[HN Gopher] Cyber Security: A pre-war reality check
___________________________________________________________________
Cyber Security: A pre-war reality check
Author : edent
Score : 362 points
Date : 2024-05-18 09:38 UTC (13 hours ago)
(HTM) web link (berthub.eu)
(TXT) w3m dump (berthub.eu)
| sans_souse wrote:
| At times it's a bit difficult to read, as it seems to be a
| telescript of a speech. But the overall gist and main topic are
| one that needs much more attention sooner rather than
| later/never.
| nonrandomstring wrote:
| My colleagues and I submitted a similar talk/paper for a
| different NCSC conference (but weren't accepted). I see that
| this talk by Bert Hubert covers mostly the ground. so I am
| pleased, but worried about what this take misses out.
|
| Hubert is addressing much of the ground that lies between
| security and resilience.
|
| Our emphasis is on how mitigation lies in education and
| autonomous systems over regulation. Not that regulation is
| wrong, just that it doesn't work as a stick without a carrot.
| We also looked at timescales and how so much is already too
| late because of the lag-time from drafting to efficacy. And
| what I know from hanging out here on HN is that technologists
| appear hostile to regulation, but giant companies love it so
| long as they get to write the rules that give them more
| monopoly power.
|
| Where we went wrong I think is lack of political tact. Hubert
| stops himself from even finishing off the remark about the
| quality of Microsoft products. But I don't think the real
| problem can be ignored for much longer. Instead, we went all-in
| and emphasised (as previously here [0]) that "Big Tech _is_ the
| cybersecurity problem " (as Bruce Schniere recently echoed)
| because it pushes (in addition to highly centralised single
| points of failure) an irresilient "insecurity industry" that is
| based on _protection_ not security.
|
| Hubert's talk doesn't get to the key issue;
|
| Security and protection are not the same thing.
|
| Protection leads to dependency that ultimately erodes real
| security.
|
| However "protection" is easy and profitable to sell. Real
| security is not.
|
| That is ths succinct way in which it must be put.
|
| If the intel appraisal is accurate and we are entering a
| serious war footing than we can have no more patience for the
| profitable but dangerous "insecurity industry" that gives an
| appearance and simulation of security, without the reality.
|
| [0] https://techrights.org/o/2021/11/29/teaching-cybersecurity/
| ahubert wrote:
| Author here - if you have any questions, please do let me know!
| wyldberry wrote:
| No questions, but as a security person, I found this to be
| aligned with the view of many of the people i consider to have
| a good pulse on the warfare side of security. You're certainly
| not alone in these thoughts and efforts to fix.
| nonrandomstring wrote:
| Very good. Well said and most enjoyable.
| skybrian wrote:
| This is off topic, but I'm idly curious about the history of
| shipbuilding regulatory changes after the Titanic. Where did
| Brenno de Winter learn about them?
| auct wrote:
| What were the vulnerabilities in your 1600 lines imgur
| alternative?
| ahubert wrote:
| https://github.com/berthubert/trifecta/blob/main/README.md#k.
| .. has a list. The most painful one for me is that I did not
| know .svg files can contain javascript that gets executed _in
| the site context_ if you can get someone to click on a link
| to your .svg file!
| softsound wrote:
| That's one of the reasons SVG is often a third party plug-
| in with WordPress it's because of all the security
| involved.
| yread wrote:
| CSP would help against that. But at that time alpine.js was
| incompatible with CSP...
|
| Anyone tried using the new csp alpine.js build?
|
| https://laravel-news.com/alpinejs-csp
| RGamma wrote:
| Good to see there's still some people vouching for old-school
| programming virtues. Among all the capital-driven
| centralization, scaling and complexification dominating the
| conversation I thought I was going crazy...
| mike_hearn wrote:
| You talked a lot about how bad it is for governments to
| outsource stuff to Huawei and a handful of US clouds, but
| didn't really touch on what drive all those decisions beyond
| claiming it's due to non-technical leadership. It'd be great to
| see a somewhat deeper analysis than that in future. There are
| plenty of tech companies that also outsource a lot to the
| cloud, so it has to be more complicated than that, and there
| are European mini-clouds that don't get much love from European
| governments also.
|
| The basic problem is fundamental: outsourcing is a very common
| thing you find in all walks of life, it is often the most
| reasonable choice due to comparative advantage. This is the
| reason I eventually gave up on "decentralization" as a
| worthwhile technical goal (after years spent working on
| Bitcoin). Everyone is trying to outsource everything that isn't
| their key competitive advantage, and that's because
| specialization is the heart of progress. The costs of
| centralization are obvious in terms of loss of resiliency, but
| when people aren't actually needing that resiliency for entire
| lifetimes it's hard to convince anyone to take the loss of
| progress that decentralization may appear to entail.
|
| So what to do? As you found with your 1,600 line imgur
| alternative just starting over to make stuff be secure is ...
| hard. You wrote in C++ (not the most security conscious choice)
| and some of those vulnerabilities are very basic, like the one
| where you discover that due to a bug some users are getting
| empty passwords. You also sort of assume that your users will
| keep your app up to date, but we know they won't. So simply
| demanding programs be smaller isn't going to work. You'll just
| speedrun the history of vulnerabilities. Indeed, one reason to
| outsource stuff to a handful of giant providers is that they do
| a much better job of security overall. Yeah Microsoft may have
| problems with Chinese hackers, but government IT routinely has
| problems with greedy teenagers. So MS is still ahead of the
| pack.
|
| IMO the most critical thing is really whole-systems analysis to
| find sources of unnecessary complexity and fix it. That won't
| necessarily turn the tide, but it can at least help. As a
| trivial example, HTTP stacks don't understand the concept of
| load balancing. They're still stuck in a world where every
| website is run by a single computer. That entails a lot of
| server-side complexity like dedicated LBs, maybe even DNS LB,
| replicated databases, health checks, drain periods etc just to
| avoid users seeing little dinosaurs due to normal maintenance.
| The complexity of this is overwhelming. When users accepted
| things like "This service will be offline on Sunday due to
| maintenance" you could get away with it but now people expect
| everything to be 24/7, so that complexity drives people to the
| cloud where it's somewhat handled for them.
|
| Thus an obvious quick win - extend HTTP and DNS to understand
| IP address globbing and maybe even static route matching. If a
| connection to a server fails, have the stack transparently fail
| over to another one. Now you can scrap your server side LBs and
| reverse proxies but still have an HA service.
| alextingle wrote:
| > Indeed, one reason to outsource stuff to a handful of giant
| providers is that they do a much better job of security
| overall.
|
| Is that really true?
|
| Shifting infrastructure to the cloud makes it cheaper, it
| reduces the incidence of security problems, but it magnifies
| the impact of security problems when they do occur.
|
| Is that a "better job". How do you measure that?
| mike_hearn wrote:
| Well, fair point. If you consider blast radius of failure
| then maybe it's worse off yes. But then the issue is not
| them doing a bad job but that too many people rely on them
| doing a good job,
| int_19h wrote:
| It is the most reasonable choice when you get to disregard
| the long-term risks because by the time they are likely to
| manifest in a problem, it's no longer your concern anyway.
|
| I don't think it's accurate to describe it as "loss of
| progress", either. It just makes progress _more expensive_.
| There 's no reason why e.g. those support & maintenance jobs
| cannot be located in the same country, or at least a friendly
| one - it's not like there's something magical about China
| that makes Chinese inherently better at 5G maintenance. Nor
| is there any reason why the data centers cannot be run by
| different companies in the same country.
| sublimefire wrote:
| As an SWE I do agree somewhat with what you say but this story
| is not complete. If you look at the attacks on Ukraine and the
| cybersecurity damage done it was fairly small in the grand
| scheme of things. Another important thing is that Microsoft
| helped them to fight back as well, so it was not a terrible
| investment. Was there any quantifiable risk assessment done to
| understand the potential damages if Russians carried out
| similar attacks in the Netherlands?
| dralley wrote:
| > As an SWE I do agree somewhat with what you say but this
| story is not complete. If you look at the attacks on Ukraine
| and the cybersecurity damage done it was fairly small in the
| grand scheme of things.
|
| It's worth mentioning that the most expensive and extensive
| malware attack in history was caused by one of such Russian
| cyberattacks hitting systems which (at the time) they weren't
| intended to. Causing severe shipping delays and billions of
| dollars in damage.
|
| https://www.wired.com/story/notpetya-cyberattack-ukraine-
| rus...
