A massive data leak from a Chinese cybersecurity firm has offered a rare glimpse into the inner workings of Beijing-linked hackers. Analysts say the leak is a treasure-trove of intel into the day-to-day operations of China’s hacking programme, which the FBI says is the biggest of any country.

  • @thesmokingman@programming.dev
    link
    fedilink
    English
    2
    edit-2
    9 months ago

    The DoD’s initiatives are coming way too late. Private industry is much more lucrative and without a pipeline like, say, Unit 8200, there’s no hook to pull people in. Thirty years ago when the NSA controlled the entire stack, math to hardware to code, it was a different story. In undergrad I regularly attended lectures by mathematicians who were finally able to talk about combinatorics problems that had been classified for 20+ yr. The genie is out of the bottle.

    I’m in cybersecurity and voraciously consume everything related to it. I’d be really curious to know what you’re reading that says the US is capable of anything beyond social engineering.

    Edit: really good example is the rampant infiltration of malware into critical infrastructure in the US, something that would have been unheard of until the late 90s/early 00s. Hell, the Silk Road was only taken down via social engineering and gross misconduct was completely missed.

      • @thesmokingman@programming.dev
        link
        fedilink
        English
        09 months ago

        That’s okay! The literature and the international cybersecurity community explicitly disagree with your naive assessment that “billions means we have capabilities” and the total lack of defense for critical infrastructure highlights how all of that is spent poorly. I don’t need to go out of my way to try and convince someone on a government contract doing nothing because neat attacks like the Colonial Pipeline and Pegasus prove my point!

          • @thesmokingman@programming.dev
            link
            fedilink
            English
            19 months ago

            NIST also pushed DES after it was known to have been broken. Granted NIST-800 does actually match industry standards but that’s only because the NSA can’t weaken it without raising eyebrows.

            Since you bring up Sandworm, that’s a great example of proving my point. Not the US.

            You can’t call Colonial “cherry-picking” and then say that critical infrastructure is a known vulnerability no one can defend. It’s a great example of, once again, my point because Russia has already taken out grids multiple times and we still have no response. If you say the feds got Volt Typhoon I’ll point to plenty of other attacks on US companies they didn’t foil.

            Show me the equivalent US attacks on Chinese, North Korean, or Russian targets. Show me the constant prevention of not attacks on government targets but private targets. Show me the diversion of academic resources and constant publication pulled from universities because of its classified nature. Show me a government that pays more than private sector with its pick of the top. Show me a private sector known around the world for its cyber capabilities.