
Comment by WJW

20 hours ago

The online security world is so wild. In pretty much any other field of engineering, foreign nation states explicitly targeting the thing you built is just kinda out of scope. There's no skyscraper in existence that is designed to withstand sustained artillery shelling, and your car is not going to withstand a tank shell either. Neither do they have to be designed to that specification. If North Korea killed someone with a missile or even destroyed a minor building or something, there would be public outrage and swift (military) repercussions.

But online, it's the wild wild west. The North Koreans can throw anything they want at your systems and the main response you get is "lol get good noob, should have built more secure systems" despite the opposing side having quite literally hundreds of people specifically trained to take on organisations like yours.

Not saying the Bybit people couldn't have been more careful or whatever, but let's appreciate how wild the online environment actually is sometimes.

Your logic is backwards.

Factories are not designed to withstand sustained aerial bombardment because the chance of sustained aerial bombardment is small to non-existent due to effective (geopolitical) mitigations.

But, if you are in an active war and being actively bombed, then you absolutely design your factories to be resistant to sustained aerial bombardment. You do not just throw your hands up in the air and say: “Who could have expected this totally routine and expected situation in our operational environment? We can not be blamed for not adequately mitigating known risks and intentionally mischaracterizing our risk mitigations as adequate for commonplace risks we know we can not adequately mitigate.”

If there were effective geopolitical mitigations that made the chances of an attack minimal, then your argument holds weight. But, that is not the case. Failure to accommodate for known, standard, commonplace failure modes is incompetence. Deceptively implying you do mitigate risks while lying or with a disregard for the truth is fraud and maliciousness.

There is also a second problem with your argument which is the relative accessibility of executing these attacks being trivial compared to military operations; being easily within the reach of lone individuals, let alone groups, organized crime, or entire governments. They require 10,000% security improvements to actually stop commonplace and routine attacks. But that is a longer argument I am not going to get into right now since the qualitative argument I made above applies regardless of the quantitative difficulty.

  • > But, if you are in an active war and being actively bombed, then you absolutely design your factories to be resistant to sustained aerial bombardment.

    That's not really a viable strategy. It has been tried a few times - Mittelwerk and Kőbánya spring to mind - but you can't really build a self-contained factory. If your enemy can't bomb the factory, they'll bomb the roads and railways serving your factory, they'll bomb the worker housing, they'll bomb the less-sensitive factories that supply your factory with raw materials and components. You very quickly run into the diseconomies of operating under siege conditions.

    At least during WWII, it was generally far more effective to rely on camouflage, secrecy and redundancy. Rather than having a super-fortified factory that shouts "this is vital national infrastructure", spread your capacity out into lots of mundane-looking facilities and plan for a certain level of attrition. Compartmentalise information to prevent your enemy from mapping out your supply chain and identifying bottlenecks. Your overall system can be highly resilient, even if the individual parts of that system are fragile.

    • All of those are methods to be resistant to aerial bombardment in my book.

      If nobody knows where your factory is, it looks like a parking lot from the air and you have multiple smaller factories instead of one big factory to mitigate the impact of a damage event, you are resistant to aerial bombardment, even if your ceiling isn't any sturdier than a normal factory roof. Same if the factory is out in the open but everybody thinks your drone factory produces windshield wipers.

    • Yes, I am aware. I was using “resistant to sustained aerial bombardment” in the general sense of all classes of mitigations, not just fortification.

      But thank you for elaborating when I was too lazy to. It helps further reinforce my point that the key is mitigating the risk however you can, not specific risk mitigations somehow absolving responsibility.

    • > they'll bomb the worker housing, they'll bomb the less-sensitive factories that supply your factory with raw materials and components. You very quickly run into the diseconomies of operating under siege conditions.

      All true, and German WW2 production kept increasing despite the bombing.