|
| If such attacks were _intentional_ , you could cause much
| worse problems.
|
| For example, doing _this_
|
| https://www.cisa.gov/news-events/news/attack-colonial-
| pipeli...
|
| except without offering a ransom fee to undo the damage, and
| doing it in parallel across more industries.
| sweetjuly wrote:
| Why _don 't_ we see these attacks though? I know they're
| worryingly practical and the West certainly has enough
| enemies (especially from extremist groups who don't have
| the same peace keeping concerns as a nation state), and yet
| we don't see groups just sabotaging critical infrastructure
| and businesses left and right. Is it really just
| difficulty/a lack of skill?
| time0ut wrote:
| First, thank you for the article and discussion.
|
| Do you have any thoughts on the role and practicality of
| deterrence in this space?
| ahubert wrote:
| No, not really - however, based on this post, several people
| contacted me with questions like these. I asked around and
| got recommended https://www.amazon.co.uk/Cyber-Persistence-
| Theory-Redefining... for a more theoretical basis. Haven't
| read it yet though.
| time0ut wrote:
| Interesting. I will have to read it. Though from the
| description it does not sound hopeful. Thank you.
| baxtr wrote:
| Is there a video version of this available?
| ahubert wrote:
| Sadly no - but the transcript is near verbatim.
| dkek wrote:
| Not a question.
|
| However as a fellow european, having worked for large
| "national/eu important companies", this article resonated a lot
| with me and my frustrations. Granted I don't do anything
| "security" related.
|
| Everything in "it infrastructure" has been outsourced to India,
| at best Poland. You have competent people in eu offices that
| don't have the power to use their own hardware. You have to beg
| for weeks to barely skilled ticket masters from outsourcing
| companies, endless meetings.
|
| All eu staff is relegated to feature factories or process
| managers. Zero ops. "It's not our core competency."
|
| I refuse to ever again work for the large "of national
| security" european companies. It's soul crushing. And it is
| very clear nobody cares.
|
| It hurts me everytime I read how tens of billions are allocated
| for whatever EU soverignity. I have been in way too many 10
| managers 2 engineers teams with way too many long meetings
| begging teams from $indian_outsourcing_company to let me do my
| job.
| ThomasBb wrote:
| Bert is a national treasure. We need more Bert in our lives!
| ahubert wrote:
| _blush_ :-)
| zelag wrote:
| Not to be confused with Bert Kreischer, the unfunny comedian.
| simmerup wrote:
| It does feel mad that we outsource so much of our national
| infrastructure maintenance to China.
|
| When/if they invade Taiwan, how are we going to do anything when
| they have that sort of leverage over us? It was bad enough with
| Russias gas
| gds44 wrote:
| Well US is not dependent on anyone for her Energy needs. Unlike
| China. Its quite vulnerable on that front if a few pipelines
| blow up ala nord stream.
|
| This is also why the US has such a large presence in the middle
| east.
| croes wrote:
| But you can pretty easily bring down their power grid
| vundercind wrote:
| Good point. Factories ain't shit without power.
|
| If we can't get stuff from China, that hurts, a lot. If
| _China_ can't get stuff from China, they're dead.
| Dalewyn wrote:
| >Well US is not dependent on anyone for her Energy needs.
|
| China's strength is they have the means of production (and
| maintenance) of everyone today, including the US. All the
| energy in the world means jack squat when all the means of
| using that energy rely on China.
|
| Could the west regain our own means of production? Certainly,
| but it's going to take far too long at the point China starts
| pursuing Bigger Gun Diplomacy. We're talking multiple decades
| to reachieve what we've surrendered, perhaps even the better
| part of a century because we simply don't have the ambition
| and political will to do so.
|
| I think China has been very shrewd with how they conducted
| themselves in the past half century or so. They've already
| won most wars they might be involved in before they start by
| seizing the economies of their supposed enemies.
| kjkjadksj wrote:
| China makes consumer crap not our guns and bombs. In a
| wartime situation maybe people can't get iphone cases from
| temu, big whoop. Not the first time the american population
| rationed consumer products in wartime. We will still have
| power and air, sea, and space superiority which is what
| really matters.
| salade_pissoir wrote:
| China also makes a huge amount of pharmaceuticals,
| medical supplies, electronic components, and parts for
| capital equipment. Decoupling from them would be very
| painful.
| seo-speedwagon wrote:
| Everyone has outsourced all their cheap and low-quality
| manufacturing to China, therefore China is only capable
| of manufacturing cheap, low quality items. Is this your
| argument?
| cpursley wrote:
| This is really out of date thinking, even South Korea is
| better at making ships than America now. In wartime China
| would switch from gadgets to bombs and drones and out
| produce us by an order of magnitude. They already produce
| 3x more vehicles than America; It's 2024, not 1956.
| Review the article called "The return of industrial
| warfare".
|
| https://www.rusi.org/explore-our-
| research/publications/comme...
| int_19h wrote:
| China makes a lot of electronics on which our
| infrastructure and logistics run. Much good a gun or a
| bomb will do you if you suddenly cannot get them from
| point A where they are made/stored to point B where they
| need to be used on time.
| mike_hearn wrote:
| You can convert coal to gas and petrol, and China has a lot
| of coal. So it can be reduced to an industrial scaling
| problem which China is very good at.
| mcculley wrote:
| China imports coal from the United States.
| card_zero wrote:
| They have huge amounts, but want slightly more. They're
| the biggest coal producer, producing half the world's
| coal, and then consuming it too, along with importing an
| extra 10% which is coking coal for steel making. They
| have lots of lignite and bituminous coal, which is fine
| for heat and electricity, and would be fine for turning
| into gas and liquid hydrocarbon fuel if that was useful.
| mcculley wrote:
| Am I missing something? This does not seem consistent
| with what I have seen going out of the harbors. Exports
| of both thermal and metallurgical coal from the United
| States to China have increased [0][1].
|
| [0]: https://www.eia.gov/coal/production/quarterly/pdf/t9
| p01p1.pd...
|
| [1]: https://www.eia.gov/coal/production/quarterly/pdf/t1
| 1p01p1.p...
| int_19h wrote:
| Donbas - the part of Ukraine that is presently occupied
| by Russia - is called that because it's an abbreviation
| of "DONetsk coal BASin", one of the largest in the world.
|
| Coincidentally, there has been a downturn in coal
| production there in the past two decades (and the
| associated closure of mines and processing infrastructure
| and unemployment) because of reduced demand. But if China
| were suddenly in dire need of coal, it wouldn't be hard
| for Russia to scale things up again there.
| kccqzy wrote:
| The Chinese are building solar farms and wind farms at an
| incredibly fast pace. Have you seen how cheap Chinese solar
| panels are? It's safe to assume by the time they decide to
| make a military move on Taiwan, they will have achieved
| energy independence as well.
| crocal wrote:
| I cannot agree more with the author's point of view. As an
| illustration, many people want to use GPS for the safe
| positioning of trains in the European Train Control Systems. This
| makes the space sector happy because it justifies the
| expenditures incurred for putting things like Galileo in orbit.
| However, in a pre-war check exercise, one immediately come to the
| conclusion that all European trains would crawl to a stop in case
| the GPS is jammed or interfered with. We were not very listened
| to... until Ukraine.
|
| Critical infrastructures should not depend from things that are
| located in space or on the other side of the planet. These are
| one of those things were market logic should be anticipated with
| regulations (we can't wait for the next Titanic). Another point
| touched by the article.
| killjoywashere wrote:
| Not sure I entirely agree?
|
| #1 > Or disable a hospital.
|
| The entire Ascension Healthcare system of hospitals (142
| hospitals, 2600 total facilities) in on divert since 8 May
| because they had to switch back to paper records. Change
| Healthcare has lost $872M since it was attacked in February.
|
| Maybe it's more like the pandemic: seems like nothing, unless
| it affects _you_.
|
| https://en.wikipedia.org/wiki/Ascension_(healthcare_system)
|
| https://www.wired.com/story/change-healthcare-admits-it-paid...
|
| #2 > Does your stuff need computers working 5,000 kilometers
| away? [implying that's bad]
|
| What if you live on the Gulf Coast, exposed to hurricanes? You
| _want_ compute resources warm and ready far away from that
| region. After Katrina, the Tulane medical school was able to
| re-form quickly because the noteservice was running a bulletin
| board forum on a VM in _Romania_. Everything else was
| underwater.
