like the CCP?


I said "pseudo-anonymous", and by that I meant, there's no way to know which disparate online identities relate to which humans. As a consequence, I personally don't assume that anyone online particularly relates to a human.

I would go so far as to now say that, on the largest social scales, anonymous and pseudo-anonymous online communication is causing the biggest problems. This includes scenarios like Facebook friends who you think are people you know and website comment sections with plausible-looking people.


> Facebook is where most of “thought, desire and opinion” manipulation occurs. Totally the opposite of anonymous and untracked.

This matches media sentiment instead of what is happening in the real world. QAnon originated on 4chan and thrived on 8chan.

> After these we have our own mainstream media spreading misinformation and running d&c psyops on the citizens.

Tons of misinformation originated from /pol/.

> And we also can put a lot of blame on our vaunted universities. How many communist revolutionaries have been produced by radical tenured professors.

Free thought is valuable. I do not personally agree with communism for a wealth of reasons, but people should be free to entertain these ideas and try to understand them.

> But you want to blame anonymous and free speech? Rather fascist no? Should we do it like the CCP?

Free speech does not require anonymity. Speaking about the cons of a fully anonymous internet does not make someone fascist. Our only choices are not a fully anonymized internet or the CCP. There is a balance that can be hit. Likely, leaning too far to either side will result in consequences which outweigh the benefits.

I am not sure where that balance should be placed. Everyone should have the ability to be anonymous or use encryption without backdoors, but this makes people untraceable. Probably the balance is close to what we already have today.

I think you misrepresented the original commenter's perspective though.


> And we also can put a lot of blame on our vaunted universities. How many communist revolutionaries have been produced by radical tenured professors. I’d say most.

Oh yeah, communist revolutionaries are a big problem in the United States right now. /s Or maybe you're saying "communist" when you really mean "Democrat"? The real problem is Y'all Qaeda and Christian Reconstructionists trying to bring an end to our system of government.


>> Western world wide open for study and manipulation

I have long since held the opinion that blogs and online publishing would yield an avenue for foreign influence and cognitive attacks on our way of life.

For what it is worth, I do believe that the government and our intelligence agencies are fundamentally good and are staffed by mostly non-partisan, non-extremist patriots who I have tremendous respect for. We are, presently, a government for the people by the people and of the people.

I do, however, fear that our intelligence agencies and politicians exist with a high degree of arrogance derived from a faith in the superiority of our messaging. I share their faith that our way of life and methods of dealing with each other is superior to that of communist or authoritarian societies, but I do not share their same level of arrogance.

I am more inclined to think that the internet should be modified so as to ensure that the emergent dialogue, the emergent narrative of history and events, is one that came about naturally from our citizens speaking with one another.

For starters, comment sections should be siloed or firewalled nationally. Media entities of significance that wish to portray themselves as reputable news media should be required to have a registration with the government. Their comment sections should be limited to an anonymized walled-garden of citizens of our country only.

Removing foreign influence operatives from the comment sections of CNN, WashingtonPost, and Fox News would do a lot to heal the national divide and quell the brewing extremism.

I would go much further than that and would do tons of experiments if I was in charge of a department handling such a push at the government level. I think all of these troll attacks on our republic fall under the umbrella term "cognitive attacks" and I think it is time we make an effort to apply network security concepts to our national, internal dialogue.


> Removing foreign influence operatives from the comment sections of CNN, WashingtonPost, and Fox News

Even if it didn't fail the first amendment test, and the difficulty of identifying the real identity and nationality of posters, this would be easily addressed by paying some Americans to be propagandists. Or just signing up to existing domestic propaganda organisations and "steering" them a bit. https://www.theguardian.com/us-news/2019/apr/26/maria-butina...


It is unclear what you are saying here.

Are you saying (1) "This update to the system's defenses would be circumvented by attackers using this alternative method."?

or are you saying, (2) "An easier solution is for the Department of Defense to inject their own commenters into the comment sections so that truth combats the noise our adversaries bombard us with."?

Replying to (1):

This suggestion of yours would involve foreign adversaries having to recruit Americans to be traitors in a way that is (A) easily tracked to their personal identity and (B) risks imprisonment.

It is true that they could try this method, but I doubt their success. Few people would betray their nation and community in such a transparent way.

That severely handicaps the efforts of our adversaries who are currently waging a war for the minds of some of our most vulnerable and unstable citizens.

Replying to (2): The DOD already does this. I know of several such operations of pretty cool levels of sophistication. I think the efforts are made with good intentions, but I think this whole effort falls short and doesn't stop the problem at the source. It also makes it so that comment sections everywhere appear "crazy" and enemy efforts still succeed from time to time at programming our citizens against the state.

A useful idiot (Russian term) programmed by an adversary to doubt the truth will oftentimes see the government's sincere efforts to spread the truth as evidence that the government is corrupt. These idiots will seek refuge in news media run by adversaries like RT dot com.

A useful idiot will also find themselves accused of being a foreign shill. By being accused of working for a foreign government while knowing they are just a normal citizen, these useful idiots immediately begin to believe that there are no foreign shills and that they are, in fact, all Americans who are being oppressed by a corrupt government. It is this state of "foreign programmed useful-idiocy" that renders an idiot to become a pawn to our adversaries who will then go around spreading anti-western civilization misinformation.

We should just prevent all of this outright, I think #2 is simply not enough.


I'm having a very hard time with your suggestions. You begin with,

"For starters, comment sections should be siloed or firewalled nationally. Media entities of significance that wish to portray themselves as reputable news media should be required to have a registration with the government. Their comment sections should be limited to an anonymized walled-garden of citizens of our country only."

Which limits the visibility of comments to those who are identifiably citizens. (How often have you seen a comment like, "Things are actually much (better|worse) than what is being reported" on an international story?) Then,

"This suggestion of yours would involve foreign adversaries having to recruit Americans to be traitors in a way that is (A) easily tracked to their personal identity and (B) risks imprisonment. It is true that they could try this method, but I doubt their success. Few people would betray their nation and community in such a transparent way."

You declare anyone who violates that barrier to be a traitor subject to imprisonment.

That seems to me to be, at best, using a sledgehammer as a fly-swatter: it'll do a lot of damage and really won't hurt the fly.

And I say that as someone who is not all that fond of internet anonymity.


> Removing foreign influence operatives from the comment sections of CNN, WashingtonPost, and Fox News would do a lot to heal the national divide and quell the brewing extremism.

No one in Operation Mockingbird even so much as got a sternly written letter when they were caught implanting CIA agents within national news agencies. They got the message loud and clear though: it was only a problem if the U.S. government directly coordinated the propaganda. The CIA immediately privatized the whole operation and hid it behind the curtain in Allen and Co's Sun Valley conference, where they still meet every year (for 37 years now), to coordinate the national narrative.


The government of the people, by the people, for the people is able to talk to the press and control the media through various means. This is true. This is also fundamentally good when the government is a Western Liberal Democracy.

The issue I am trying to discuss is the comment sections which are being leveraged as an attack vector. In addition to that, there is the issue of attackers leveraging abstracted comment sections like Reddit, Twitter, Facebook, and even HackerNews.

The adversaries are everywhere. They are even embedded in tech companies under false identities.


"They are even embedded in tech companies under false identities."

"The commies are among us!" seems to historically have done more damage to us than it did to them.


Just in the unlikely event of disarmament negotiations between cyber superpowers in the future: you can count nukes and explosive power, but you can't count cyber weapons.

A new deterrence doctrine, nobody knows what will happen.


It has already evolved. I don't want to rehash everything here, but I wrote something that made the rounds at the Munich security conference some years back and the bottom line is deterrence to massive cyberattack is via nuclear weapons.

Do you like Moscow? Ok great. Keep the lights on stateside.

That's the policy.

I know it isn't what HN likes to hear but it's not like it doesn't exist. There is a reason the nuclear football has a switch to disable the internet for at least the USA and probably Canada too because of NORAD, etc. Even Matt Tait (aka, pwnallthethings) has talked about the "strategic threats" from the cyber domain of war at a completely unclassified conference in Miami and he ended the talk with a mushroom cloud up. I believe it was the keynote, but I can't quite remember.


Where is the source for the switch in the nuclear football to turn off the internet?

I remember Obama wanted that option, but there was significant pushback and I thought the idea died on its own. What happened?


I am also after this info. I believe the parent poster given his high reputation, I just hope he can point us to some sort of article about it as google is failing me


I like the idea of adding rather vague threats, compared to kinetic weapons, with often not clearly or quickly identifiable causers/perpetrators as a possible justification for a nuclear weapon use.

Increases the fun and excitement.

Should become a "launch on warning" criterion.


FWIW I tried to visit the website linked in your description but your certificate is invalid since November.


It's not totally unprecedented.

It's hard to count HUMINT assets too, and yet it is the subject of negotiations.

Biological weapons have been similar and are perhaps most analogous. Though, you can offer tours of your facilities and it's harder to hide large fermenters and the like. But it's much harder to identify offensive weapons research than it is offensive production.


> A new deterrence doctrine, nobody knows what will happen.

I'm quoting someone else's apropos statement here: "You don't just turn a country's electric grid back on."


Can't you just hide nukes or do they emit some radiations that are visible through satellites?


It's not terribly difficult to hide nuclear warheads themselves. Their launch systems, however, require a significant amount of infrastructure that is usually easily visible. As is the infrastructure for building the warheads.


> Can't you just hide nukes...

The Russians say so.

https://www.newsweek.com/russia-us-hiding-nuclear-weapons-13...


The article refers to "clever accounting tricks" but doesn't say if a nuke that was never registered anywhere is detectable.


Looks like the USMA has taken defensive action against all the HN visitors pummeling its website (pages loading slowly, if at all).


Yeah, I'm sure they're super busy trying to get fewer people from HN to read their content. Not a hug of death thing at all.


Take a look at the institute's list of fellows - some very interesting people!

https://mwi.usma.edu/fellows/max-brooks/


Getting off topic here a fair bit, but you may enjoy these conversations with Max Brooks from the Commonwealth Club:

-How Star Wars Explains Modern Military Conflict: https://www.commonwealthclub.org/events/archive/podcast/max-...

-How Game of Thrones Explains Modern Military Conflict: https://mlcavanaugh.com/2019/04/09/how-game-of-thrones-expla...


It's worrying how IT security is getting militarized because conventional conflicts are becoming less frequent (which is a good thing) and thus military staff might be getting bored/lacking opportunities.


The biggest defense on a societal level is a pervasive use of MFA for all applications, a good patching policy and backups.


Those are good points, but there's quite a bit more to it than that.

Off the top of my head, hunting within your network and reducing attackers' dwell time is another strong recommendation. Proxying internal network traffic with SSL-decrypt and rules-based analysis is another. Defining boundaries and firewalling off infrastructure to limit the blast radius is another. Scanning project code, dependencies and containers, and so on.

It really requires a holistic approach and commitment. There is no one right answer here but it's something we all need to take seriously, imo.

Disclosure: Have worked for several cyber-security startups with former .gov and .mil professionals while assisting many sensitive federal agencies myself.


Does SSL-Decrypt and rules-based analysis work? These are the times I've interacted with them:

1. Disabling SSL-Decrypt because it blocks HTTPS from PowerShell, bash, git, Android Studio and other command-line tools where I couldn't figure out how to trust our internal cert. I figured it out for Postman, but mostly I just couldn't figure it out.

2. Disabling or exempting rules that blocked our pharmacy app from going to webpages or performing SQL queries that included legal drug names that were also illegal drug names.

I think it's tough for non-security professionals who feel burdened and never get to see the benefits.


Define "work". It's a layer in your overall plan. You should be able to apply it selectively and tweak as appropriate.

If an internal resource is exfiltrating information somehow, the goal is to uncover that activity.


I'd expect in case of actual war, prepare for commercial network connectivity to fail.

Satellites? Shot down.

Fiber? ISP and higher-level routers are owned or simply DDoSed.

Cellular? Whatever parts of the edge are owned are down, and the core networks get targeted heavily. At best this will be spotty.

The big internet-interconnects? Targets for cruise missiles and any other viable attacks.

BGP? Fully poisoned and needs to be cleaned up before anything works.

I'd expect the DoD to have their own networks up that are much more resilient. But our current highly interconnected, tiered, and multi-faceted internet is going down the moment war between the great nations breaks out. It is simply too easy, and too valuable for the enemy not to do this.


Also cutting underwater cables. In the news in the last few days as a potential act of war [0], and the real-world effects have already been seen, e.g. [1].

[0] https://www.forces.net/news/chief-defence-staff-russia-cutti...

[1] https://en.wikipedia.org/wiki/2008_submarine_cable_disruptio...


Unless EMPs also wipe out consumer electronics, there will likely be only islands of connectivity.

I'm thinking folks with Wi-Fi gadgets and COTS networking gear could very well build local connectivity, but those islands would be unable to talk to each other. The Wi-Fi gadgets would have to mesh up over distances which are likely to exceed their range.

Jamming and a generally dirty RF environment is likely in a war of such magnitude, so perhaps distributed laser links would work best, if one could create line of sight between the link nodes.


Just out of curiosity, could you suggest any good tutorial/book/manual etc. about how to create local (let's say city-wide) networks with consumer electronics?


Nope, but in a crisis I'm sure many would make do with what they have.


To your list I would add a nice virus that wipes clean all the hard drives in the commercial clouds.

Just that would decimate the West and would need decades to recover from.


MFA and patching don't help much when your perimeter gets knocked over by a zero day. There is quite a bit more that goes into security than these surface level recommendations. It's why cybersecurity is such a hot field right now, with a massive talent shortage.


There's a talent shortage because most companies don't want to make security a priority. The executives just go "eh, we have insurance for that" beyond some base threshold of security focus. The companies don't want to train either. I see way more dev postings than security ones.

I'm an application security champion (in addition to being a dev) at my company and I'm looking for a new job. I see very little for security and almost none that are entry level. The ones I do see don't pay as well as the dev jobs either.


Not disagreeing, but Op's 'biggest' and 'societal' is not necessarily in disagreement with what you said, and leaves lots of room for necessary measures above and beyond.


People get compromised with MFA all the time. It’s like 1/10th of a societal level solution. The real biggest part is also the hardest and that is education. Password managers, spotting phishing, spotting scam calls, using MFA, updating your software regularly, patching your ancient home router, etc. It takes a lot and these are all likely vectors you will get popped as a regular user in home equipment. There is no cure all and even as someone with 15 years of experience in the most technical parts of information security I have no simple solutions. Don’t use computers lol.


Yes, they do get compromised, but that doesn't mean you shouldn't use it. It also doesn't mean that's all you should use. If all of society used 2FA, we'd be much better off, which is all OP was saying. Also, 1/10 can still be the biggest factor. But this is getting pedantic.


I don't think it is pedantic at all. I have been in the most technical parts of the infosec industry for 15+ years. The usability of security features and user education is the iceberg. Getting them to use MFA and such are the tip.


I think you're so deep you don't see the forest for the trees. I doubt you are right about people getting compromised with MFA all the time. Especially with hard tokens. If you can substantiate that claim, I might learn something.


I see it all the time in incident response summaries. It's happened to our own customers many times. Standard "enter a few numbers" MFA is easy. Phishers collect it just like they get passwords. It raises the bar slightly. Hardware based MFA is a different situation. So it has to be qualified. But normal people logging into their bank accounts don't have hardware MFA tokens. Most security professionals don't even use them everywhere.

We run phishing simulations and red teams dozens of times a year for F500 and high tech firms. MFA tokens are never what saves someone. Ever. We always get in. Often with phishing or smishing.

I talk with many other folks that do red teams and phishing engagements. It's of course anecdotal, but it's a rather large and high impact customer set across people I know and our own customers.

It will save some people some of the time. But not like people think.

If my own deep experience and what I have seen in the field doesn’t convince you, that’s fine. I’m just sharing what I know to help people understand.
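The distinction the commenter above draws between "enter a few numbers" MFA and hardware (WebAuthn-style) MFA comes down to what the verifier can check. This added example, not from the thread or any linked article, models both verifiers in simplified form: the TOTP verifier sees only six digits and has no way to know which site the user typed them into, while a WebAuthn-style relying party checks the origin and rpIdHash the browser signed into the assertion. The secrets, origins, challenge strings, and the HMAC stand-in for the authenticator's ECDSA signature are all constructed for illustration.

```python
"""Verifier-side comparison: an OTP carries no information about where it was
typed; a WebAuthn-style assertion is bound to the origin the browser visited.
Simplified model, not the WebAuthn wire format (constructed example)."""
import hashlib
import hmac
import json
import struct

# Constructed sample values.
TOTP_SECRET = b"constructed-shared-secret"
CRED_KEY = b"constructed-authenticator-key"   # stand-in for the private key
RP_ID = "bank.example"
REAL_ORIGIN = "https://bank.example"
LOOKALIKE_ORIGIN = "https://bank-example.test"  # constructed lookalike site


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamic truncation."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_verify(secret: bytes, code: str, at: int) -> bool:
    """The server sees six digits and a clock; nothing in the input says
    which page the user typed them into, so a forwarded code is valid."""
    return any(hmac.compare_digest(totp(secret, at + d), code)
               for d in (-30, 0, 30))


def authenticator_assert(origin: str, challenge: str) -> dict:
    """Browser + authenticator model: the browser fills in the origin it is
    actually showing and derives the RP ID from it; the authenticator signs
    over both (HMAC replaces the real ECDSA signature here)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    rp_id_hash = hashlib.sha256(origin.split("://", 1)[1].encode()).digest()
    signed = rp_id_hash + hashlib.sha256(client_data).digest()
    return {"client_data": client_data, "rp_id_hash": rp_id_hash,
            "signature": hmac.new(CRED_KEY, signed, hashlib.sha256).digest()}


def assertion_verify(assertion: dict, challenge: str) -> bool:
    """Relying-party checks in spec order: origin, challenge, rpIdHash,
    then the signature over authenticatorData || SHA-256(clientDataJSON)."""
    data = json.loads(assertion["client_data"])
    if data.get("origin") != REAL_ORIGIN:
        return False          # approved on some other site: reject
    if data.get("challenge") != challenge:
        return False          # not the challenge this session issued
    if assertion["rp_id_hash"] != hashlib.sha256(RP_ID.encode()).digest():
        return False          # credential scoped to a different RP ID
    signed = assertion["rp_id_hash"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(CRED_KEY, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def forwarded_otp_accepted(now: int) -> bool:
    """A code entered on the lookalike page and forwarded to the real site
    a few seconds later passes: the TOTP verifier cannot tell the difference."""
    code_entered_on_lookalike = totp(TOTP_SECRET, now)
    return totp_verify(TOTP_SECRET, code_entered_on_lookalike, now + 5)


def forwarded_assertion_accepted() -> bool:
    """Same flow with an origin-bound assertion: the user approves while the
    browser shows the lookalike origin, so the signed clientData names that
    origin and the real relying party rejects it."""
    challenge = "constructed-challenge-123"
    return assertion_verify(authenticator_assert(LOOKALIKE_ORIGIN, challenge), challenge)


def genuine_assertion_accepted() -> bool:
    """Control case: approval on the real origin verifies."""
    challenge = "constructed-challenge-456"
    return assertion_verify(authenticator_assert(REAL_ORIGIN, challenge), challenge)
```

The same origin binding is what makes a hardware token resistant to a relayed login even when the user is fooled; a real deployment also stores per-credential signature counters and uses a fresh random challenge per session.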


Most routers today have automatic patching schedules, so at least that one is getting better.



