Sounds like a good opportunity to bring back "letters of marque." These were less about authorizing ships to fight back against pirates, and more about authorizing privateers to find and capture pirate vessels with the expectation that they would be allowed to keep whatever loot they captured. Sounds like we're taking a step in that direction as the Internet is being identified as lawless as the sea.
Even better, why would they bother? If it's a non-monetary hack (i.e. for data), hacking them back won't undo leaking the data. If it's a monetary hack, there are surely much better recovery options than trying to do a hack-in-kind to take it back.
It also seems incredibly risky. This US admin might be okay with it, but will the next? For multi-national corporations, will other nations be okay with it? I wouldn't think countries unassociated with the conflict would be happy with digital privateering.
> For multi-national corporations, will other nations be okay with it?
Imagine hacking back and accidentally hitting a hospital, killing someone in the process.
That is a fast line to getting an Interpol terrorist arrest request on your head. Sure, the US won't hand you over, but have fun never leaving the US and getting your assets abroad seized.
The comments are about "private firms hacking back",
not about highly specialized groups hacking first.
But also "professional hackers" have screwed over hospitals before and confirmed it was accidental, so potentially yes.
Worse, Iranian terrorists with hacking skills might intentionally target hospitals, and they might not sit in Iran, so disconnecting Iran is unlikely to help at all with such a threat.
So wherever you "hack back" to has a good chance of being another victim.
It's also a good point to remind people that most cases of "knowing who it was but not catching the people behind it" are either wild guesses without proof or the attacker leaving recognizable traces (like a literal "it has been us <group>" note / not a joke). But the problem with that is any other advanced enough hacker group/APT could also have made it look like that...
This already exists to some degree. It’s the “Brand Protection” industry and they’ve been doing it for years. Our clients were all Blue Chips that need additional help and or want plausible deniability.
Having worked in the space, the normal flow would look something like:
1. Random WordPress blog is hacked, hosts a fake iCloud page, which is linked to in phishing emails.
2. We find it, either by direct reporting or by our internet crawling.
3. We reach out to the hacked company, their hosting provider, and their DNS provider. The goal being to take this site offline, no matter how.
This worked for the vast majority of hacks. Some random plumbing company has no clue their marketing site is compromised and happily works with us. Or maybe they host at GoDaddy and we have a privileged relationship with them and they disabled the site. Last resort the DNS company will just delete their records.
Sometimes, though, we get a compromised site on a host in a foreign land that won’t cooperate. Then what? Well, it’s a legal grey area that our in-house counsel felt was perfectly fine: hack the site and take it down the hard way. We didn’t advertise or document when we did this. It was an open-secret inside the company however.
All this does is legitimize the sadly necessary work we face in a modern world.
Okay, that is kinda funny and much less legally problematic (because they didn't actively hack back, and depending on what that virus did in detail it could be seen more like how money bags can spray color on the bills if forcefully opened, making them useless but not quite destroying them).
What are you “scoring” though. US firm loses data, has downtime, lost revenues, etc. If they attack back, what damages are they doing that they even care about? Seems to me they just are asking to be continually targeted.
Also, why burn the resources? Attacking isn’t free.
Look at every single sportsball event where the losing team had > 0 points. Same thing. Has there ever been a "war" with 0 casualties on the winning side?
There's also a quote from Prez in The Wire, "Nobody wins. One team just loses more slowly"
Except this isn't a game of sports, and a private company doesn't gain anything from attempting to "hack back" a foreign adversary. It just costs them resources and makes them an even larger target. And given that those adversaries are in all likelihood state-sponsored, the actual opponent is the US government, which is abdicating its responsibility.
It's like saying "the police don't care any more, citizen, so you know, just punch back". It's also incredibly dangerous, btw, to tell private firms they have the authority to engage in what is basically an act of warfare.
> what makes them think they have the knowledge/expertise to fight back?
If the goal is simply breaking shit (versus e.g. exfiltrating data) offense is way easier than defense. Also, security is an ongoing expense. Retaliation is one time.
> Also, security is an ongoing expense. Retaliation is one time.
Disagree. Retaliating draws a larger target on you. Increasing need for ongoing security. And increasing need to retaliate. You’re retaliating against multiple fronts and vectors. It’s all very expensive and an arms race.
This is likely why the administration is suggesting that private firms hack back. It draws a larger target on the private firms instead of the administration.
> Retaliating draws a larger target on you. Increasing need for ongoing security
Does it? I feel like I could pretty easily pay a mercenary group to fuck around with Iran without being particularly concerned about blowback. (My main risk would be getting scammed.)
Having worked at an anti-phishing brand protection firm on behalf of firms like Apple, it absolutely draws a target on your back.
We used to receive routine threats from the IRGC on top of the usual DDoS attacks on our systems. Turns out cybercriminals don’t like it when you disrupt their cash flow. Thankfully we never got SWAT’d or had a box of heroin shipped to our office like that one journalist.
I guess this means if you know your attacker as ID'd by your MDR, you don't have to feel helpless in not being able to fight back against the likes of Cozy Bear, RomCom, Lazarus, etc., if you're up to it. Now, I don't think many orgs would be up to it, but perhaps the bigger orgs in the US might quietly fight back - Microsoft and others typically fight back in the legal space with takedowns, etc., but who knows, they could venture further afield.
> Now, I don't think many orgs would be up to it, but perhaps the bigger orgs in the US might quietly fight back
Sony's movie division financed a movie North Korea disapproved of, and DPRK retaliated[1] by hacking Sony Pictures and releasing executive salaries, emails, private employee information, unreleased movies, and scripts, and set loose wiper malware on Sony Pictures' internal network. Sony was also forced to cancel the theatrical release because there were threats of terrorist attacks at theaters that showed the film.
"Hacking back" is not a great strategy for most companies, except those that were already juicy targets and are battle-tested against state actors. But what do I know, I'm no fancy CSO.
On the Internet, attackers have about the same ratio of advantage that defenders do IRL. They absolutely can hack back, because hacking is easy.
The real question is if they can even properly attribute to the correct target. Nobody hacks from their home IP. Anyone remember Uplink? You'd make it way easier to avoid getting arrested (which wipes your save) if you proxied through the tutorial machine first and wiped its logs after you were done. Likewise, even the most basic cybercriminals know to hack with machines they've already compromised, so that all the owners of those machines and their ISPs' abuse desks spend all their time pointing the finger at each other.
I don't think that follows. There's not a single large organization - private business or a government - that can claim to be 100% hacker-proof. A lot of "cyber" problems are also people problems: humans make mistakes, deliberately circumvent policies and security mechanisms to "get stuff done", can be coerced or bribed. That doesn't mean they are incompetent, just that defense is never perfect.
Making criminals' lives more complicated is a good strategy. Corporate vigilantism, I don't know.
Exactly. They don't even have the know-how to defend themselves -- there is no hope of them getting on the offensive, at least not without extensive external help.
This has nothing to do with the reality of computer security. Not getting hacked requires doing everything right and some luck. Hacking requires some luck or doing one thing right.
The problem is to hack something you need to know the what, where, who.
Companies have a very visible what, where, who in most cases.
Hackers don't, and take extra steps to obscure it (e.g. jump hosts, botnets, etc.).
Now if it's, idk, a spear phishing campaign or similar, "hacking back" by giving them trapped data or reverse social engineering attacks might work.
But if it's a technical security vulnerability someone found by scanning and sneaked into using multi-country jump hosts and cleaned up behind them, then you have little chance to find them, and doing so likely requires getting information from telcos, which requires court orders to be handed over, and from multiple countries, too.
Sure, though I would view that as a separate problem with the idea of asking anyone to target attackers. Everyone is an equally good psychic; some believe they are better than others.
It's also why Germany started WW1 and what made it easy to put all the blame on them (after WW1; WW2 is a different thing).
And it is also related to common war crimes if in a conflict combatants frequently hide as civilians (as defense by offense will sooner or later lead to attacking random civilians due to mistaking them for hidden combatants).
I think there may be adversaries smart enough to coordinate a situation to get a little hacking war going on between two friendlies who both think they're 'hacking back' at enemies.
Verifying the actual source of a hack is not necessarily easy, as far as I know.
Yes, this is what I really had in mind but could not retrieve this from my memory banks. If the combatants are not going to properly identify themselves, then the risk of civilian casualties is going to be very high. I guess interlock breathalyzers was just the opening shot.
I look forward to the first instance of a DDoS or targeted exploit used against security researchers who have been misidentified as “hackers” by some corporate IDS.
I don't look forward to corporations "automating" (unleashing) their "defenses" (hackbots) with AI, and ending up bricking random people's and businesses' phones and devices because they start hallucinating attacks.
Yeah, considering the number of corporate IT products that count anything from a port scan to requesting /wp-admin a "thwarted cyberattack" I can see this going very poorly when every cowboy IT manager gets their sheriff badge.
It's still around and up to 6th edition! Catalyst Game hasn't been the best steward of the IP, with the rules still being internally inconsistent and usually needing a lot of house rules to fix.
I agree with the characterisation of this activity as 'cyber-warfare', but that has the consequence that telling businesses to 'hack back' is inviting them to raise private armies, with which I strenuously disagree. That sort of thing does, however, fit with the present administration's ideology.
> telling businesses to 'hack back' is inviting them to raise private armies
> That sort of thing does, however, to fit with the present administration's ideology
These kinds of firms (usually branded as boutique consultancies) have already existed in the OffSec space for over a decade now in most countries and with tacit approval of their law enforcement agencies.
It was BSides this weekend and RSAC right now so you will bump into plenty of them walking around Moscone.
That made sense when it was just businesses defending their own operations from criminals, akin to banks having to use armed guards to move cash and bullion around. But when it's businesses defending against state-sponsored actors in the context of an actual shooting war, that's very different.
> That made sense when it was just businesses defending their own operations from criminals, akin to banks having to use armed guards to move cash and bullion around.
That's a rather crude analogy which misses the major dangers of vigilante hacking. A better analogy is allowing private guards to shoot you on suspicion of you having stolen their money based only on a claim that the money found in your wallet might be theirs.
To understand the problem, think of vigilante justice where some person/group assumes the roles of police, judge and executioner, circumventing due process which is due for a reason.
What happens if a corp doesn't like what you have on your website, spoofs some logs as if coming from it and then hacks the site to disable your ability to communicate?
Well, in that case you're toast. You may go to the judge, pay lawyers and waste your life on lawsuits fighting against a corp with a lawful reason to hack you, because if this becomes law, you will be guilty until proven innocent - that's very costly and hard to do. Your chances of success will be virtually zero, meaning the corps get a license to silence you with impunity.
Most APTs companies are already dealing with are either directly state-sponsored or state-permitted, as has been seen with the Cyrillic, Simplified Chinese, and Hebrew keyboard checks that have become fairly common in offensive payloads, so the division you are making has been nonexistent for decades.
This is just a tacit admission of a practice that has been occurring under the radar for years now.
Anyway, it's actually bad if there's been a problem for years, and the way it becomes widely known is by Authority(TM) legitimizing it instead of trying to stamp it out.
Russia, China, India, Singapore, Israel, South Korea, and Japan don't cooperate on stamping out these kinds of operations. Even EU states like Italy, Czechia, Poland, Hungary, and Greece have continued to allow these kinds of organizations to operate and proliferate capabilities, so much so that the European Parliament attempted an investigation that was promptly ignored by those states because "national security" falls under national sovereignty.
When it's morals versus national security, national security always wins, and no country will leave capabilities unused in the interest of maintaining a moral high-ground.
> the way it becomes widely known
It has been widely known in the security industry for years.
That was my immediate thought as well: Legitimizing in people's minds that it's ok to commit crimes in a self-coordinated fashion as long as it benefits the people in the current administration. It's very dangerous, and is also happening right now with regards to physical violence [0][1], in addition to all the white collar crime (too much to list).
Would this open "interesting" possibilities for false flags? Make one entity attack another entity you don't like, and now watch them fight each other.
It works for me with Firefox's Cloudflare DNS over HTTP.
For clarity, the recent issue[0] likely wasn't intermittent. Cloudflare's malware blocking DNS server now blocks those archive.today sites. Doesn't affect the non-malware-blocking DNS server (1.1.1.1).
Over time, if everyone who robs gas stations ends up shot dead, people will significantly stop robbing gas stations.
The attendant does not want smoke… but if circle K can hire top talent to “eliminate”?
How cool would a team of 12 guys charged with hurting the hacking firm be? Awesome job. And if successful you’d have a cool story. White hat but you don’t need to work for the NSA.
The referenced policy says "We will unleash the private sector by creating incentives to identify and disrupt adversary networks and scale our national capabilities."
One reason: When a corporation attacks someone, how do they decide who they are attacking? What if they attack the wrong person due to misattribution? What if they do it due to incompetence (stretch your mind and try to imagine incompetence in IT) or just to look like they did something? What if they attack enemies or competitors? I'm sure they can find some excuse.
In every other domain of justice, there is a warrant, an arrest, indictment, and trial, involving the agreement of many people in two branches of government.
Also, does this mean I can 'hack back' the endless scammers?
I have this huge looming sensation that private credit will trigger a mini 2008, but instead of investors sucking up the losses, as they should, American taxpayers will be left with the bill.
A part of me was hoping that with LLMs getting better and better at mimicking corporate nothing-speak that we'd realize that we can automate away a lot of the executives, Vice Presidents, and CEOs. Of course that was a naive hope on my end; if history has taught us anything, executives at big companies appear to only be skilled at one thing: shielding themselves from the consequences of their awful decisions.
Instead of automating away a job that is mostly about blathering on with half-truths about the future of the company (something that AI could actually do perfectly fine), they instead think they can fire half the engineers and replace them with a Claude Code.
AI may be able to mimic the cadence and vocabulary of CEO-speak, but it can't possess in-group signifiers like fraternity rings, golf club memberships or be able to trade favors like getting invites to the right kind of parties. All of these are required as part of an elaborate dance to placate a merry band of institutional investors, earnings analysts and politicians.
I'm just a regular intelligence, and sadly it appears I can't possess those things either; I've tried to break into the finance world [1], and I've learned that despite fifteen years of software experience, it doesn't matter if I didn't go to an Ivy League school.
I wonder if there is a service that just serves as a "degree cleanse" where I can technically say I have a degree from Columbia or something without having to spend $200,000 going through another degree program.
[1] Admittedly for money, but also it's one of the few areas where I might realistically be allowed to do math.
There are three ways into the finance world: straight out of undergrad from a 'target' school with at least one summer internship at a target bank, an MBA from a target school, or a Math PhD from a well-regarded school.
Is there a fourth way of doing it by befriending a random person who already works there and can get shoehorned in? Probably not, I'm sure they care about the pedigree more than basically anything else.
I send an application to RenTec every six months, almost as a joke because I would be extremely surprised if they continue after seeing <NOT A TOP 20 SCHOOL> on my resume. Granted, I don't think you really "apply" to RenTec to begin with, I think realistically they actually find you.
Yes, if you know someone and they can vouch for you and provide an introduction, that's a possibility, but you will need to have some prior experience that's relevant to the role.
The other way would be to be working at a management or strategy/IT consultancy that is working with the financial institution. That way you can build your own relationships, understand their business and get head-hunted into an internal role when one comes up.
Yeah, I figured that contracting is probably the only way I'll break in. I haven't ruled it out, though I really hate working for consultancies like that.
Maybe I should just get my mom to write them a note explaining how clever and handsome I am, because I don't know that that comes through clearly in the resume. If I attached that as a cover letter, it might at least be memorable :)
I have noticed this; there seems to be an 'Ivy League ceiling' which exists and prevents others from breaking into certain roles, even if they have the experience and skills for them.
I had a recruiter on LinkedIn reach out recently who sent me a PDF of a job that they thought I might be interested in. I read through it, and the job seemed fine, but on the very bottom it said "people who went to a mediocre school need not apply".
I could kind of understand this if it was a junior position since the incoming person might not have any real experience, but this was for a staff level and required at least ten years of experience.
I responded back to the recruiter with something like "I didn't go to a fancy school, and I don't want to work with these assholes if they think that that's more important than fifteen years of experience. I'm not sure why you sent this to me; you can see my education history clearly on my LinkedIn profile".
All about keeping out the riffraff. Just being Ivy League isn't enough, by the way; you very well may need to be in the right social clubs ("fraternities" by any other name), have had the right internships and participate in the right college sports to accumulate the necessary social proof of being a 'culture fit'.
There is no Ivy League ceiling in finance (as an industry). I know plenty of people who make (or made) good money in finance with public school degrees. (The ex-finance blokes are all retired now.)
Of course, if you limit your search to the "prestigious" firms, then yes, there is an Ivy league filter. But why would you want to work at a firm that is all style and no substance?
I see this sentiment repeated so often, and it's so surprising to me that people have this train of thought.
If our society was organized around the needs of workers, and existed to help workers compete at their crafts (somehow), then this would make sense.
But it isn't. Every one of our jobs exists as a contract that was initially offered by an owner of capital, and created in order to make that person more money.
As such, ownership is literally the _only_ job that will never be replaced, because it is the atom from which all the rest of the market's building blocks have been built.
AI could replace every job in the market, and company-owner would be the only job left untouched, because every other job in existence, ultimately, has been created to serve that person, not the other way around.
> ownership is literally the _only_ job that will never be replaced
Humans will always be the roots of the ownership graph, but I think AI can be any other node. Start an AI-first hedge fund or private equity firm. The AI makes the decisions. There may be a human manager, but they've agreed to be the AI's arms and ears. AI starts looking like a root owner if/when it starts managing a large charitable endowment, however.
Same thing with managers, particularly CEOs. The board may become dissatisfied with the present CEO, and start requiring that they run all decisions past an AI. The board agrees to certain values or priorities for the AI. Eventually, the AI is the one effectively in control, and the CEO is just a vestigial organ drawing a salary in case the AI ever makes a very bad decision.
Ownership is a little different; there are a lot of jobs in BigCos where they don't own the company but still basically only serve to blather half-truths to the employees.
My dad used to have a boss that he pejoratively nicknamed "VPGPT", because he felt that the way he spoke was indistinguishable from ChatGPT, and he could be replaced with ChatGPT without anyone noticing a difference. This guy wasn't the owner of the company; he was just a higher-level manager.
It's easiest to mentally model (for me) that those closest to the money are the last ones out the door. They control the purse strings and what the money is spent on.
So if you are the CEO, you are basically one or two tiers away from the money. Those who report to the CEO 5 levels deep are pretty far away.
Believing that someone very close to the money is going to replace themselves is incredibly naive.
If you could replace yourself with a program running on your laptop that took all your meetings and responded to your emails for you, while you did other stuff, wouldn't you? It's not naivety; I can see it as very appealing to this caricature in my head of a CEO who just wants to go off and be lazy and fuck their secretary.
Would you also replace your salary and title? Or would you let your AI bot do your work for you and still get paid?
Sure, owners in the end might get wise and realize they can fire the human and just keep the bot doing all the work. Or they might decide that having a person to manage all the bots instead of them is worth the money to not be bothered going all the way. Or perhaps it takes until the board also replaces themselves with bots that those bots decide it’s time to do away with the pesky human. Either way it’s the last of the dominos to fall.
I don’t think this is about jobs. I think this is about information, power, and access to power.
The way a company with a bad C-suite gets fixed is by being competed out of existence. The way workers with bad bosses can fix that is imo limited, mostly to “find another job”.
I’m curious if anyone has ever heard of “complain to the board during the CEO’s renewal phase” being successful. It didn’t happen at places I know about.
The way that happens is you have enough money to buy enough shares to have enough votes to force a change in the board. Usually referred to as "activist shareholders" or "corporate raiders" or whatnot.
The current structure is just the evolution of Norman lords, only they no longer have to worry about the pesky governing detail and can focus solely on value extraction. But corporate attitude towards humans, both their workers and the 'markets' they extract from, are if anything less humane. The Normans had to have their conquered populations housed, getting married, having kids in order to have workers/something to extract from. Corporate Normanism just throws people away/moves to another group.
>If our society was organized around the needs of workers, and existed to help workers compete at their crafts (somehow), then this would make sense.
How would this even work? "workers compete at their crafts" doesn't put food on the table. I'm sure that if "economics" and "capitalism" wasn't a factor, most of HN would be making indie games or whatever instead of making enterprise SaaS apps.
The US was a vastly different country in the 1960s than today from all points of view. Plebs had way more social cohesion and unity, and a lot more bargaining power over the wealthy and politicians, when communism was the main enemy and all working class jobs hadn't yet been shipped abroad and PE hadn't yet monopolized ownership of housing and everything else and the US industrial elites didn't have doomsday bunkers in Hawaii and New Zealand.
What I'm saying is what worked then won't work now because the context is completely different.
The same way it’s always done: political organizing. Find groups that are working towards the world you want and start chipping in and getting involved. It takes time, there’s no magic wand, and we should’ve started 20 years ago, but none of that changes the answer: if you want the world to be different, get out there and start doing the work.
And, it has worked - it worked in the 30s to get the New Deal through and expand unions, it worked in the 60s to advance the environmental and civil rights agendas, it worked in the 80s to dismantle the New Deal, it worked in the 90s to promote gay rights, it worked in the 00s to make Christian Nationalism a national political force, it worked in the 10s to get a fascist elected and then re-elected, and god willing it’ll work in the 20s to get these fucks out of office again too.
If you're trying to make a veiled reference to the French revolution, keep in mind that's also ostensibly what the Jan 6th rioters thought they were doing, though arguably a lighter version. "Let's have a violent revolution to kill the elites" sounds like a great idea, until you realize that it works for the other side as well.
Mapping out the actual "ethics" of the J6 people has been difficult for me. It butts up against how I generally define "good" and "bad".
For an easy example, a guy murdering his wife for the insurance money is someone that I can pretty easily call "bad". That would be hurting someone to enrich yourself, which I think we can agree is pretty bad.
But on an "individual morality" level, it's hard for me to directly condemn the J6 people. If they genuinely believed the election was stolen, and if they genuinely believed that the only way to save America was by invading the Capitol, and they were willing to do it at great risk to themselves with very little personal benefit, it's hard for me to directly say that they're "bad" people. Dumb, misguided people doing a bad thing, but they're doing what they think is right.
To be clear, I think the J6 people were very stupid, and I think the orange idiot lying about some election fraud in order to overthrow democracy is a very very very bad thing.
To be honest, the only downside with this idea is that in case you succeed, you are left with a group of people who like killing elites (and who can switch their definition of "elites" to include you).
>That's bullshit. Same nonsense as equating J6 and BLM.
Since when did I bring in BLM?
>J6 was a _government official_, with no evidence, inciting violence in people that _did not care about evidence_. They did not think, period.
So your only objection to Jan 6th was that the person inciting political violence was a government official and/or there wasn't "evidence" (whatever that means)? Nothing about violence itself? I guess a non-government official calling for the CEO of JPM or Ben Bernanke to be decapitated, citing some gini coefficient graphs is fine?
You didn't. You did a false dichotomy, then both-sides'd your argument. Presumably "hack back" being one side, and J6s the other. I'm likening "hack back" to BLM, people seeing, with their own eyes, blatant abuse of power, and acting, sans "leader". We should all be on the "side" of being against blatant abuse of power, when we actually see it.
> So your only objection...
People should legally be allowed to say whatever they want, but, since I can see why the roles played by government officials require special consideration (extraordinary powers, supposedly granted by "The People", checks and balances, and such), if Biden had done even 1 of the hundreds of things Trump had, I would still be on the same side of this argument. Would you be?
>You didn't. You did a false dichotomy, then both-sides'd your argument. Presumably "hack back" being one side, and J6s the other. I'm likening "hack back" to BLM
So saying that political violence is bad, and pointing out an example where the other side did political violence is "both-sides"?
>We should all be on the "side" of being against blatant abuse of power, when we actually see it.
Again, you haven't answered my question. It sounds like you wouldn't have any issue with Jan 6th if Trump wasn't involved, and it was just grassroots election denialism.
>People should legally be allowed to say whatever they want but
No, I was specifically referring to "veiled reference to the French revolution", which implies some sort of political violence, not just something like BLM protests.
Nick Shirley and other indie journalists did investigations and found you can easily commit election fraud in places with no voter ID like Cali. But don't get distracted by the facts.
>BLM was individuals responding to seeing, _with their own eyes_, power being blatantly abused _by government officials_, live on TV, many, many times.
Yeah, all those innocent businesses and property deserved to get looted and torched because a cop killed a guy breaking the law high on fentanyl. It's totally acceptable and tolerant. If something from the government bothers you, you are now legally and socially allowed to just rob a Nike store and burn down some cars in the city center.
Nick Shirley and other "indie journalists" doing "investigations", is very far from "fact". And nowhere near justification for attempting to overthrow a government. Curious though, did they "find that out" by doing it end-to-end? Pseudo-intellectual "deductive reasoning" does not actually prove anything, other than the bad-faith nature of the person presenting it as evidence.
Didn't say any of that should be legal. Anyone arrested for that deserved it. And anyone pardoned, should not have been. Do you agree?
If Biden had told those people directly that he loved them, and they should keep up the good work, I'd be on here objecting to it just as much.
>Anyone arrested for that deserved it. And anyone pardoned, should not have been. Do you agree?
Agree but...
>attempting to overthrow a government.
J6 storming the Capitol is not the same thing as overthrowing a government. It's more like cosplaying to overthrow the government while the actual government watches and laughs. You can't overthrow any government until you have the full support of the military. Why can't Democrat supporters see and analyze anything else happening in their backyard besides being forever stuck on J6? Everyone agrees it was bad, now can we move on to the present issues at hand?
>"deductive reasoning" does not actually prove anything
Deductive reasoning is everything. If there are loopholes that allow crimes to happen in theory, then crimes will 100% happen in practice. Do you agree? Pretending it's not actual evidence is how criminals (and governments) get away with crime, because they never investigate those issues when their exploitation benefits them. Same as with the Minnesota Somali childcare fraud. Isn't it convenient that we can't consider it fraud until the government investigates itself, and it rarely does, and when it does it finds nothing because they're in cahoots with the scammers as they all get kickbacks?
You obviously left out the pseudo-intellectual part on purpose. Actual deductive reasoning has its place. It's most certainly not "everything". It sure as hell isn't how law works. The 1 loophole every single law has is they can't physically stop people from committing the crime, so they can always still happen. There's a ton of laws anyone can break with something as simple as a pencil; you can't use that "fact" to justify ANYTHING, let alone J6.
>You obviously left out the pseudo-intellectual part on purpose.
I didn't want to insult you.
Everyone with two neurons to rub together can recognize when a scam (election fraud, childcare fraud, etc) is happening right in front of them because they see the conditions for something to happen are all there. The midwit pseudo-intellectuals are the ones refusing to acknowledge the common sense pattern recognition logic that exposes scams, and instead reject them on ideological grounds and only base their judgement on asking for proof coming from the corrupt sources of authority that are in on the scams or too incompetent and short staffed to check.
Relying on good will and people doing the right thing is clearly bullshit - any system which is insecure should be a legitimate target, and the onus needs to be on those who own the systems to secure them, and be unable to disclaim liability if they do not.
However, the law needs to reflect that if people are to actually take the suggestions seriously.
Say I do everything right and still get compromised because an AWS 0-day lets attackers read the RAM of my virtual server. It’s my responsibility, but is it my fault?
There’s no such thing as a secure system that’s usable. You can asymptotically approach it given infinite money, in the same way you can approach physical security (“if it were really important to you, you would’ve cloned Fort Knox, so I guess you don’t care”) or even the speed of light. But even Fort Knox is vulnerable to a highly determined invading army.
Getting compromised doesn’t inherently mean you made mistakes.
> Getting compromised doesn’t inherently mean you made mistakes.
I entirely agree, but I think the reason you see such upset posts is that they are thinking of situations where EGREGIOUS mistakes were made and no liability was found.
I'm sure that's right, and I also find that frustrating.
It just rubs me the wrong way, like people who say goofy things like "all CEOs suck". They're picturing [insert your least favorite CEO here], but probably don't know, or temporarily forget, that the local bodega's owner very well might be the CEO of an S-corp that operates their little store for liability purposes.
Are there practical ways other than spending a couple billion dollars to protect yourself from nation state hacking groups? Especially if you're doing something like internet connected medical devices? Honest question
You can’t really avoid paying for security, which seems to historically be why it is ignored and risked. I’ve always felt the right approach is for an internal security & reliability org to be formed to provide an owner and maintainer for core services and libraries, so that things are built robustly from the get-go. Think premade formulations and integration for auth, hosting, data storage, etc. Some companies have small security teams that _kind of_ fill this role, but usually they’re a gate you must pass rather than an ally helping you navigate hard problems by providing and maintaining prebuilt solutions. I’d rather just require that normal devs not need to solve these problems and instead be provided an appropriate sandbox to deploy software in.
They logged in to a global admin account and wiped devices via whatever turd technology is used currently to have complete control over your employees' devices centrally.
Central control over everything gives you a central way to shoot yourself in the foot. Duh. Don't be a control freak company maybe, or if you are, have 2FA on your admins' accounts.
"Nation state" my ass.
They also demonstrated that one rogue admin could have deleted the entire company in like one evening, too, if he felt bad enough.
The problem is, it doesn't matter. If the "good guys" are prevented from testing your system to uncover vulnerabilities without legal threats, but the "bad guys" are not, you still effectively do need to spend that anyway.
> any system which is insecure should be a legitimate target, and the onus needs to be on those who own the systems to secure them, and be unable to disclaim liability if they do not
And what is the limit on that, because the only actually-secured system is one that is not connected to anything or accessed by anyone.
Look, I agree that people are shit and the only person you can trust is one you've killed yourself, but that's not really a workable solution.
State sponsored cyberattacks by China should be considered an act of war by the US government. Telling private firms to hack back isn’t a solution. Unfortunately Trump has been spineless and weak on China, as we have seen in the tariff debacle and in the TikTok ban debacle.
https://en.wikipedia.org/wiki/Letter_of_marque
worse, hackers do like using jump hosts
so wherever you "hack back" to has a good chance to be another victim
it's also a good point to remind people that most cases of "knowing who it was but not catching the people behind it" are either wild guesses without proof or the attacker leaving recognizable traces (like literally an "it has been us <group>" note /not a joke). But the problem with that is any other advanced enough hacker group/APT could also have made it look like that...
The fact that they have money to hire someone to do it?
Now one might ask why didn't they use that money to defend themselves to start with.
Having worked in the space, the normal flow would look something like:
1. Random WordPress blog is hacked and hosts a fake iCloud page that is linked to in phishing emails.
2. We find it, either by direct reporting or by our internet crawling.
3. We reach out to the hacked company, their hosting provider, and their DNS. The goal being to take this site offline no matter how.
This worked for the vast majority of hacks. Some random plumbing company has no clue their marketing site is compromised and happily works with us. Or maybe they host at GoDaddy and we have a privileged relationship with them and they disabled the site. Last resort the DNS company will just delete their records.
Sometimes, though, we get a compromised site on a host in a foreign land that won’t cooperate. Then what? Well, it’s a legal grey area that our in-house counsel felt was perfectly fine: hack the site and take it down the hard way. We didn’t advertise or document when we did this. It was an open secret inside the company however.
All this does is legitimize the sadly necessary work we face in a modern world.
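The triage step in the flow above (find the fake iCloud page, decide whether it sits on a hacked legitimate site or a purpose-built domain, and therefore whom to contact first) as an added example; this is not the commenter's tooling, and the brand list, WordPress markers, sample URL and sample HTML are constructed for the demo.

```python
"""Phishing-page triage for the takedown flow described above.
Added example, not the commenter's tooling. It flags brand impersonation plus
credential harvesting, then guesses whether the host is a hacked legitimate
site (owner usually cooperates) or a purpose-built domain (go straight to the
hosting or DNS provider). No network access; sample URL/HTML are constructed.
"""
from dataclasses import dataclass, field
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlparse

# Brand -> registrable domains allowed to serve its login. Constructed, short.
BRAND_DOMAINS = {"icloud": {"icloud.com", "apple.com"}, "paypal": {"paypal.com"}}
WP_MARKERS = ("/wp-content/", "/wp-includes/", "/wp-json")


class _FormScanner(HTMLParser):
    """Collect form actions, input types and visible text from the page."""

    def __init__(self) -> None:
        super().__init__()
        self.form_actions: List[str] = []
        self.input_types: List[str] = []
        self.text_parts: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input":
            self.input_types.append((a.get("type") or "text").lower())

    def handle_data(self, data):
        self.text_parts.append(data)


@dataclass
class Triage:
    url: str
    brand: Optional[str] = None
    indicators: List[str] = field(default_factory=list)
    is_phishing: bool = False
    host_profile: str = "unknown"      # compromised_legit_site | purpose_built
    first_contact: str = "site owner"  # first party to ask for a takedown


def _registrable(host: str) -> str:
    """Last two labels; demo-grade, real code should use a public-suffix list."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage_page(url: str, html: str) -> Triage:
    """Score a reported page and pick the first takedown contact."""
    t = Triage(url=url)
    host = _registrable(urlparse(url).hostname or "")
    scanner = _FormScanner()
    scanner.feed(html)
    text = (" ".join(scanner.text_parts) + " " + html).lower()

    # 1. Brand words on a page served from a domain the brand does not own.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in text and host not in domains:
            t.brand = brand
            t.indicators.append(f"mentions '{brand}' but served from {host}")
            break
    # 2. A password field means the page is collecting credentials.
    if "password" in scanner.input_types:
        t.indicators.append("password input present")
    # 3. Where credentials go: another host, or a script dropped into the
    #    hacked site; both are typical of phishing kits.
    for action in scanner.form_actions:
        act_host = urlparse(action).hostname
        if act_host and _registrable(act_host) != host:
            t.indicators.append(f"form posts off-site to {act_host}")
        elif not act_host and action.endswith(".php"):
            t.indicators.append(f"form posts to dropped script {action}")
    t.is_phishing = t.brand is not None and "password input present" in t.indicators
    # 4. WordPress markers mean a real site was compromised, so start with its
    #    owner; otherwise the domain probably exists only for this campaign.
    if any(m in html for m in WP_MARKERS):
        t.host_profile, t.first_contact = "compromised_legit_site", "site owner"
    else:
        t.host_profile, t.first_contact = "purpose_built", "hosting or DNS provider"
    return t


# Constructed sample: fake iCloud login dropped into a plumber's WordPress blog.
SAMPLE_URL = "https://example-plumbing.invalid/blog/wp-content/uploads/icloud/index.html"
SAMPLE_HTML = """<html><head><title>Sign in to iCloud</title>
<link rel="stylesheet" href="/wp-content/themes/plumber/style.css"></head>
<body><h1>iCloud</h1>
<form method="post" action="https://collector.example.invalid/login.php">
<input type="email" name="apple_id"><input type="password" name="pw">
<button>Sign In</button></form></body></html>"""

if __name__ == "__main__":
    print(triage_page(SAMPLE_URL, SAMPLE_HTML))
```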
1.https://videocardz.com/newz/nvidia-allegedly-hacked-the-rans...
Also, why burn the resources? Attacking isn’t free.
There's also a quote from Prez in The Wire, "Nobody wins. One team just loses more slowly"
https://en.wikipedia.org/wiki/Anglo-Zanzibar_War
It's like saying "the police don't care anymore, citizen, so you know, just punch back". It's also incredibly dangerous btw to tell private firms they have the authority to engage in what is basically an act of warfare.
If the goal is simply breaking shit (versus e.g. exfiltrating data) offense is way easier than defense. Also, security is an ongoing expense. Retaliation is one time.
Disagree. Retaliating draws a larger target on you. Increasing need for ongoing security. And increasing need to retaliate. You’re retaliating against multiple fronts and vectors. It’s all very expensive and an arms race.
Does it? I feel like I could pretty easily pay a mercenary group to fuck around with Iran without being particularly concerned about blowback. (My main risk would be getting scammed.)
We used to receive routine threats from the IRGC on top of the usual DDoS attacks on our systems. Turns out cybercriminals don’t like it when you disrupt their cash flow. Thankfully we never got SWAT’d or had a box of heroin shipped to our office like that one journalist.
Sony's movie division financed a movie North Korea disapproved of, and DPRK retaliated[1] by hacking Sony Pictures, releasing executive salaries, emails, private employee information, unreleased movies, and scripts, and setting loose wiper malware on Sony Pictures' internal network. Sony was also forced to cancel the theatrical release because there were threats of terrorist attacks at theaters that showed the film.
"Hacking back" is not a great strategy for most companies, except those that were already juicy targets and are battle-tested against state actors. But what do I know, I'm no fancy CSO.
1. https://en.wikipedia.org/wiki/2014_Sony_Pictures_hack
The real question is if they can even properly attribute to the correct target. Nobody hacks from their home IP. Anyone remember Uplink? You'd make it way easier to avoid getting arrested (which wipes your save) if you proxied through the tutorial machine first and wiped its logs after you were done. Likewise, even the most basic cybercriminals know to hack with machines they've already compromised, so that all the owners of those machines and their ISPs' abuse desks spend all their time pointing the finger at each other.
Making criminals' lives more complicated is a good strategy. Corporate vigilantism, I don't know.
Companies have a very visible what, where, who in most cases.
Hackers don't, and take extra steps to obscure it (e.g. jump hosts, botnets etc.).
Now if it's, idk, a spear phishing campaign or similar, "hacking back" by giving them trapped data or reverse social engineering attacks might work.
But if it's a technical security vulnerability someone found by scanning and sneaked into using multi-country jump hosts and cleaned up behind them, then you have little chance to find them, and to do so likely requires getting information from telecoms, which require judge orders to be handed over, and from multiple countries, too.
and also is related to common war crimes if, in a conflict, combatants frequently hide as civilians (as a defense by offense will sooner or later lead to attacking random civilians due to mistaking them for hidden combatants)
so I would take that saying with a bit of salt
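The attribution problem raised above (the address you see is a jump host, and that host may itself be someone else's victim) as an added example, not the commenter's code: it correlates constructed web-log lines by TLS client fingerprint and checks each address against a constructed relay inventory, so the report it produces never names an origin, only the last hop. The log format, the JA3 values, the IP ranges and the relay labels are all constructed for the demo.

```python
"""Why hitting the visible source IP 'back' hits the wrong host.
Added example, not from the thread. It groups constructed web-log lines by
TLS client fingerprint (one fingerprint from many addresses = one campaign
routed through several relays) and checks every source against a constructed
relay inventory. The only conclusion it emits is: last hop seen, origin unknown.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed relay inventory on documentation ranges. Real feeds: Tor exit
# list, VPN/VPS egress ranges, prior abuse reports of compromised hosts.
KNOWN_RELAYS = {
    ipaddress.ip_network("198.51.100.0/24"): "tor-exit",
    ipaddress.ip_network("203.0.113.0/25"): "commercial-vpn",
    ipaddress.ip_network("192.0.2.77/32"): "reported-compromised (hospital network)",
}

# ts ip "METHOD path" status ja3=<hex>   (constructed log format)
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) ja3=(?P<ja3>[0-9a-f]+)$'
)


class Event(NamedTuple):
    ts: str
    ip: str
    path: str
    status: str
    ja3: str


def parse_line(line: str) -> Event:
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return Event(m["ts"], m["ip"], m["path"], m["status"], m["ja3"])


def classify_ip(ip: str) -> str:
    """Relay category for ip, or 'unknown' when the inventory has no entry."""
    addr = ipaddress.ip_address(ip)
    for net, label in KNOWN_RELAYS.items():
        if addr in net:
            return label
    return "unknown"


def attribution_report(lines: List[str]) -> Dict[str, dict]:
    """Per fingerprint: source addresses, what they are, and what the logs
    can and cannot prove about who is behind them."""
    by_ja3: Dict[str, dict] = defaultdict(lambda: {"ips": set(), "paths": set()})
    for ln in lines:
        ev = parse_line(ln)
        by_ja3[ev.ja3]["ips"].add(ev.ip)
        by_ja3[ev.ja3]["paths"].add(ev.path)
    report = {}
    for ja3, seen in by_ja3.items():
        sources = {ip: classify_ip(ip) for ip in sorted(seen["ips"])}
        relays = sum(1 for c in sources.values() if c != "unknown")
        report[ja3] = {
            "sources": sources,
            "paths": sorted(seen["paths"]),
            "relay_fraction": relays / len(sources),
            # The defensible conclusion from last-hop data is always this:
            "origin_attributable": False,
            "note": ("every observed address is a relay or another victim; "
                     "the operator is behind them, not on them")
                    if relays == len(sources) else
                    ("some addresses are not in the relay inventory; "
                     "still last-hop only, do not treat as origin"),
        }
    return report


# Constructed log lines: one client fingerprint probing WordPress endpoints
# from three relays (one of them the hospital host), plus an unrelated visitor.
CAMPAIGN_JA3 = "e7d705a3286e19ea42f587b344ee6865"
SAMPLE_LOGS = [
    f'2025-05-01T02:14:07Z 198.51.100.23 "GET /wp-json/wp/v2/users" 200 ja3={CAMPAIGN_JA3}',
    f'2025-05-01T02:14:09Z 203.0.113.41 "GET /wp-json/wp/v2/users" 200 ja3={CAMPAIGN_JA3}',
    f'2025-05-01T02:14:12Z 192.0.2.77 "POST /xmlrpc.php" 200 ja3={CAMPAIGN_JA3}',
    '2025-05-01T02:15:00Z 203.0.113.200 "GET /index.html" 200 ja3=ab12cd34ef56ab12cd34ef56ab12cd34',
]

if __name__ == "__main__":
    for ja3, entry in attribution_report(SAMPLE_LOGS).items():
        print(ja3, entry)
```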
Verifying the actual source of a hack is not necessarily easy, as far as I know.
The Geneva convention says that combatants must be identifiable by uniform, so we can just enforce that, right? /s
https://www.ietf.org/rfc/rfc3514.txt
> That sort of thing does, however, fit with the present administration's ideology
These kinds of firms (usually branded as boutique consultancies) have already existed in the OffSec space for over a decade now in most countries and with tacit approval of their law enforcement agencies.
It was BSides this weekend and RSAC right now so you will bump into plenty of them walking around Moscone.
That's a rather crude analogy which misses the major dangers of vigilante hacking. A better analogy is allowing private guards to shoot you on suspicion of you having stolen their money based only on a claim that the money found in your wallet might be theirs.
To understand the problem, think of vigilante justice where some person/group assumes the roles of police, judge and executioner, circumventing due process which is due for a reason.
What happens if a corp doesn't like what you have on your website, spoofs some logs as if coming from it and then hacks the site to disable your ability to communicate?
Well, in that case you're toast. You may go to the judge, pay lawyers and waste your life on lawsuits fighting against a corp with a lawful reason to hack you because if this becomes law, you will be guilty until proven innocent - that's very costly and hard to do. Your chances of success will be virtually zero, meaning the corps get a license to silence you with impunity.
This is just a tacit admission of a practice that has been occurring under the radar for years now.
Anyway, it's actually bad if there's been a problem for years, and the way it becomes widely known is by Authority(TM) legitimizing it instead of trying to stamp it out.
How do you stamp it out?
Russia, China, India, Singapore, Israel, South Korea, and Japan don't cooperate on stamping out these kinds of operations. Even EU states like Italy, Czechia, Poland, Hungary, and Greece have continued to allow these kinds of organizations to operate and proliferate capabilities, so much so that the European Parliament attempted an investigation that was promptly ignored by those states because "national security" falls under national sovereignty.
When it's morals versus national security, national security always wins, and no country will leave capabilities unused in the interest of maintaining a moral high-ground.
> the way it becomes widely known
It has been widely known in the security industry for years.
0 – https://en.wikipedia.org/wiki/Pardon_of_January_6_United_Sta...
1 – https://www.nbcnews.com/politics/politics-news/trump-calls-a...
Link seems to be down ATM. Is this caused by that Cloudflare issue affecting archive.today that was just posted recently?
For clarity, the recent issue[0] likely wasn't intermittent. Cloudflare's malware blocking DNS server now blocks those archive.today sites. Doesn't affect the non-malware-blocking DNS server (1.1.1.1).
[0] https://news.ycombinator.com/item?id=47474255 ("Cloudflare flags archive.today as 'C&C/Botnet'; no longer resolves via 1.1.1.2")
The attendant does not want smoke… but if Circle K can hire top talent to “eliminate”?
How cool would a team of 12 guys charged with hurting the hacking firm be? Awesome job. And if successful you’d have a cool story. White hat but you don’t need to work for the NSA.
https://www.whitehouse.gov/wp-content/uploads/2026/03/Presid...
I don't see where the policy instructs the private sector to "hack back", a quoted term in the article.
One reason: When a corporation attacks someone, how do they decide who they are attacking? What if they attack the wrong person due to misattribution? What if they do it due to incompetence (stretch your mind and try to imagine incompetence in IT) or just to look like they did something? What if they attack enemies or competitors? I'm sure they can find some excuse.
In every other domain of justice, there is a warrant, an arrest, indictment, and trial, involving the agreement of many people in two branches of government.
Also, does this mean I can 'hack back' the endless scammers?
Instead of automating away a job that is mostly about blathering on with half-truths about the future of the company (something that AI could actually do perfectly fine), they instead think they can fire half the engineers and replace them with a Claude Code.
I wonder if there is a service that just serves as a "degree cleanse" where I can technically say I have a degree from Columbia or something without having to spend $200,000 going through another degree program.
[1] Admittedly for money, but also it's one of the few areas where I might realistically be allowed to do math.
I send an application to RenTec every six months, almost as a joke because I would be extremely surprised if they continue after seeing <NOT A TOP 20 SCHOOL> on my resume. Granted, I don't think you really "apply" to RenTec to begin with, I think realistically they actually find you.
The other way would be to be working at a management or strategy/IT consultancy that is working with the financial institution. That way you can build your own relationships, understand their business and get head-hunted into an internal role when one comes up.
Maybe I should just get my mom to write them a note explaining how clever and handsome I am, because I don't know that that comes through clearly in the resume. If I attached that as a cover letter, it might at least be memorable :)
I could kind of understand this if it was a junior position since the incoming person might not have any real experience, but this was for a staff level and required at least ten years of experience.
I responded back to the recruiter with something like "I didn't go to a fancy school, and I don't want to work with these assholes if they think that that's more important than fifteen years of experience. I'm not sure why you sent this to me, you can see my education history clearly on my LinkedIn profile".
Of course, if you limit your search to the "prestigious" firms, then yes, there is an Ivy league filter. But why would you want to work at a firm that is all style and no substance?
If our society was organized around the needs of workers, and existed to help workers compete at their crafts (somehow), then this would make sense.
But it isn't. Every one of our jobs exists as a contract that was initially offered by an owner of capital, and created in order to make that person more money.
As such, ownership is literally the _only_ job that will never be replaced, because it is the atom from which all the rest of the market's building blocks have been built.
AI could replace every job in the market, and company-owner would be the only job left untouched, because every other job in existence, ultimately, has been created to serve that person, not the other way around.
Humans will always be the roots of the ownership graph, but I think AI can be any other node. Start an AI-first hedge fund or private equity firm. The AI makes the decisions. There may be a human manager, but they've agreed to be the AI's arms and ears. AI starts looking like a root owner if/when it starts managing a large charitable endowment, however.
Same thing with managers, particularly CEOs. The board may become dissatisfied with the present CEO, and start requiring that they run all decisions past an AI. The board agrees to certain values or priorities for the AI. Eventually, the AI is the one effectively in control, and the CEO is just a vestigial organ drawing a salary in case the AI ever makes a very bad decision.
My dad used to have a boss that he pejoratively nicknamed "VPGPT", because he felt that the way he spoke was indistinguishable from ChatGPT, and he could be replaced with ChatGPT without anyone noticing a difference. This guy wasn't the owner of the company, he was just a higher-level manager.
So if you are the CEO, you are basically one or two tiers away from the money. Those who report to the CEO 5 levels deep are pretty far away.
Believing that someone very close to the money is going to replace themselves is incredibly naive.
Sure, owners in the end might get wise and realize they can fire the human and just keep the bot doing all the work. Or they might decide that having a person to manage all the bots instead of them is worth the money to not be bothered going all the way. Or perhaps it takes until the board also replaces themselves with bots that those bots decide it’s time to do away with the pesky human. Either way it’s the last of the dominos to fall.
From Schlock Mercenary: "I can replace desk-meat like you with a Turing dynamo, an Eliza helix, and a white noise generator."
It's just that they're typically also a shareholder.
The way a company with a bad C-suite gets fixed is by being competed out of existence. The way workers with bad bosses can fix that is imo limited, mostly to “find another job”.
I’m curious if anyone has ever heard of “complain to the board during the CEO’s renewal phase” being successful. It didn’t happen at places I know about.
https://www.inc.com/bill-murphy-jr/an-activist-investor-forc...
https://www.investopedia.com/top-10-activist-investors-in-th...
I don't think this is true in any meaningful sense.
How would this even work? "workers compete at their crafts" doesn't put food on the table. I'm sure that if "economics" and "capitalism" wasn't a factor, most of HN would be making indie games or whatever instead of making enterprise SaaS apps.
So just like 2008.
If the country isn’t on fire afterwards, I’m giving up on it.
How?
Then organize like every other movement; study the US in the 1960s.
The US was a vastly different country in the 1960s than today from all points of view. Plebs had way more social cohesion and unity, and a lot more bargaining power over the wealthy and politicians, when communism was the main enemy and all working class jobs hadn't yet been shipped abroad and PE hadn't yet monopolized ownership of housing and everything else and the US industrial elites didn't have doomsday bunkers in Hawaii and New Zealand.
What I'm saying is what worked then won't work now because the context is completely different.
You keep avoiding answering the main question: How?
And when you answer how, answer why that hasn't already worked.
And, it has worked - it worked in the 30s to get the New Deal through and expand unions, it worked in the 60s to advance the environmental and civil rights agendas, it worked in the 80s to dismantle the New Deal, it worked in the 90s to promote gay rights, it worked in the 00s to make Christian Nationalism a national political force, it worked in the 10s to get a fascist elected and then re-elected, and god willing it’ll work in the 20s to get these fucks out of office again too.
You live it. This is basic shit.
If you're trying to make a veiled reference to the French revolution, keep in mind that's also ostensibly what the Jan 6th rioters thought they were doing, though arguably a lighter version. "Let's have a violent revolution to kill the elites" sounds like a great idea, until you realize that it works for the other side as well.
For an easy example, a guy murdering his wife for the insurance money is someone that I can pretty easily call "bad". That would be hurting someone to enrich yourself, which I think we can agree is pretty bad.
But on an "individual morality" level, it's hard for me to directly condemn the J6 people. If they genuinely believed the election was stolen, and if they genuinely believed that the only way to save America was by invading the Capitol, and they were willing to do it at great risk to themselves with very little personal benefit, it's hard for me to directly say that they're "bad" people. Dumb, misguided people doing a bad thing, but they're doing what they think is right.
To be clear, I think the J6 people were very stupid, and I think it's horrible that the orange idiot lying about some election fraud in order to overthrow democracy is a very very very bad thing.
J6 was a _government official_, with no evidence, inciting violence in people that _did not care about evidence_. They did not think, period.
BLM was individuals responding to seeing, _with their own eyes_, power being blatantly abused _by government officials_, live on TV, many, many times.
Since when did I bring in BLM?
>you can't use that "fact" to justify ANYTHING, let alone J6.
Where did I justify that?
History books say that ...oh ...starts flipping frantically ... oh no!
Yeah, no that's not gonna happen and you also don't want that.
Maybe this time they will only let it go down for a couple days.
Well, they also relied on this company to protect them, so...
https://www.bleepingcomputer.com/news/security/microsoft-ent...