|
| #3 > This is the sound-powered phone
|
| Have you used a sound-powered phone? I managed damage control
| in a ship. Sound powered phones _barely_ works. And the
| coordination system to actually fight that fire requires radios
| and making overhead announcements that _definitely_ depend on
| electrical power.
|
| #4 > They tried to sort of renew this emergency telephone
| network
|
| When the entire San Diego region lost power during rush hour
| for 4 hours in 2011, the cell phone system still worked. I was
| able to email documents to _Tokyo_ from a car despite no
| traffic lights.
|
| #5 > Because if the cable to the US is down
|
| Sure, but there are a lot of disasters where the cables are
| fine. Graceful degradation is all about having widely
| distributed _options_. Lots of people have What. Signal is even
| better for people with more serious responsibilities, IMHO.
| And, friends, if you think IP networks are vulnerable, get
| yourself a starlink terminal and a HAM radio license.
|
| https://en.wikipedia.org/wiki/SpaceX_Starshield
| indymike wrote:
| > Change Healthcare has lost $872M since it was attacked in
| February.
|
| The question is, what is the cost to secure? I've been in so
| many meetings where the cost of security is 10-15x the cost
| of a breach. It's horrifying.
| stouset wrote:
| Part of this is that nobody has cared about security since
| the beginning, for basically anything in tech.
|
| It's an industry-wide issue that permeates every level of
| the stack. And so yeah, individual companies trying to
| retrofit security onto a jenga tower of technology is going
| to have to spend a ridiculous amount of resources to have
| any kind of impact.
|
| I don't know what the answer is, but I too believe things
| won't change until the day someone figures out how to push
| a "kill all humans" OTA update to all the self-driving cars
| on some random Tuesday afternoon.
| ryandrake wrote:
| > I don't know what the answer is, but I too believe
| things won't change until the day someone figures out how
| to push a "kill all humans" OTA update to all the self-
| driving cars on some random Tuesday afternoon.
|
| Even in that case I'm pessimistic that any action will
| happen. People will go on TV and say grave things,
| hearings will be held. Fingers will be pointed. Task
| Forces will kick off. Reports will be written.
| Bureaucrats will have stern conversations with
| bureaucrats. Politicians will say: we must this and we
| shall that. IT companies will sell their "solutions". But
| no actual action will happen. It will be all talk and
| commerce but no actual hands unplugging and plugging in
| cables. We have completely lost the societal will to
| actually do anything besides generate words and reports.
| eastbound wrote:
| You are describing the current world, where politicians
| dissolve issues. There's a saying in Europe that no
| minister of defense was ever nominated. Real ministers of
| war, when there is war, appoint themselves into position.
|
| When there is a real problem, people act upon it
| (assuming society is functional - otherwise the country
| simply dies). That's why there is no better training for
| war than war itself. Ukraine has already unrooted all of
| the peace & love & no armament folklore in France, and
| even turned a lot of ecologists into pro-nuclear voters.
|
| So yes, I wouldn't be surprised if guarantees of offline
| mode (with regular drills) were passed into law for
| electric cars and everything cloudy, including IntelliJ.
| indymike wrote:
| Security wasn't really a design consideration especially
| in the one use one PC era. We're still trying to secure
| hardware and software descended from that era.
| dralley wrote:
| TL;DR hybrid-cloud, multi-cloud, or at the very minimum
| multi-region is a really good idea.
| freehorse wrote:
| > but there are a lot of disasters where the cables are fine
|
| We are talking about war-like situations, and where one state
| actor has incentive to cause maximum harm to another.
| Exposing your infrastructure like this is unlike damage that
| can come from natural disaster. For example, disrupting the
| communications exactly before the attack. Similar issues
| (though through lower tech hacking) happened in 7th of
| October during the Hamas attack in Israel, where the over-
| reliance on advanced, complicated technology became a
| liability.
|
| The stuff you describe make sense in normal, peaceful
| situations, where the cost of securing certain infrastructure
| can be higher than the cost of a power cut once. That has
| nothing to do with what the article really says, which is
| basically that infrastructure is currently not as secure from
| a potential hostile state attack. Also, in that case, a
| hostile state actor can combine attacks that together cause
| more damage than the sum of the attacks independently.
| yardstick wrote:
| What was the lower tech stuff on Oct 7?
| hughesjj wrote:
| The back of my head is screaming "defense in depth! Redundant
| systems!"
|
| The whole idea of the internet (and even some of our infra,
| like suburbs or highways/rail) is that there's no one single
| point of failure. Like designed-to-survive-nuclear-war
| redundant.
|
| Definitely incorporate the most advanced tech you can for
| when things are going smoothly to get that efficency gain,
| but there's a reason all branches of the military (that I'm
| aware of) still train _and test_ their aptitude using paper
| maps and trig instead of relying 100% on GPS and electronic
| devices.
| Dalewyn wrote:
| >The whole idea of the internet (and even some of our
| infra, like suburbs or highways/rail) is that there's no
| one single point of failure. Like designed-to-survive-
| nuclear-war redundant.
|
| The reality of course is that the internet has turned into
| a fragile, centralized system of complication that rests on
| single failure points like Cloudflare, AWS, and Chrome. The
| internet as envisioned by DARPA would have survived to be
| used by cockroaches, the internet today would not survive.
| plq wrote:
| > The whole idea of the internet (and even some of our
| infra, like suburbs or highways/rail) is that there's no
| one single point of failure. Like designed-to-survive-
| nuclear-war redundant.
|
| Sure, the routing algorithms can quickly adapt to changes
| in network topology, but they assume infinite bandwidth,
| which hasn't been the case since a long time now.
|
| In other words, if a couple of important pipes disappear
| between tier1 peers, alternate routes will certainly have
| trouble handling all the new traffic, which would make
| everything grind to a halt, and will only be solved by
| pissed network admins null-routing that additional load.
| hughesjj wrote:
| Definitely, we've seen this in fiber cuts before. That
| said a degraded availability is better than no
| availability.
|
| I know it's controversial in the context of net
| neutrality but personally I'd be okay with traffic
| shaping/prioritization for critical infra in cases such
| as this. Keep the power plants, emergency services,
| military, government, transit running over intsagram and
| netflix when things come down to it.
| baxtr wrote:
| I find it additionally odd that the author calls this era pre
| war. Ukraine is certainly at war right now with a very potent
| cyber state. Their infrastructure seems to hold up ok. It's
| not perfect but definitely not doomsday like described in
| this article.
| fullspectrumdev wrote:
| Tbf their infra holds up because their infrastructure
| workers put their lives on the line every single day
| repairing it under horrible conditions of shelling, etc.
|
| On my most recent trip there - I was amazed at how despite
| being routinely hit by missiles, their train systems "on
| time" status is better than British or even German trains.
|
| This is only possible because their railway workers have
| balls of steel and go out to repair damage _fast_ , and
| sometimes get hit in follow up strikes.
|
| Same with energy workers - they go out and repair stuff
| during air alarms, in the immediate aftermath of strikes
| they perform damage control and mitigations.
| int_19h wrote:
| It's still a pre-war era for the Netherlands.
| adrianN wrote:
| Trains use a variety of sensors for odometry. Losing one of
| them is not catastrophic.
| crocal wrote:
| Except the stated goal here is to replace these sensors with
| GPS.
| adrianN wrote:
| It has been a couple of years since I worked in the area,
| but back then that wasn't the plan and would've been deemed
| impossible both for safety and for accuracy reasons. Do you
| maybe have a source?
| crocal wrote:
| Sure thing: http://clugproject.eu/en (Edit: they even
| have a 2.0, see my sibbling comment)
| crocal wrote:
| The sequel: https://www.clug2.eu/
| Animats wrote:
| Railroads...
|
| Railroads can now outsource train control. Wabtec's "Wabtec
| Cloud Positive Train Control Communication Solution" - "A
| complete turnkey hosted office solution for I-ETMS-based
| Positive Train Control (PTC) systems"[1] (Wabtec used to be
| Westinghouse Air Brake.)
|
| Wabtec has had break-ins, but claims they only involved
| employee info, not control systems.[2]
|
| [1] https://www.wabteccorp.com/digital-intelligence/signaling-
| an...
|
| [2] https://industrialcyber.co/ransomware/wabtec-suffers-data-
| br...
| 616c wrote:
| This may be the first time I had that "well, that's enough
| Internet today ..." reactions on HN from a
| cybersecurity/cyber-physical protection perspective, and not
| something gross on Reddit.
|
| So, my hat off to you, Internet stranger.