  • Sure, if there was an active war going on. But while NK and the USA are not exactly friendly, they're definitely not at war either. In basically any other field, the question of "what do we do when a nation state deploys hundreds of people, well funded and well trained, specifically to screw us over?" is met with some variant of "that's why we pay taxes, so the army can protect us from that".

    A normal bank being robbed for 1.5 billion, ESPECIALLY by a pariah country like North Korea, would absolutely not be met with "oh that was definitely your own fault" as many of the sibling comments seem to imply.

    • It is not about “active war”. It is about mitigating known, routine risks. You are confusing a description of the problem and a description of the solution.

      Routine harmful cyberattacks are a problem. You do not get to abdicate responsibility because it is too hard. If you can not handle the operational environment, then do not operate in it.

      Maybe the solution is “go to war due to cyberattacks”, but that is not happening right now so their systems are inadequate for the expected operational environment (i.e. incompetent). And everybody knows this is the operational environment, everybody knows they can not deal with expected problems, and everybody does not adequately inform their customers because it would be detrimental to their bottom line.

    • As you say, it's weird. There absolutely is an all out war going on online. They attack us and we presumably throw just as much at them.

      The chief US adversaries have the advantage of national firewalls, and less of their crucial infrastructure is online, so it is perhaps less effective against them. Or for all I know they are subject to equivalent thefts every day and just keep it out of the news.

  • No one said "they didn't need to defend", or at least that's not how I read OP. The observation is merely that the situation is so wildly different from the physically local world. It's remarkable.

  • I suspect the truth lies between the two - we are under constant attack, but we aren’t as a society reacting as if we were.

    It’s like a building occasionally gets hit by a shell and we don't get on a war footing.

    The closest analogy I can come up with is England in the 1600s and early 1700s. Fairly regularly ships would be attacked by pirates from North Africa, and sometimes an actual land raid would occur - pirates from North Africa would take slaves from small seaside towns.

    It was not till England's navy grew strong enough that the threat was eliminated - and perhaps that’s the real issue here - we know it’s happening, we cannot turn the Wild West into urban peace, so we just have to keep taking the licks and keep building more secure and stronger.

    • > The closest analogy I can come up with is England in the 1600s and early 1700s.

      I like your point, but that is a hell of an analogy. 1600 is when they formed the East India company, which was basically a state sponsored bunch of pirates, looting the wider world with its hundreds of thousands of soldiers. https://en.m.wikipedia.org/wiki/East_India_Company

    • It is not about war footing it is about mitigating known environmental hazards. This can be done geopolitically, collectively, technologically, etc. but the point is that you need to mitigate or accommodate the known, routine risks.

      It is silly to point to situations where the risks were mitigated as evidence that you do not need to mitigate the risks as the person I was responding to did. You can do that to argue that we need to mitigate the risks in a different manner, but not to argue that you can not be blamed for not mitigating the risks.

      As to examples from history, we could look to Israel’s anti-rocket defenses as an example of handling occasional shelling. Ancient castles and walls as an example of handling stray bandits, mercenaries, and armies. Private merchant naval vessels of the 1600s who routinely had their own cannons. Armored compounds and communities in areas with high crime. Armored trains and trucks. This is standard practice. We just figured out more effective and cheaper collective mitigations. But until that happens, you need to handle it yourself or you are incompetent.

The state of online security hasn't changed much.

What has changed is that there is a digital (as opposed to gold) international form of money whose transactions cannot be reversed or stopped. Bybit and those holders of large crypto are operating with a fundamentally different threat model where it's worthwhile for an attacker to invest millions of dollars of effort (for the Bybit payout even tens or hundreds of millions) attacking them. Everyone else just needs to worry about getting ransomed for a much smaller amount.

  • There's a long BBC podcast on Lazarus that touches on the spending.