| marcosdumay wrote:
| Railroads should absolutely use GPS. They also should
| supplement it with local transmitters, like aviation does.
|
| They should have lots and lots of local transmitters.
| numpad0 wrote:
| Rails has clever systems for locating trains by detecting
| circuit shorted by trains' wheels, no need to replace that
| with GPS. Besides railroads passes valleys and tunnels, GPS
| won't work anyway.
|
| The absolute last resort for trains is semaphores and mutexes
| based on physical tokens. Those concepts came from there, and
| were still used sometimes to this day. Doesn't sound high
| tech, but it works.
| rightbyte wrote:
| Who cares? In the case of some sort of big war why would you care
| about "cyber security" when the day to day problem is not dying
| from starvation, being drafted, radiation posioning or what ever
| the problem is.
|
| These kind of "we need to prepare" are silly since they
| implicitly downplay the severity of war and bring us closer to
| it.
| alephnerd wrote:
| Everything is computerized now. And most adjacent power wars
| will most likely be non-nuclear in nature until it crosses a
| red line.
| rightbyte wrote:
| Everything being computerized is a major peace time concern
| too.
|
| Ideally systems should not be as centralized as they are now
| and have offline fallbacks.
|
| I believe there is a great deal of over automization too.
|
| You can notice how war mongerers have turned to "cyber
| threats" to instigate on unfalsifiable information.
|
| I feel it might be better to pull the plug on the whole
| internet if that actually is such a concern.
| constantcrying wrote:
| It is incredibly hard to maintain an unused system. The
| Internet is the default mode of communications because it
| outperforms all other options on most metrics. Any backup
| would go nearly totally unused and therefore couldn't be
| effectively used during an outage.
| croes wrote:
| The day to day problem will mainly exist because our computer
| systems are down.
| constantcrying wrote:
| The underlying assumption of e.g. food distribution are that a
| certain part of infrastructure remains intact. This assumption
| comes into greater question the more individual parts are
| dependant on large software installations.
|
| E.g. some countries have an entire redundant telecommunications
| network for government functions precisely so that it can
| actually withstand such a scenario. The more enmeshed that
| infrastructure is into other systems the more likely it is that
| it too will fail.
| AnimalMuppet wrote:
| We need to prepare to not be destroyed on the cyber front
| brings us closer to war? _Hard_ disagree. In a world with
| sharks, you don 't make having to battle a shark more likely by
| looking less like prey.
|
| _Not_ preparing brings us closer to someone (Russia, China,
| Iran, ISIS, Al-Qaeda, whoever loses the next presidential
| election) being able to blackmail society with war-like
| consequences if we don 't do what they want. Worse, more than
| one adversary could have that level of blackmail on us at once.
| That's the kind of situation that free peoples fight wars to
| get out of. And the ones who won't, aren't free for long.
|
| If you consider "not fighting wars" to be more important than
| "being free", there is nothing more for me to say. And if you
| think that being free will endure without fighting wars, I
| think you are hopelessly naive.
| gostsamo wrote:
| Is there an enemy factor measure which reflects how many
| countries have to sanction/attack you directly before you are
| enable to maintain the economy and social services? It would be
| interesting to have an index of geostratigic resilience.
| nonrandomstring wrote:
| Yes. Front analysis [0] and also critical path analysis are
| useful.
|
| Real graphs look like social networks, with some clusters and
| nodes with very high relational degree, and some with almost
| none. But for security they are more like dependency graphs
| rather than just attack paths as in Blotto. An adversary
| blockades/sabotages them or blocks those on which they depend
| etc. The more resilient graph is the best connected by
| alternative paths. Go back and look at some DARPA papers on
| route security in the formative "Internet".
|
| What we have today are very insecure graphs with millions of
| logical dependency links going in/out of single centres of
| functionality, and not much peer connectivity.
|
| Hit a few critical nodes and the whole lot goes down.
|
| [0] https://en.wikipedia.org/wiki/Blotto_game
| kjkjadksj wrote:
| Cuba would be the most resilient nation on earth I'd guess
| baobun wrote:
| Why?
| ragebol wrote:
| They're boycotted out of a lot of stuff, yet still make
| due.
| nickpeterson wrote:
| As an outsider on most IT security so take the rest of this with
| a grain of salt, but I think reliability is a good way to view
| this topic. Complexity is the enemy of reliability and security.
| Most organizations seem to operate under the delusion that you
| can brute force your way to security through audits and policy.
| They're trying to 'test the quality in' so to speak. Think of the
| legion of security admins who diligently tweak windows group
| policies, firewall settings, and systems like 2FA/MFA. Nobody can
| stomach the truth that most of these things have grown in
| complexity beyond their ability to be truly reliable. They're
| basically the IT equivalent of locks on a few doors of mansion
| with 80 windows, they prevent some crimes of opportunity but
| won't stop an attacker motivated by something else.
|
| This also doesn't tend to bother security people. It's
| interesting, it quickly shifts to, "Well we don't run a nuclear
| reactor..." or "We're not a cloud provider or a bank", so they
| think they're not critical infrastructure and crimes of
| opportunity are really their main threat (ransomware, disgruntled
| ex-employees, etc). Also, their job usually depends on tweaking
| the knobs in this complex pachinko machine, so to have some
| outsider tell them to throw it all away is basically like saying
| you think they should lose their job as well.
|
| I don't know where this rant should end, but I think if I was
| tasked with making infrastructure decisions, It would be really
| hard for me to not use things like OpenBSD and SQLite for a lot
| of it. I'm sure someone here will say actually those are bad for
| various reasons, but they at least seem to capture the ethos of,
| "We're going to just say no to things and try to control the
| complexity of this thing." They also don't seem very motivated by
| making money which tends to be the root of most compromising
| decisions.
| rustcleaner wrote:
| Knowing how frail software out there really can be, I made
| moves to Qubes OS and GrapheneOS as my primary operating system
| distributions over a year ago. Haven't looked back since the
| first month!
|
| PC users should be using some kind of segregation like VMs
| these days; you most likely don't have a MAC policy protecting
| your files from your porn site bunker-busted browser, so your
| data is likely going up the pipe to North Korea (but you did
| make sure to be a user so at least it can't install the printer
| driver wrapped rootkit).
| nickpeterson wrote:
| Those are neat projects to look into, thanks. That said, I
| feel like wrapping everything in vms/container is actually an
| example of the complexity I'm fighting against. I want less
| code that does less with more eyes on it.
| pixl97 wrote:
| Looking at the XZ attack from last month, a lot of people that
| write software have no idea of the depth their software is
| being used in secure systems.
| mikewarot wrote:
| When I recently asked some air traffic controllers what would
| happen if GPS became unavailable, it was grumpy sounds all
| around.
|
| I understand a scramble to vector everything to land everything
| would result in a _very busy day_ for them, because suddenly most
| planes would be unable to safely navigate, and thus effectively
| grounded.
|
| Cutting the budget for ground based navaids is nuts, in my
| opinion.
| Rygian wrote:
| I was under the impression that GPS was a non-critical asset
| for aviation, ie. any plane can safely stop using it at any
| given time and keep flying with VOR and other navigational
| aids.
|
| This article [1] introduces some of the scenarios where pilots
| rely on GPS only:
|
| * GPS-based waypoints to optimize routing based on favorable
| winds and more direct routes even in the absence of VORs.
|
| * RNAV departures and arrivals that rely "solely on GPS rather
| than radio-based [...] aids" with more precise spacing and
| hence higher capacity.
|
| * GPS used as a substitute of ILS for some approaches e.g. in
| mountainous areas.
|
| [1] https://simpleflying.com/gps-in-aviation-pilots-guide/
| xavxav wrote:
| I would assume its not 'safety critical' but 'business
| critical', disabling GPS would mean slowing down departures /
| arrivals which means the airport losing money. I recall there
| being a similar issue with Lufthansa and SFO causing planes
| to get rerouted to oakland.
| hugh-avherald wrote:
| It's not safety-critical for a plane, in the sense that if a
| plane's GPS fails it can still get by safely.
|
| It's safety-critical for aviation, because if _all_ GPS
| fails, then the additional workload across the system means
| that a crash is likely.
| wkat4242 wrote:
| They do have other ways to navigate. Like land-based beacons
| (VORs).
|
| Unfortunately these are being used less and less and even
| deprecated in favour of GPS waypoints. Even when they are still
| around the pilots have less experience with them because they
| no longer use them every day.
| nonrandomstring wrote:
| > Unfortunately these are being used less and less and even
| deprecated
|
| Fortune may have something to do with it.
|
| Like copper land communications that cost billions to
| establish over almost 100 years, are extremely resilient and
| can be repaired by anyone with a ladder and pair of pliers.
| They're being ripped out across Europe and the US because the
| private companies they were sold to want to shrug maintenance
| to squeeze out a little more profit.
|
| It's just not _your_ fortune.
| pixl97 wrote:
| Copper land lines cost a fortune to maintain, and with
| everyone having moved to cellphones years ago, don't
| generate income to pay for their upkeep. People pay far
| more for an internet line that dumps out a gig of traffic,
| while very few pay for a hard line that is hard to cut and
| only carries a few kb of traffic.
| nonrandomstring wrote:
| > everyone having moved to cellphones years ago
|
| That is untrue. The news is full of stories of people who
| are right now being forced-off hard line connections that
| they want and will pay for. The choice is being removed,
| which is not a fair market.
|
| But, telling any group of people that "they are the only
| ones" is _gas-lighting_. Systematic lies to marginalise
| people was central to the Purdue Pharma opioid scandal
| and to the British Post Office scandal - telling people
| "You're the only one" when a problem is evidently
| extensive should be a very serious fraud.
|
| > don't generate income to pay for their upkeep
|
| When many private companies took on telecommunications
| properties they did so under obligations to maintenance
| of infrastructure, availability and reliability
| standards. If it turns out their choices of technology
| don't meet those standards of affordable resilience then
| that's their financial miscalculation and their problem
| now. Or are you saying that markets are incompatible with
| national security?
| dweekly wrote:
| The good news here is that the fine folks at the FAA have
| spent a lot of time thinking about how to keep aviation
| secure in a GPS denied environment, which is their basis for
| the build out of the VOR MON.
|
| https://www.faa.gov/about/office_org/headquarters_offices/at.
| ..
| labcomputer wrote:
| > FAA have spent a lot of time thinking about how to keep
| aviation secure in a GPS denied environment, which is their
| basis for the *build out* of the VOR MON
|
| That's an interesting characterization, given that the MON
| is a list of VORs they are not planning to _take down_.
| FL410 wrote:
| But that's better than taking them all down. Fact of the
| matter is most of us hate using VORs anyway, and left to
| our own devices probably wouldn't care one bit if they
| were removed.
|
| It is a good thing that someone is second-guessing that.
| Degrading to MON wouldn't be great, but it would be much
| preferrable to hoping poor ATC can figure out how to
| vector everyone all the sudden.
|
| I think more industries could apply the idea of a Minimum
| Operational _whatever_
| wkat4242 wrote:
| > Fact of the matter is most of us hate using VORs anyway
|
| This is partly UX and doesn't have to be like this.
| Cockpit systems could make this a lot easier to select
| VORs and radials without having to manually keep track of
| frequencies.
|
| After all a successful GPS fix is impossible to
| accomplish by a human given the raw receive data, which
| is why it's all automated inside the receiver. We can
| optimize the hell out of VORs as well. And only people
| flying ancient aircraft still have to do the thing.
|
| In fact it probably would be great to add some optional
| authentication signal to it, as even a VOR can be prone
| to jamming or spoofing.
| distances wrote:
| GPS is now often unavailable in eastern/northern parts of
| Europe due to Russian jamming. Some smaller airfields already
| had to update their systems not to rely only on GPS.
| tambre wrote:
| Finnair at the end of last month suspended service between
| Helsinki and Tartu due to Russia's GPS jamming [0]. DME is
| being added next week and they'll resume service next month
| [1].
|
| [0]: https://news.err.ee/1609328058/finnair-suspends-flights-
| to-t... [1]: https://news.err.ee/1609343694/finnair-restarts-
| tartu-flight...
| toomuchtodo wrote:
| Would it be accurate to say that DME is the equivalent of
| the deprecated US LORAN nav system?
|
| https://en.wikipedia.org/wiki/LORAN
| lsh123 wrote:
| DME (distance measuring equipment) is much simpler than
| LORAN. However, navigation computers can use multiple VOR
| / DME signals to compute position similar to LORAN or
| GPS. The problem is that DME / VOR are typically limited
| to 50-200nm (and even lower at lower altitudes) which
| requires extensive network to make it comparable to GPS /
| LORAN.
| toomuchtodo wrote:
| I appreciate the reply. Are there any canonical reference
| sources you would recommend to learn more about this
| implementation?
|
| Edit: sources provided are helpful, thank you lsh123 and
| Animats!
| lsh123 wrote:
| Not sure what exactly are you looking for. Bunch of info
| is on FAA website, for example:
|
| https://www.faa.gov/air_traffic/publications/atpubs/aim_h
| tml... https://www.faa.gov/air_traffic/flight_info/aerona
| v/acf/medi...
| Animats wrote:
| Wikipedia?
|
| The basics: A VOR (Very high frequency omni-directional
| range) station just gives you the bearing to the VOR.
| It's simple. It's a large ring of antennas with another
| antenna in the middle. It sends out a big omnidirectional
| pulse, and then sweeps around the circle like a
| lighthouse. The time difference between the
| omnidirectional pulse and the directional pulse tells you
| your bearing to the VOR station. The aircraft just
| receives; it doesn't send anything. Range is maybe 200
| miles.
|
| DME (Distance Measuring Equipment) came later. It's a
| request-response system. Time between aircraft request
| and DME station response gives you distance to the DME
| station. Most VORs also have a DME system installed, so
| you can get range and bearing.
|
| VOR bearings aren't very accurate. Error is up to +-4deg.
| So position from VOR and DME isn't very good far from a
| VOR. VORs are thus installed at major airports, so
| positional info gets better as you approach the airport,
| and pilots can find the airport reliably. SJC (San Jose
| International Airport) has a VOR northwest of the
| airport. It's a huge antenna array in a big open field,
| and can be seen from 101 north of the airport. It needs
| all that open land to work well. Obstacles would distort
| the directional beam and make the error worse.
|
| The FAA has shut down over a hundred VOR stations as
| redundant.[1] The original plan was to shut down even
| more, but there was much pushback. In addition to airport
| VOR stations, there were chains of "enroute" VOR
| stations, so that aircraft could fly along established
| airways from VOR to VOR. Some of those have been shut
| down.
|
| The FAA now uses the term "minimum operational network"
| for what's available with GPS down.[2]
|
| GPS jamming is very real. Here's a real-time map of known
| GPS jamming and spoofing.[3] Current jamming is mostly
| near Ukraine and Lebanon, plus the Black Sea. War zones.
| Discussion at Ops.group, which is a site for people
| involved in international aviation operations.[4]
|
| [1] https://www.faa.gov/ato/navigation-programs/vor-
| target-disco...
|
| [2] https://www.aopa.org/news-and-media/all-
| news/2021/july/pilot...
|
| [3] https://spoofing.skai-data-services.com/
|
| [4] https://ops.group/blog/where-is-the-spoofing-today/
| roenxi wrote:
| > I know it sounds devastating, but you have to get used to the
| fact that a new era has begun. The pre-war era.
|
| It is madness that we're in a position where this can be baldly
| stated by a PM and there has been no "huh?" moment when people
| stop and assess how badly the broader West's military, economic
| and diplomatic efforts have failed over the last 30 odd years.
| Possibly longer. I wasn't expecting to see land wars in Europe
| even before the cold war ended.
|
| Humanity has unprecedented destructive power at our command and
| the systems that sustain 8 billion people are delicate. We can't
| afford to be in a "pre-war era" and act like this is just going
| to be something to deal with when we get to it plus a little prep
| in specialist domains.
| fabian2k wrote:
| What kind of diplomacy would have prevented Russia from
| invading its neighbours?
| roenxi wrote:
| Picking on Ukraine, the US not having a policy of signing new
| people up to the anti-Russia military alliance every few
| years [0] seems like low hanging fruit. Or not working to
| integrate their intelligence with the CIA [1] for the last
| decade. I don't speak German but apparently Merkle said that
| we weren't negotiating in good faith to keep the peace either
| [2].
|
| These are the sort of thing I suspect Russia would see as
| escalatory. I certainly do. A better diplomatic policy would
| have been to encourage neutrality. The western powers weren't
| going out of their way to make sure that the situation stayed
| peaceful. We could have treated this as the Russian
| equivalent of the US invasion of Afghanistan or Iraq and let
| it go away.