    The members are state sponsored and young/bright. Top 0.1% academic sorts. At one point, the BBC got access to a conversation with one of the hackers, and their only question was "how much do you get paid?" (the context was that the hacker thought they were talking to someone else in the tech space)

    Apparently they aren't paid very well at all. Far less than the average Western IT worker. Their lives are not luxurious either. They're in barracks style living quarters with strict schedules and travel. Presumably, the anonymous Lazarus hacker was putting out a probing question because they must have been ruminating about what life on the other side would be like, what they are really worth, etc.

    That's part of the power of Lazarus, the ability to dedicate resources far in excess of what most expect due to their indentured servant hackers (the opportunity to join is presented as a gift, which to some extent it is because it does come with the extremely rare opportunity to travel. Many of them are in China.)

It is essentially a financial institution handling billions of dollars. It is not the average website of your neighbourhood restaurant that got hacked or a scattershot ransomware attack. I would expect that for that scale nation state actors are not out of scope, even if it is usually more about infiltration and IP/secrets theft than outright getting robbed.

  • Eh, said financial institution chose a field of operation where certain risks are present by design. They make good profits because other institutions judge those risks too high.

    It's the mob attacking a casino and making off with chips. That people keep valuing those chips is one of the mysteries of our days.

That’s a really good point. If a nation state bombed a private oil rig with $1.5B in damages all hell would break loose. But if it’s a cyber attack no one cares and we blame the victim.

I think it really boils down to plausible deniability, and the fact that it’s convenient for the governments on the receiving end to ignore the damages done to private citizens when there’s no physical harm and clear responsibility.

No president is going to bomb NK because they attacked a crypto exchange. Maybe they should, but it’s not something the public will support. So it’s easy to say “oh well we don’t really know for sure who did it” and call it a day. It’s our own fault.

I also agree that private citizens have a responsibility to secure ourselves, but where do you draw the line? If I don’t have an AA gun on my roof, am I responsible for enemy warplanes bombing my business? Isn’t this partially why I pay taxes?

  • Well, there's a couple of airliner shootdowns that kind of go in this category. MH17, PS752, AHY8243... That's at least $0.5B in damage plus many hundreds of civilian lives.

It seems more analogous to the Soviets infiltrating your small business. Which no small business owner is prepared to screen for, and which happened.

At a certain scale nation-state-level actors have to be part of your threat model, there's no excuse.

But yeah, it's quite baffling how in a couple years we seemingly went from stealing email addresses to credit cards to straight up billions of dollars.

If we can expect that everything shifts online eventually, where will this end? Clicked on the wrong link? Guess your house is gone... tough luck.

  • This is why it is dangerous to replace people and laws with code. With laws, you eventually get to talk to a human being who has leeway in interpreting the situation. With code, it just works the way it does, regardless of circumstances.

    Cryptocurrencies avoid a central authority, but by doing that, they also avoid any possibility of human discretion, oversight, or recourse. There is no institution to appeal to, no customer service to call, and no regulator to enforce fairness.

    • It does feel, doesn’t it, that the cryptocurrency crowd seems mainly to comprise the kinds of actors who correctly anticipate that the legitimate banking sector—and most humans, if asked—will say “no” to them…

      Which I guess the idealists would say is part of the point: “first they came for the DPRK extortionists, and I said nothing,” etc.


  • What concerns me is the idea that risks like these might leak into the regulated financial sector.

    Right now, if I want to avoid my dollars being among those billions stolen, I can (and do) keep them someplace far away from instant digital currency. With firms that, while they could move large sums of their money somewhere else, build in a whole lot of friction in proportion to the amount being moved—by their customers, their staff, and their counterparties. Limited and well-understood modes of potential malfeasance, and strong structural discouragement for each of them.

    There is nothing that I need to do that needs to move fast. But I’d hate for the firms servicing my slow, boring needs to be tempted by the new shiny.

> If North Korea killed someone with a missile or even destroyed a minor building or something, there would be public outrage and swift (military) repercussions.

Russia kills people in the West with nerve gases or plutonium, cuts electrical and Internet cables, blows up ammunition factories or puts incendiary devices on cargo airplanes and there are no repercussions.