|
| [0] https://en.wikipedia.org/wiki/Enlargement_of_NATO
|
| [1] https://www.washingtonpost.com/world/2023/10/23/ukraine-
| cia-...
|
| [2] https://politics.stackexchange.com/questions/77139/what-
| posi...
| kibwen wrote:
| _> US not having a policy of signing new people up to the
| anti-Russia military alliance every few years_
|
| Weird how all of Russia's neighbors are eager to join a
| military alliance protecting them from Russia. I wonder if
| that has something to do with Russia's actions towards its
| neighbors? No, no, surely the US is to blame for that...
| roenxi wrote:
| Yeah, sure. But the US chooses who it integrates with
| militarily. An alternative approach would have been to
| say "hey, yeah we can see why you'd want to join - but
| this will foment tensions with Russia, so you can't".
|
| That is the kind of diplomacy would have prevented Russia
| from invading its neighbours. It would have been
| difficult to get worse outcomes with that approach than
| what the powers that be managed to get us to - we could
| be staring at the start of a major pattern of wars here
| and the US's deterrence has been spectacular in not quite
| succeeding. The Russian border is still closer to Moscow
| right now than it was in the 80s, but it has gotten a lot
| bloodier than the 90s.
| fabian2k wrote:
| The only thing that would have changed is that Russia now
| also could invade the baltic states. Why do you think
| Russia would not have invaded Ukraine if the NATO had not
| been expanded?
| Ray20 wrote:
| >Why do you think Russia would not have invaded Ukraine
| if the NATO had not been expanded? Because the main
| reason for the full-scale invasion of Ukraine is a
| miscalculation about resistance. With the expansion of
| NATO, the prospect of invasion would be assessed closer
| to reality and dismissed as counterproductive
| AnimalMuppet wrote:
| I don't think Russia invaded Ukraine because it
| threatened to join NATO. Russia invaded Ukraine because
| it threatened to have a color revolution leading to a
| viable democracy in a culture/society that was similar to
| Russia's. Putin, personally, could not allow that to
| succeed. It threatened him, personally, too greatly.
| rainworld wrote:
| >it threatened to have a color revolution leading to a
| viable democracy
|
| Threatened? They tried that two or three times but
| Ukraine never stopped being Ukraine. Always losing a
| couple million people between these attempts.
| koonsolo wrote:
| So what was first, Russia invading neighbors, or
| neighbors wanting to join NATO?
|
| I'll give you the answer: Chechnya.
|
| Thinking that Russia would never invade an independent
| Georgia or Ukraine is very naive, to say the least.
|
| If you want a "neutral" country, take a look at Belarus.
| A neutral country in Russia's eyes only has connections
| with Russia, not with the West. They make it very clear
| which countries they want "under the influence sphere of
| Russia".
|
| Ukrainians want a sovereign democratic country, and they
| are willing to pay a very high price for that.
| cpursley wrote:
| Ukraine will no longer be democratic come May 21st,
| unfortunately.
|
| https://www.economist.com/leaders/2024/05/16/volodymyr-
| zelen...
| dralley wrote:
| This is a nonsense statement.
|
| Every poll performed on Ukrainians shows that a clear
| majority doesn't want elections right now, and Ukrainian
| law permits this during wartime. The logistical
| challenges are insurmountable particularly when one
| things about local elections. People are displaced all
| across the country and to other countries, soldiers that
| are fighting on the front lines cannot just rotate simply
| to be able to cast their votes without creating
| unnecessary chaos and risks, there's the legitimate
| threat of bomb attacks on polling places.
|
| The UK didn't hold elections during WWII despite being
| vastly more secure on their island than Ukrainians are.
| Ray20 wrote:
| >Ukrainians want a sovereign democratic country, and they
| are willing to pay a very high price for that.
|
| Doesn't seemed to be true, considering Ban for men's
| leaving country, forcefull conscription and cancelled
| elections
| denton-scratch wrote:
| > That is the kind of diplomacy would have prevented
| Russia from invading its neighbours.
|
| Really? You _believe_ the Russian claim that it attacks
| its neighbours because they 're mumbling about NATO
| membership?
|
| Russia attacks its neighbours because it regrets its loss
| of a "zone of influence" at the end of the Cold War. Like
| all former imperial powers (I'm a Brit!), loss of empire
| is hard to swallow.
| mopsi wrote:
| > That is the kind of diplomacy would have prevented
| Russia from invading its neighbours.
|
| Only if you subscribe to the argument that Russia has no
| intention to gobble up countries west of it at least to
| the furthest extent of USSR and its satellites.
|
| No European neighbors of Russia subscribe to that
| anymore. Finland and Sweden were the last holdouts who
| thought that having a "responsible" diplomacy would
| prevent war with Russia, but the absurd and fabricated
| excuses Russia uses to justify the invasion of Ukraine
| have destroyed almost overnight all credibility of that
| line of thought.
|
| Assuming imperialistic intentions, staying neutral and
| out of alliances only lowers the cost of invasion for
| Russia. If Russia decides to invade a country like
| Poland, then at the moment they risk a large
| multinational response that can go far-far beyond
| Poland's own means, up to a nuclear war. If Poland didn't
| have solid allies, the potential cost associated with the
| invasion would be considerably smaller for Russia.
| simion314 wrote:
| It is not an anti-Russia alliance, we Romania enter NATO to
| survive teh eventual Ruzzian invasion, as you can see from
| Ukraine war our politicians, even the communist regime was
| sure that a Ruzzian invasion is unavoidable (yeah, makes
| your mind segfault when you find out that communist Romania
| had better relations with USA and was preparing to resist a
| USSR invasion).
|
| You need to talk with Russians to understend their Zed
| mentality, they think God gave them the right to dominate
| half of the world, they will tell it to my face that
| genocide my nation is not personal, it is geo politics and
| Ruzzia must do it.
|
| the way to avoid the Ukrainian war would ahve been if
| Ukrainians would ahve not been stupid and would ahave
| joined NATO with Romania and Poland, but the idiots still
| believed in brotherhood with the Zeds.
|
| P.S I am using Z to refer to the Russians that are Zed
| supporters and to make it clear I am not referring to the
| entire Russian population, since there are a few educated
| Russians there that can see the truth.
| aizen89 wrote:
| Everything you outlined applies to US politics too :DD
| simion314 wrote:
| >Everything you outlined applies to US politics too :DD
|
| What? that Canada made an alliance with soem other
| neighbors so the evil USA would not invade them ?
| 5e92cb50239222b wrote:
| I've never heard a single bad word about Romania or its
| people, and I definitely have a lot more ties to Russia
| than you do. No idea where you read shit like this, but
| you should probably avoid those places from now on to
| keep your sanity.
| int_19h wrote:
| I'm Russian, and I've heard plenty rhetoric about
| "Romanian Nazis" when talking about Transnistria.
|
| More so since 2022, because Moldova is clearly one of the
| prime next targets after Ukraine.
| simion314 wrote:
| It is history, maybe read about USSR invasion of
| Czechoslovakia and Romania refusing to participate and
| condemning the fact that USSR is tring to force their
| will on other communist states. It was not enough that
| USSR forced communism in eastern Europe, they really
| wanted Moscow to control everything, no different
| communist approaches were allowed since Moscowites know
| better what other countries should do.
|
| So Romania built infrastructure to handle an invasion,
| build roads over the mountains to be able to quickly move
| the armies, and is a very known fact in Romania that
| everything was prepared for an USSR invasion like in
| Czechoslovakia, so first read about the USSR invasions
| and meddling in communist countries.
|
| Then if you really want to know more , I mean really want
| to learn and not spread Ruz propaganda I might find for
| you english documentation of all douzens times Ruzzians
| invaded Romania lands.
|
| So Romania has very good reasons to enter NATO, all
| political parties were in agreement, even our president
| who was a communist and who studied in Moscow was for
| NATO. Super hard for Ruzzians to admit that all those
| country that entered NATO had a good reason, and some
| "special" people in Africa, Asia and West might fall for
| the ton of propaganda that claims that NATO brainwashed
| everyone to join them, it is pure Ruzzian projection.
| relaxing wrote:
| The gunboat kind.
| matheusmoreira wrote:
| That's a great way to get countries to promptly ally with
| China and Russia instead.
| atemerev wrote:
| Autocracies are inherently unstable and dangerous in this
| regard. They have every incentive to be irrational and
| unwilling to negotiate. They call it "sovereignty", which it
| isn't -- just a sparkling dictatorship.
|
| Autocracies have no place in the modern world.
| z3phyr wrote:
| And yet autocracies are historically the most "successful"
| types of governments. Humans always and eventually end up
| selecting autocracies with thunderous applause.
| atemerev wrote:
| History is young, there's too little data to go for
| meaningful conclusions yet, particularly post-industrial
| revolution.
|
| But yes, I agree, autocracy is a natural state of
| affairs. Democracy is a miracle to keep.
| z3phyr wrote:
| There is not much difference in the capability of human
| experience. I bet a baby born in 494AD, teleported to the
| modern period and raised by modern humans will be
| indistinguishable in capability to every other human
| being.
| indymike wrote:
| 150K NATO troops in Ukraine.
| ein0p wrote:
| Basically the opposite of this "advice":
| https://www.rand.org/pubs/research_briefs/RB10014.html
| lesuorac wrote:
| I mean you're either in a war period or a pre-war period ...
|
| Although yeah the whole propping up non-democracies because
| they have cheap labor or cheap materials for decades does seem
| to have been a poor decision in the long run.
| 5e92cb50239222b wrote:
| "You" are still doing it, your Western governments looked the
| other way at killing of more than 300+ pro-democracy
| protesters by our government forces at the beginning of 2022
| because it was convenient for them to do so. Half of
| worldwide supply of uranium fuel and all that. These things
| will be remembered for decades.
| kjkjadksj wrote:
| Not exactly the first post cold war european land war either
| croes wrote:
| At the same time MS & Co. try to force everyone in to the cloud.
|
| So if MS Azure AD goes down everyone goes down too.
| jeffrallen wrote:
| It is too bad he didn't follow up on "we give control to foreign
| clouds" with "we need European data sovereignty, our governments
| need to choose local cloud providers".
|
| Because they exist. I work for one.
|
| The cloud is just someone else's computer. But if that someone
| else is your neighbor, they may be motivated by the same things
| as you, and can contribute helpfully to your goals.
| ahubert wrote:
| (author here) You might be interested in my writing on this
| very subject -> https://berthub.eu/articles/posts/cloud-naive-
| europe-and-the...
| gz5 wrote:
| >Why did it happen? Non-technical people have made choices and
| have optimized for stuff being cheap.
|
| Yes and amplified by:
|
| + Cybersecurity 'bad actors' are decentralized and distributed.
| They innovate at speed, with no barriers, and share their
| innovation. Cybersecurity 'good actors' are centralized,
| proprietary and bounded.
|
| + Software and service providers traditionally couldn't build
| secure networking into their products - they had to delegate it
| to the consumer of the software or service for the consumer to
| implement as a day two bolt on. Dangerous when networking is
| often the largest and most vulnerable surface area.
| stalfosknight wrote:
| Non-technical people should be stopped.
| javajosh wrote:
| He mentions the threat of remotely taking over autonomous
| vehicles, but really its any vehicle who's a) network connected
| and b) drive-by-wire. Which is why I won't buy one, and why the
| problem is even worse than it appears.
|
| The other problem that he doesn't address is the centralization
| of critical (and semi-critical, like logistics) software in large
| shared data-centers. If you wanted to disable large chunks of the
| American software economy for an extended period, you only have
| to kill ~100 buildings.
|
| In a way I think the ransomware people are doing us all a huge
| favor by putting the fear of God into executives around
| cybersecurity. Unfortunately, as other commenters have mentioned,
| the real problem is hard to address, because it's the complexity
| inherent in the "worse is better" philosophy. Current systems
| have grown in a lovely, nice environment that is generally
| reliable. When that environment changes quickly (which is one way
| to characterize a cyber attack) these systems will fail, and
| there will be no time or tools to repair them. This includes
| software and infrastructure hardware. Somewhat ironically, this
| is precisely the kind of non-extinction-level threat that "having
| a bunker" and a large store of food would actually get you
| through - something only executives can afford. Perhaps we might
| consider outlawing such bunkers to properly motivate the monied
| elite to address these issues.
| constantcrying wrote:
| Very interesting article. I think the author makes a compelling
| point about the vulnerability of infrastructure.
|
| To be honest I wouldn't be surprised that in an actual unlimited
| war, between two major developed nations _nothing_ will actually
| continue to function. None of the systems have ever been actually
| tested and still make assumptions about the rest of the
| infrastructure. I also don 't believe that simplicity can fix
| this, everything already has deep built-in assumptions about
| everything else, which makes any replacement a daunting task.
| waveBidder wrote:
| Well, every major city being eliminated by a nuke would also
| hamper these systems in a total war between developed
| countries.
| cwillu wrote:
| I regret that I have but one upvote to give.
| vaylian wrote:
| This is definitely one of the best submissions I've seen on HN.
|
| I don't think it helps with the ranking, but you can still
| favorite the thread.
| ahubert wrote:
| Thank you both :-) (author here)
| tetha wrote:
| > So you can have a whole board full of people that studied
| history and art and French, and they sit there making our cloud
| decisions. And they simply don't know.
|
| > And if there had been more nerds in that room, some of these
| things would not have happened. And that is also a call to maybe
| us nerds, although you don't really look that nerdy, but do join
| those meetings.
|
| > Because quite often, we as technical people, we're like, "Ah,
| these meetings are an interruption of my work, and I'm not
| joining that meeting." And while you were not there, the company
| decided to outsource everything to India.
|
| Oof. This is hitting me hard on two levels.
|
| As I'm racking up years in the operational business, the best
| impact I can have isn't that I can understand log files twice as
| fast as the guy next to me. Many people can learn that. The
| bigger impact is to be able to connect the effects of technical
| decisions onto the overall business and vice-versa to higher
| management.
|
| Like, sure, I can rattle down a lot of technical requirements we
| need to self-host a highly available infrastructure, and I can
| rattle down a lot of the advantages of the cloud /in a small
| company situation/ and such.
|
| But that is largely useless to the CEO of a small and medium
| business. The more interesting statement is: Self-hosting
| requires a larger upfront and a larger continuous investment over
| time at a certain range of scale. You need to buy servers,
| firewall, switches, rent bandwidth and DC space and to hire
| people to take care of all of these. However, we can achieve a
| higher level of security and data protection on these systems and
| in the long run, we can become cheaper than the big cloud
| providers, because the current product-visions are already
| decently big. The cloud can be more flexible and innovate faster,
| but we will have more security discussions with our customers and
| the control over our systems will be lower, for better or worse.
|
| Put this way, we're setting up a pretty good self-hosted plan,
| which primarily uses the cloud as a way out if we or our DC
| hosters fuck up.
|
| This plan cost the company more money than the existing cloud
| infra would have for a year or two, but now it is starting to pay
| off and in a year or two, hardware extensions will be a welcome
| expense.
|
| But that is bringing me to a second point, deeper point: This
| only works because the board here is fine planning for benefits
| 3-5 years down the line. "In 2-3 years we'll be even", we said,
| and "in 3-5 years we'll be cheaper, a lot". We're even now 2
| years after.
|
| If they were just maximizing next quarters profits, we probably
| would have migrated everything to AWS and just started shoveling
| more money across the Atlantic, making us highly dependent on
| cross-atlantic and US infrastructure. It would've been cheaper
| for a year or so.
|
| And this profit-maximizing mindset looming over good decisions
| and great tech is frustrating me.
|
| Generative AI is similar there to me. Generative AI should be
| something I should be excited about. For example, Runegate
| Studios cooperated ethically with Unleash the Archers and Bo
| Bradshaw to create a music video[1] in Bo's style we just
| wouldn't have without generative AI and it would never be created
| without. And like, sure, it's not Disney quality, but you're
| looking at ~10 people cooperating here. For that headcount, that
| video is amazing.
|
| But I know it will be used to slash jobs, prevent juniors from
| learning because AI is cheaper, ruin careers "because the AI can
| do 80% for less costs" and such. Short-term perspectives. And
| then in 10 years there will be a crisis of "Why can't we find
| good writers/cartoonists/musicians/... anymore?"
|
| Sorry for the TED-talk. I'm currently torn between a very excited
| and a very frustrated person.
|
| 1: https://www.youtube.com/watch?v=eLPMBD7i0IU
| CJefferson wrote:
| I wonder if we, in secret, have "mutually assured destruction" of
| cyber-warfare.
|
| It seems like a reasonable assumption to me that major world
| powers probably have enough 0-days at any one time that they
| could use them together to format a significant proportion of the
| world's computers and phones. It would be not be that hard to
| make these worms intelligently use IP to target particular
| countries.
|
| It's hard for me to imagine how much damage it would do if I
| could wipe even say 25% of all work and home computers, maybe
| every phone not updated in the last 6 months, and a decent chunk
| of online servers.
| hollerith wrote:
| >It seems like a reasonable assumption to me that major world
| powers probably have enough 0-days at any one time that they
| could use them together to format a significant proportion of
| the world's computers and phones.
|
| If that is true, then how come we have _not_ heard much about
| erasure of data on phones and computers in Ukraine by Russian
| hackers?
|
| Please don't say that the Kremlin is holding its 0-days in
| reserve for a more serious conflict! the Kremlin sees the
| Ukraine situation as extremely serious for Russian national
| security. It uses large numbers of missiles costing over a
| million dollars each to degrade Ukraine's electrical grid. It
| has attempted to assassinate the president of Ukraine many
| times. Why wouldn't it be all-out trying to do as much damage
| as possible to Ukraine through cyberattacks?
| r2_pilot wrote:
| In point of fact, Ukraine has been hacked, multiple times
| during this conflict, and they were hardly damaging. This is
| in large part due to the fact that this particular
| conflict(hacking in particular) has been going on longer than
| just the start of the official war, so Ukraine has been
| hardening its systems significantly for many years. It goes
| to show that with dedication, even nation-state actors can be
| stymied with defense-in-depth.
| kjkjadksj wrote:
| Probably for the same reason why they aren't using their
| nuclear weaponry.
| hollerith wrote:
| Isn't that a fully-general argument? I say that flywheels
| will cause a revolution in military affairs. You reply
| with, "Why haven't we seen flywheels used in war?" I reply
| that flywheels are such a potent weapon that armies are
| afraid to deploy them out of fear that their enemy will
| response by using flywheels against them, which would be
| just too terrible and might cause a global ecological
| catastrophe or a general breakdown of society.
| pixl97 wrote:
| You are going to die, going to happen to all of us,
| nothing we can do about it.
|
| Now, the when is the part that gets the attention of our
| little monkey brains.
|
| 1. Within the next 15 minutes.
|
| 2. Sometime within the next 100 years.
|
| Your scenario is a type 2 scenario. At some time in the
| ethereal future 'flywheels' may cause the death of
| mankind. Well, we're all going to die in the ethereal
| future anyway so who cares.
|
| Nuclear weapons are a type 1 problem. It's like a gun
| being pointed at your head and someone screaming "give me
| the money", you're not going to be thinking about what's
| for dinner because the likelihood of dinner is low.
| indymike wrote:
| > I wonder if we, in secret, have "mutually assured
| destruction" of cyber-warfare.
|
| Low-orbit nuclear EMP would be that option. Not cyber...
| technically.
| hughesjj wrote:
| Is the idea that that would essentially form a 'shield'of
| radiation that none of our existing satellites could
| penetrative with a resolvable signal? Or just that most of
| our satellites are LEO?
|
| I'd imagine anything in GEO would be far out enough to
| survive a LEO emp
| pixl97 wrote:
| More like it would fry the electrical grid rendering our
| server farms and telecommunication networks without power.
| throwaway22032 wrote:
| Tough times create tough men comes to mind.
|
| Leadership in the UK is absolutely pitiful. Yes, you can work on
| multiple problems at once, but in reality both the public and
| private discourse is focused on utterly trivial and stupid stuff.
|
| The top level goals of a government are to ensure that the state
| exists and can protect its' citizens. We enacted income taxes on
| that basis in the first place for wars.
|
| Now we have people arguing the toss over whether cars should emit
| a particular thing because it reduces life expectancy by a few
| months or landlords should put triple glazing in because tenants
| would pay slightly less on their bill or men can pretend to be
| women or whatever else. Fiddling over 0.1% issues whilst ignoring
| the elephant in the room.
|
| I fear that there's going to have to be a big shock and we'll
| wake up from this collective delusion much like in the early days
| of Covid when everything just... stopped.
| openasocket wrote:
| I agree with the overall thesis, but I do need to quibble about
| Stuxnet. Yes, Stuxnet was very interesting, and it did disrupt
| Irans nuclear program. However, its impact is often overblown. It
| likely delayed Irans nuclear program by only a few weeks. Cyber
| attacks can absolutely cause a lot of damage and harm, but
| Stuxnet is not the best example of that.
| hyperman1 wrote:
| Stuxnet was a very graphical demonstration of the
| possibilities. Even if the results weren't that great, it
| demonstrates to nontechies the expensive real-world
| consequences of 1 usb stick with malware.
|
| I understood the hole in the ozon layer was similar. Even if
| the actual danger of it was probably overrated, it made people
| imagine how we broke earths radiation shield and would be hit
| by all kinds of nasty space radiation. This resulted in real
| world policy changes.
| jjice wrote:
| The reason I personally think Stuxnet is so interesting is
| because of it's reach. The goal was so specific and it
| accomplished it while infecting lord knows how many machines
| (but I bet Wikipedia knows).
|
| Impact wasn't massive by any means, but the scope of the
| project will always impress me.
| FL410 wrote:
| This is one of my favorite reads on HN to date. I hope more
| people see it. It's funny how, even as a "nerd," I often think
| about if we are doing the wrong thing by taking the nerdy
| approach to problems that could be solved more simply. It feels
| like we often choose the most complex or nerdiest approach to
| prove to ourselves and others that we _can_ and not whether we
| _should_ - which isn 't to say that we _shouldn 't ever_ - just
| that some problems deserve the simple solution.
| Terr_ wrote:
| At least in my education, the Therac-25 incidents [0] featured
| pretty prominently as an example of software overconfidence.
|
| https://en.m.wikipedia.org/wiki/Therac-25
| darkPotato wrote:
| Great piece!
| ahubert wrote:
| Thanks!
| baxtr wrote:
| This is a pretty scary article. And yet I have to say it's weird
| to say we are pre-war. Ukraine certainly isn't. So shouldn't any
| scenario outlined in that article happen there already? The
| mobile network there seems to be operational.
| int_19h wrote:
| TFA:
|
| > Ukraine was already at war for two years and battle-hardened.
| So anything that was simple to break was already broken by the
| Russians. Then after two years, the Russians managed to break
| Kyivstar, one of the biggest telecommunications companies of
| Ukraine, This was a very destructive attack. But the Ukrainians
| (in and outside Kyivstar) are good enough that in two days they
| were back up and running, _because these people were prepared
| for chaos. They knew how to restore their systems from
| scratch_. If we get an attack like this on VodafoneZiggo or on
| Odido, and they don't get external help, they will be down for
| half a year, because they don't know anything about their own
| systems.
| xyst wrote:
| If COVID-19 didn't move the needle on how dependent we are on
| foreign countries to do our scut work.
|
| I highly doubt the precipice of war will change anything. We are
| a species that will optimize for the shortest path. Cutting
| corners along the way. When it blows up on our faces and while
| sitting on a pile of ashes, will ponder "wtf did we do wrong".
| jawiggins wrote:
| > If COVID-19 didn't move the needle on how dependent we are on
| foreign countries to do our scut work.
|
| I believe the search-term you are looking for is
| "Friendshoring".
|
| "Some companies and governments pursue friendshoring as a way
| to continue accessing international markets and supply chains
| while reducing certain geopolitical risks... Bonnie Glick first
| used the term "allied shoring" at the start of the Covid-19
| pandemic, while serving as the deputy administrator of the
| United States Agency for International Development... The new
| U.S. Trade Policy, including USMCA and IPEF, complies with the
| Friendshoring arrangement." [1]
|
| [1]: https://en.wikipedia.org/wiki/Friendshoring
| joquarky wrote:
| What's grating on my nerves is that I called out a lot of
| security concerns in courts & justice software and shortly after
| was constructively dismissed.
|
| I've been unemployed ever since.
|
| I'm getting antsy about income and getting no traction on my job
| search.
|
| How many other people are advanced in tech but having some
| difficulty finding work right now?
|
| How tempted will they be to switch to black hat for income?
|
| I can't be the only one thinking this way.
| bongodongobob wrote:
| It's really bad right now. I've learned to not stir the pot
| over the years. Unless you're primary role is security it's
| best to go with the flow. I've seen some massive security holes
| at every company I've worked at. As long as the boxes are
| checked for insurance, they don't care.
___________________________________________________________________
(page generated 2024-05-18 23:00 UTC)